Introduction to Kerberos-related Tools
This page is an introduction to the tools installed when your system is moved into the Computer Science Kerberos system. Items noted with * were written at Rutgers, and will only be on our systems. Everything else will be used on all Linux systems that use the most recent Kerberos software.
Kerberos - Kerberos is primarily in libraries which are used by programs that do authentication. Configuration is in /etc/krb5.conf. You'll note that we don't define the central servers (KDCs). That's because the libraries look them up in the DNS system. So we can add servers without having to update /etc/krb5.conf everywhere.
/etc/krb5.keytab is a keytable for the specific computer. It allows the computer to identify itself for things like NFS mounts, where servers may only authorize certain computers to mount a file system.
/etc/krb5.i2chain.pem and krb5.kdc.pem are SSL certificates used to validate SSL connections to the Kerberos server.
Generally users won't have to use any explicit Kerberos tools, but administrators might want to:
- kinit - does a Kerberos login. Creates a ticket in whatever location is defined as the default in /etc/krb5.conf. If you use a one-time password you will need to use skinit*. It has the same arguments as kinit. (Note that when a system is Kerberized, login automatically gets a ticket. So normal users don't need kinit. This is for testing.)
- klist - lists your current tickets. Try klist -A if you're using a collection.
- kdestroy - destroys the current ticket. Note that at Rutgers renewd will kill your current ticket when you log out for the last time.
sssd - Sssd is a set of libraries and daemons to handle login and act as a source of data on users, groups, netgroups, and ssh host keys. There is a pam module, pam_sss, that talks to sssd to manage authentication and authorization for login. We normally leave pam_unix, so if you have an entry in /etc/passwd both your Kerberos and Unix passwords will work. However only your Kerberos password will result in a Kerberos ticket.
Sssd will create Kerberos credentials for you. Those credentials expire after 24 hours. Renewd* will renew them automatically as long as you're still logged in.
Sssd also has an nss library. This acts as a source for user, group, and netgroup data, and host ssh keys. Normally /etc/nsswitch.conf specifies "files sss" so that information in /etc/passwd and /etc/group takes precedence. On systems we maintain, /etc/passwd and /etc/group have only information for software specific to the local system, e.g. passwd and group entries for mysql and other packages. We get all user information from sss. Sss, in turn, gets its information from an LDAP server that is part of our Kerberos system.
Sssd caches information. If necessary, you can clear the cache using "sss_cache -E". This isn't available on some older operating systems.
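The two settings described above (KDC discovery through DNS in /etc/krb5.conf, and "files" ahead of "sss" in /etc/nsswitch.conf) are easy to get wrong by hand, so here is an added example, not part of the original page, of read-only checks for them. The realm name and file contents are constructed for the demonstration; point the functions at the real files to audit a system.

```shell
#!/bin/sh
# Added example, not from the original page: read-only checks of two settings the
# page describes. Realm name and file contents below are constructed for the demo.

# krb5_kdc_via_dns FILE: exit 0 when FILE enables dns_lookup_kdc and has no static
# "kdc =" lines, i.e. KDCs are found through DNS SRV records, as in /etc/krb5.conf here.
krb5_kdc_via_dns() {
    grep -v '^[[:space:]]*[#;]' "$1" |
        grep -Eiq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*(true|yes|1)' || return 1
    # a static kdc = entry would have to be edited on every host when servers change
    if grep -v '^[[:space:]]*[#;]' "$1" | grep -Eiq '^[[:space:]]*kdc[[:space:]]*='; then
        return 1
    fi
    return 0
}

# nss_files_before_sss FILE DB: exit 0 when the DB line (passwd, group, netgroup) in
# FILE lists "files" before "sss", so local /etc/passwd and /etc/group entries win.
nss_files_before_sss() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    pos=0; files_pos=; sss_pos=
    for src in ${line#*:}; do
        pos=$((pos + 1))
        case "$src" in
            files) files_pos=${files_pos:-$pos} ;;
            sss)   sss_pos=${sss_pos:-$pos} ;;
        esac
    done
    [ -n "$files_pos" ] && [ -n "$sss_pos" ] && [ "$files_pos" -lt "$sss_pos" ]
}

# Constructed sample files (assumption: CS.EXAMPLE.EDU is a placeholder realm).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CS.EXAMPLE.EDU
    dns_lookup_kdc = true
[realms]
    CS.EXAMPLE.EDU = {
        # no kdc = lines: the libraries use DNS SRV records instead
    }
EOF
printf 'passwd: files sss\ngroup:  files sss\nnetgroup: sss files\n' > "$SAMPLE_DIR/nsswitch.conf"

krb5_kdc_via_dns "$SAMPLE_DIR/krb5.conf" && echo "krb5.conf: KDCs are found via DNS"
nss_files_before_sss "$SAMPLE_DIR/nsswitch.conf" passwd && echo "nsswitch: files before sss for passwd"
```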
renewd* - this is a daemon that automatically renews Kerberos credentials. Normally they would expire after 24 hours. They can be renewed for up to a year. Renewd also removes credentials when no processes still need them.
Renewd works with a pam module, pam_reg_cc*. It registers your credentials when you login, so that renewd will renew and eventually remove them. (If you are using selinux, a security system that comes with Centos 7 by default, a special selinux module is needed to let pam_reg_cc work. Our Kerberize script installs it automatically. The files are in /usr/local/etc/selinux.)
kgetcred* - Many times you will have cron jobs that need to access files on servers that use Kerberos. So there needs to be a way that your cron jobs can get Kerberos credentials. Allowing this is a bit of a security risk, since it means that root can get credentials for you. So we require you to register permission for cron jobs to use your credentials on the current system. "kgetcred -r" will do that.
Kgetcred works with a pam module, pam_kgetcred*. It is used when a cron job starts, to get credentials for you. pam_kgetcred gets those credentials from a service running on the Kerberos server.
Outside Rutgers, people using cron jobs are told to create a key table. Their cron jobs can then use kinit to get credentials from the key table. The difficulty with this is that a key table has no limits on time or host. So if someone can copy it, they can become you anywhere. The kgetcred mechanism is a lot more controlled.
pam_kmkhomedir* - on our central systems, user home directories are created the first time they login. Normally this would be done by pam_mkhomedir. However pam_mkhomedir requires root to be able to create home directories. On Kerberized file systems, root has no special privileges. pam_kmkhomedir talks to a service on the file server to create a home directory if one doesn't exist.
skinit* - Our Kerberos system supports one-time passwords. See two-factor authentication. Normally this will be handled automatically by sssd. However if you need to authenticate manually, you will need to use skinit rather than kinit. It has the same arguments and functionality as kinit, but supports one-time passwords.
ipa - IPA is a command-line client that allows changes to be made in central information, e.g. user information such as default shell, and membership in groups. There are a few other ipa tools that are used in setting up a system. IPA is only installed on recent OS's, not Centos 6 or Ubuntu 14.
/usr/local/bin/ssh* is added. This runs the normal ssh with a special library that causes your Kerberos ticket to be renewed before ssh connects to the remote system. This prevents situations where you could end up with a ticket whose lifetime is too short.
Configuration changes
Our installation changes some existing configuration.
- On Centos and SLES, we set up chrony to keep time synchronized. If ntp is set up, we disable it. Chrony is a replacement for ntp, which behaves better if the computer's hardware clock has problems. Chrony is not set up on Ubuntu systems, as there are conflicts with some GUI tools. Ubuntu should automatically set up timesyncd (or ntp on older versions).
- /etc/sudoers.d/lcsr allows LCSR systems staff to be able to sudo. Note that this has no effect unless you authorize those staff to login.
- We change /etc/nsswitch.conf so it gets user and group information first from /etc/passwd|group, and then from ldap. The module used for LDAP is different depending upon how you choose to set up your system. If you get user/group information primarily from IPA, sss is used to supply user/group information. If you primarily use /etc/passwd, we set up a copy of nslcd and use ldap to get information for users and groups not in /etc/passwd|group. (On SLES, nslcd is not available, so we use the older LDAP libraries.)
- We change sshd and ssh configuration (if necessary) to allow login without password for users who are authenticated via Kerberos. On current OS versions (i.e. not Centos 6 or Ubuntu 14), ssh is also configured to get host keys from LDAP. This lets ssh avoid prompting the user to decide whether a host is valid.
- We enable the pseudo-file system /net. This allows you to access files on other computers without explicitly mounting them.
NFS setup
The following services are required to allow NFS to use Kerberos to identify users.
- The NFS server package is installed if it's not there already
- /etc/idmapd.conf is set up by specifying the domain as cs.rutgers.edu, and idmapd is started. Idmapd is used by NFS version 4 (both client and server) to map user and group names. That means that UIDs and GIDs don't need to be synchronized between client and server. Only names are used.
- rpc.gssd is enabled if necessary. This daemon manages Kerberos credentials on the client side for NFS. Its configuration is modified so it is run with the argument -t 600. That causes credentials to be reevaluated every 10 minutes. The idea is that when you logout, your files should no longer be exposed to anyone who can become you.
- rpc.svcgssd is enabled if necessary. This daemon manages Kerberos credentials on the server side for NFS. Note that this service will exit if nothing is listed in /etc/exports. When you're ready to export a file system, you may need to start rpc.svcgssd manually. (It will start automatically when you boot the system.)