Account Management

Introduction to Kerberos-related Tools

This page is an introduction to the tools installed when your system is moved into the Computer Science Kerberos system. Items noted with * were written at Rutgers, and will only be on our systems. Everything else will be used on all Linux systems that use the most recent Kerberos software.

Kerberos - Kerberos is primarily in libraries which are used by programs that do authentication. Configuration is in /etc/krb5.conf. You'll note that we don't define the central servers (KDCs). That's because the libraries look them up in the DNS system. So we can add servers without having to update /etc/krb5.conf everywhere.

/etc/krb5.keytab is a key table for the specific computer. It allows the computer to identify itself for things like NFS mounts, where servers may only authorize certain computers to mount a file system.

/etc/krb5.i2chain.pem and krb5.kdc.pem are SSL certificates used to validate SSL connections to the Kerberos server.

Generally users won't have to use any explicit Kerberos tools, but administrators might want to:

sssd - Sssd is a set of libraries and daemons to handle login and act as a source of data on users, groups, netgroups, and ssh host keys. There is a pam module, pam_sss, that talks to sssd to manage authentication and authorization for login. We normally leave pam_unix in place, so if you have an entry in /etc/passwd both your Kerberos and Unix passwords will work. However, only your Kerberos password will result in a Kerberos ticket.

Sssd will create Kerberos credentials for you. Those credentials expire after 24 hours. Renewd* will renew them automatically as long as you're still logged in.

Sssd also has an nss library. This acts as a source for user, group, and netgroup data, and for host ssh keys. Normally /etc/nsswitch.conf specifies "files sss" so that information in /etc/passwd and /etc/group takes precedence. On systems we maintain, /etc/passwd and /etc/group have only information for software specific to the local system, e.g. passwd and group entries for mysql and other packages. We get all user information from sss. Sss, in turn, gets its information from an LDAP server that is part of our Kerberos system.
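As an added example (not part of the original page or of the Rutgers tools), here is a small POSIX shell check for the two configuration expectations described above: that krb5.conf leaves KDC discovery to DNS rather than listing kdc= entries, and that nsswitch.conf consults files ahead of sss. The realm name and both configuration texts are constructed samples, not copies of any real host's files.

```shell
# Constructed sample configs (not copied from any real host). They mirror the
# page's description: no kdc= lines so the libraries find KDCs via DNS, and
# nsswitch.conf listing "files sss" so local entries win over LDAP-backed sss.
KRB5_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.REALM
    dns_lookup_kdc = true
    dns_lookup_realm = true
[realms]
    EXAMPLE.REALM = {
        admin_server = kerberos.example.realm
    }'

NSS_SAMPLE='passwd:     files sss
group:      files sss
netgroup:   files sss
hosts:      files dns'

# Classify how a krb5.conf locates KDCs: "static" if any kdc= line is present,
# "dns" if there are none and dns_lookup_kdc is enabled, otherwise "none".
kdc_discovery_mode() {
    conf="$1"
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*kdc[[:space:]]*='; then
        echo static
    elif printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*(true|yes|1)'; then
        echo dns
    else
        echo none
    fi
}

# Print the source list of one nsswitch.conf database (e.g. "files sss").
nss_sources() {
    conf="$1"; db="$2"
    printf '%s\n' "$conf" | awk -v db="$db" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed only when the database consults files before sss, as the page expects.
files_before_sss() {
    [ "$(nss_sources "$1" "$2")" = "files sss" ]
}

# Stand-alone run: report both checks for the constructed samples.
echo "KDC discovery: $(kdc_discovery_mode "$KRB5_SAMPLE")"
for db in passwd group netgroup; do
    files_before_sss "$NSS_SAMPLE" "$db" || echo "$db: sss consulted before files"
done
```

To check a live machine, pass "$(cat /etc/krb5.conf)" and "$(cat /etc/nsswitch.conf)" instead of the samples.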

Sssd caches information. If necessary, you can clear the cache using "sss_cache -E". This isn't available on some older operating systems.

renewd* - this is a daemon that automatically renews Kerberos credentials. Normally they would expire after 24 hours. They can be renewed for up to a year. Renewd also removes credentials when no processes still need them.

Renewd works with a pam module, pam_reg_cc*. It registers your credentials when you log in, so that renewd will renew and eventually remove them. (If you are using selinux, a security system that comes with Centos 7 by default, a special selinux module is needed to let pam_reg_cc work. Our Kerberize script installs it automatically. The files are in /usr/local/etc/selinux.)

kgetcred* - Many times you will have cron jobs that need to access files on servers that use Kerberos. So there needs to be a way that your cron jobs can get Kerberos credentials. Allowing this is a bit of a security risk, since it means that root can get credentials for you. So we require you to register permission for cron jobs to use your credentials on the current system. "kgetcred -r" will do that.

Kgetcred works with a pam module, pam_kgetcred*. It is used when a cron job starts, to get credentials for you. pam_kgetcred gets those credentials from a service running on the Kerberos server.

Outside Rutgers, people using cron jobs are told to create a key table. Their cron jobs can then use kinit to get credentials from the key table. The difficulty with this is that a key table has no limits on time or host. So if someone can copy it, they can become you anywhere. The kgetcred mechanism is a lot more controlled.

pam_kmkhomedir* - on our central systems, user home directories are created the first time they log in. Normally this would be done by pam_mkhomedir. However, pam_mkhomedir requires root to be able to create home directories. On Kerberized file systems, root has no special privileges. pam_kmkhomedir talks to a service on the file server to create a home directory if one doesn't exist.

skinit* - Our Kerberos system supports one-time passwords. See two-factor authentication. Normally this will be handled automatically by sssd. However if you need to authenticate manually, you will need to use skinit rather than kinit. It has the same arguments and functionality as kinit, but supports one-time passwords.

ipa - IPA is a command-line client that allows changes to be made to central information, e.g. user information such as default shell, and membership in groups. There are a few other ipa tools that are used in setting up a system. IPA is only installed on recent OSes, not Centos 6 or Ubuntu 14.

/usr/local/bin/ssh* is added. This runs the normal ssh with a special library that causes your Kerberos ticket to be renewed before ssh connects to the remote system. This prevents situations where you could end up with a ticket whose lifetime is too short.

Configuration changes

Our installation changes some existing configuration.

NFS setup

The following services are required to allow NFS to use Kerberos to identify users.