Kerberos @ IBR

Parts of the authentication and authorization infrastructure are based on MIT Kerberos. Some services support already Kerberos based SSO. Other services will be upgraded to support Kerberos for more comfortable authentication and more secure data and credentials protection.

Obtaining Tickets

Most Linux Servers obtain a TGT when a user logs in on the console or via SSH (but only if no other implicit authentication like pubkey is used, so that the user is asked for a password).

You can explicitly request a ticket using kinit username@IBR.CS.TU-BS.DE. If you want to make the IBR realm your default, you might want to put this in your /etc/krb5.conf file:

[libdefaults]
        default_realm = IBR.CS.TU-BS.DE
        dns_lookup_kdc = true
        renewable = true
        forwardable = true
        proxiable = true
        ticket_lifetime = 7d
        renew_lifetime = 30d
      

Services

The following services already support Kerberos/GSSAPI authentication:

• SMTP on mail.ibr.cs.tu-bs.de (Postfix MTA)
• IMAP on mail.ibr.cs.tu-bs.de (Cyrus IMAP Server)
• SIEVE on mail.ibr.cs.tu-bs.de (Cyrus Sieve Server)
• LDAP on ldap.ibr.cs.tu-bs.de (OpenLDAP Server)
• HTTPS on trac.ibr.cs.tu-bs.de (Trac)
• HTTPS on git.ibr.cs.tu-bs.de (GITweb)
• HTTPS on svn.ibr.cs.tu-bs.de (Subversion)
• HTTPS on nagios.ibr.cs.tu-bs.de (Icinga)
• HTTPS on cal.ibr.cs.tu-bs.de (CalDAV & CardDAV)
• SSH on almost all Linux hosts
• NFS (testing phase on bierator.ibr.cs.tu-bs.de)
• IPP?

Among other services, the IBR web server www.ibr.cs.tu-bs.de does NOT YET support Kerberos authentication.

Potential problems: NFS with crontabs or "offline" jobs

One major change will affect NFSv4 with Kerberos authentication, which is used on most IBR Linux workstions (but not on most Linux servers): Since Kerberos is based on "tickets" with a limited lifetime, Kerberos based services will stop working when a ticket times out before being renewed or before the session ends normally or when a ticket is removed while the Kerberos-based service keeps being used. Since the default ticket lifetime at IBR is currently 7 days, a ticket lifetime expiration will hardly cause any trouble. But you should take special care in case of cronjobs, simulations, and other "offline" jobs.

Cronjobs should be managed on the host cron.ibr.cs.tu-bs.de, which does not use Kerberos for NFS. Simulations and other "offline" jobs could be run on IBR servers, which also do not use Kerberos-based NFS authentication. You can check, which NFS version and authentication is used for home directories: mount | grep home. If the options contain "vers=3" you should not expect any problems. If the options contain "sec=krb5*" you should take care:

If you need to run jobs on workstations or other hosts that use Kerberos-based NFS authentication, then you could request an explicit credentials cache, which will not be removed upon logout:

kinit -F -c /tmp/krb5cc_`id -u`_specialuse

You can look at this ticket's lifetime with:

klist -c /tmp/krb5cc_`id -u`_specialuse

And you can renew the ticket regularly for 7 days during an overall period of up to 30 days with:

kinit -R -c /tmp/krb5cc_`id -u`_specialuse