OpenBSD 4.4 comes with Heimdal installed. For this section, I used the docs for Heimdal version 1.2, augmented with the MIT Kerberos 5 docs and the info heimdal command within OpenBSD.
I'm setting up a small home server here, so no elaborate failover measures, and DHCP server == nameserver == NTP server == KDC == Kerberos server.
Procedure 55. Installing and configuring Kerberos/Heimdal on OpenBSD 4.4
Preliminaries
Before starting on Kerberos, make sure you have nameserving and NTP set up (see for that). It is a good idea to make the Kerberos server and clients use the same NTP server, or as I did here, have the Kerberos server be the NTP server.
Creating the database
The KDC - Key Distribution Center - is the service that issues tickets to principals asking for one, and thus is the heart of Kerberos.
We follow the Heimdal docs on creating a database and do the following:
Create a working directory for Kerberos (which will be shared between all KDC daemons). We use /var/heimdal because it is the compiled-in default of the binaries that come with OpenBSD:
sudo mkdir /var/heimdal
sudo chmod go-rwx /var/heimdal/
sudo ls -ld /var/heimdal/
drwx------ 2 root wheel 512 May 25 11:17 /var/heimdal/
We create a master key for the Kerberos database, so that an intruder who steals the database file(s) will also have to steal the key before they can read all the tickets. The usual way to steal the database is to gain read access to the disk on which both the database and the key are stored, so the point of this exercise eludes me a bit, but we go with the flow of the manual here. Generate the key:
$ sudo kstash --random-key
kstash: writing key to `/var/heimdal/m-key'
We initialize the realm using kadmin, with the -l option to make it operate directly on the local database (no kadmind daemon is needed for this):
$ sudo kadmin -l
Password:
kadmin> init INTRANET
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin>
Add a principal:
kadmin> add tuya
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
tuya@INTRANET's Password:
Verifying - tuya@INTRANET's Password:
kadmin>exit
By now, in /var/heimdal, there should exist three files: m-key, the stored encryption key for the database; log; and heimdal-db, the database itself.
If we start the KDC daemon, we should be able to fetch a ticket:
/usr/libexec/kdc &
kinit tuya
tuya@INTRANET's Password:
$
Running the daemons
With the Kerberos database prepared and the KDC daemon runnable, we set up the system in such a way that it will run the daemons by default.
In /etc/rc.conf.local, we add a stanza ...
#KerberosV/Heimdal
krb5_master_kdc=YES
... which causes /etc/rc to start /usr/libexec/{kdc,kadmind,kpasswdd} with no parameters.
Then we reboot:
sudo reboot
Note: Before rebooting, you might want to run these programs by hand to see if they generate any output. They log to files in
After rebooting, ps axu should show the kdc, kadmind and kpasswdd running.
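As an added check of my own (not from the Heimdal docs or the procedure above), here is a small sh script that verifies the state the previous steps should have produced: the /var/heimdal directory and m-key permissions, the three database files, the krb5_master_kdc setting in /etc/rc.conf.local, and the three daemons in ps axu output. The paths are the ones used on this page; each function takes its location or input as an argument so it can be run against other hosts or test data.

```shell
#!/bin/sh
# Added example: sanity checks for the Heimdal KDC setup on this page.
# Defaults are the paths used above; arguments override them for testing.

# /var/heimdal must be mode 0700 and hold m-key, log and heimdal-db,
# and the master key itself must not be group- or world-readable.
check_heimdal_dir() {
    dir=${1:-/var/heimdal}
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    # first 10 characters of ls -ld are the same on OpenBSD and Linux
    perm=$(ls -ld "$dir" | cut -c1-10)
    [ "$perm" = "drwx------" ] || { echo "$dir is $perm, want drwx------"; return 1; }
    for f in m-key log heimdal-db; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    kperm=$(ls -l "$dir/m-key" | cut -c1-10)
    case $kperm in
        -rw-------|-r--------) ;;
        *) echo "$dir/m-key is $kperm, must be owner-only"; return 1 ;;
    esac
    return 0
}

# rc.conf.local must enable the master KDC on a line of its own
# (a setting sharing a line with the #KerberosV/Heimdal comment is ignored).
check_rc_conf() {
    grep -q '^krb5_master_kdc=YES' "${1:-/etc/rc.conf.local}"
}

# Reads 'ps axu' output on stdin; all three daemons must be present.
check_daemons() {
    ps_out=$(cat)
    rc=0
    for d in /usr/libexec/kdc /usr/libexec/kadmind /usr/libexec/kpasswdd; do
        printf '%s\n' "$ps_out" | grep -qF "$d" || { echo "$d not running"; rc=1; }
    done
    return $rc
}

# Usage on the KDC itself (all three must print nothing and exit 0):
#   check_heimdal_dir && check_rc_conf && ps axu | check_daemons
```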
Opening up the firewall
The pf firewall on the KDC needs a line:
pass in log on $intranet_if proto {tcp, udp} from $intranet to $intranet_if:0 port { kerberos }