The well-known passwords have not changed. This announcement is just
saying the new way of doing things is now possible.

How to use kerberos
-------------------
Step zero is to get yourself entered into the kerberos database. Most
likely you already are in it. Telnet to june and the login process will
silently add your password to the kerberos database. Lab has been
collecting telnet passwords off of june for at least 6 months now.

The common kerberos utilities are in /usr/local/bin.

Use kinit to authenticate and acquire a kerberos ticket. Tickets expire
after 10 hours on all dept hosts. Use klist and kdestroy to see and
delete tickets.

***Please do not give your password to kinit over insecure links.***
Run kinit on either your local host or over an ssh connection only.
Do not run kinit over a telnet, rsh, or rlogin connection.
(I don't know what the story is for ftp passwords)
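
A wrapper that enforces the rule above before kinit prompts for a password, as an added example that is not part of the original announcement. It assumes OpenSSH's SSH_CONNECTION variable and a `who -m` line that ends in "(origin)" for remote logins; classify_session and safe_kinit are hypothetical names.

```shell
#!/bin/sh
# Added example: refuse to run kinit when the login session looks like a
# cleartext remote login (telnet, rsh, rlogin).

# classify_session WHO_LINE SSH_CONNECTION
#   WHO_LINE        one line of `who -m` output for the current terminal
#   SSH_CONNECTION  value sshd exports for ssh sessions (empty otherwise)
# Prints one of: local | ssh | cleartext
classify_session() {
    who_line=$1
    ssh_conn=$2
    # sshd sets SSH_CONNECTION, so the password typed into kinit is
    # encrypted on its way to this host.
    if [ -n "$ssh_conn" ]; then
        echo ssh
        return 0
    fi
    # who(1) appends "(origin)" for remote or X logins; extract it if present.
    origin=$(printf '%s\n' "$who_line" | sed -n 's/.*(\(.*\))[[:space:]]*$/\1/p')
    case $origin in
        ''|:*) echo local ;;      # console, or an X display such as ":0"
        *)     echo cleartext ;;  # remote origin but no ssh: telnet/rsh/rlogin
    esac
}

# safe_kinit [kinit args...]: run kinit only on a local or ssh session.
safe_kinit() {
    kind=$(classify_session "$(who -m 2>/dev/null)" "${SSH_CONNECTION:-}")
    if [ "$kind" = cleartext ]; then
        echo "safe_kinit: remote session without ssh; not prompting for a password" >&2
        return 1
    fi
    kinit "$@"
}
```

The check is a heuristic; sessions where su or a terminal multiplexer drops SSH_CONNECTION can be misclassified.
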
Once you have a ticket, become root with ksu:

    $ ksu
    Authenticated becker@CS.WASHINGTON.EDU
    ksu[4510]: 'ksu root' authenticated becker@CS.WASHINGTON.EDU for becker on /dev/ttyp2
    Account root: authorization for becker@CS.WASHINGTON.EDU successful
    ksu[4510]: Account root: authorization for becker@CS.WASHINGTON.EDU successful
    Changing uid to root (0)
    #

The root k5login file is readable only by root. If you need root access
and cannot ksu, ask me to add you to k5login.

To get an AFS token:

    $ krb524init
    $ aklog

The krb524init program creates a krb4 ticket from your krb5 ticket. AFS
security is all based on krb4 so it needs the version 4 type of ticket.
You can still use klog to get an AFS token.

The full kerberos distribution is off in /usr/local/.contrib/krb5/bin across
all the dept unix hosts. This is because kerberos has replacements for
several utilities of the same name (like telnet).
The man pages are in /usr/local/.contrib/krb5/man.

The Plan
--------
Part 1 - set up krb5 to make it possible to kinit and use ksu and aklog
Part 2 - replace rconsole with krconsole
Part 3 - do login authentication via kerberos. This will allow users to
have a single password across the entire department.
Part 4 - remove the well-known passwords and the local user password entries.
All passwords will be in the krb database.

Lab is working towards the same goal. I hope to have Sanislo's krconsole
in service this week. The remaining steps could happen this fall.