Gentoo Kerberos5 HOWTO

Date: 07 October 2005

Install Kerberos 5

Add kerberos to the USE flag in /etc/make.conf.

USE="kerberos"

Then install everything:

emerge -N world

– Or –

emerge mit-krb5

This will install the MIT kerberos 5 library which may be restricted under US export restrictions. The Heimdal krb5 implementation is free from those restrictions. You can install Heimdal by doing:

emerge app-crypt/heimdal

Because the kerberos install will change libgssapi, you will need to run revdep-rebuild to fix any apps that you build prior to install krb5. Note: If you install heimdal, you may need to rebuild OpenSSH to enable krb5 support.

Configure Kerberos

Updated 2010-09-26: I just realized that I never put in the example configs. Oops. Sorry about that.

Edit /etc/krb5.conf

sample krb5.conf here

Edit /etc/kdc.conf

sample kdc.conf here

Initialize the Database

mkdir /etc/krb5kdc
kdb5_util create -r REALM -s

You will be prompted for the Master Password. This will be stored as the principle K/M@REALM.

Add Administrators

Now we need to add admin users to /etc/krb5kdc/kadm5.acl.

sample kadm5.acl here

bash# kadmin.local
kadmin.local: addprinc admin/admin@REALM

Skip keytab

Starting the Servers

/etc/init.d/mit-krb5kadmind start
/etc/init.d/mit-krb5kdc start

It can sometimes take a while to start kadmind. Be patient.

Setup PAM

PAM is used by many services to authenticate. It would be very convenient if it talked to the KDC too. So, let’s enable Kerberos in PAM. Note: According to the pam_krb5 docs, it only works with MIT Kerberos 5.

emerge pam_krb5

Now edit /etc/pam.d/system-auth

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so try_first_pass
auth       required     pam_deny.so

account    required     pam_krb5.so
account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_krb5.so use_authtok
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_krb5.so
session    required     pam_unix.so