Notes on integrating Windows 2000, RedHat Linux, and HP-UX.


These are a few notes on integrating Windows 2000, RedHat Linux, and HP-UX. They provide a rough guide on how one might get a UNIX system to authenticate its users against a Windows 2000 box. Basically this is done by setting up your UNIX systems as Kerberos 5 clients and having the Windows 2000 box (the Active Directory domain controller) act as the KDC (Key Distribution Center). The "automatic" authentication is done with the PAM module pam_krb5, which authenticates everything that goes through the PAM stack using Kerberos.

First step: dealing with Windows 2000

The first step is to set up Windows 2000. Each UNIX machine that is going to authenticate using Kerberos 5 must have a user account on the Windows machine. Simply add a user and make sure its first name and login name are the host name of that UNIX machine. Make sure the correct domain is selected in the field next to the login name. For example, the UNIX machine "withersa" would get a first name of 'withersa', a login name of 'withersa@gunet.gonzaga.edu', and 'mypass' as a password. Now that the account has been created, the next step is to generate the keytab file. You must first make sure that the Kerberos configuration utilities are installed. They are in the package found on the Windows 2000 distribution media under the support/tools directory. To install the package simply run 'setup.exe'. This package gives you one utility in particular: ktpass, which generates the keytab file for the account (withersa.keytab in this example). Simply open a command shell and change to the root directory.

Second step: dealing with UNIX

Believe it or not, setup is complete on the Windows 2000 machine. The next step is to set up the UNIX machine. The following is not platform specific, since the configuration file for a UNIX Kerberos client is the same on all platforms.

Under the RedHat Linux platform it is recommended that you install using the 'Custom' option. The custom option allows you to specifically select which packages you want installed on your machine. For a RedHat Linux machine you will need the pam_krb5 package and the krb5 workstation package. To check that you have the packages installed, log in as root and issue the command "rpm -qa | grep krb"; you should then see output similar to this:
pam_krb5-1.31-1
krb5-libs-1.2.2-4
krb5-workstation-1.2.2-4


The above three packages come with RedHat 7.1 and they are all that are necessary for the Kerberos client to run properly. On an HP-UX 11.0 machine Kerberos 5 and pam_krb5 should already be installed, but on CD 5 of the December 2000 application software release there is an upgrade of the Kerberos 5 software. This package needs to be installed for things to work properly. Now that the RedHat and HP-UX systems have the software properly installed it is time to configure Kerberos 5. There are two main files one needs to be concerned about on a Kerberos 5 client: /etc/krb5.conf and /etc/krb5.keytab. Here is a sample /etc/krb5.conf configuration:
[libdefaults]
    default_realm = GUNET.GONZAGA.EDU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    GUNET.GONZAGA.EDU = {
        kdc = dc1-gunet.gunet.gonzaga.edu:88
        kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
    }

[domain_realm]
    .gonzaga.edu = GUNET.GONZAGA.EDU


This is all you need on both the RedHat and HP-UX systems. The [libdefaults] section gives the realm in default_realm = GUNET.GONZAGA.EDU. Then under the [realms] section we define the GUNET.GONZAGA.EDU realm. We give the KDC (Key Distribution Center) with kdc = dc1-gunet.gunet.gonzaga.edu. Note that dc1-gunet.gunet.gonzaga.edu is the Active Directory server which controls the GUNET.GONZAGA.EDU domain. In order to get Kerberos password changing to work (meaning one can change his/her Windows 2000 password under UNIX) the kpasswd_server entry must point to the Active Directory server. This can be a different host under more complicated setups. Also note the specified port numbers for both entries: 88 for the KDC and 464 for the password-change service. The two enctype entries restrict tickets to des-cbc-md5, the only encryption type that Windows 2000 and the MIT client libraries used here have in common; single DES is weak by today's standards and should be dropped as soon as every KDC and client supports something stronger. The next section, [domain_realm], is used for translation. It contains relations which map subdomains and domain names to Kerberos realm names. For example, the host withersa.gonzaga.edu does not carry the subdomain gunet.gonzaga.edu (which happens to be our realm), so we need to provide a mapping of .gonzaga.edu = GUNET.GONZAGA.EDU. Note that this section is VERY IMPORTANT: if it is not provided the client can fail to connect to the KDC.
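To make the [domain_realm] lookup concrete, here is an added Python example (not code from the article) that parses the krb5.conf above and resolves a host name to its realm the way the MIT client library does: an exact host entry first, then each parent domain with a leading dot, most specific first, and default_realm only as a fallback. It also flags the things one checks on a fresh client: a realm with no [realms] entry, a missing kpasswd_server, a host that only reaches its realm through default_realm, and an enctype list restricted to single DES. The host names fed to the checks are assumed for illustration.

```python
"""Resolve a host name to a Kerberos realm with the [domain_realm] rules
and sanity-check a client krb5.conf. Added example, not from the article;
SAMPLE_KRB5_CONF reproduces the article's configuration."""
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = GUNET.GONZAGA.EDU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    GUNET.GONZAGA.EDU = {
        kdc = dc1-gunet.gunet.gonzaga.edu:88
        kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
    }

[domain_realm]
    .gonzaga.edu = GUNET.GONZAGA.EDU
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile syntax into nested dicts: [section]
    headers, 'key = value' lines and 'KEY = { ... }' subsections."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry before any [section]: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(conf, hostname):
    """Return (realm, how). Lookup order is the MIT one: the full host
    name, then each parent domain with a leading dot (longest first),
    and finally default_realm from [libdefaults]."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "domain entry " + suffix
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        raise LookupError("no [domain_realm] match for %s and no default_realm" % hostname)
    return default, "default_realm"


def check_client_conf(conf, hostname):
    """Return (realm, problems) for the client named hostname (assumed name)."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm, how = realm_for_host(conf, hostname)
    if how == "default_realm":
        problems.append("%s has no [domain_realm] mapping; relying on default_realm" % hostname)
    realm_def = conf.get("realms", {}).get(realm)
    if not isinstance(realm_def, dict):
        problems.append("realm %s is not defined in [realms]" % realm)
    else:
        if "kdc" not in realm_def and libdefaults.get("dns_lookup_kdc", "false").lower() != "true":
            problems.append("no kdc for %s and dns_lookup_kdc is off" % realm)
        if "kpasswd_server" not in realm_def:
            problems.append("no kpasswd_server for %s; kpasswd will not work" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = libdefaults.get(key, "").lower().split()
        if enctypes and all(e.startswith("des-") for e in enctypes):
            problems.append("%s allows only single DES (weak; kept for Windows 2000)" % key)
    return realm, problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("withersa.gonzaga.edu", "dc1-gunet.gunet.gonzaga.edu", "box.example.com"):
        print(host, "->", realm_for_host(conf, host))
    print(check_client_conf(conf, "withersa.gonzaga.edu"))
```

Dropping the .gonzaga.edu line from the sample and re-running the check shows the host falling through to default_realm, which is the situation the paragraph above warns about; with dns_lookup_realm the library would then try DNS TXT records, which is one more thing that can silently fail.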

Once the /etc/krb5.conf file is complete, the next step is to import the keytab file that was generated on the Windows 2000 server. Simply transport the keytab file (withersa.keytab, for the example host above) to the UNIX host. It contains the host's secret key, so move it over a protected channel and keep /etc/krb5.keytab readable by root only. Now run the command "ktutil" and you will get a prompt:
ktutil:   rkt withersa.keytab
ktutil:   wkt /etc/krb5.keytab
ktutil:   q


The first command, "rkt", reads the file in. If it comes up with an error you might have to provide a full path to the file. The next command, "wkt", merges the imported key into the /etc/krb5.keytab file. And finally "q" quits the program. With the host key in place, pam_krb5 can verify the tickets it obtains against that key, which is what stops a rogue KDC from faking a successful login. Now that this has been done one should be able to authenticate to the Windows 2000 machine. This is done with the utility "kinit", which fetches a ticket from the Windows 2000 server. Here are some useful Kerberos utilities:

kinit--obtain and cache a Kerberos ticket-granting ticket.

klist--list cached Kerberos tickets.

kdestroy--destroy Kerberos tickets.

kpasswd--change a user's Kerberos password.

Third step: using PAM to bring your cooking together

The next step is to get all applications that request authentication to use Kerberos 5. The easy answer to this is PAM, which is where the pam_krb5 module comes into play. Once the setup has been completed as above, the setup for PAM is quite simple. On RedHat 7.x systems the PAM configuration files are kept in /etc/pam.d. In this directory one will notice the myriad of configuration files corresponding to different applications such as imap, login, su, sshd, etc. However, each of these depends upon a master file called "system-auth" and it is this file that needs to be changed:
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   sufficient   /lib/security/pam_krb5.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so


Notice that there are four sections to this file. For authentication we need to be concerned with the "auth" section only. PAM acts like a stack, so the modules are run from top to bottom with the conditions in the second field. The first module simply sets up the environment. The second module, pam_krb5, is set to sufficient, which means that if the user authenticates with his/her username and password against the KDC then the stack returns success and the user is able to log in; nothing below it is consulted. If pam_krb5 fails, the failure of a sufficient module is not fatal, and the third module, pam_unix, is tried next. It is also sufficient, and use_first_pass makes it reuse the password already given to pam_krb5 rather than prompting again; it allows the login if that username and password match the /etc/passwd (shadow) scheme. Only if both fail does the stack reach pam_deny, which is required and always fails, so the login is refused. As an example: if jsmith telnets in and enters a username and password that exist on the Kerberos server, then he/she will be able to log in. If root telnets in but there is no "root" account on the Kerberos server, then pam_unix will take the username and password that were given to pam_krb5, check whether they are valid locally, and allow the login if they are. Two consequences are worth keeping in mind: a user's old local password stays a valid credential until it is removed from /etc/shadow, and the nullok option (carried over from the RedHat default) lets an account whose local password field is empty log in without one.

The HP-UX 11.x PAM configuration file is found in /etc/pam.conf. The format is very similar to the RedHat file and the concept is still the same:
#
# PAM configuration
#
# Authentication management
#
login      auth sufficient    /usr/lib/security/libpam_krb5.1
login      auth required      /usr/lib/security/libpam_unix.1 try_first_pass
su         auth sufficient    /usr/lib/security/libpam_krb5.1
su         auth required      /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin    auth sufficient    /usr/lib/security/libpam_krb5.1
dtlogin    auth required      /usr/lib/security/libpam_unix.1 try_first_pass
dtaction   auth sufficient    /usr/lib/security/libpam_krb5.1
dtaction   auth required      /usr/lib/security/libpam_unix.1 try_first_pass
ftp        auth sufficient    /usr/lib/security/libpam_krb5.1
ftp        auth required      /usr/lib/security/libpam_unix.1
OTHER      auth sufficient    /usr/lib/security/libpam_krb5.1
OTHER      auth required      /usr/lib/security/libpam_unix.1 try_first_pass
# OTHER    auth required      /usr/lib/security/libpam_unix.1
#
# Account management
#
login      account required   /usr/lib/security/libpam_krb5.1
login      account required   /usr/lib/security/libpam_unix.1
su         account required   /usr/lib/security/libpam_krb5.1
su         account required   /usr/lib/security/libpam_unix.1
dtlogin    account required   /usr/lib/security/libpam_krb5.1
dtlogin    account required   /usr/lib/security/libpam_unix.1
dtaction   account required   /usr/lib/security/libpam_krb5.1
dtaction   account required   /usr/lib/security/libpam_unix.1
ftp        account required   /usr/lib/security/libpam_krb5.1
ftp        account required   /usr/lib/security/libpam_unix.1
OTHER      account required   /usr/lib/security/libpam_unix.1
#
# Session management
#
login      session required   /usr/lib/security/libpam_krb5.1
login      session required   /usr/lib/security/libpam_unix.1
dtlogin    session required   /usr/lib/security/libpam_krb5.1
dtlogin    session required   /usr/lib/security/libpam_unix.1
dtaction   session required   /usr/lib/security/libpam_krb5.1
dtaction   session required   /usr/lib/security/libpam_unix.1
OTHER      session required   /usr/lib/security/libpam_unix.1
#
# Password management
#
login      password required  /usr/lib/security/libpam_krb5.1
login      password required  /usr/lib/security/libpam_unix.1
passwd     password required  /usr/lib/security/libpam_krb5.1
passwd     password required  /usr/lib/security/libpam_unix.1
dtlogin    password required  /usr/lib/security/libpam_krb5.1
dtlogin    password required  /usr/lib/security/libpam_unix.1
dtaction   password required  /usr/lib/security/libpam_krb5.1
dtaction   password required  /usr/lib/security/libpam_unix.1
OTHER      password required  /usr/lib/security/libpam_unix.1
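As an added example that is not part of the article, the following Python script parses both the RedHat system-auth stack and the login lines of the HP-UX pam.conf shown above and walks them with PAM's control-flag semantics (required, requisite, sufficient, optional), using constructed Kerberos and local password tables in place of a KDC and /etc/shadow. The password is handed unchanged to every module, which is what use_first_pass / try_first_pass achieve on a real stack.

```python
"""Walk a PAM auth stack with the required/requisite/sufficient/optional
control semantics so the fallback behaviour of the two configurations
in the article can be exercised without a real KDC. Added example, not
from the article; the user databases below are constructed test data."""

# The auth section of the RedHat system-auth file from the article.
REDHAT_SYSTEM_AUTH = """
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       required     /lib/security/pam_deny.so
"""

# The login lines of the HP-UX /etc/pam.conf from the article.
HPUX_PAM_CONF = """
login      auth sufficient    /usr/lib/security/libpam_krb5.1
login      auth required      /usr/lib/security/libpam_unix.1 try_first_pass
"""

# Constructed accounts: the Windows 2000 KDC knows only jsmith; the
# local /etc/passwd knows root and an older password for jsmith.
KERBEROS_USERS = {"jsmith": "kerb-pass"}
LOCAL_USERS = {"root": "local-root-pass", "jsmith": "old-local-pass"}

BACKENDS = {
    "pam_krb5": lambda user, password: KERBEROS_USERS.get(user) == password,
    "pam_unix": lambda user, password: LOCAL_USERS.get(user) == password,
}


def module_name(path):
    """'/lib/security/pam_krb5.so' and '/usr/lib/security/libpam_krb5.1'
    both become 'pam_krb5'."""
    name = path.rsplit("/", 1)[-1].split(".", 1)[0]
    return name[3:] if name.startswith("lib") else name


def parse_stack(text, service=None, facility="auth"):
    """Return [(control, module, args)] for one facility. With service
    None the text is pam.d per-service format (type control module args);
    with a service name it is the pam.conf format used by HP-UX
    (service type control module args)."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if service is not None:
            if fields[0] != service:
                continue
            fields = fields[1:]
        if fields[0] != facility:
            continue
        stack.append((fields[1], module_name(fields[2]), fields[3:]))
    return stack


def run_stack(stack, backends, user, password):
    """Evaluate the stack top to bottom with Linux-PAM control flags.
    Modules missing from backends (pam_env) succeed; pam_deny fails.
    The same password reaches every module, as use_first_pass would do."""
    failed = False
    for control, module, _args in stack:
        if module == "pam_deny":
            ok = False
        else:
            check = backends.get(module)
            ok = True if check is None else check(user, password)
        if control == "sufficient":
            if ok and not failed:
                return True          # short-circuit: nothing below runs
        elif control == "requisite":
            if not ok:
                return False         # fail immediately
        elif control == "required":
            if not ok:
                failed = True        # remember, but keep walking
        # optional: never changes the outcome of a multi-module stack
    return not failed


def login(stack, user, password):
    """Outcome of an auth attempt against the constructed backends."""
    return run_stack(stack, BACKENDS, user, password)


if __name__ == "__main__":
    rh = parse_stack(REDHAT_SYSTEM_AUTH)
    hp = parse_stack(HPUX_PAM_CONF, service="login")
    for name, stack in (("redhat", rh), ("hp-ux", hp)):
        for user, password in (("jsmith", "kerb-pass"), ("jsmith", "old-local-pass"),
                               ("root", "local-root-pass"), ("root", "wrong")):
            print(name, user, password, "->", login(stack, user, password))
```

Running it shows the outcomes the text describes and two it only implies: jsmith's old local password still logs him in because pam_unix is sufficient as well, and changing pam_unix to optional denies root, because pam_deny is then reached. The same evaluator handles the HP-UX stack, where pam_unix is required and last, so it is the control word rather than the module order that decides the fallback.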


Some things to watch for

It is essential that the time on the Windows server and the time on the UNIX machines (the Kerberos clients) match; Kerberos tolerates a clock skew of only five minutes by default, and beyond that authentication does not work. Synchronise all of them against the same time source.

The root user cannot change the password of Kerberos users using 'kpasswd'; root is also prompted for the previous password of the user. So instead you must change the user's password on the Windows server.

What is Kerberos?

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords off of the network are in common use by malicious hackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be "honest" about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server. Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network, and powered off.) In many places, these restrictions are simply unrealistic and unacceptable.

Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Kerberos is freely available from MIT, under copyright permissions very similar to those used for the BSD operating system and the X Window System. MIT provides Kerberos in source form so that anyone who wishes to use it may look over the code for themselves and assure themselves that the code is trustworthy. In addition, for those who prefer to rely on a professionally supported product, Kerberos is available as a product from many different vendors.

In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise.

Kerberos Update

11 Jun 2004--krb5-1.3.4 is released. The krb5-1.3.4 source release is now available.

01 Jun 2004--MITKRB5-SA-2004-001

26 May 2004--Kerberos for Windows 2.6.3 is released
COPYRIGHT 2004 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication: Database and Network Journal
Date: Aug 1, 2004
Words: 2240