KerberizeServices

Summary

Software in Ubuntu that runs as a server should be audited for Kerberization.

Release Note

Common services have been enabled to be easily integrated in a kerberos infrastructure.

Rationale

Kerberos is used in major corporate infrastructure to handle authentication. Microsoft Active Directory (and Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008), Apple Mac OSX use Kerberos as their default authentication methods.

Enabling kerberos for common services would facilitate Ubuntu Server integration in existing infrastructure.

Use Cases

  • Miranda installs the mail server task and configures it to use the kerberos infrastructure to authenticate clients.
  • Neal deploys systems in the data center and can log into them via ssh using its kerberos ticket.
  • Olaf runs web applications related to the company intranet. He relies on Kerberos authentication to provide a single-sign-on environment to all employees.

Design

Default Kerberos implementation for client libraries

There are different implementations of Kerberos available in the repositories:

  • MIT:
    • Package in main.

    • The client library is libkrb53.
  • Heimdal:
    • Package in universe.

    • The client library package is libkrb5-22-heimdal.

The current preferred choice is MIT (ie is in main).

Should we switch to Heimdal instead for the client libraries ?

Keep MIT libraries:

  • Pros:
    • Most of the packages in Debian are compiled with MIT libraries.
    • The MIT library is installed by default (because most of the packages are compiled to use it).
  • Cons:

Move Heimdal libs:

  • Pros:
    • in-memory credentials cache, heimdal-kcm, which is useful so users don't have to manually "kinit" periodically from the command line: NEEDS TO BE CHECKED.

    • might also ease integration into an identity manager or gnome-keyring, or smartcard support: NEEDS TO BE CHECKED.

    • having all-heimdal libraries and purging libkrb53 would allow use of the KCM functionality: NEEDS TO BE CHECKED.

    • most of the packages can use Heimdal libs simply by recompiling: TO BE TESTED.

  • Cons:
    • increase deltas with Debian.
    • heimdal is linked against OpenSSL, which is GPL-incompatible.

The Debian guys have done a good job at allowing interoperability with the krb5-config package and both implementations using the same configs and can share ticket caches.

The runtime libraries for MIT Kerberos and Heimdal can be installed simultaneously and use symbol versioning, so it should be safe to mix the libraries on one system.

Authentication Libraries

SASL

There are multiple implementations of SASL libraries:

  • cyrus-sasl - in main.
    • libsasl2-modules-gssapi-mit - in universe.
    • libsasl2-modules-gssapi-heimdal - in universe.
  • dovecot - in main.

List of packages in main that depends on libsasl2-2:

Package Name

Cyrus SASL support

Dovecot SASL

cyrus-sasl2

exim4

Yes

Yes

kdepimlibs

Yes

libnss-ldap

Yes

libvirt

Yes

mutt

Yes

opal

Yes

openldap

Yes

php5

Yes

pidgin

Yes

postfix

Yes

Yes

ptlib

Yes

pwlib

Yes

python-ldap

Yes

subversion

Yes

PAM

  • libpam-krb5 (MIT Kerberos) - in main.
  • libpam-heimdal - in universe.

Services

in main

Packages

Currently supported via

Default Service principals name

openssh

GSSAPI

host/fqdn@REALM

openldap

SASL

ldap/fqdn@REALM

samba (as a cifs server)

cifs/fqdn@REALM host/fqdn@REALM

postfix

SASL

smtp/fqdn@REALM

exim4

SASL

dovecot

GSSAPI

imap/fqdn@REALM pop/fqdn@REALM

cupsys

GSSAPI

IPP/fqdn@REALM

postgresql

GSSAPI

postgres/fqdn@REALM

mysql

Not available

apache2

via mod-auth-krb5

HTTP/fqdn@REALM HTTP/short_fqdn@REALM

freeradius

freeradius-krb5 module

ipsec-tools (racoon)

GSSAPI

openvpn

pptpd

vsftpd

virt-manager/libvirt

Implementation

Kerberos client libraries

Keep libkrb53 in main.

SASL

Keep Cyrus-Sasl in main.

  • Move libsasl2-modules-gssapi-mit in main:
    • Write a MIR for it.

Services

setup-krb-service script

Provide a CLI to help in service principal creation so that admins don't have to figure out what are the default principal names. Each package that support kerberos will provide a list of service principal names that should be created.

   $ setup-krb-service package-name
  1. create the service principals (kadmin addprinc).
  2. copy them to the local machine (kadmin ktadd).
  3. configure the service to use kerberos:
    • check configuration (default configuration with krb enabled?)
    • make a test
  4. check if the PTR and A dns entries are set correctly.

Support the case where the user doesn't have necessary privileges.

Keytab files

As a policy services should look into /etc/krb5/keytab.d/package-name.keytab. Each file should be owned by root which has rw permissions, group owned by the group running the service with r permissions. No world permission. /etc/krb5.keytab is reserved for the host principal.

Examples:

/etc/krb5/keytab.d/dovecot.keytab
/etc/krb5/keytab.d/postfix.keytab
/etc/krb5/keytab.d/openldap.keytab

Rationale: By default most services uses the default /etc/krb5.keytab. Since keytab files contains sensitive information access should be tightly controlled. For example the dovecot process should not have access to the cups service credentials.

Pkg integration
  • support for setup-krb-service in each package:
    • provide a list of default principal names.
    • script to configure the service to use kerberos.
  • setup-krb-service during postinstall time: if the host is already kerberized, setup the service to run with kerberos enabled (ex: via debconf key?).

List of targeted packages/tasks
  • openssh task (openssh)
  • mail server task (postfix+dovecot)
  • print server task (cupsys)
  • samba (as a cifs server)
  • openldap

Document how to enable kerberos in the Ubuntu Server Guide

Migration

Look into pam-krb5-migrate and may be move it into main.

Test Plan

The testing plan covers testing each application in a kerberos environment:

  1. an AD environment.
  2. an MIT environment.

Outstanding Issues

BoF agenda and discussion


CategorySpec

NetworkAuthentication/KerberizeServices (last edited 2009-04-28 01:25:54 by mathiaz)