KerberizingUbuntu
Status
- Created: July 11, 2005 by AndrewJForgue
Priority: NeedsPriority
People: NeedsLead, NeedsSecond
- Contributors: AndrewJForgue
Interested: AndrewJForgue, JorgeOCastro, ManuelZach2
Status: BrainDump, BreezyGoal, UduBof, DistroSpecification, NewSpec
- Branch: n/a
- Packages: ssh, mozilla, mozilla-firefox, slapd
- Depends:
- Dependents:
Introduction
- Kerberos is an authentication method for large networks. It is designed to be used over a network that is assumed to be insecure (which should be the assumption on any network today). It allows passwordless authentication to services against a central authentication source; this is sometimes called single sign-on. It is not trivial to configure initially, but it is very powerful.
Rationale
- Ubuntu's goal of becoming an "enterprise" operating system requires a scalable method of authentication. Most networked applications support Kerberos through GSSAPI and/or SASL, but it is rare to find it enabled in the packages that are in Ubuntu today. Ubuntu needs to support this in all available applications. We'd like this to be a supported by-default configuration in Ubuntu so that we can further enterprise adoption. It also supports the "holy grail" of single sign-on and is a foundation
Implementation Plan
- This will add an additional dependency on libkrb53 in the base system, which in turn depends on krb5-config, which requires the user to enter a realm, a KDC and a kadmin server. I do not know the best way to handle this. There are two different implementations of Kerberos: MIT and Heimdal. We'd have to choose one to be installed by default. The Debian maintainers have done a good job of allowing interoperability, with both implementations sharing the same configuration via the krb5-config package. In choosing, it should be noted that Heimdal has an in-memory credentials cache, heimdal-kcm, which is useful because users don't have to run "kinit" manually from the command line every so often. It might also ease integration with an identity manager or gnome-keyring, or smartcard support. Shipping only Heimdal libraries and purging libkrb53 would allow use of the KCM functionality; at present, with clients using a mix of Heimdal and MIT libraries, KCM is broken. Big MIT users are Evolution, ssh and samba, for starters. Some can use the Heimdal libraries simply by recompiling.
Packages Affected
- Here is a partial list of affected packages:
- SSH -- SSH supports Kerberos GSSAPI logins. Users can log in to ssh using their Kerberos TGT and not be prompted for a password.
  - Package needs to be compiled with "--with-kerberos5" - already done?
  - Add dependency on libkrb5-dev and libkrb53
  - Also builds against heimdal-dev / dependency on libkrb5-17-heimdal
- sudo -- sudo supports verifying users against a KDC. This could be left out in favor of libpam-krb5.
  - Package needs to be compiled with "--with-kerb5"
  - Add dependency on libkrb5-dev and libkrb53
- slapd -- OpenLDAP supports Kerberos through GSSAPI with SASL mappings, which allows binding to the LDAP directory with the Kerberos TGT.
  - None needed, uses SASL authentication with SASL mapping.
- Mozilla/Firefox -- Supports authenticating to Kerberos-aware servers and authenticating to a webserver in the realm with the user's credentials.
- libpam-krb5 -- Provides a "door" to a Kerberos realm. This should be installed (by default?) if one wishes to acquire a TGT.
- libsasl2 -- See below
- libsasl2-gssapi-mit -- Should be installed by default with libsasl2 (if MIT is planned)
- libsasl2-gssapi-heimdal -- Should be installed by default with libsasl2 (if Heimdal is planned)
- jabberd2 -- a patch reinstating cyrus-sasl, and thereby Kerberos, has recently been merged into the upstream repository
- gaim -- there is a patch to add real SASL, and thereby Kerberos, support
- libneon25 libneon26 -- HTTP/WebDAV client library used by Subversion clients
- libcurl3 -- HTTP client library
- samba
- Evolution
- libpq5 -- PostgreSQL client library
- racoon -- Kerberos 5 bindings exist for IPsec
- libgnomevfs2-extra
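The configuration the spec keeps referring to, collected in one place as an added illustration (not taken from any Ubuntu or Debian package): the realm, KDC and kadmin server that krb5-config prompts for, the server and client side of an SSH GSSAPI login, and the slapd SASL mapping that lets a Kerberos principal bind to the directory. The realm EXAMPLE.COM, the host names and the ou=people base are placeholders.

```ini
# /etc/krb5.conf -- the three answers krb5-config asks for
[libdefaults]
    default_realm = EXAMPLE.COM
    # Name the KDC explicitly rather than trusting DNS SRV records
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/ssh/sshd_config -- accept the TGT instead of a password
# The host needs its host/<fqdn>@EXAMPLE.COM key in /etc/krb5.keytab
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# /etc/ssh/ssh_config -- client side; forward the TGT only where it is needed
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# /etc/ldap/slapd.conf -- map the GSSAPI identity onto a directory entry.
# A user who authenticated as alice@EXAMPLE.COM arrives as the SASL DN
# uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth and is rewritten to her entry.
sasl-realm EXAMPLE.COM
sasl-host ldap.example.com
authz-regexp
    uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com
```

With these in place `ssh -K` (or `GSSAPIAuthentication yes`) and `ldapsearch -Y GSSAPI` both succeed against a cache populated by kinit or heimdal-kcm, while a missing keytab or a mapping mismatch shows up as an ordinary password prompt or an anonymous bind rather than a silent success.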
Authentication Libraries
- Authentication Libraries such as PAM and SASL theoretically just need their respective modules installed and enabled:
- libsasl2-gssapi-mit
- libsasl2-modules-gssapi-heimdal
- libpam-krb5 (MIT Kerberos)
- libpam-heimdal (Heimdal Kerberos)
Shortcomings
Kerberos doesn't address the need for authorization, nor the need for a place from which to retrieve user information via NSS. KerberizingUbuntu should be combined with any LDAP initiative that's also in progress.