Summary: Learn how to use Kerberos authentication tickets with the day-to-day network services on IBM® AIX® V6, and how Kerberos can remove the password hassle from network service logons. This is another step towards single sign-on (SSO) on a network of AIX systems.
The network applications in AIX (for instance telnet, FTP, and the r-commands rlogin, rsh, rcp, and so on) inherently support Kerberos authentication. All the administrator needs to do is install and configure Kerberos, then configure the AIX system (and in turn its applications) to use that Kerberos setup for authentication. Kerberos authentication means that once you hold a valid Kerberos ticket (obtained by a manual /usr/krb5/bin/kinit or by integrated login), the network applications use this ticket as your authentication token; once it is verified, you are given access without being asked for your password.

In order to enable Kerberos authentication, some common basic configuration is required on the Kerberos side as well as on the AIX systems. Let's glance through it.
- Make one server machine the Kerberos master KDC (Key Distribution Center). This machine is responsible for all Kerberos-related tasks such as issuing tickets, authenticating users, and so on. Here the administrator needs to install and configure IBM Network Authentication Service (NAS), preferably version 1.4.0.7 or later, as a master KDC.
- On all the other machines in your network from which you are going to use telnet, FTP, or the r-commands to log in, install and configure IBM NAS as a client of the master KDC.
- On the machines where the telnet and FTP daemons run, the ones you will be connecting to from the clients, install and configure IBM NAS as a client of the master KDC too.
For complete instructions on the IBM NAS server and client installation and configuration, please refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.
For the examples in this article, I refer to an example Kerberos environment. Figure 1 shows that environment and the logical flow of information.
Figure 1: An example showing Kerberized telnet in action
The following definitions are used throughout the article:
Kerberos Administrator Name: admin/admin
Kerberos Realm Name: ISL.IN.IBM.COM
IBM NAS 1.4.0.7 Master KDC: hostname land.in.ibm.com, port 88, OS AIX 5.3
IBM NAS 1.4.0.7 Administration Server: hostname land.in.ibm.com, port 749, OS AIX 5.3
IBM NAS 1.4.0.7 Client: hostname fakir.in.ibm.com, OS AIX 6.1
Machine with telnet service running: hostname fsaix005.in.ibm.com, port 23, OS AIX 5.3
Machine with FTP service running: hostname fsaix005.in.ibm.com, port 21, OS AIX 5.3
Check and synchronize the clocks of all the machines; the time difference should not be more than 5 minutes. To check the correctness of the Kerberos configuration, run '/usr/krb5/bin/kinit admin/admin' followed by '/usr/krb5/bin/klist' and see whether you get a Kerberos ticket, then run '/usr/krb5/sbin/kadmin -p admin/admin' to check that everything (time difference and more) is correct.

To make sure that all the network applications try Kerberos authentication before the standard password-based authentication, the administrator needs to change the preference of the authentication methods on all the AIX machines.
The '/usr/bin/lsauthent' command shows the current authentication method preference:
bash-2.05b# /usr/bin/lsauthent
To change the preference, use the '/usr/bin/chauthent' command; the methods are tried in the order given, so Kerberos 5 comes first and the standard method is the fallback:
bash-2.05b# /usr/bin/chauthent -k5 -std
Now '/usr/bin/lsauthent' would show the new preference:
bash-2.05b# /usr/bin/lsauthent
Be sure to keep the standard password-based authentication method (-std above) as a fallback, or else you will not be able to log in to the system at all if Kerberos login is not working properly.
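The following script is an added example (not code from the article or from IBM NAS) that turns the prerequisites above into repeatable checks: the 5-minute clock-skew limit, a kinit/klist sanity check that looks for a ticket in a klist listing, and a guard that refuses a chauthent argument list without the -std fallback or with -std ahead of -k5. It is POSIX sh and runs offline on a klist listing copied from this article; it assumes the chauthent ordering the article relies on, and the rsh call and date +%s in the commented usage lines are assumptions about how you would collect a remote timestamp. The ticket check takes any service principal, so the same function also confirms later that a Kerberized telnet obtained a host/ service ticket rather than falling back to a password.

```shell
#!/bin/sh
# Added example, not code from the article: pre-flight checks for one AIX
# Kerberos client, written so they run offline on constructed sample data.
# Nothing here calls kinit, klist or chauthent; the live invocations are in
# the comments at the end.

MAX_SKEW=300                    # Kerberos default clock skew tolerance, 5 minutes
REALM=ISL.IN.IBM.COM            # realm from the article

# 1. Clock skew. Compare two epoch timestamps taken at the same moment on
#    this host and on the KDC (for example with a remote 'date +%s' where that
#    format is supported, an assumption). $1 local, $2 remote.
clock_skew_ok() {
    delta=$(($1 - $2))
    [ "$delta" -lt 0 ] && delta=$((0 - delta))
    [ "$delta" -le "$MAX_SKEW" ]
}

# 2. Ticket presence. $1 is the text of a klist listing, $2 the full service
#    principal. Only lines after the "Valid starting" header count, so the
#    "Default principal:" line cannot produce a false match. With
#    krbtgt/REALM@REALM this verifies that kinit worked; with
#    host/<FQDN>@REALM it verifies that a Kerberized telnet really obtained a
#    service ticket.
ticket_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Valid starting/ { in_list = 1; next }
        in_list && $NF == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 3. Authentication method order. chauthent tries the methods in the order
#    given, so the argument list must contain -std (password fallback; without
#    it a broken Kerberos setup locks everyone out) and, when -k5 is present,
#    -k5 must come before -std so that Kerberos is tried first.
auth_args_ok() {
    pos=0; k5_pos=; std_pos=
    for arg in "$@"; do
        pos=$((pos + 1))
        case $arg in
            -k5)  k5_pos=$pos ;;
            -std) std_pos=$pos ;;
        esac
    done
    [ -n "$std_pos" ] || { echo "refused: -std fallback missing" >&2; return 1; }
    [ -z "$k5_pos" ] || [ "$k5_pos" -lt "$std_pos" ] ||
        { echo "refused: -k5 must precede -std" >&2; return 1; }
}

# Constructed sample: the klist output the article shows right after
# 'kinit vipin' on fakir.in.ibm.com.
SAMPLE_KLIST='Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting     Expires            Service principal
02/16/08 04:31:41  02/17/08 04:31:39  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM'

# Live use (commented out; needs the real hosts):
#   clock_skew_ok "$(date +%s)" "$(rsh land.in.ibm.com date +%s)" || echo "clock skew > 5 min"
#   ticket_for "$(/usr/krb5/bin/klist)" "krbtgt/$REALM@$REALM" || echo "no TGT: run kinit"
#   auth_args_ok -k5 -std && /usr/bin/chauthent -k5 -std && /usr/bin/lsauthent
```

Run the three checks on every client before touching chauthent: a skew failure or a missing TGT explains most "Kerberos silently fell back to the password prompt" reports, and the argument guard keeps the -std fallback in place while you are still debugging.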
In the Kerberos environment, each Kerberos service is represented by a service principal. This is an ordinary Kerberos principal whose long-term key, stored in the service's keytab, lets the service decrypt the ticket that the KDC issues for it (the client obtains that ticket from the KDC and presents it to the service). For the telnet service as well, you need to create a telnet service principal and perform some configuration steps on the telnet server.
Use the following step-by-step process to configure Kerberos for the telnet service.
If you have already configured the Kerberos client using the AIX 'mkkrb5clnt' command, then you do not need to do steps 1 and 2: 'mkkrb5clnt' created a host service principal and stored it in a keytab file under /var/krb5/security/keytab/. Link that file to the default keytab file /etc/krb5/krb5.keytab.
- On the machine where the telnet service is running (fsaix005.in.ibm.com), create the telnet service principal with the name 'host/<FQDN>'. For us, it will be 'host/fsaix005.in.ibm.com'. Using the Fully Qualified Domain Name (FQDN) is vital for this setup to work.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: addprinc -randkey host/fsaix005.in.ibm.com
WARNING: no policy specified for host/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
defaulting to no policy. Note that policy may be overridden by
ACL restrictions.
Principal "host/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
- Add the telnet service principal to the keytab file (/etc/krb5/krb5.keytab). One entry is written per encryption type the KDC supports. Note that the list below includes single DES, which is deprecated for Kerberos (RFC 6649) and is best removed from the KDC's supported encryption types if no legacy client depends on it.
kadmin: ktadd host/fsaix005.in.ibm.com
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: q
bash-2.05b#
If you are not able to run 'kadmin' on the telnet server for some reason, create the service principal on the KDC, add it to a keytab file there, and transfer that keytab file to the machine where telnetd is running (fsaix005.in.ibm.com, for us). Transfer it over a protected channel and keep it readable by root only: it holds the service's long-term key.
- On the telnet service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
- On the telnet service machine (fsaix005.in.ibm.com), create a new user 'vipin', which you will use to telnet to fsaix005, and set its password.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# mkuser -R files vipin
bash-2.05b# passwd vipin
Changing password for "vipin"
vipin's New password:
Enter the new password again:
bash-2.05b#
- Create a Kerberos principal with the same name, 'vipin'. This can be done from any machine (either the master KDC or a client) in the Kerberos realm. The '-pw vipin' below sets the principal's password equal to its name purely for demonstration; use a proper password for any real account.
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: ank -pw vipin vipin
WARNING: no policy specified for vipin@ISL.IN.IBM.COM;
defaulting to no policy. Note that policy may be overridden by
ACL restrictions.
Principal "vipin@ISL.IN.IBM.COM" created.
kadmin: q
bash-2.05b#
- Go to any other client machine (fakir.in.ibm.com) on which the Kerberos client is configured. Run '/usr/krb5/bin/kinit vipin' to get the initial Kerberos ticket, as shown below:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting Expires Service principal
02/16/08 04:31:41 02/17/08 04:31:39 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b#
- Try to telnet to the telnetd machine (fsaix005.in.ibm.com). If everything goes fine, you will not be asked for a password and you will be logged in as user "vipin". Here is how:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# telnet -l vipin fsaix005.in.ibm.com
Trying...
Connected to fsaix005.in.ibm.com.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``vipin@ISL.IN.IBM.COM'' ]
telnet (fsaix005.in.ibm.com)
*******************************************************************************
* *
* *
* Welcome to AIX Version 5.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last unsuccessful login: Wed Feb 13 11:50:40 CST 2008 on /dev/pts/2 from
land.in.ibm.com
Last login: Fri Feb 15 12:49:06 CST 2008 on /dev/pts/3 from aixdce8.in.ibm.com
$ hostname
fsaix005.in.ibm.com
$ id
uid=237(vipin) gid=1(staff)
$ exit
Connection closed
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b#
That's all it takes to do Kerberized telnet! Note the additional '-l vipin' option on the telnet command: it names the user to log in as, and here it matches the principal the ticket was obtained for. If you want to check whether you actually got a ticket for the telnet service principal, run '/usr/krb5/bin/klist' on the client and look at the output. You should see something like this:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting Expires Service principal
02/16/08 04:31:41 02/17/08 04:31:39 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
02/16/08 04:32:56 02/17/08 04:31:39 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
Similar to telnet service, you can also configure FTP service to accept and use Kerberos authentication. Use the following step-by-step procedure to achieve this:
- Create an FTP service principal. This time the name of the principal is 'ftp/<FQDN>', so for us it is 'ftp/fsaix005.in.ibm.com'. Create the principal:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@ISL.IN.IBM.COM:
kadmin: ank -randkey ftp/fsaix005.in.ibm.com
WARNING: no policy specified for ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM;
defaulting to no policy. Note that policy may be overridden by
ACL restrictions.
Principal "ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM" created.
- Now add this principal entry to the keytab file (/etc/krb5/krb5.keytab).
kadmin: ktadd ftp/fsaix005.in.ibm.com
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal ftp/fsaix005.in.ibm.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: q
bash-2.05b#
- On the FTP service machine (fsaix005.in.ibm.com), run '/usr/krb5/bin/klist -k' and check the entries in the keytab file. This time it should look something like this:
bash-2.05b# hostname
fsaix005.in.ibm.com
bash-2.05b# /usr/krb5/bin/klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
bash-2.05b#
- The next step is to get the initial Kerberos ticket. Since we already have a Kerberos principal called 'vipin', we use it to get the initial ticket with the '/usr/krb5/bin/kinit' command:
bash-2.05b# hostname
fakir.in.ibm.com
bash-2.05b# /usr/krb5/bin/kinit vipin
Password for vipin@ISL.IN.IBM.COM:
bash-2.05b# /usr/krb5/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: vipin@ISL.IN.IBM.COM
Valid starting Expires Service principal
02/16/08 04:47:46 02/17/08 04:47:45 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
bash-2.05b#
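As an added example (not the article's own code), the following POSIX sh script automates the parts that the telnet and FTP procedures above repeat by hand: it insists on an FQDN, derives the host/ and ftp/ principals for a server, emits the addprinc -randkey and ktadd commands to feed to kadmin, and verifies a klist -k listing on the server, reporting the highest kvno per principal. The sample listing is constructed from the output shown above; the kadmin -q and ktadd -k flags are MIT Kerberos syntax and are assumed to work the same in IBM NAS.

```shell
#!/bin/sh
# Added example, not code from the article: derive the telnet (host/) and FTP
# (ftp/) service principals for one AIX server, emit the kadmin commands the
# article types by hand, and verify a 'klist -k' listing afterwards. Runs
# offline on a constructed listing; kadmin and klist only appear in comments.

REALM=ISL.IN.IBM.COM            # realm used throughout the article
KEYTAB=/etc/krb5/krb5.keytab    # default keytab that telnetd and ftpd read

# The principal must carry the server's FQDN. Reject an empty name, a leading
# or trailing dot, characters outside the hostname alphabet, and a short name
# with no dot at all.
require_fqdn() {
    case $1 in
        ''|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the two realm-qualified service principals for a server, one per line:
# host/<FQDN> for telnetd (and the r-commands), ftp/<FQDN> for ftpd.
service_principals() {
    require_fqdn "$1" || { echo "not an FQDN: '$1'" >&2; return 1; }
    printf 'host/%s@%s\nftp/%s@%s\n' "$1" "$REALM" "$1" "$REALM"
}

# Emit the kadmin commands: -randkey so no human ever knows the service key,
# then ktadd into the default keytab (ktadd -k is MIT kadmin syntax, assumed
# to match IBM NAS). Feed each line to kadmin, e.g.
#   kadmin_commands fsaix005.in.ibm.com |
#       while read -r q; do /usr/krb5/sbin/kadmin -p admin/admin -q "$q"; done
kadmin_commands() {
    princs=$(service_principals "$1") || return 1
    for princ in $princs; do
        printf 'addprinc -randkey %s\n' "$princ"
        printf 'ktadd -k %s %s\n' "$KEYTAB" "$princ"
    done
}

# Highest kvno present for a principal in a 'klist -k' listing ($1 = listing
# text, $2 = principal); prints nothing and returns 1 if absent. Compare it
# with the "Key: vno N" line of 'getprinc <principal>' in kadmin: a keytab
# whose kvno lags the KDC (after the principal was re-keyed) makes a correctly
# named service reject every ticket.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0; seen = 1 }
        END { if (!seen) exit 1; print max }'
}

# Return 0 only if both service principals for the server are in the listing.
keytab_ok() {
    listing=$1
    princs=$(service_principals "$2") || return 1
    rc=0
    for princ in $princs; do
        if kv=$(keytab_kvno "$listing" "$princ"); then
            echo "ok: $princ kvno $kv"
        else
            echo "missing from keytab: $princ" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the 'klist -k' listing from the article after both
# principals were added (five encryption types each, all at kvno 3).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 host/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM
   3 ftp/fsaix005.in.ibm.com@ISL.IN.IBM.COM'

# Live use on the server (commented out; needs the real host):
#   keytab_ok "$(/usr/krb5/bin/klist -k)" "$(hostname)"
```

The FQDN check is deliberately strict because the principal name must match what the client derives from the server's name; a short hostname or a trailing dot produces a principal the KDC has never heard of, and the client then silently falls back to the password prompt.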
Courtesy: http://www.ibm.com/developerworks/aix/library/au-kerberosaix6/index.html