

Kerberos Version 4

Kerberos is an authentication system that was developed at the Massachusetts Institute of Technology. Kerberos uses DES to authenticate a user when logging in to the system. Authentication is based on the capability of the sending system to use the common key to encrypt the current time, which the receiving system can decrypt and check against its current time. Kerberos Version 4 is supported in the Solaris 2.6 release.

Kerberos works by authenticating the user's login password. A user enters the kinit command, which acquires a ticket that is valid for the time of the session (or eight hours, the default session time) from the Kerberos authentication server. When the user logs out, the ticket can be destroyed (by using the kdestroy command).


NOTE: Solaris 2.6 provides the capability to connect to the Kerberos functionality. However, it does not provide the Kerberos package. You can ftp Kerberos 4 source from athena-dist.mit.edu using anonymous as a username and your email address as a password. The source is located in the pub/kerberos directory.

The Kerberos software is available from MIT project Athena, and is not part of the SunOS 5.x software. The SunOS 5.x software provides:

  Commands and APIs used by the client to create, acquire, and verify tickets
  An authentication option to Secure RPC
  A client-side daemon, kerbd(1M)

How Kerberos Authentication Works with NFS

This section provides an overview of how the Kerberos authentication procedure works. The following process assumes that the Kerberos key distribution center (KDC) is already installed on the network, using publicly available sources from MIT project Athena.

1.  The /usr/sbin/kerbd daemon must be running on both the NFS client and server. This daemon is normally started when needed by inetd. You can use the rpcinfo command to make sure that the kerbd service is registered. kerbd is the user-mode daemon that interfaces with the kernel RPC and the KDC. It generates and validates authentication tickets.
2.  The system administrator sets up the NFS server to use Kerberos authentication. The MIT Kerberos software is used to register the principal names in the Kerberos KDC on the Kerberos server. The following entries are required:
  root.<hostname> (required for each NFS client)
  nfs.<hostname> (required for each NFS server)
3.  The user mounts the shared file system. The user on the client must get a ticket for root on the client to mount the shared file system.
4.  The user logs in to the Kerberos service by using the kinit command. The Kerberos authentication server authenticates the request and grants a ticket for the ticket-granting service.
5.  The user accesses the mounted directory. The kerbd daemon automatically secures a ticket on behalf of the client for the NFS server exporting the file system. At this point, there are two valid tickets: the original ticket-granting ticket and one for the server.
6.  The user destroys the tickets at the end of the session to prevent them from being compromised. The kdestroy command destroys the user's active Kerberos authorization tickets by writing zeros to the file that contains the tickets. You can put the kdestroy command in the user's .logout file so that all Kerberos tickets are automatically destroyed when the user logs out of the system.
7.  If tickets have been destroyed before the session has finished, the user must request a new ticket with the kinit command.
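The following Python script is an added example, not Solaris or MIT Kerberos code. It models three things the text above states in prose: the time-stamped authenticator (the sender encrypts its current clock under the shared key; the receiver decrypts and compares with its own clock), the eight-hour default ticket lifetime that a klist-style check is measured against, and the kdestroy behaviour of zero-filling the ticket file before removing it. Everything specific to the model is an assumption: a SHA-256 keystream stands in for DES, the five-minute acceptance window is not given on the page, the ticket file layout is constructed, and the principal root.seachild follows the root.<hostname> form from step 2 with a made-up host name.

```python
"""Model of the Kerberos 4 ticket lifecycle described on this page.

Constructed example, not Solaris or MIT code: time-stamped authenticator,
eight-hour default ticket lifetime, and kdestroy's zero-fill of the ticket file.
"""
import hashlib
import os
import tempfile

DEFAULT_LIFETIME = 8 * 60 * 60   # eight hours, the default session time on the page
CLOCK_SKEW = 5 * 60              # assumed acceptance window; the page gives no figure


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stand-in for DES (SHA-256 in counter mode). Real Kerberos 4 uses DES;
    this only gives the example a key-dependent, reversible transform."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # XOR keystream: the same operation in both directions


def make_authenticator(session_key: bytes, now: int) -> bytes:
    """Sender side: prove possession of the session key by encrypting the clock."""
    return encrypt(session_key, int(now).to_bytes(4, "big"))


def verify_authenticator(session_key: bytes, blob: bytes, now: int,
                         skew: int = CLOCK_SKEW) -> bool:
    """Receiver side: decrypt and check the time against the local clock.
    A wrong key yields an arbitrary timestamp that falls outside the window;
    a replayed authenticator fails once the window has passed."""
    if len(blob) != 4:
        return False
    ts = int.from_bytes(decrypt(session_key, blob), "big")
    return abs(int(now) - ts) <= skew


class TicketCache:
    """The per-user ticket file that kinit writes, klist reads and kdestroy wipes."""

    def __init__(self, path: str):
        self.path = path

    def kinit(self, principal: str, issued: int, lifetime: int = DEFAULT_LIFETIME) -> None:
        # One line per ticket: principal, issue time (epoch seconds), lifetime (seconds).
        # This layout is constructed for the example, not the real krb4 file format.
        with open(self.path, "ab") as f:
            f.write(f"{principal}\t{int(issued)}\t{int(lifetime)}\n".encode())

    def klist(self, now: int):
        """Return (principal, seconds_remaining) for every ticket still valid at `now`."""
        if not os.path.exists(self.path):
            return []
        valid = []
        with open(self.path, "rb") as f:
            for line in f.read().decode().splitlines():
                principal, issued, lifetime = line.split("\t")
                remaining = int(issued) + int(lifetime) - int(now)
                if remaining > 0:
                    valid.append((principal, remaining))
        return valid

    def kdestroy(self) -> int:
        """Overwrite the ticket file with zeros, then remove it. Returns bytes zeroed."""
        if not os.path.exists(self.path):
            return 0
        size = os.path.getsize(self.path)
        with open(self.path, "r+b") as f:
            f.write(b"\0" * size)
            f.flush()
            os.fsync(f.fileno())
        os.remove(self.path)
        return size


def demo_ticket_lifecycle(directory=None) -> dict:
    """Walk one session: kinit for root on client 'seachild', klist early and late, kdestroy."""
    directory = directory or tempfile.mkdtemp()
    cache = TicketCache(os.path.join(directory, "tkt0"))
    t0 = 1_000_000                      # constructed issue time
    cache.kinit("root.seachild", t0)
    return {
        "after_one_hour": cache.klist(t0 + 3600),
        "after_lifetime": cache.klist(t0 + DEFAULT_LIFETIME + 1),
        "bytes_zeroed": cache.kdestroy(),
        "file_remains": os.path.exists(cache.path),
    }


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed 8-byte shared key
    auth = make_authenticator(key, 1_000_000)
    print("fresh authenticator accepted:", verify_authenticator(key, auth, 1_000_000 + 60))
    print("stale authenticator accepted:", verify_authenticator(key, auth, 1_000_000 + 3600))
    print(demo_ticket_lifecycle())
```

Run it directly to see the two authenticator checks and the ticket-file walk-through. The point of the receiver-side check is that only a holder of the shared key can produce a ciphertext that decrypts to a plausible current time, so both a wrong key and a captured authenticator presented after the window are rejected by the clock comparison alone; the zero-fill in kdestroy is why the page recommends running it from .logout rather than relying on the ticket simply expiring.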

Administering Kerberos Version 4 Authentication

This section describes the command used to administer Kerberos and provides instructions for the following tasks associated with network security:

  Sharing and mounting files with Kerberos authentication
  Acquiring a Kerberos ticket for superuser on a client
  Logging in to the Kerberos service
  Listing Kerberos tickets
  Accessing a directory with Kerberos authentication
  Destroying a Kerberos ticket

Table 19-3 lists commands used to administer Kerberos authentication.

Table 19-3 Kerberos Commands

Command    Description
kdestroy   Destroy Kerberos tickets.
kerbd      Daemon that generates and validates Kerberos tickets for kernel RPC.
kinit      Log in to Kerberos authentication and authorization system.
klist      List currently held Kerberos tickets.
ksrvtgt    Fetch and store Kerberos ticket-granting ticket using a service key.

Refer to the MIT documentation for details about how to set up and administer Kerberos. Also refer to the kerberos(1), kerberos(3N), and krb.conf(4) manual pages for useful reference information about Kerberos.

Acquiring a Kerberos Ticket for Superuser on a Client

If the NFS file system you need to access has not been mounted, you need to acquire a ticket for superuser on the client before mounting it.

To acquire a ticket for a not-yet-mounted file system:

1.  Become superuser.
2.  Type kinit root.<hostname> and press Return.
3.  When prompted, type the password. The root.<hostname> entry for the client is entered into the /etc/srvtab configuration file.

In the following example, seachild is the name of the client system:

#kinit root.seachild
Password:
#

If the root.<hostname> for the client is present in the /etc/srvtab configuration file, you can use the ksrvtgt command to get a ticket for superuser. In this case, you are not required to give a superuser password. Consult the MIT documentation for information on how to initialize the /etc/srvtab file.

To acquire a ticket for superuser when root.<hostname> is present in the /etc/srvtab configuration file:

1.  Become superuser.
2.  Type ksrvtgt root.<hostname> and press Return.

In the following example, a Kerberos ticket is acquired for superuser on the client seachild:

#ksrvtgt root.seachild
#

