Add Kerberos post.

diff --git a/posts/Kerberos.mdwn b/posts/Kerberos.mdwn
new file mode 100644 (file)
index 0000000..0bb9471
--- /dev/null
+++ b/posts/Kerberos.mdwn
@@ -0,0 +1,323 @@
+Over the years I've watched [Kerberos][] and related tools from afar,
+interested in the idea, but not interested enough to figure out the
+installation, configuration, etc.  Well, in an attempt to secure
+assorted [[NFS]] mounts around my home, I decided to take the plunge
+today and install NFSv4 + Kerberos.  Here are my notes for my
+[[Gentoo]] systems, mostly following the [Kerberos install
+guide][install].  I'll use the following settings for my examples:
+
+* Domain: `d.net`
+* Kerberos realm: `R.EDU`
+* Server: `server.d.net`
+* Client: `client.d.net`
+* User: `jdoe` (on both the client and server)
+
+Setup the Kerberos server
+-------------------------
+
+Emerge the Kerberos server (`app-crypt/mit-krb5`) and [[PAM]] module:
+
+    # USE=-openldap emerge -av pam_krb5
+
+`-openldap` breaks an OpenLDAP <-> Kerberos dependency loop.
+
+Setup [[DNS]] to centralize service location management ([krb
+manual][NDS]):
+
+    # emacs /etc/bind/pri/d.net.zone
+    # /etc/init.d/named restart
+
+I added the following entries to the `$ORIGIN d.net.` section of my
+zone file:
+
+    _kerberos TXT   "R.EDU"
+    kerberos  A     192.168.0.2
+    krb5      A     192.168.0.2
+    _kerberos-adm._tcp     SRV  0 0 749 krb5
+    _kerberos._udp         SRV  0 0 88  krb5
+    _kerberos-master._udp  SRV  0 0 88  krb5
+    _kpasswd._udp          SRV  0 0 464 krb5
+
+Configure Kerberos and the KDC ([krb manual][config]):
+
+    # cp /etc/krb5.conf{.example,}
+    # emacs /etc/krb5.conf
+    # cat /etc/krb5.conf
+    [libdefaults]
+            default_realm = R.EDU
+            dns_fallback = yes
+            kdc_ports = 88
+    
+    [realms]
+            R.EDU = {
+                    kdc = "server.d.net"  # HACK?
+                    admin_server = "server.d.net"  # DNS support not yet complete
+            }
+    
+    [domain_realm]
+            .d.net = R.EDU
+            d.net = R.EDU
+    
+    [logging]
+            kdc = FILE:/var/log/krb5/kdc.log
+            admin_server = FILE:/var/log/krb5/kadmind.log
+            default = FILE:/var/log/krb5/krblib.log
+    # cp /var/lib/krb5kdc/kdc.conf{.example,}
+    # emacs /var/lib/krb5kdc/kdc.conf
+    # cat /var/lib/krb5kdc/kdc.conf
+    [realms]
+            R.EDU = {
+                    admin_server = server.d.net  # DNS support not yet complete
+                    database_name = /var/lib/krb5kdc/principal
+                    admin_keytab = FILE:/etc/krb5.keytab
+                    acl_file = /var/lib/krb5kdc/kadm5.acl
+                    key_stash_file = /var/lib/krb5kdc/.k5.R.EDU
+                    kdc_ports = 88
+                    max_life = 10h 0m 0s
+                    max_renewable_life = 7d 0h 0m 0s
+            }
+
+Create the database and stash file ([krb manual][database]):
+
+    # kdb5_util create -r R.EDU -s
+
+Add administrators to the access control list ([krb manual][acl]):
+
+    # emacs /var/lib/krb5kdc/kadm5.acl
+    # cat /var/lib/krb5kdc/kadm5.acl
+    jdoe/admin@R.EDU  x
+    # kadmin.local
+    kadmin.local:  add_principal jdoe/admin@R.EDU
+    WARNING: no policy specified for jdoe/admin@R.EDU; defaulting to no policy
+    Enter password for principal "jdoe/admin@R.EDU": 
+    Re-enter password for principal "jdoe/admin@R.EDU": 
+    Principal "jdoe/admin@R.EDU" created.
+    kadmin.local:  quit
+
+Start the Kerberos daemons:
+
+    # /etc/init.d/mit-krb5kdc start
+    # /etc/init.d/mit-krb5kadmind start
+
+Add them to your default runlevel with:
+
+    # eselect rc add /etc/init.d/mit-krb5kadmin default
+    # eselect rc add /etc/init.d/mit-krb5kadmind default
+
+Add new principals ([krb manual][principal]:
+
+    $ kadmin -p jdoe/admin
+    Authenticating as principal jdoe/admin with password.
+    Password for jdoe/admin@R.EDU: 
+    kadmin:  list_principals
+    ...
+    kadmin:  add_principal jdoe
+    WARNING: no policy specified for jdoe@R.EDU; defaulting to no policy
+    Enter password for principal "jdoe@R.EDU": 
+    Re-enter password for principal "jdoe@R.EDU": 
+    Principal "jdoe@R.EDU" created.
+    kadmin:  quit
+
+Now you can get your ticket granting ticket (TGT) with
+
+    $ kinit
+
+and do all the other standard Kerberos stuff.
+
+Setup the Kerberos client
+-------------------------
+
+Not much to do here, just
+
+    # emerge -av pam_krb5
+
+and `scp` `/etc/krb.conf` from your Kerberos server onto the client.
+
+Check that everything works by running
+
+    $ kinit
+    Password for jdoe@R.EDU: 
+    $ klist 
+    Ticket cache: FILE:/tmp/krb5cc_1000
+    Default principal: jdoe@R.EDU
+    
+    Valid starting     Expires            Service principal
+    06/02/11 10:32:30  06/02/11 20:32:30  krbtgt/R.EDU@R.EDU
+            renew until 06/03/11 10:32:30
+
+Setup the NFS server
+--------------------
+
+Now we'll setup [[NFSv4|NFS]] using Kerberos authentication.  There
+don't seem to be authoritative docs, but there are a number of good
+tutorials ([1][], [2][], [3][], [4][]).
+
+Emerge `nfs-utils` with the `kerberos` USE flag set
+([homepage][nfs-utils]).  You may also want `app-crypt/kstart`
+([homepage][kstart]) to automatically renew your server and client
+tickets.  Now is also a good time to check your kernel config.  I was
+missing [CRYPTO_CTS][CTS], which lead to
+
+    error writing to downcall channel /proc/net/rpc/auth.rpcsec.context/channel: Invalid argument
+
+If your realm is not your uppercased domain name, you probably also
+want a version of [libnfsidmap][] >0.21 to avoid the
+
+    get_ids: failed to map name 'nfs/<fqdn>@REALM' to uid/gid: Invalid argument
+
+bug [discussion][lr-bug].
+
+Since we'll be running the NFS service, we'll need a
+`nfs/<fqdn>@REALM` principal for the service.  Because we want that
+service to start automatically at boot, we neek to keep its key in a
+keytab file ([krb manual][keytab]).
+
+    # kadmin.local -p jdoe/admin
+    Authenticating as principal jdoe/admin with password.
+    Password for jdoe/admin@R.EDU: 
+    kadmin.local:  add_principal -randkey nfs/server.d.net
+    WARNING: no policy specified for nfs/server.d.net@R.EDU; defaulting to no policy
+    Principal "dns/server.d.net@R.EDU" created.
+    kadmin.local:  ktadd nfs/server.d.net
+    Entry for principal nfs/server.d.net...
+    ...
+    kadmin.local:  quit
+
+You need use `kadmin.local` here (instead of `kadmin`) so the process
+has premission to create and edit the keytab file.
+
+Read through `/etc/idmapd.conf` to see if you need to make any changes
+for your setup.  I set `Domain = d.net` and `Local-Realms = R.EDU`.
+You probably also want to look through `/etc/conf.d/nfs`.  I added
+`-vvv` to `OPTS_RPC_GSSD` and `OPTS_RPC_SVCGSSD` to aid in debugging.
+
+Setup your export filesystem.  NFSv4 wants all its exports to live
+under a single root, so do something like:
+
+    # mkdir /export
+    # mkdir /export/home
+    # mount --bind /home /export/home
+
+And then setup `/etc/exports`:
+
+    # cat /etc/exports
+    /export  *(rw,fsid=0,insecure,sec=krb5p,root_squash,no_subtree_check,crossmnt)
+    /export/a/ *(rw,insecure,sec=krb5p,root_squash,no_subtree_check)
+
+Note that the syntax has changed somewhat, and there seem to have been
+a few versions of the NFSv4 syntax.  `exports(5)` should contain good
+documentation for whatever version of `nfs-utils` you have installed
+on your system.
+
+If you used `mount --bind` to populate `/export`, make sure you add
+appropriate entries to `/etc/fstab` so the mounts come up when you
+reboot.
+
+    # cat /etc/fstab
+    ...
+    /home /export/home none rw,bind 0 0
+
+Start the NFS server:
+
+    # /etc/init.d/nfs start
+
+Add it to your default runlevel with:
+
+    # eselect rc add /etc/init.d/nfs default
+
+Setup the NFS client
+--------------------
+
+You'll also need `nfs-utils` here
+
+    # USE="kerberos" emerge -av nfs-utils
+
+You'll need a client principal for secured mounts, so head back over
+to the server and run
+
+    server.d.net# kadmin.local
+    kadmin.local:  add_principal -randkey nfs/client.d.net
+    kadmin.local:  ktadd -k /tmp/krb5.keytab nfs/client.d.net
+    Entry for principal nfs/client.d.net ...
+    ...
+    kadmin.local:  quit
+
+Then `scp` the new keyfile over to `/etc/krb5.keytab` on the client
+and remove the temporary version from the host.  You can list the keys
+in a keytab with `klist -e -k /path/to/keytab` if you find a keytab
+lying around but forget what's inside it.
+
+On the client, you'll need `gssd` and `idmapd` running (both part of
+`nfs-utils`).
+
+    # /etc/init.d/rpc.gssd start
+    # /etc/init.d/rpc.idmapd start
+
+There's no need to add these to your default runlevel, since they
+should be started automatically if you have NFSv4 entries in your
+`/etc/fstab` (I have no idea how that works).
+
+Now test your mount:
+
+    $ sudo mkdir /tmp/mnt
+    $ sudo mount -v -t nfs4 -o sec=krb5p server:/ /tmp/mnt
+    mount.nfs4: timeout set for Thu Jun  2 10:44:46 2011
+    mount.nfs4: trying text-based options '...'
+    server:/ on /tmp/mnt type nfs4 (rw,sec=krb5p)
+    $ ls /tmp/mnt 
+    ls: cannot access /tmp/mnt: Permission denied
+    $ klist 
+    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
+    $ kinit 
+    Password for jdoe@R.EDU: 
+    $ ls /tmp/mnt/
+    home
+
+Note that if you `kestroy` your key, you can still access the files:
+
+    $ kdestroy 
+    $ klist 
+    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
+    $ ls /tmp/mnt/
+    home
+
+I'm not sure if this is a bug or a feature.
+
+Other stuff
+-----------
+
+If you hadn't had the `kerberos` USE flag set before, you should
+consider adding it to your `/etc/make.conf` and running
+
+    $ sudo emerge -av --deep --newuse --update @world
+
+to get Kerberized versions of any packages you have installed
+(e.g. `cups`, `curl`, `cvs`, `emacs`, `openssh`, most SASL libraries,
+...).
+
+There's also [suite of Kerberos-aware utilities][apps] in
+`app-crypt/mit-krb5-appl` (`krcp`, `krlogin`, `krsh`, `ktelnet`, and
+`kftp`).  I don't use the non-Kerberized versions, so I haven't tried
+any of these.
+
+[Kerberos]: http://web.mit.edu/kerberos/
+[install]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html
+[DNS]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Using%20DNS
+[config]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Edit%20the%20Configuration%20Files
+[database]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Create%20the%20Database
+[acl]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Add%20Administrators%20to%20the%20Acl%20File
+[principal]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Adding%20or%20Modifying%20Principals
+[keytab]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Create%20a%20kadmind%20Keytab%20%28optional%29
+[nfs-tut1]: http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
+[nfs-tut2]: http://bernard.nexusinternational.jp/2008/03/nfs-and-kerberos-bernie-howto.html
+[nfs-tut3]: http://www.techrepublic.com/blog/opensource/kerberos-authentication-with-nfsv4/1965
+[nfs-tut4]: http://www.itp.uzh.ch/~dpotter/howto/kerberos
+[kstart]: http://www.eyrie.org/~eagle/software/kstart/
+[nfs-utils]: http://linux-nfs.org/
+[CTS]: http://permalink.gmane.org/gmane.linux.nfs/39963
+[libnfsidmap]: http://www.citi.umich.edu/projects/nfsv4/linux/
+[lr-bug]: http://linux-nfs.org/pipermail/nfsv4/2008-October/009558.html
+[apps]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-user.html#Kerberos%20V5%20Applications
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]