security/krb5 setup

Heimdal from base currently coredumps in kadmin.

So I wanted to give security/krb5 a try. This isn't easy. The port contains no rc script, and some binaries and man pages are overshadowed by those of Heimdal.
Does anybody have rc scripts for kdc and kadmind? How can you put krb5 binaries and man pages before those of Heimdal?
 
Does anybody have rc scripts for kdc and kadmind?
You don't need them.

How can you put krb5 binaries and man pages before those of Heimdal?
You could create an alias; that'll take precedence. Changing the order of PATH is also an option.
 
Found a Raspberry Pi 3 in a drawer and put Heimdal kdc and kadmind on it.
Heimdal was written at the time of 90 MHz SPARC machines and runs fine on a 1.2 GHz Pi.

I was pleasantly surprised that there is www/mod_auth_kerb2, so curl and Firefox can now access a Kerberos-protected location.
 
Can somebody explain how this works, in detail?
What knowledge do you lack?

There is a protocol, SPNEGO, that implements a negotiation dialogue inside the HTTP headers.
If you are authenticated to Kerberos on your desktop, Firefox will grab your TGT and send it out within SPNEGO to the web server. Now you need something on the HTTP server side that can understand that dialogue. Some applications have that built in, e.g. pgadmin4 (and pgadmin4 will move that ticket onwards to the managed databases, so you can single sign-on all the way through - I put this into pgadmin4 in a first proof of concept, and later it was implemented upstream, too).
For other applications you may want to handle these authentications within the access controls of Apache - and that is what mod_auth_kerb2 allows.

Concerning client-side gadgets, there should be some Kerberos/SPNEGO support on smartphones, but I didn't dig into that more deeply. And I know nothing about the Raspberry stuff.
 
Code:
curl -v --negotiate -u : http://karo/kerberostest/
*   Trying 192.xxxxx:80...
* Connected to karo (192.xxx) port 80 (#0)
* Server auth using Negotiate with user ''
> GET /kerberostest/ HTTP/1.1
> Host: karo
> Authorization: Negotiate <Ticket in Base64>
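The explanation above describes the negotiation dialogue in the HTTP headers, and the curl trace shows the client half of it (the `Authorization: Negotiate <Ticket in Base64>` line). As an added example that is not from the thread or from mod_auth_kerb2, the following Python models the server half: issue the `WWW-Authenticate: Negotiate` challenge, decode the token, and read the mechanism OID out of the GSS-API InitialContextToken wrapper to tell a SPNEGO or raw Kerberos token apart from an NTLM fallback blob. The `build_token` and `negotiate_header` helpers only construct sample input; verifying the ticket itself is GSS-API `accept_sec_context` work that is left to the real module.

```python
import base64
import re

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2, DER-encoded
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2, DER-encoded
NTLMSSP = b"NTLMSSP\x00"                        # raw NTLM blob a client sends on fallback

def _der_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_token(token: bytes) -> str:
    """Name the mechanism a Negotiate token carries: 'spnego', 'krb5', 'ntlm' or 'unknown'."""
    if token.startswith(NTLMSSP):
        return "ntlm"
    try:
        if token[0] != 0x60:        # [APPLICATION 0] InitialContextToken wrapper (RFC 2743 3.1)
            return "unknown"
        _, i = _der_len(token, 1)
        if token[i] != 0x06:        # OBJECT IDENTIFIER tag of the mechanism OID
            return "unknown"
        oid_len, i = _der_len(token, i + 1)
        oid = token[i:i + oid_len]
    except IndexError:
        return "unknown"
    return {SPNEGO_OID: "spnego", KRB5_OID: "krb5"}.get(oid, "unknown")

def handle_request(headers: dict) -> tuple[int, dict, str]:
    """Server side of the dialogue: challenge, decode the token, classify the mechanism."""
    m = re.fullmatch(r"Negotiate\s+([A-Za-z0-9+/=]+)", headers.get("Authorization", "").strip())
    if not m:
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return 400, {}, "malformed"
    mech = classify_token(token)
    if mech == "ntlm":              # not Kerberos: re-challenge instead of accepting a downgrade
        return 401, {"WWW-Authenticate": "Negotiate"}, "ntlm-rejected"
    return (200, {}, mech) if mech != "unknown" else (400, {}, "unknown-mechanism")

def build_token(oid: bytes, inner: bytes) -> bytes:   # constructed samples only, short lengths
    body = b"\x06" + bytes([len(oid)]) + oid + inner  # OID TLV followed by a dummy body
    return b"\x60" + bytes([len(body)]) + body        # [APPLICATION 0] wrapper

def negotiate_header(token: bytes) -> dict:  # the header curl --negotiate or Firefox would send
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode()}
```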
 
weberjn, did you need to take any steps to make Heimdal from ports take precedence over the version of Heimdal from base?
I had at that time Heimdal run on the Raspberry under Raspberry Pi OS.

In the meantime I switched to a FreeBSD 13.3 x64 bhyve VM, running Heimdal from the base OS, not the port. Without ports the system runs with 128m; only for freebsd-update did I have to temporarily increase it to 1G.
 
I tried security/krb5 again. It actually went without problems:
Code:
kdc_program="/usr/local/sbin/krb5kdc"
kadmind_program="/usr/local/sbin/kadmind"
kdc_flags=""
kdc_enable="YES"
kadmind_enable="YES"

Then I followed https://reintech.io/blog/configuring-kerberos-authentication-debian-12

I also needed to add an ACL:

Code:
cat /usr/local/var/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
 