Kerberos

The family of kreucher.net servers use secure authentication via Kerberos V5. All services (except IMAP and SMTP) allow access only after a valid Kerberos authentication ticket has been obtained. This greatly increases security, protecting your data!

Kerberos Realm

  • Kerberos Realm: KREUCHER.NET
  • Kerberos Version: V5 (V4 also supported)
  • KDC Server: kdc.kreucher.net
  • Admin Server: kdc.kreucher.net

To discover the realm and KDC hosts via DNS, query the TXT record for the realm name and the appropriate SRV records:

$ host -t TXT _kerberos.kreucher.net
_kerberos.kreucher.net descriptive text "KREUCHER.NET"

$ host -t SRV _kerberos._udp.kreucher.net
_kerberos._udp.kreucher.net has SRV record 0 0 88 kdc.kreucher.net.

$ host -t SRV _kerberos._tcp.kreucher.net
_kerberos._tcp.kreucher.net has SRV record 0 0 88 kdc.kreucher.net.

$ host -t SRV _kerberos-adm._tcp.kreucher.net
_kerberos-adm._tcp.kreucher.net has SRV record 0 0 749 kdc.kreucher.net.

Client Setup

Some client setup is needed to enable access to kerberos enabled services on the kreucher.net family of servers.

Outlined below are instructions for various common Operating Systems and client programs.

Windows Kerberos Installation

MIT's Kerberos for Windows is required to use Kerberos enabled versions of PuTTY and other client software packages.

  1. Download and run the Kerberos for Windows installation program (kfw-*-*-*.exe).
  2. Accept all defaults up to the "Kerberos Configuration" screen. Here, select:
    1. (*) Download from web path:
    2. http://secure.kreucher.net/krb5/
  3. After installation, locate and start the Network Identity Manager from Start -> All Programs -> Kerberos for Windows -> Network Identity Manager
    • This will be started for you on reboot, if you kept the default installation options
  4. To obtain an authentication ticket, click the "Obtain Credentials..." button.
    1. Enter in your username, for example: nick
    2. Ensure the realm is set to: KREUCHER.NET
    3. Wait for your identity to be verified, after which a password field will appear
    4. Enter in your password
    5. If all goes well, you will have a ticket that doesn't expire for several hours, allowing you to use kreucher.net services without further authentication!

Note: The "Network Identity Manager" application can also be used to change your password. In fact, you are encouraged to do so!

WinSCP

First, make sure you complete the steps above for Windows Kerberos Installation

  1. Install WinSCP version 4.0.*.
    • WARNING: WinSCP 4.1.* has broken Kerberos support and will not work!
    • For example: download and install winscp407setup.exe from the above link.
  2. Launch WinSCP
  3. When creating a new session, fill out and select:
    1. Host name, for example: corona.kreucher.net
    2. User name, for example: nick
    3. Enable: [X] Advanced options
    4. In SSH | Authentication, modify:
      • [ ] Attempt 'keyboard-interactive' authentication (SSH-2)
      • [X] Attempt Kerberos 5 GSSAPI/SSPI authentication (SSH-2)
      • [X] Allow Kerberos 5 ticket forwarding in GSSAPI/SSPI (SSH-2)
  4. Make sure you have a valid ticket in Network Identity Manager
  5. Don't forget to save your session for future use!
  6. Finally, click: Login

PuTTY

First, make sure you complete the steps above for Windows Kerberos Installation.

  1. Download putty+gssapi
  2. Extract the contents of this zip to C:\Program Files\PuTTY
    • This will likely be a new folder, so you'll have to create it
    • You can optionally create a shortcut to putty.exe on your desktop, start menu or quick launch bar
  3. Launch putty.exe
  4. When creating a new session, modify the following options in "Connection | SSH | Auth":
    • [ ] Attempt "keyboard-interactive" auth (SSH-2)
    • [X] Attempt Kerberos 5 GSSAPI/SSPI auth (SSH2)
    • [X] Allow Kerberos 5 ticket forwarding GSSAPI/SSPI
  5. Make sure you have a valid ticket in Network Identity Manager
  6. Don't forget to save your session for future use!
  7. Finally, click: Login

Mac OS X Kerberos Installation

Mac OS X 10.2 and later support Kerberos out of the box; however, it's partially disabled, and the management app is hard to find.

To resolve these issues, MIT has a Mac OS X Kerberos Extras package.

  1. Download and install the appropriate Kerberos Extras package for your version of Mac OS X
  2. Launch "Kerberos" from your /Applications/Utilities folder
  3. Click the "New" button to obtain an authentication ticket
    • Enter in your username (example: nick)
    • Change the realm to: KREUCHER.NET
    • Enter in your password
  4. If all goes well, you will have a ticket that doesn't expire for several hours, allowing you to use kreucher.net services without further authentication!

Note: The "Kerberos" application can also be used to change your password. In fact, you are encouraged to do so!

Cyberduck

Unfortunately, Cyberduck does not currently offer Kerberos/GSSAPI support. There is a request to add this feature, and you can track progress here.

Fetch

First, make sure you complete the steps above for Mac OS X Kerberos Installation

Fetch includes Kerberos/GSSAPI support out of the box. No special configuration is required. Just be sure to have a valid Kerberos ticket!

Linux/UNIX Kerberos

  1. Ubuntu/Debian: Install krb5-user (if needed):

    $ sudo apt-get install krb5-user

    • If you are asked about a default realm, use KREUCHER.NET
    • DNS is set up "properly" for this realm, but you can tell it to use kdc.kreucher.net as the key and auth server if you are forced to enter something.
    • If needed, you can reconfigure krb5 like this:

      $ sudo dpkg-reconfigure krb5-config

  2. To obtain an authentication ticket:

    $ kinit username@KREUCHER.NET

  3. To see the new ticket you just obtained, and its expiration:

    $ klist

  4. Now any service that can use kerberos will be able to use the ticket for authentication! Example for SSH:

    $ ssh username@corona.kreucher.net

  5. If desired, to revoke your ticket early:

    $ kdestroy

  6. To change your password, first obtain a ticket via kinit, then:

    $ kpasswd

Note: You can also install a GNOME applet to manage your Kerberos tickets: krb5-auth-dialog.
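A pre-flight check for the kinit/klist/ssh sequence above, as an added example that is not part of the original page: it parses `klist` output and reports whether a usable ticket-granting ticket for KREUCHER.NET exists and how long it has left, which is what a script should verify before it runs `ssh` and before it runs `kpasswd` (which needs a ticket first). KLIST_SAMPLE is constructed text in the MIT krb5 `klist` layout; a real wrapper would replace it with `subprocess.run(["klist"], capture_output=True, text=True).stdout`. The `now` parameter exists so the check is deterministic; pass `datetime.now()` in practice.

```python
"""Check `klist` output for a valid TGT in a given realm. Added example; the
sample output is constructed, not captured from a kreucher.net host."""
from datetime import datetime

# Constructed sample of MIT `klist` output after `kinit nick@KREUCHER.NET`.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nick@KREUCHER.NET

Valid starting       Expires              Service principal
04/12/2024 09:00:00  04/12/2024 19:00:00  krbtgt/KREUCHER.NET@KREUCHER.NET
	renew until 04/19/2024 09:00:00
04/12/2024 09:05:12  04/12/2024 19:00:00  host/corona.kreucher.net@KREUCHER.NET
"""

# MIT klist prints either a four-digit or a two-digit year depending on version.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")


def parse_klist_time(text):
    """Parse a klist timestamp, accepting both year formats."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def default_principal(klist_text):
    """Return the 'Default principal:' value, or None if the cache is empty."""
    for line in klist_text.splitlines():
        if line.startswith("Default principal:"):
            return line.split(":", 1)[1].strip()
    return None


def tgt_status(klist_text, realm, now):
    """Return ("missing", None), ("expired", 0) or ("ok", seconds_remaining)
    for the krbtgt/REALM@REALM entry in the klist output.

    Data rows have exactly five whitespace-separated fields
    (DATE TIME DATE TIME SERVICE); the header row and "renew until" lines do
    not match and are skipped.
    """
    wanted = f"krbtgt/{realm}@{realm}"
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != wanted:
            continue
        expires = parse_klist_time(f"{parts[2]} {parts[3]}")
        remaining = (expires - now).total_seconds()
        if remaining <= 0:
            return ("expired", 0)
        return ("ok", int(remaining))
    return ("missing", None)


if __name__ == "__main__":
    state, secs = tgt_status(KLIST_SAMPLE, "KREUCHER.NET", datetime.now())
    print(default_principal(KLIST_SAMPLE), state, secs)
```

A wrapper would call `kinit` when the status is "missing" or "expired" and refuse to proceed if `default_principal()` reports a realm other than KREUCHER.NET, since a ticket from another realm will not authenticate you to these hosts.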

Common Problems

A few common problems are described here.

  1. When I try and change my password, I receive an error like "failed decrypting request".
    • You are likely using a machine that is behind a NAT device, such as a wireless router. The Kerberos password change facility is incompatible with NATs. Use a machine on a public network, or PuTTY/ssh into corona.kreucher.net and use kpasswd there.
  2. I get an error about my clock skew.. what!?
    • Kerberos uses time-based tickets, so if your clock is not in sync with the server (within 5 minutes) it will refuse to grant you a ticket. Fix your clock, you need to do this anyway :)