Debian GNU/Linux and Ubuntu are very similar and share almost all of their packages. Installation of Kerberos on either system is therefore essentially the same. Both Linux distributions come with a complete set of Kerberos packages and with configuration for Stanford's Kerberos realm which is sufficient for most uses.
Clients and basic configuration
For a basic Kerberos install on Debian or Ubuntu, run:
aptitude install krb5-user krb5-clients
This will install the basic kinit, klist, kdestroy, and kpasswd clients as well as Kerberos versions of rlogin, rsh, and rcp. It will also automatically install a Kerberos configuration. When prompted for your local realm, enter "stanford.edu" (without the quotes) in all lowercase. You should not have to enter any additional information about the Stanford realm, since our realm information is already present in the configuration files that ship with Debian and Ubuntu. However, you may still want to download the sitewide version of /etc/krb5.conf and replace the system version with it since it contains some additional realm mappings that are sometimes helpful.
If you are using AFS on this system, also run:
aptitude install openafs-krb5
to install the aklog program, which obtains AFS tokens from Kerberos tickets. For more information about installing AFS on Debian or Ubuntu, install the openafs-client package and look in /usr/share/doc/openafs-client/README.Debian.gz.
The SSH client in Debian or Ubuntu (in the openssh-client package) supports and enables GSSAPI authentication without any special configuration.
First, before enabling remote logins with Kerberos, you should make sure that all accounts on your system with logins enabled either match the SUNet IDs of those users or contain a .k5login file (which should be empty if Kerberos logins aren't permitted for that account). By default, the servers that accept Kerberos logins will allow a user to log in to an account if their Kerberos principal matches the account name. The presence of a .k5login file overrides this logic and only principals listed in that file will be permitted to log in to that account. See UNIX Kerberos Commands in the user guide for more information on creating a .k5login file. If the account names on your system generally do not match SUNet IDs, you may wish to create an empty /etc/skel/.k5login file, which will be copied to the home directory of any new account you create.
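The account check described above can be scripted. The following is an added example, not part of the original guide: for each login-enabled account in a passwd-format file it reports whether .k5login is absent, empty, or lists principals. The function names, the shell-based test for "logins enabled", and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: how Kerberos login authorization resolves per account.
#   default    - no ~/.k5login: the principal matching the account name may log in
#   deny       - empty ~/.k5login: no principal may log in
#   list:N     - only the N principals listed in ~/.k5login may log in
#   unreadable - ~/.k5login exists but cannot be read (run the audit as root)
audit_k5login() {
    passwd_file=$1
    while IFS=: read -r name pw uid gid gecos home shell; do
        # Assumption: a nologin/false shell means logins are disabled.
        case "$shell" in
            */nologin|*/false) continue ;;
        esac
        k5="$home/.k5login"
        if [ ! -e "$k5" ]; then
            status=default
        elif [ ! -r "$k5" ]; then
            status=unreadable
        else
            # Each non-blank line names one permitted principal.
            n=$(grep -c '[^[:space:]]' "$k5" || true)
            if [ "$n" -eq 0 ]; then status=deny; else status="list:$n"; fi
        fi
        printf '%s\t%s\n' "$name" "$status"
    done < "$passwd_file"
}

# Constructed sample data (hypothetical accounts) in a temporary directory.
k5login_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/svc" "$d/shared"
    : > "$d/svc/.k5login"
    printf 'alice@stanford.edu\nbob@stanford.edu\n' > "$d/shared/.k5login"
    cat > "$d/passwd" <<EOF
alice:x:1000:1000::$d/alice:/bin/bash
svc:x:1001:1001::$d/svc:/bin/sh
shared:x:1002:1002::$d/shared:/bin/bash
daemon:x:1:1::/usr/sbin:/usr/sbin/nologin
EOF
    audit_k5login "$d/passwd"
    rm -rf "$d"
}

k5login_demo
```

On a real system, run audit_k5login /etc/passwd as root and compare every account reported as default against the SUNet ID of the person who is supposed to own it.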
To authenticate connections to your system using Kerberos, the system needs its own Kerberos service principal and a keytab for that principal. The service principal is an account in Kerberos, similar to a SUNet ID but for a service instead of a person. The keytab is, in essence, the password for that account stored in a file on your system. For information on how to obtain a service principal, see Downloading Keytabs with Wallet.
The SSH server in Debian or Ubuntu (in the openssh-server package) includes GSSAPI support, but that support is disabled by default. To enable it, add:
to /etc/ssh/sshd_config. You can ignore the Kerberos* options; those are
for an older version of Kerberos support that's not recommended or
particularly useful. After modifying this file, restart sshd with
This only adds Kerberos support for users who have a Kerberos-aware SSH client. To allow users to log in with a username and password but check that password against Kerberos and use it to acquire Kerberos tickets, enable PAM support in sshd (UsePAM in /etc/ssh/sshd_config) and see the next section.
If you want to allow Kerberos rlogin, rsh, and rcp connections, run:
aptitude install krb5-rsh-server
This will install the necessary programs and add the Kerberos rlogin and rsh services to /etc/inetd.conf.
Logins with a username and password, which includes console logins, login managers such as gdm or kdm, SSH with a username and password, and screen lock programs, use PAM to verify that password and to obtain user credentials such as Kerberos tickets. Therefore, enabling use of Kerberos passwords for local login means adding a Kerberos PAM module to your PAM configuration.
First, install the Kerberos PAM module with:
aptitude install libpam-krb5
Then, read /usr/share/doc/libpam-krb5/README.Debian, which explains how to configure your system to use this module. You may also want to read the pam_krb5 man page.