
Configure OS X for Kerberos single sign-on authentication

If you have an existing Kerberos Linux server, you can tie a Mac OS X client into it. Vincent Danen takes you through this tricky configuration.

Kerberos can be a pain to set up, but it is immensely useful once properly configured. It provides Single Sign-On (SSO) authentication: you obtain a ticket once and use that ticket to access any service that supports Kerberos (a "kerberized" service). Many companies and educational institutions use Kerberos to provide SSO for resources such as file sharing, Web sites, and so forth.

Setting up a Kerberos client on Linux is very straightforward, and many tools exist to help with the initial setup. Setting up Mac OS X as a client, however, is not as easy, particularly if you are not using OS X Server as the authentication and credential service (i.e., a Linux server is the Kerberos KDC and admin server). There is no automatic setup, and the documentation is sparse and often confusing.

If you have an existing Kerberos server (we'll assume a Linux server), you can tie an OS X client into it. The first step is to create the file /Library/Preferences/edu.mit.Kerberos, which plays the role of /etc/krb5.conf on Linux distributions. If the realm you are joining is EXAMPLE.COM, /Library/Preferences/edu.mit.Kerberos would contain:

[domain_realm]
        .example.com = "EXAMPLE.COM"
        example.com = "EXAMPLE.COM"
[libdefaults]
        default_realm = "EXAMPLE.COM"
        dns_fallback = "yes"
        noaddresses = "TRUE"
[realms]
        EXAMPLE.COM = {
                admin_server = "kerberos.example.com.:749"
                default_domain = "example.com"
                kdc = "kerberos.example.com.:88"
        }

The above assumes that the Kerberos KDC and the admin server are the same host, kerberos.example.com. The next step is to edit /etc/authorization. This is where you tell OS X to obtain Kerberos credentials at login, so you do not have to run the kinit tool by hand after logging in. In OS X 10.5 and 10.6, open the file and search for the string system.login.console. In that section there is a line that reads <string>builtin:authenticate,privileged</string>; change it to <string>builtin:krb5authnoverify,privileged</string>, so that the mechanisms array looks like this:

<key>mechanisms</key>
<array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:krb5authnoverify,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
</array>

Make a backup of /etc/authorization before changing it, just in case. You will also need root privileges to change the file, so edit it with vim or nano via sudo (i.e., sudo vim /etc/authorization).

You will still have to use kinit to renew tickets once they have expired. OS X 10.5 ships a Kerberos.app that can also be used to obtain tickets and configure Kerberos; in 10.6 it was replaced by the Ticket Viewer application in /System/Library/CoreServices/, which is not nearly as feature-rich as the old Kerberos.app but does let you obtain and renew tickets manually.

Once this is done, reboot the system. When you next log in, open a Terminal and run the klist command: you should already have a ticket-granting ticket, which lets you use any kerberized service to which you have access.

$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: joe@EXAMPLE.COM
Valid Starting     Expires            Service Principal
09/07/09 15:38:07  09/08/09 15:38:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 09/07/09 15:38:07
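The three steps above (write the Kerberos configuration, back up and patch /etc/authorization, verify the ticket-granting ticket after login) scripted as POSIX shell functions. This is an added example, not code from the article or from Apple; the ROOT variable, the function names, the backup file naming and the lowercasing of the realm into a DNS domain are conventions of this script. It targets the 10.5/10.6 /etc/authorization layout described above and restricts the substitution to the system.login.console block, so the same mechanism name under any other right is left alone.

```sh
#!/bin/sh
# Added example (not from the article). ROOT is an assumption of this
# script, not an OS X convention: it lets you stage the files under a scratch
# directory (ROOT=/tmp/stage) and inspect them before running the same
# functions against the live system as root.
ROOT="${ROOT:-/}"

# write_krb5_config REALM KDC_HOST
# Writes ROOT/Library/Preferences/edu.mit.Kerberos for REALM with one host
# acting as KDC (port 88) and admin server (port 749), as in the article.
# The DNS domain is derived by lowercasing the realm name.
write_krb5_config() {
    realm="$1"; kdc="$2"
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    out="$ROOT/Library/Preferences/edu.mit.Kerberos"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<EOF
[domain_realm]
        .$domain = "$realm"
        $domain = "$realm"
[libdefaults]
        default_realm = "$realm"
        dns_fallback = "yes"
        noaddresses = "TRUE"
[realms]
        $realm = {
                admin_server = "$kdc.:749"
                default_domain = "$domain"
                kdc = "$kdc.:88"
        }
EOF
    printf '%s\n' "$out"
}

# console_block FILE: prints only the system.login.console dict of an
# /etc/authorization file (10.5/10.6 layout), so the edit below cannot
# touch the same mechanism name used by any other right.
console_block() {
    sed -n '/<key>system.login.console<\/key>/,/<\/dict>/p' "$1"
}

# patch_authorization
# Backs up ROOT/etc/authorization to authorization.bak-<timestamp>, then
# swaps builtin:authenticate,privileged for builtin:krb5authnoverify,privileged
# inside system.login.console only. Idempotent: a second run changes nothing.
patch_authorization() {
    auth="$ROOT/etc/authorization"
    [ -f "$auth" ] || { echo "missing $auth" >&2; return 1; }
    if console_block "$auth" | grep -q 'builtin:krb5authnoverify,privileged'; then
        echo "$auth already uses krb5authnoverify; nothing to do" >&2
        return 0
    fi
    if ! console_block "$auth" | grep -q 'builtin:authenticate,privileged'; then
        echo "system.login.console layout not as expected; file left untouched" >&2
        return 2
    fi
    cp -p "$auth" "$auth.bak-$(date +%Y%m%d%H%M%S)" || return 1
    sed '/<key>system.login.console<\/key>/,/<\/dict>/s|<string>builtin:authenticate,privileged</string>|<string>builtin:krb5authnoverify,privileged</string>|' \
        "$auth" > "$auth.tmp" && mv "$auth.tmp" "$auth" || return 1
    # A malformed /etc/authorization can lock everyone out at the login
    # window, so lint the plist where plutil exists (it does on OS X).
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$auth" >/dev/null || return 3
    fi
}

# tgt_present KLIST_OUTPUT_FILE REALM
# Returns 0 when saved klist output lists a ticket-granting ticket for REALM.
# After logging in: klist > /tmp/klist.$$; tgt_present /tmp/klist.$$ EXAMPLE.COM
tgt_present() {
    grep -q "krbtgt/$2@$2" "$1"
}
```

Stage first with ROOT=/tmp/stage (after copying the real /etc/authorization into /tmp/stage/etc/), read the diff against the backup, and only then run the two functions with ROOT=/ under sudo. If patch_authorization returns 2, the file does not match the layout in the article and should be edited by hand rather than by the script.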

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
