OpenBSD @ Iowa State


Setting up Kerberos Clients

Take a look at the OpenBSD FAQ section on Kerberos. For use at Iowa State, set up krb.conf and krb.realms as follows:
/etc/kerberosIV/krb.conf
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos-2.iastate.edu

/etc/kerberosIV/krb.realms
iastate.edu IASTATE.EDU
.iastate.edu IASTATE.EDU

This tells Kerberos on your machine where the servers for the IASTATE.EDU realm are (krb.conf) and which hostnames belong to that realm (krb.realms). You can ignore the FAQ material on setting up a Kerberos server; at this point we are only concerned with getting an encrypted telnet session.
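As an added illustration (not code from the original page), the following Python script parses the two files above and resolves a hostname to its realm and server list, applying the matching rule those files encode: an exact hostname entry is tried first, then the longest leading-dot domain entry. The sample file contents are the ones shown above, embedded as constants.

```python
# Constructed sample input: the two files shown above for the IASTATE.EDU realm.
KRB_CONF = """\
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos-2.iastate.edu
"""
KRB_REALMS = """\
iastate.edu IASTATE.EDU
.iastate.edu IASTATE.EDU
"""


def parse_krb_conf(text):
    """krb.conf: 'REALM host [admin server]' -> {realm: [(host, is_admin)]}."""
    servers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or a line naming no server host
        is_admin = fields[2:4] == ["admin", "server"]
        servers.setdefault(fields[0], []).append((fields[1], is_admin))
    return servers


def parse_krb_realms(text):
    """krb.realms: 'name REALM' -> {name: REALM}; a leading '.' marks a domain."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            mapping[fields[0].lower()] = fields[1]
    return mapping


def realm_of_host(hostname, realms):
    """Exact hostname entry first, then the longest matching '.domain' entry.
    The dot matters: 'evil-iastate.edu' must not match '.iastate.edu'."""
    host = hostname.lower().rstrip(".")
    if host in realms:
        return realms[host]
    suffixes = [n for n in realms if n.startswith(".") and host.endswith(n)]
    return realms[max(suffixes, key=len)] if suffixes else None


def servers_for_host(hostname, conf_text=KRB_CONF, realms_text=KRB_REALMS):
    """Realm and KDC list the client would use when contacting hostname."""
    realm = realm_of_host(hostname, parse_krb_realms(realms_text))
    return realm, parse_krb_conf(conf_text).get(realm, [])


if __name__ == "__main__":
    for h in ("isua4.iastate.edu", "iastate.edu", "evil-iastate.edu"):
        print(h, "->", servers_for_host(h))
```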

Once you have that set up, you can get a ticket:

gatekeeper:tkula {103} kinit kula@IASTATE.EDU
The OpenBSD Project (gatekeeper.madscientistresearch.net)
Kerberos Initialization for "kula@IASTATE.EDU"
Password:

See which tickets you have:

gatekeeper:tkula {104} klist
Ticket file: /tmp/tkt1000
Principal: kula@IASTATE.EDU
Issued Expires Principal
Mar 13 10:23:50 Mar 13 20:23:50 krbtgt.IASTATE.EDU@IASTATE.EDU

Now that you have a ticket for the IASTATE.EDU realm, you can telnet to a Project Vincent machine and have the connection encrypted. I was unable to connect properly through the isua.iastate.edu round-robin name, but connecting to a specific machine worked fine:

gatekeeper:tkula {111} telnet -l kula isua4.iastate.edu
Trying 129.186.1.204...
Connected to isua4.iastate.edu.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]

Using encryption for Input and Output
login: kula
password:
Last login: Tue Mar 13 08:45:33 from infinity.madscie
Processes soft limited to 5 CPU minutes
Processes hard limited to 5 CPU minutes

Welcome to Project Vincent (OSF1 4.0)

Note that I used the -l flag with telnet: my username on my local machine is different from my username on Project Vincent, and the -l flag passes my PV username to the remote machine.

Remember, when you are done, to destroy your tickets:

gatekeeper:tkula {112} kdestroy
Tickets destroyed.

This was demoed on an i386 machine running OpenBSD 2.6 (with patches). The machine is located behind a NATing firewall. Your mileage may vary.

This page borrows some information from D. Joe Anderson's Linux-Acropolis-Enabling-mini-HOWTO. Linux users should look there for information. It should be noted that all errors in this document are my responsibility, not his.

Questions, comments and suggestions can be directed to kula@iastate.edu.