Kerberos fun

Vincent Danen

July 16, 2009

This actually isn't a sarcastic title, for once. I'm actually having a blast fiddling with Kerberos these last few days. I was put into a position to do some Kerberos debugging for work, so had to re-set up a Kerberos realm at home to do the testing. Of course, at the time I also updated my "Using Kerberos 5 for Single Sign-On Authentication", which was a little out of date. So I updated that to be relevant to RHEL rather than Annvix, and fixed a few bits that were outdated.

Then I did more poking around and figured out a few bits that were preventing me from actually using it years ago when I first set up a Kerberos realm (didn't seem overly useful to me at the time). I've got my OS X workstation kerberized which was... not as straightforward as I would hope, but not awful (LDAP authentication from OpenLDAP is another matter entirely... still haven't nailed that yet). So right now on my network I have my workstation, my server, and two VMs kerberized -- just for SSH now (which doesn't seem really amazing since I've been using SSH keys for years so no passwords, but this seems even more hands-off and will help with future VM deployments since it should all be out-of-the-box).

Then I've been poking around and found that you can hook MediaWiki up to LDAP/Kerberos for auth. I never knew that. All of a sudden this seems a lot cooler. Oh, and Subversion apparently works with Kerberos (using mod_auth_kerb). Then, the icing on the cake was to see a python-kerberos module which makes this way too interesting to ignore since I've been doing some Python coding recently and have really enjoyed it, and some future projects/ideas could really benefit from some Kerberos love.

Anyways, as I figure new bits out, I'll be updating my linsec.ca wiki article -- the info is out there but some of it isn't the easiest to grok. Hopefully I can make it a bit more accessible/readable in the future.
