A great predecessor already left an article, "Authenticating FreeBSD/NetBSD against OpenDirectory", but since then the Kerberos implementation in OS X has switched from MIT Kerberos to Heimdal, so I'm going to have a go at writing this up anyway. Well, I suspect the only real difference is that where MIT's kadmin uses ktadd, Heimdal's kadmin uses ext_keytab.
Oh, and strictly speaking it's 10.0-RC5 rather than 10-R, but that's within the margin of error, right? (lol)
As usual, my Kerberos setup at home is as follows:
Kerberos Realm: HYRULE.JP
KDC: flora.hyrule.jp
FreeBSD: kyoka.hyrule.jp
First, the OS X side, which is the KDC:
goro@flora:~$ sudo kadmin -l
kadmin> add --random-key host/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> ext_keytab -k /tmp/freebsd.keytab host/kyoka.hyrule.jp
kadmin> exit
goro@flora:~$ sudo chown goro /tmp/freebsd.keytab
goro@flora:~$ scp /tmp/freebsd.keytab kyoka:~

(The keytab is the host's long-term key, so once it has been copied over, rm /tmp/freebsd.keytab on flora rather than leaving it sitting in a shared directory.)
I had been dreaming that once you write krb5.conf the needed parts of krb5.keytab would get copied over automatically, but apparently a manual copy is required... Fine while the number of servers I manage is in the single digits, but beyond that it looks painful. Is there a write-up of tips for this sort of thing somewhere?
Next, the FreeBSD side. Oh, as I wrote before, this assumes nss_ldap and friends are already installed on the FreeBSD box (though the only part that's really involved here is probably /etc/pam.d?).
goro@kyoka:~$ sudo mv freebsd.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ ls -l /etc/krb5.keytab
-rw-------  1 root  staff  257 Jan 19 13:33 /etc/krb5.keytab
goro@kyoka:~$ cat /etc/krb5.conf
[libdefaults]
	default_realm = HYRULE.JP

[domain_realm]
	.hyrule.jp = HYRULE.JP
	hyrule.jp = HYRULE.JP

[realms]
	HYRULE.JP = {
		kdc = flora.hyrule.jp
		default_domain = hyrule.jp
	}
Then enable the commented-out pam_krb5.so lines in /etc/pam.d/system and /etc/pam.d/sshd, and add GSSAPIAuthentication yes to /etc/ssh/sshd_config (the default is no). Strictly speaking, the pam_krb5.so lines are for password logins validated against the KDC; the GSSAPI login below is authenticated by sshd against the host key in /etc/krb5.keytab and does not go through pam_krb5's auth step.
Now grab a ticket and ssh in:
goro@sara:~$ klist
klist: krb5_cc_get_principal: No credentials cache file found
goro@sara:~$ kinit
goro@HYRULE.JP's Password:
goro@sara:~$ klist
Credentials cache: API:A5ED05A0-2020-4272-AAEE-BF7B5679D777
        Principal: goro@HYRULE.JP

  Issued                Expires               Principal
Jan 19 14:25:08 2014  Jan 20 00:25:05 2014  krbtgt/HYRULE.JP@HYRULE.JP
goro@sara:~$ ssh -v -K kyoka.hyrule.jp
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/goro/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to kyoka.hyrule.jp [192.168.0.4] port 22.
debug1: Connection established.
debug1: identity file /Users/goro/.ssh/id_rsa type -1
debug1: identity file /Users/goro/.ssh/id_rsa-cert type -1
debug1: identity file /Users/goro/.ssh/id_dsa type 2
debug1: identity file /Users/goro/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4_hpn13v11 FreeBSD-20131111
debug1: match: OpenSSH_6.4_hpn13v11 FreeBSD-20131111 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
debug1: Host 'kyoka.hyrule.jp' is known and matches the RSA host key.
debug1: Found key in /Users/goro/.ssh/known_hosts:20
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to kyoka.hyrule.jp ([192.168.0.4]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = ja_JP.UTF-8
Last login: Fri Jan 19 13:40:31 2014 from flora.hyrule.jp
FreeBSD 10.0-RC5 (GENERIC) #0 r260430: Wed Jan  8 05:10:04 UTC 2014

Welcome to FreeBSD!
goro@kyoka:~$
So GSSAPI authentication goes through, happily. One thing to be aware of: -K turns on both GSSAPIAuthentication and GSSAPIDelegateCredentials, which is why the log says "Delegating credentials": the client forwards a copy of your TGT to kyoka. Only do that for hosts you would trust with your identity; for a plain login, -o GSSAPIAuthentication=yes without delegation is enough.
Incidentally, for netatalk the same principal name as OS X Server uses apparently works, so it goes like this:
goro@flora:~$ sudo kadmin -l
kadmin> add --random-key afpserver/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> ext_keytab -k /tmp/freebsd2.keytab host/kyoka.hyrule.jp afpserver/kyoka.hyrule.jp
kadmin> exit
goro@flora:~$ sudo chown goro /tmp/freebsd2.keytab
goro@flora:~$ scp /tmp/freebsd2.keytab kyoka:~
goro@kyoka:~$ sudo mv freebsd2.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ grep uam /usr/local/etc/afp.conf
uam list = uams_dhx2.so uams_gss.so
I've also enabled pam_krb5.so in /etc/pam.d/netatalk, so honestly I'm not sure whether uams_gss.so needs to be listed in afp.conf at all. But with log level = default:maxdebug you get:
Jan 19 21:10:59.876239 afpd[68076] {auth.c:1043} (D5:AFPDaemon): uam: loading (/usr/local/libexec/netatalk-uams//uams_gss.so)
Jan 19 21:10:59.877414 afpd[68076] {uams_gss.c:567} (D5:AFPDaemon): gss_create_principal: using first entry from keytab as service principal
Jan 19 21:10:59.877569 afpd[68076] {uams_gss.c:506} (I:AFPDaemon): Using AFP Kerberos service principal name: host/kyoka.hyrule.jp@HYRULE.JP
Jan 19 21:10:59.877616 afpd[68076] {auth.c:1050} (D5:AFPDaemon): uam: uams_gss.so loaded
Jan 19 21:10:59.877678 afpd[68076] {status.c:644} (I:AFPDaemon): signature is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jan 19 21:10:59.877697 afpd[68076] {afp_config.c:106} (D5:AFPDaemon): DSIConfigInit: hostname: kyoka, listen: -, interfaces: -, port: 548
Jan 19 21:10:59.879796 afpd[68076] {auth.c:110} (I:AFPDaemon): uam: "Client Krbv2" available
and
Jan 19 21:13:44.277424 afpd[68092] {afp_dsi.c:610} (D5:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Jan 19 21:13:44.277680 afpd[68092] {uams_gss.c:438} (D5:UAMS): FPLoginCont: client thinks user is goro
Jan 19 21:13:44.277949 afpd[68092] {uams_gss.c:251} (D5:UAMS): FPLoginCont: accepting context (ticketlen: 639)
Jan 19 21:13:44.300978 afpd[68092] {uams_gss.c:85} (D5:UAMS): FPLoginCont: context flag: GSS_C_MUTUAL_FLAG
Jan 19 21:13:44.301237 afpd[68092] {uams_gss.c:87} (D5:UAMS): FPLoginCont: context flag: GSS_C_REPLAY_FLAG
Jan 19 21:13:44.301272 afpd[68092] {uams_gss.c:91} (D5:UAMS): FPLoginCont: context flag: GSS_C_CONF_FLAG
Jan 19 21:13:44.301513 afpd[68092] {uams_gss.c:93} (D5:UAMS): FPLoginCont: context flag: GSS_C_INTEG_FLAG
Jan 19 21:13:44.302270 afpd[68092] {uams_gss.c:123} (D5:UAMS): FPLoginCont: service principal is `afpserver/kyoka.hyrule.jp@HYRULE.JP'
Jan 19 21:13:44.302727 afpd[68092] {uams_gss.c:160} (D5:UAMS): FPLoginCont: user principal is `goro@HYRULE.JP'
Jan 19 21:13:44.411188 afpd[68092] {auth.c:232} (N:AFPDaemon): AFP3.3 Login by goro
so uams_gss at least appears to be doing its job. Note that at startup it logged host/kyoka.hyrule.jp@HYRULE.JP as the service principal name (simply the first entry in the keytab), yet the accepted context is for afpserver/kyoka.hyrule.jp@HYRULE.JP: the client asked for the afpserver service and the acceptor matched that ticket against the afpserver key in the keytab.
By the way, if the keytab you made earlier is still around, it seems you can give ext_keytab just afpserver and it merges into it automatically. In fact, not knowing that, I specified both and ended up with a broken-looking keytab that had host in it twice...
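Both the keytab install on the FreeBSD side (does /etc/krb5.keytab hold exactly the entries you meant to put there?) and the doubled host entry just described are easy to check offline, because a keytab is a simple binary format. What follows is an added example, not code from this post and not part of Heimdal or MIT Kerberos: a parser for the format-2 (0x0502) keytab that both Heimdal's ext_keytab and MIT's ktadd write, plus a check for entries stored more than once and, as a generalization the post does not cover, for stale keys left behind when a principal is rekeyed to a higher kvno. The sample keytab it builds is constructed (dummy key bytes, the post's principal names, and a hypothetical afpserver rekey to kvno 2); run it with a path argument to inspect a real /etc/krb5.keytab instead.

```python
"""Added example: parse a format-2 Kerberos keytab offline and flag duplicate or
stale entries (the 'host twice' keytab from the post). Not Heimdal/MIT code."""
import struct
from collections import Counter
from dataclasses import dataclass

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}

@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL, 3 = KRB5_NT_SRV_HST
    timestamp: int   # unix time the entry was written
    kvno: int
    enctype: int
    key: bytes

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b      # 16-bit length-prefixed string

def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> list:
    """Decode a 0x0502 keytab as written by Heimdal's ext_keytab and MIT's ktadd."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size = deleted entry, skip the hole
            off += -size
            continue
        ent, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, p); p += 2
        realm, p = _read_counted(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(ent, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", ent, p); p += 9
        enctype, klen = struct.unpack_from(">HH", ent, p); p += 4
        key, p = ent[p:p + klen], p + klen
        kvno = vno8
        if size - p >= 4:             # optional trailing 32-bit kvno wins if non-zero
            (vno32,) = struct.unpack_from(">I", ent, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off += size
    return entries

def build_keytab(entries) -> bytes:
    """Inverse of parse_keytab, used here to construct the sample file."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # 32-bit kvno, as MIT writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def find_duplicates(entries):
    """(principal, enctype, kvno) stored more than once: the 'host twice' keytab."""
    seen = Counter((e.principal, e.enctype, e.kvno) for e in entries)
    return sorted(k for k, n in seen.items() if n > 1)

def find_stale(entries):
    """Keys superseded by a higher kvno for the same principal and enctype."""
    newest = {}
    for e in entries:
        k = (e.principal, e.enctype)
        newest[k] = max(newest.get(k, 0), e.kvno)
    return sorted({(e.principal, e.enctype, e.kvno) for e in entries
                   if e.kvno < newest[(e.principal, e.enctype)]})

def describe(entries):
    """One line per entry, roughly what `ktutil list` prints."""
    return ["%4d %-24s %s" % (e.kvno, ENCTYPES.get(e.enctype, str(e.enctype)), e.principal)
            for e in entries]

# Constructed sample, not the author's keytab (keys are dummy bytes): host/ extracted
# twice as in the post, plus a hypothetical afpserver rekey to kvno 2 that left kvno 1 behind.
_HOST, _AFP = "host/kyoka.hyrule.jp@HYRULE.JP", "afpserver/kyoka.hyrule.jp@HYRULE.JP"
SAMPLE_ENTRIES = [
    KeytabEntry(_HOST, 1, 1390105980, 1, 18, bytes(range(32))),
    KeytabEntry(_AFP, 1, 1390105980, 1, 18, b"\x11" * 32),
    KeytabEntry(_HOST, 1, 1390105980, 1, 18, bytes(range(32))),
    KeytabEntry(_AFP, 1, 1390133400, 2, 18, b"\x22" * 32),
]
SAMPLE = build_keytab(SAMPLE_ENTRIES)
# The same file behind a deleted-entry hole, as a keytab looks after `ktutil remove`.
SAMPLE_WITH_HOLE = SAMPLE[:2] + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE[2:]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    ents = parse_keytab(data)
    print("\n".join(describe(ents)))
    print("duplicates:", find_duplicates(ents), "stale:", find_stale(ents))
```

On the sample, find_duplicates reports the host entry stored twice and find_stale reports the kvno 1 afpserver key. A keytab with a duplicate is mostly an untidiness problem, but a stale key is a real one: an attacker who ever obtained the old keytab can still mint tickets the service will accept until that entry is removed, so after any rekey confirm with this (or ktutil list) that only the current kvno remains.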