Adding FreeBSD 10-R to the Kerberos realm of OS X Server 3.0

An eminent predecessor already wrote up authenticating FreeBSD/NetBSD against OpenDirectory, but since then OS X's Kerberos implementation has switched from MIT Kerberos to Heimdal, so here is a fresh write-up anyway. Well, I have a feeling the difference amounts to little more than this: where MIT's kadmin uses ktadd, Heimdal's kadmin uses ext_keytab.

(Strictly speaking it's 10.0-RC5 rather than 10-R, but let's call that a rounding error.)

As usual, my Kerberos environment is as follows:

Kerberos Realm: HYRULE.JP
KDC: flora.hyrule.jp
FreeBSD: kyoka.hyrule.jp

First, the OS X side, which acts as the KDC. ext_keytab writes the extracted key into the file named by -k; that file is the FreeBSD host's long-term secret, so it should only travel over an authenticated channel such as the scp shown here, and it should be removed from /tmp once copied:

goro@flora:~$ sudo kadmin -l
kadmin> add --random-key host/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> ext_keytab -k /tmp/freebsd.keytab host/kyoka.hyrule.jp
kadmin> exit
goro@flora:~$ sudo chown goro /tmp/freebsd.keytab
goro@flora:~$ scp /tmp/freebsd.keytab kyoka:~

I had been hoping that once krb5.conf was written, the relevant parts of krb5.keytab would get copied over automatically, but apparently a manual copy is required... Fine while the number of servers to manage is in the single digits, but beyond that it looks painful. I wonder whether there's a collection of tips for this somewhere...

Next, the FreeBSD side. As I wrote earlier, this assumes nss_ldap and friends are already set up on the FreeBSD side (though about the only thing that matters here is /etc/pam.d?)

goro@kyoka:~$ sudo mv freebsd.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ ls -l /etc/krb5.keytab
-rw-------  1 root  staff  257  Jan 19 13:33 /etc/krb5.keytab
goro@kyoka:~$ cat /etc/krb5.conf
[libdefaults]
       default_realm = HYRULE.JP
[domain_realm]
        .hyrule.jp = HYRULE.JP
        hyrule.jp = HYRULE.JP
[realms]
        HYRULE.JP = {
                kdc = flora.hyrule.jp
                default_domain = hyrule.jp
        }

That leaves enabling the commented-out pam_krb5.so lines in /etc/pam.d/system and /etc/pam.d/sshd, and adding GSSAPIAuthentication yes to /etc/ssh/sshd_config (the default is no). The host keytab installed above matters for the PAM path as well, not only for GSSAPI: FreeBSD's pam_krb5 verifies a freshly obtained TGT against the host/ key so that a spoofed KDC cannot get a password login accepted, and that check is only skipped if the module is given the allow_kdc_spoof option.
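A quick offline check of the three settings above, written as an added example (not code from the post): it parses the krb5.conf shown above, resolves the realm for a host the way [domain_realm] is documented to work (an exact hostname entry first, then the longest parent domain written with a leading dot, then default_realm), confirms that realm has a kdc line, and reads sshd_config the way sshd does (the first value of a keyword wins, and anything after a Match line is conditional). The sshd_config text is constructed to look like the stock file with the option commented out, plus the line the post adds.

```python
"""Offline sanity check of krb5.conf and sshd_config for a GSSAPI login host.

Added example, not code from the original post.  KRB5_CONF is the file shown
in the post; the two sshd_config snippets are constructed for the example.
"""
import re


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, key = value lines and
    key = { ... } sub-blocks (the per-realm stanzas), as nested dicts.
    Section names are lower-cased; keys keep their case (realm names are
    case-sensitive)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1).lower(), {})]
            continue
        if not stack:
            raise ValueError("directive before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(conf, host):
    """Apply the [domain_realm] rules: exact hostname entry first, then the
    longest parent domain written with a leading dot, else default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def sshd_option(text, keyword):
    """Global value of an sshd_config keyword, or None if it is not set.
    sshd takes the first value it sees, and lines after a Match block only
    apply conditionally, so the scan stops at the first Match line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def check_gssapi_host(krb5_text, sshd_text, fqdn, realm):
    """The checks a failed gssapi-with-mic login usually comes down to."""
    conf = parse_krb5_conf(krb5_text)
    realm_block = conf.get("realms", {}).get(realm, {})
    gss = (sshd_option(sshd_text, "GSSAPIAuthentication") or "no").lower()
    return {
        "default_realm_set": conf.get("libdefaults", {}).get("default_realm") == realm,
        "host_maps_to_realm": realm_for_host(conf, fqdn) == realm,
        "realm_has_kdc": bool(realm_block.get("kdc")),
        "sshd_gssapi_on": gss == "yes",
    }


# The krb5.conf from the post.
KRB5_CONF = """[libdefaults]
       default_realm = HYRULE.JP
[domain_realm]
        .hyrule.jp = HYRULE.JP
        hyrule.jp = HYRULE.JP
[realms]
        HYRULE.JP = {
                kdc = flora.hyrule.jp
                default_domain = hyrule.jp
        }
"""
# Constructed: the stock sshd_config lines (option commented out) and the fix.
SSHD_STOCK = "# GSSAPI options\n#GSSAPIAuthentication no\n#GSSAPICleanupCredentials yes\n"
SSHD_FIXED = SSHD_STOCK + "GSSAPIAuthentication yes\n"

if __name__ == "__main__":
    for label, text in (("stock", SSHD_STOCK), ("fixed", SSHD_FIXED)):
        print(label, check_gssapi_host(KRB5_CONF, text, "kyoka.hyrule.jp", "HYRULE.JP"))
```

Because sshd uses the first value it finds, appending the line at the end of sshd_config only works when no earlier uncommented GSSAPIAuthentication line exists; the checker reports the value sshd would actually use.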

Now get a ticket and ssh in. Note that -K enables GSSAPI authentication and also forwards the TGT to the server (that is the "Delegating credentials" line in the output below); for a login without handing the server your credentials, use -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no instead.

goro@sara:~$ klist
klist: krb5_cc_get_principal: No credentials cache file found
goro@sara:~$ kinit
goro@HYRULE.JP's Password:
goro@sara:~$ klist
Credentials cache: API:A5ED05A0-2020-4272-AAEE-BF7B5679D777
        Principal: goro@HYRULE.JP

  Issued                Expires               Principal
Jan 19 14:25:08 2014  Jan 20 00:25:05 2014  krbtgt/HYRULE.JP@HYRULE.JP
goro@sara:~$ ssh -v -K kyoka.hyrule.jp
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/goro/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to kyoka.hyrule.jp [192.168.0.4] port 22.
debug1: Connection established.
debug1: identity file /Users/goro/.ssh/id_rsa type -1
debug1: identity file /Users/goro/.ssh/id_rsa-cert type -1
debug1: identity file /Users/goro/.ssh/id_dsa type 2
debug1: identity file /Users/goro/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4_hpn13v11 FreeBSD-20131111
debug1: match: OpenSSH_6.4_hpn13v11 FreeBSD-20131111 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
debug1: Host 'kyoka.hyrule.jp' is known and matches the RSA host key.
debug1: Found key in /Users/goro/.ssh/known_hosts:20
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to kyoka.hyrule.jp ([192.168.0.4]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = ja_JP.UTF-8
Last login: Fri Jan 19 13:40:31 2014 from flora.hyrule.jp
FreeBSD 10.0-RC5 (GENERIC) #0 r260430: Wed Jan  8 05:10:04 UTC 2014

Welcome to FreeBSD!
goro@kyoka:~$

So GSSAPI authentication goes through, as hoped.

By the way, netatalk seems happy with the same principal name that OS X Server itself uses (afpserver/<fqdn>), so it goes like this:

goro@flora:~$ sudo kadmin -l
kadmin> add --random-key afpserver/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> ext_keytab -k /tmp/freebsd2.keytab host/kyoka.hyrule.jp afpserver/kyoka.hyrule.jp
kadmin> exit
goro@flora:~$ sudo chown goro /tmp/freebsd2.keytab
goro@flora:~$ scp /tmp/freebsd2.keytab kyoka:~
goro@kyoka:~$ sudo mv freebsd2.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ grep uam /usr/local/etc/afp.conf
        uam list = uams_dhx2.so uams_gss.so

I've also enabled pam_krb5.so in /etc/pam.d/netatalk, so honestly I don't know whether uams_gss.so needs to be listed in afp.conf as well. But with log level = default:maxdebug you get

Jan 19 21:10:59.876239 afpd[68076] {auth.c:1043} (D5:AFPDaemon): uam: loading (/usr/local/libexec/netatalk-uams//uams_gss.so)
Jan 19 21:10:59.877414 afpd[68076] {uams_gss.c:567} (D5:AFPDaemon): gss_create_principal: using first entry from keytab as service principal
Jan 19 21:10:59.877569 afpd[68076] {uams_gss.c:506} (I:AFPDaemon): Using AFP Kerberos service principal name: host/kyoka.hyrule.jp@HYRULE.JP
Jan 19 21:10:59.877616 afpd[68076] {auth.c:1050} (D5:AFPDaemon): uam: uams_gss.so loaded
Jan 19 21:10:59.877678 afpd[68076] {status.c:644} (I:AFPDaemon): signature is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jan 19 21:10:59.877697 afpd[68076] {afp_config.c:106} (D5:AFPDaemon): DSIConfigInit: hostname: kyoka, listen: -, interfaces: -, port: 548
Jan 19 21:10:59.879796 afpd[68076] {auth.c:110} (I:AFPDaemon): uam: "Client Krbv2" available

and also

Jan 19 21:13:44.277424 afpd[68092] {afp_dsi.c:610} (D5:AFPDaemon): <== Start AFP command: AFP_LOGINCONT
Jan 19 21:13:44.277680 afpd[68092] {uams_gss.c:438} (D5:UAMS): FPLoginCont: client thinks user is goro
Jan 19 21:13:44.277949 afpd[68092] {uams_gss.c:251} (D5:UAMS): FPLoginCont: accepting context (ticketlen: 639)
Jan 19 21:13:44.300978 afpd[68092] {uams_gss.c:85} (D5:UAMS): FPLoginCont: context flag: GSS_C_MUTUAL_FLAG
Jan 19 21:13:44.301237 afpd[68092] {uams_gss.c:87} (D5:UAMS): FPLoginCont: context flag: GSS_C_REPLAY_FLAG
Jan 19 21:13:44.301272 afpd[68092] {uams_gss.c:91} (D5:UAMS): FPLoginCont: context flag: GSS_C_CONF_FLAG
Jan 19 21:13:44.301513 afpd[68092] {uams_gss.c:93} (D5:UAMS): FPLoginCont: context flag: GSS_C_INTEG_FLAG
Jan 19 21:13:44.302270 afpd[68092] {uams_gss.c:123} (D5:UAMS): FPLoginCont: service principal is `afpserver/kyoka.hyrule.jp@HYRULE.JP'
Jan 19 21:13:44.302727 afpd[68092] {uams_gss.c:160} (D5:UAMS): FPLoginCont: user principal is `goro@HYRULE.JP'
Jan 19 21:13:44.411188 afpd[68092] {auth.c:232} (N:AFPDaemon): AFP3.3 Login by goro

so at least uams_gss appears to be doing its job.
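Two details are worth reading out of that log rather than eyeballing it: uams_gss announced host/kyoka.hyrule.jp at load time (it simply took the first keytab entry), while the context it actually accepted was for afpserver/kyoka.hyrule.jp, and the user principal it mapped to the login user is goro@HYRULE.JP. The following added example (not code from the post or from netatalk) parses afpd's log format, correlates the service principal, user principal and Login line of each session by pid, and flags an announced/accepted mismatch and any client principal from a realm other than the one we trust. The first lines are constructed to match the excerpts above; the pid 68100 session is constructed on top of that to show the realm check firing. Also note that PAM only enters the picture for the password UAMs (uams_dhx2 hands the password to PAM), so a ticket-based login like the one logged here needs uams_gss regardless of /etc/pam.d/netatalk.

```python
"""Extract the Kerberos facts from afpd's maxdebug log and flag what looks off.

Added example, not code from the original post or netatalk.  The pid 68076 and
68092 lines mirror the excerpts in the post; pid 68100 is constructed here.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:.]+) (?P<prog>\w+)\[(?P<pid>\d+)\] "
    r"\{(?P<src>[^}]+)\} \((?P<level>[^:]+):(?P<facility>[^)]+)\): (?P<msg>.*)$")
ANNOUNCED_RE = re.compile(r"Using AFP Kerberos service principal name: (\S+)")
SERVICE_RE = re.compile(r"FPLoginCont: service principal is `([^']+)'")
USER_RE = re.compile(r"FPLoginCont: user principal is `([^']+)'")
LOGIN_RE = re.compile(r"AFP[\d.]+ Login by (\S+)")


def parse_afpd_line(line):
    """Split one afpd log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_gss(lines):
    """Return {'announced': principal uams_gss reported when it loaded,
    'logins': [(pid, user principal, service principal, login user), ...]}.
    afpd forks one child per session, so the FPLoginCont lines and the Login
    line of a session share a pid and are correlated on it."""
    announced, pending, logins = None, {}, []
    for line in lines:
        rec = parse_afpd_line(line)
        if rec is None:
            continue
        pid, msg = rec["pid"], rec["msg"]
        m = ANNOUNCED_RE.match(msg)
        if m:
            announced = m.group(1)
            continue
        m = SERVICE_RE.match(msg)
        if m:
            pending.setdefault(pid, {})["service"] = m.group(1)
            continue
        m = USER_RE.match(msg)
        if m:
            pending.setdefault(pid, {})["user"] = m.group(1)
            continue
        m = LOGIN_RE.match(msg)
        if m:
            ctx = pending.pop(pid, {})
            logins.append((pid, ctx.get("user"), ctx.get("service"), m.group(1)))
    return {"announced": announced, "logins": logins}


def findings(summary, trusted_realm):
    """Things worth a second look, as (code, detail) pairs."""
    out = []
    used = sorted({s for _, _, s, _ in summary["logins"] if s})
    for service in used:
        if summary["announced"] and service != summary["announced"]:
            # uams_gss named the first keytab entry at load time; the accepted
            # context was for a different principal in the same keytab.
            out.append(("announced-mismatch", "%s announced, %s used" % (summary["announced"], service)))
    for pid, user, _service, login in summary["logins"]:
        if not user:
            continue
        name, _, realm = user.rpartition("@")
        if realm != trusted_realm:
            out.append(("foreign-realm", "%s logged in as %s (pid %s)" % (user, login, pid)))
        if name != login:
            out.append(("name-mismatch", "%s logged in as %s (pid %s)" % (user, login, pid)))
    return out


# Constructed sample: lines matching the post's excerpts, plus one extra session.
LOG = [
    "Jan 19 21:10:59.877569 afpd[68076] {uams_gss.c:506} (I:AFPDaemon): Using AFP Kerberos service principal name: host/kyoka.hyrule.jp@HYRULE.JP",
    'Jan 19 21:10:59.879796 afpd[68076] {auth.c:110} (I:AFPDaemon): uam: "Client Krbv2" available',
    "Jan 19 21:13:44.277680 afpd[68092] {uams_gss.c:438} (D5:UAMS): FPLoginCont: client thinks user is goro",
    "Jan 19 21:13:44.302270 afpd[68092] {uams_gss.c:123} (D5:UAMS): FPLoginCont: service principal is `afpserver/kyoka.hyrule.jp@HYRULE.JP'",
    "Jan 19 21:13:44.302727 afpd[68092] {uams_gss.c:160} (D5:UAMS): FPLoginCont: user principal is `goro@HYRULE.JP'",
    "Jan 19 21:13:44.411188 afpd[68092] {auth.c:232} (N:AFPDaemon): AFP3.3 Login by goro",
    # constructed: same user name, but the ticket came from a realm we do not trust
    "Jan 19 21:20:01.000000 afpd[68100] {uams_gss.c:123} (D5:UAMS): FPLoginCont: service principal is `afpserver/kyoka.hyrule.jp@HYRULE.JP'",
    "Jan 19 21:20:01.000100 afpd[68100] {uams_gss.c:160} (D5:UAMS): FPLoginCont: user principal is `goro@EXAMPLE.ORG'",
    "Jan 19 21:20:01.100000 afpd[68100] {auth.c:232} (N:AFPDaemon): AFP3.3 Login by goro",
]

if __name__ == "__main__":
    summary = summarize_gss(LOG)
    print(summary)
    for code, detail in findings(summary, "HYRULE.JP"):
        print(code, detail)
```

The announced/used mismatch is cosmetic here, but it is worth pinning down rather than depending on keytab order: afp.conf's k5 service and k5 keytab options name the service principal and the keytab explicitly.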

By the way, if the keytab created earlier is still there, it seems ext_keytab merges into it automatically when you name only afpserver. Not knowing that, I specified both and ended up with a sad-looking keytab containing host twice...
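To see exactly what landed in /etc/krb5.keytab (both for the single host/ keytab installed earlier and for the host-twice file just described), here is an added example, not code from the post or from Heimdal, that parses the keytab file format both Heimdal and MIT write, audits it against the principals the host is supposed to serve, and checks the file mode the way the ls -l above does. Unlike MIT's ktadd, which generates a new random key by default each time it runs, Heimdal's ext_keytab extracts the key the KDC already stores, so re-extracting host/ into the same file appends a second copy of the identical key rather than invalidating the first; the audit reports that as a duplicate. The keytab bytes, kvnos and enctypes below are constructed for the example.

```python
"""Parse and audit a krb5 keytab (format version 2, as written by Heimdal and MIT).

Added example, not code from the original post.  GOOD and DUPLICATED are
constructed in memory with made-up keys to mirror the two cases in the post.
"""
import os
import stat
import struct
import tempfile

KT_MAGIC = b"\x05\x02"   # keytab format v2: big-endian, name_type present
NT_PRINCIPAL = 1         # KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(b):
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize [(principal, kvno, enctype, key), ...] into keytab bytes."""
    out = bytearray(KT_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)          # keyblock
        body += struct.pack(">I", kvno)                             # trailing 32-bit vno
        out += struct.pack(">i", len(body)) + body                  # entry length prefix
    return bytes(out)


class _Cursor:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):
        (n,) = self.unpack(">H")
        self.pos += n
        return self.data[self.pos - n:self.pos]


def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype', 'key'}, ...] in file order."""
    if data[:2] != KT_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    cur, entries = _Cursor(data, 2), []
    while cur.pos < len(data):
        (size,) = cur.unpack(">i")
        if size < 0:                 # negative length marks a deleted slot
            cur.pos += -size
            continue
        end = cur.pos + size
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted()
        comps = [cur.counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = cur.unpack(">IIB")
        (enctype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if end - cur.pos >= 4:       # 32-bit vno present; it wins when non-zero
            (vno32,) = cur.unpack(">I")
            kvno = vno32 or vno8
        cur.pos = end
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def audit_keytab(entries, expected):
    """(missing, unexpected, duplicated) principal lists.  A principal is
    duplicated when the same (kvno, enctype) appears more than once, which is
    what a second ext_keytab of host/ into the same file produces; several
    enctypes or kvnos for one principal are normal."""
    keys = {}
    for e in entries:
        keys.setdefault(e["principal"], []).append((e["kvno"], e["enctype"]))
    names, want = set(keys), set(expected)
    duplicated = sorted(p for p, ks in keys.items() if len(ks) != len(set(ks)))
    return sorted(want - names), sorted(names - want), duplicated


def keytab_mode_ok(path):
    """True when the file is regular with no group/other bits (-rw-------).
    Ownership by root (st_uid == 0) is the other half and is not checked here."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def install_and_inspect(data):
    """Write keytab bytes to a file created with mode 0600 (mkstemp does that
    atomically), read it back, and report the parsed entries and mode check."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        with open(path, "rb") as f:
            return parse_keytab(f.read()), keytab_mode_ok(path)
    finally:
        os.unlink(path)


EXPECTED = ["host/kyoka.hyrule.jp@HYRULE.JP", "afpserver/kyoka.hyrule.jp@HYRULE.JP"]
# Constructed: the intended keytab after both extractions.
GOOD = build_keytab([
    ("host/kyoka.hyrule.jp@HYRULE.JP", 1, 18, bytes(range(32))),
    ("host/kyoka.hyrule.jp@HYRULE.JP", 1, 17, bytes(range(16))),
    ("afpserver/kyoka.hyrule.jp@HYRULE.JP", 1, 18, bytes(range(32, 64))),
])
# Constructed: host/ named again in the second ext_keytab, appended to the old file.
DUPLICATED = GOOD + build_keytab([("host/kyoka.hyrule.jp@HYRULE.JP", 1, 18, bytes(range(32)))])[2:]

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("duplicated", DUPLICATED)):
        entries, mode_ok = install_and_inspect(blob)
        for e in entries:
            print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
        print(label, "mode_ok=%s audit=%s" % (mode_ok, audit_keytab(entries, EXPECTED)))
```

On the real host, parse_keytab(open("/etc/krb5.keytab", "rb").read()) gives the same view as ktutil list, with the audit telling you whether anything besides host/ and afpserver/ is sitting in the file.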
