Note: This site will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device.

It's a weblog! ... sort of.

Tuesday, September 19 2017

OpenBSD, Apache, Kerberos, and Windows 2000

BSD

Admittedly, one topic you won't see very often on the OpenBSD mailing lists is Windows 2000. However, for many of us who use OpenBSD in a corporate environment, Windows, and OpenBSD-Windows integration is an important issue. After the recent post of mod_auth_kerb to to the ports@ mailing list, I decided to take advantage of Kerberos to secure an OpenBSD hosted website, using Windows 2000 as the KDC so I wouldn't have to maintain local accounts. I've documented below how I accomplished it.

Fortunately, I came across this tutorial, which described exactly what I was trying to accomplish, although it wasn't OpenBSD specific. I had to make some changes to account for OpenBSD, and I also decided to take advantage of login_krb5 to eliminate local passwords for login accounts as well.

OpenBSD mod_auth_kerb and login_krb5 setup:

  1. Basic Kerberos configuration with krb5.conf. Here is a basic working configuration for OpenBSD. (/etc/kerberosV/krb5.conf)
    [libdefaults]
        default_realm = EXAMPLE.COM
    
    	# Required for communication with Windows 2000 KDC
    	default_etypes = des-cbc-crc
    	default_etypes_des = des-cbc-crc
    
    [realms]
    	EXAMPLE.COM = {
    		# any Windows 2000 domain controller
    		kdc = example.com
    
    		# specific DC
    		admin_server = dc.example.com
    	}
    
    [domain_realm]
    	.example.com = EXAMPLE.COM
    
    A few notes on the config: "example.com" is the Windows domain name, and dc.example.com is the domain controller where you want to have changes made (I used the PDC Emulator for this). For the KDC, I have used example.com, since all Windows DCs register this A record in DNS, so using example.com will get you a random DC. Alternately, you could specify a list of DCs or a specific DC to use. You should also be able to use DNS SRV records to lookup the KDC, however, I was not able to get this working. Also, note that you do need to specify the default encryption types on OpenBSD. Finally, be aware that it is important for kerberos to work properly for the clock on your system to be in sync with the KDC; you can use ntpd or a cron job running ntpdate to keep your OpenBSD clock accurate.
  2. Test the configuration. To verify that the configuration works, test a kerberos login using kinit:
    $ kinit username@EXAMPLE.COM
    
    You will be prompted for your Windows domain password, and if everything is working, kinit will terminate with no errors. You can verify you have a valid ticket using klist, and remove the ticket using kdestroy.
  3. Create the Windows Service Principal account. Each service running Kerberos will require a separate Windows account to establish a service principal on the Windows KDC. (Although Windows supports multiple Service Principal Names on a single account, this configuration did not work for me) To support both mod_auth_kerb and login_krb5 I created 2 accounts for my openbsd system "puffer": puffer (for login_krb5) and pufferhttp (mod_auth_kerb). The accounts don't need any additional access (Domain Users works fine),but they should have non-expiring passwords, and optionally "user can't change password".
  4. Create the Kerberos keytabs. To create the OpenBSD keytabs, you will need to log on to a windows Domain Controller and run the ktpass utility (without the line breaks)
    ktpass /out puffer_host_crc.keytab /princ host/puffer.example.com@EXAMPLE.COM
           /mapuser puffer /crypto DES-CBC-CRC /pass password
    
    ktpass /out puffer_http_md5.keytab /princ HTTP/puffer.example.com@EXAMPLE.COM
           /mapuser pufferhttp /crypto DES-CBC-MD5 /pass password
    
    ktpass /out puffer_http_crc.keytab /princ HTTP/puffer.example.com@EXAMPLE.COM
           /mapuser pufferhttp /crypto DES-CBC-CRC /pass password
    
    You will generate 3 keys: one for login_krb5 and two for mod_auth_kerb; the first HTTP key is required for Internet Explorer "Integrated Authentication", and the second is required for Firefox (and IE) password-based authentication.
  5. Install the keytabs. Copy the keytabs to the OpenBSD system, and install the host_crc.keytab as /etc/kerberosV/krb5.keytab, which should be owned by root and mode 600. (you can simply copy the file). Copy the http keytabs to somewhere in the wwwroot - I use /var/www/auth/http.keytab. You will need to merge in the second keytab with ktutil:
    cp ~/puffer_http_md5.keytab http.keytab
    ktutil copy puffer_http_crc.keytab http.keytab
    
    http.keytab should be owned by www and mode 400.
  6. Configure Kerberos logins using login.conf. To set up your OpenBSD system to support kerberos logins, create a new class by adding the following to the end of your login.conf:
    windows:\
    	:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
    	:umask=022:\
    	:datasize-max=256M:\
    	:datasize-cur=64M:\
    	:maxproc-max=256:\
    	:maxproc-cur=128:\
    	:openfiles-cur=1024:\
    	:stacksize-cur=8M:\
    	:localcipher=blowfish,6:\
    	:ypcipher=old:\
    	:auth=krb5:
    
    
    This creates a new class called "windows", basically a copy of the default class but using login_krb5 for authentication. To enable windows passwords for login accounts, use vipw or chpass to change the user's class to windows. Optionally, you can remove the user's password by changing the password to null (*), although doing so will cause the daily security script to generate a warning message:
    Login winuser is off but still has a valid shell and alternate access files in 
             home directory are still readable.
    
    Alternately, you could use a long random password to avoid the warning message.
  7. Configure mod_auth_kerb. Edit the appropriate section in your /var/www/conf/httpd.conf: (Complete configuration options are documented here)
    AuthType Kerberos
    AuthName example.com
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /var/www/auth/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
    
    The sample configuration above grants access to any valid windows account in the example.com domain. To restrict access to specific users, use the following syntax:
    require user winuser@EXAMPLE.COM WINUSER@EXAMPLE.COM
    
    Although the first entry is technically not necessary, most people will enter their username in lower case. The second is necessary, because IE integrated auth always sends the username in UPPERCASE.

To access the web site, you can use Internet Explorer - if integrated authentication is enabled and the server is in the intranet zone, you won't even be prompted for a password. Firefox also works, but prompts for your windows user name & password (in my testing - if you log on to your local *nix box using kerberos, you should be able to log on automagically). I also tested Safari, but it appeared to be confused by KrbMethodNegotiate and didn't work.

With a working kerberos unix login and www authentication, what else could be improved or added? First, you should be able to use SRV records (using dns_lookup_kdc = true) to locate the KDC. I don't know if this was a problem unique to my environment or an OpenBSD / Windows compatibility issue (with Windows DNS). Another enhancement would be to add transparent logon using SSH from a Windows system; SSH.com's current Tectia Client appears to support this solution, as does OpenSSH, using "KerberosAuthentication". Additional services can always be added as necessary - including ports such as imap-uw. Finally, enabling kerberos support for sshd also allows for unix-to-unix system logons without passwords.

Hopefully this tutorial has been helpful with your own OpenBSD / Windows integration. If you have comments, feedback, or anything to contribute to this document, please email me at loki@technomagik.net. Thanks.

posted by Loki on Mon, 18 Oct 2004 10:02:46 -0500