Hi 😀 !
Here is some information about the really well-integrated Kerberos client utilities in the NetBSD base system. I used them when trying to configure NetBSD 8.1 (I haven't checked the new 9.0 release yet) as a Kerberos client.
First, it is worth noting that there is more than one implementation of Kerberos: MIT and Heimdal are perhaps the most common ones. They should be API-compatible, as was suggested to me on the IRC channel #netbsd.
The implementation of Kerberos natively used in NetBSD is Heimdal: the base system already includes an essential set of utilities like kinit(1), klist(1), kadmin(8), ktutil(8). If MIT Kerberos is needed, several packages are available in the pkgsrc repository.
Using only the base system, with just the creation of an appropriate /etc/krb5.conf file and the necessary lines in /etc/hosts, a NetBSD host is immediately able to obtain a Ticket-Granting-Ticket as a Kerberos client. I used it against a MIT Kerberos server and I found no compatibility issues. This has been quick and very, very useful.
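As an added example (not from the original message), the two files named above can be generated from a realm name and a KDC hostname so they can be reviewed before being copied into /etc. The realm EXAMPLE.ORG, the hosts kdc.example.org and client.example.org, and the addresses 192.0.2.x are placeholders that must be replaced with your own values; /etc/hosts is written with the fully qualified name first, since Kerberos derives the host principal from the canonical name.

```shell
#!/bin/sh
# Added example: build a minimal Heimdal-style krb5.conf and hosts entries
# for a NetBSD Kerberos client. All names and addresses are placeholders.

# write_krb5_conf REALM KDC_FQDN OUTFILE
# Writes the default realm, the realm's KDC (also used as admin server for
# kadmin), and the DNS-domain-to-realm mapping derived from the realm name.
write_krb5_conf() {
    realm=$1; kdc=$2; out=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat > "$out" <<EOF
[libdefaults]
	default_realm = $realm

[realms]
	$realm = {
		kdc = $kdc
		admin_server = $kdc
	}

[domain_realm]
	.$domain = $realm
	$domain = $realm
EOF
}

# write_hosts_line IP FQDN OUTFILE
# Appends one hosts entry; the FQDN comes first so that the canonical name
# (and thus host/FQDN@REALM) is what reverse lookups return.
write_hosts_line() {
    ip=$1; fqdn=$2; out=$3
    short=${fqdn%%.*}
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$out"
}

# Usage: generate into a scratch directory, inspect, then copy to /etc.
tmp=$(mktemp -d)
write_krb5_conf EXAMPLE.ORG kdc.example.org "$tmp/krb5.conf"
write_hosts_line 192.0.2.10 kdc.example.org "$tmp/hosts"
write_hosts_line 192.0.2.20 client.example.org "$tmp/hosts"
cat "$tmp/krb5.conf" "$tmp/hosts"
# Once the files are in /etc:  kinit user@EXAMPLE.ORG && klist
rm -rf "$tmp"
```

With the files in place, kinit followed by klist should show a krbtgt/EXAMPLE.ORG@EXAMPLE.ORG ticket; if kinit reports that it cannot find the KDC, the hosts entry or the realm spelling is the first thing to check.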
I found instead some issues when trying to create a keytable in the NetBSD client. For example, kadmin -p admin_user suddenly shows the admin_user admin prompt, which seems very odd; then, for some of the available commands, it asks for the password and does not return the prompt after entering the correct password. The same happens with ktutil get -p admin_user host/fqdn.of.the.client.
Note that I can not exclude that this is due to something I forgot (or did not know) to configure.
However, a keytab created with MIT Kerberos utilities and then copied into NetBSD is correctly read with ktutil -k keytab_file list and is perfectly suitable, for example to receive ssh connections.
If ssh authentication through a Kerberos user must be provided in a NetBSD client, the /etc/pam.d/ files already include a line for the pam_krb5.so module: so, no configuration for PAM is needed. I installed from pkgsrc the package pam-krb5, which includes pam_krb5.so, but this file is already in the base system in /usr/lib/security/ and maybe there is no need for the package. What is necessary instead is cy2-gssapi, which depends on cyrus-sasl (needed as well), for GSSAPI authentication, in addition to the correct configuration lines both in /etc/ssh/sshd_config (for the server) and /etc/ssh/ssh_config (for the client).
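As an added example (not part of the original message), these are the OpenSSH options involved on each side, together with a check that the copied keytab actually holds the host/FQDN service principal sshd will use. The hostnames, the realm and the ktutil listing are constructed placeholders; the listing follows the column layout (Vno, Type, Principal) that Heimdal's ktutil prints, which is an assumption about the tool's output format rather than something the original message shows.

```shell
#!/bin/sh
# Added example: OpenSSH GSSAPI settings for a NetBSD host and a keytab
# sanity check. Names, realm and the sample listing are placeholders.

# write_sshd_gssapi OUTFILE
# Server side: accept GSSAPI, destroy any delegated credential cache at
# logout, and allow the Kerberos password path that goes through pam_krb5.
write_sshd_gssapi() {
    cat > "$1" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
EOF
}

# write_ssh_gssapi OUTFILE
# Client side: present the TGT via GSSAPI but do not forward it; forwarding
# hands the server a usable copy of the user's credentials.
write_ssh_gssapi() {
    cat > "$1" <<'EOF'
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# keytab_has_host_principal LISTING FQDN REALM
# LISTING is the saved output of:  ktutil -k /etc/krb5.keytab list
# Returns 0 when a host/FQDN@REALM entry is present, 1 otherwise.
keytab_has_host_principal() {
    grep -qF "host/$2@$3" "$1"
}

# Constructed sample listing (assumed Heimdal ktutil layout).
sample=$(mktemp)
cat > "$sample" <<'EOF'
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  host/client.example.org@EXAMPLE.ORG
  2  aes128-cts-hmac-sha1-96  host/client.example.org@EXAMPLE.ORG
EOF

if keytab_has_host_principal "$sample" client.example.org EXAMPLE.ORG; then
    echo "keytab holds host/client.example.org@EXAMPLE.ORG: GSSAPI can be enabled in sshd"
else
    echo "host principal missing: create it on the KDC and copy the keytab first"
fi
rm -f "$sample"
```

The keytab check matters because sshd with GSSAPIAuthentication enabled will silently fall back to other methods when the service principal is absent, which looks like a client-side problem but is fixed on the server.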
In conclusion, the NetBSD 8.1 base system includes some executables and libraries which make a Kerberos client configuration almost immediate. Thanks to those who tailored the base system.
The original message is from the netbsd-users mailing list: I hope it can be useful here as well.