
Kerberos Authentication

Register

We strongly recommend that you register your application with Northwestern Information Technology (IT). Registration lets us notify you of minor upgrades and configuration changes, and gives us a way to reach you if we suspect that your application is being abused by someone attempting to guess passwords or launch a denial-of-service (DoS) attack. If we detect suspicious activity from your IP address(es) and cannot reach you, we may disable your network access.

Contact Info

Please contact Xiaoxia Dong or Phil Tracy for assistance with the Kerberos authentication service.

Introduction

The Kerberos Authentication Service is offered by Northwestern IT for the use of NU departments and schools for authenticating access to applications, workstations and services. The service is intended to be lightweight, both administratively and technically, and does not require prior approval to use. Northwestern IT will work with you to understand and deploy the service. We can direct you to some example code. We are not, however, able to offer extensive programming or debugging support.

This service differs from the LDAP Registry service in a few ways:

There are two main ways you can use Kerberos authentication:

Guidelines

Authentication for Other Operating Systems

There are Kerberos PAM modules for several flavors of Unix. Kerberized versions of telnet, ftp and rsh were also shipped with MIT's Kerberos distribution (see below); they have since been moved into the separate krb5-appl distribution, which is no longer maintained, so for remote login prefer OpenSSH, whose Kerberos support is provided through GSSAPI (the GSSAPIAuthentication option).
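As an added illustration (not taken from this page), the two pieces a Unix host typically needs to accept Kerberos logins: a PAM entry that checks passwords against the KDC, and the sshd settings that accept an existing ticket over GSSAPI. The module name, option and file paths follow the widely used pam_krb5 packages and upstream OpenSSH; adjust them to your distribution.

```conf
# /etc/pam.d/sshd (or the distribution's common-auth include). pam_krb5 is tried
# first; minimum_uid keeps root and system accounts on the local password file,
# and pam_unix reuses the same password if the KDC rejects it.
auth  sufficient  pam_krb5.so minimum_uid=1000
auth  required    pam_unix.so try_first_pass

# /etc/ssh/sshd_config: clients that already hold a TGT authenticate with a
# service ticket for host/<fqdn> instead of typing a password.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
```

Give the host a host/<fqdn> principal and keytab before relying on the PAM entry: the common pam_krb5 implementations use it to verify that the TGT they obtained with the user's password really came from the KDC, and without a keytab a password check can be fooled by anyone able to answer the host's KDC requests.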

Kerberized Applications

The MIT Kerberos source code distribution has good examples of how to Kerberize a client/server application. See the files src/appl/sample/sclient/sclient.c and src/appl/sample/sserver/sserver.c, relative to the top of the source tree; they use the krb5_sendauth/krb5_recvauth API, and src/appl/gss-sample in the same tree shows the equivalent with GSSAPI, which is what new applications should normally use. Most Kerberized applications require special Kerberos service principals to be created. You can request service principals here.

Password Checking

Password checking applications will generally need to perform the following steps:

Excellent example code is available inside the Apache Kerberos authentication module from SourceForge: http://modauthkerb.sourceforge.net/ (mod_auth_kerb is no longer maintained; mod_auth_gssapi is its current replacement). You will also need to request a service principal for your application and store its key in a keytab file on your application server. The keytab is not optional: after obtaining a ticket-granting ticket with the user's password, the application must use its own key to confirm that the ticket came from the real KDC (krb5_verify_init_creds in the MIT library, the KrbVerifyKDC option in mod_auth_kerb); without that step, anyone who can answer the application's KDC requests can log in as any user. Protect the keytab accordingly, readable only by the service account, since whoever can read it can impersonate the service.

Client Software - MIT's Kerberos Distribution

http://web.mit.edu/kerberos/www/ is MIT's main web site for distributing Kerberos software for Unix and Windows. Source code and links to documentation are also available there.

Configuration

Below is a sample configuration file (/etc/krb5.conf on most Unix systems).

    [libdefaults]
        ticket_lifetime = 28800
        default_realm = ADS.NORTHWESTERN.EDU
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96

    [realms]
        ADS.NORTHWESTERN.EDU = {
            kdc = kerberos.northwestern.edu:88
            admin_server = kerberos.northwestern.edu
            kpasswd_server = kerberos.northwestern.edu
        }

    [domain_realm]
        .northwestern.edu = ADS.NORTHWESTERN.EDU
        northwestern.edu = ADS.NORTHWESTERN.EDU

ticket_lifetime is in seconds (28800 is eight hours). Because the three enctype settings are pinned to aes256-cts-hmac-sha1-96 alone, the library will neither request nor accept tickets or session keys in any other type, including RC4 and DES; every service principal your application talks to therefore needs an AES-256 key in its keytab, and a principal that still has only older keys fails to authenticate rather than falling back.
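The keytab requirement from the Password Checking section and the permitted_enctypes setting above are easy to get out of step, for example when a service principal keeps an old RC4 key alongside its AES key. The following is an added example, not code from Northwestern IT or MIT: a Python script that parses a keytab in the MIT file format (version 0x0502) and the [libdefaults] section of a krb5.conf like the one above, then reports keys whose encryption type is deprecated or not permitted. The service principal HTTP/myapp.northwestern.edu, the key bytes and the timestamp are constructed for the demonstration; the enctype numbers come from RFC 3961, RFC 4757 and RFC 8009.

```python
# Added example (not Northwestern IT or MIT code): audit an MIT-format keytab
# against the permitted_enctypes policy in krb5.conf.
import io
import struct

# Enctype numbers from RFC 3961, RFC 4757 and RFC 8009, keyed to their krb5.conf names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
# Short names and families accepted in krb5.conf enctype lists (a subset of MIT's).
ALIASES = {"aes256-cts": {18}, "aes128-cts": {17}, "rc4-hmac": {23}, "des3-hmac-sha1": {16},
           "aes": {17, 18, 19, 20}, "des": {1, 3}, "des3": {16}, "rc4": {23}}
DEPRECATED = {1, 3, 16, 23}  # single DES (RFC 6649); RC4 and 3DES (RFC 8429)


def parse_enctype_list(value):
    """Expand a krb5.conf enctype list such as 'aes rc4-hmac' into enctype numbers."""
    by_name = {name: {num} for num, name in ENCTYPE_NAMES.items()}
    ids = set()
    for tok in value.replace(",", " ").lower().split():
        if tok not in ALIASES and tok not in by_name:
            raise ValueError("unknown enctype %r" % tok)
        ids |= ALIASES.get(tok) or by_name[tok]
    return ids


def libdefault(conf_text, key):
    """Return `key` from the [libdefaults] section (one setting per line), or None."""
    section = None
    for line in (l.split("#", 1)[0].strip() for l in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line and line.split("=", 1)[0].strip() == key:
            return line.split("=", 1)[1].strip()
    return None


def parse_keytab(data):
    """Return the live entries of an MIT keytab (file format version 0x0502)."""
    buf = io.BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version 2 keytab")

    def counted(b):  # 16-bit big-endian length followed by that many bytes
        return b.read(struct.unpack(">H", b.read(2))[0])

    entries = []
    while len(hdr := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            buf.read(-size)
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry")
        body = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", body.read(2))
        realm = counted(body).decode()
        comps = [counted(body).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", body.read(9))
        enctype, klen = struct.unpack(">HH", body.read(4))
        body.read(klen)               # the key material itself; not needed for the audit
        tail = body.read(4)           # optional 32-bit kvno written by newer libraries
        kvno = (struct.unpack(">I", tail)[0] if len(tail) == 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "keylen": klen})
    return entries


def audit(keytab_bytes, krb5_conf):
    """Return findings for keys that are deprecated or outside permitted_enctypes."""
    raw = libdefault(krb5_conf, "permitted_enctypes")
    permitted = parse_enctype_list(raw) if raw else None   # None: library defaults apply
    findings = []
    for e in parse_keytab(keytab_bytes):
        who = "%s kvno %d (%s)" % (e["principal"], e["kvno"],
                                   ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"]))
        if e["enctype"] in DEPRECATED:
            findings.append(who + ": deprecated enctype, remove this key")
        if permitted is not None and e["enctype"] not in permitted:
            findings.append(who + ": not in permitted_enctypes, tickets in it are rejected")
    return findings


def build_entry(principal, kvno, enctype, key, timestamp=1500000000):
    """Serialise one keytab entry (only used to construct the sample input below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)     # name type NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a hypothetical service principal holding an AES-256 key and a
# leftover RC4 key at the same kvno, checked against the AES-256-only policy above.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/myapp.northwestern.edu@ADS.NORTHWESTERN.EDU", 3, 18, b"\x11" * 32)
                 + build_entry("HTTP/myapp.northwestern.edu@ADS.NORTHWESTERN.EDU", 3, 23, b"\x22" * 16))
SAMPLE_KRB5_CONF = "[libdefaults]\n    permitted_enctypes = aes256-cts-hmac-sha1-96\n"
```

On the sample, audit(SAMPLE_KEYTAB, SAMPLE_KRB5_CONF) reports the RC4 key twice, once as deprecated and once as not permitted, and says nothing about the AES-256 key. To run it against a real server, pass the contents of the keytab and of /etc/krb5.conf, for example audit(open("/etc/krb5.keytab", "rb").read(), open("/etc/krb5.conf").read()). Also check that the keytab is mode 0600 and owned by the service account, since the parser above deliberately skips the key bytes but anyone who can read the file has them.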

Last Updated: 25 July 2017
