# masson

Module execution engine for cluster deployments.
Kerberos is a network authentication protocol. It is designed
to provide strong authentication for client/server applications
by using secret-key cryptography.
This module installs the client tools written by the [Massachusetts
Institute of Technology](http://web.mit.edu).
The "krb5-workstation" package is installed.
    export default header: 'Krb5 Client Install', handler: ({options}) ->
Install the "krb5-workstation" dependency.
      @service
        header: 'Package'
        name: 'krb5-workstation'
Modify the Kerberos configuration file in "/etc/krb5.conf". Note that
this action won't run if the host also runs a Kerberos server.
This avoids a conflict where both modules would try to write
their own configuration file: we give priority to the server module,
which creates a Kerberos file with complementary information.
      @file.types.krb5_conf
        header: 'Configuration'
        if: options.krb5_conf.enabled
        content: options.etc_krb5_conf
        backup: true
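To make the shape of the "etc_krb5_conf" object concrete, here is an added example (not the nikita "krb5_conf" file type and not part of this module) that renders such an object into krb5.conf text and runs a sanity check before the file would be written. The object keys mirror the krb5.conf sections (libdefaults, realms, domain_realm); the realm sub-keys "create_hosts", "kadmin_principal" and "kadmin_password" are assumed to be module-only settings and are deliberately not written out, so the admin password never lands in /etc/krb5.conf. The hostnames, realms and password are constructed sample values.

```javascript
// Added example, not the masson module's code: render an etc_krb5_conf-style
// object into krb5.conf text and sanity-check it first.

// Assumption: these realm sub-keys belong to the module, not to krb5.conf.
const MODULE_ONLY_REALM_KEYS = new Set(['create_hosts', 'kadmin_principal', 'kadmin_password']);

function renderKrb5Conf(conf) {
  const lines = [];
  // Flat sections such as [libdefaults] and [domain_realm]: "key = value" pairs.
  const simpleSection = (name, obj) => {
    if (!obj) return;
    lines.push(`[${name}]`);
    for (const [k, v] of Object.entries(obj)) lines.push(`  ${k} = ${v}`);
  };
  simpleSection('libdefaults', conf.libdefaults);
  if (conf.realms) {
    // [realms] nests each realm in braces.
    lines.push('[realms]');
    for (const [realm, settings] of Object.entries(conf.realms)) {
      lines.push(`  ${realm} = {`);
      for (const [k, v] of Object.entries(settings)) {
        if (MODULE_ONLY_REALM_KEYS.has(k)) continue; // keep secrets out of the file
        // "kdc" may be listed several times, so an array value is expanded.
        for (const item of [].concat(v)) lines.push(`    ${k} = ${item}`);
      }
      lines.push('  }');
    }
  }
  simpleSection('domain_realm', conf.domain_realm);
  return lines.join('\n') + '\n';
}

// Sanity check worth running before writing the file. Assumptions for this
// example: the default realm must be declared under [realms], and every realm
// lists at least one kdc (DNS KDC lookup is not relied upon).
function checkKrb5Conf(conf) {
  const errors = [];
  const def = conf.libdefaults && conf.libdefaults.default_realm;
  if (!def) errors.push('libdefaults.default_realm is missing');
  else if (!conf.realms || !conf.realms[def]) errors.push(`default realm ${def} is not declared under [realms]`);
  for (const [realm, settings] of Object.entries(conf.realms || {})) {
    if (!settings.kdc) errors.push(`realm ${realm} has no kdc`);
  }
  return errors;
}

// Constructed sample configuration (hostnames, realm and password are made up).
const sampleEtcKrb5Conf = {
  libdefaults: { default_realm: 'EXAMPLE.COM', dns_lookup_kdc: false },
  realms: {
    'EXAMPLE.COM': {
      kdc: ['kdc1.example.com', 'kdc2.example.com'],
      admin_server: 'kdc1.example.com',
      kadmin_principal: 'admin/admin@EXAMPLE.COM',
      kadmin_password: 'constructed-placeholder',
      create_hosts: true,
    },
  },
  domain_realm: { '.example.com': 'EXAMPLE.COM', 'example.com': 'EXAMPLE.COM' },
};

console.log(checkKrb5Conf(sampleEtcKrb5Conf));
console.log(renderKrb5Conf(sampleEtcKrb5Conf));
```

Running the check before the render is the point: a default realm that is not declared under [realms] is the kind of mistake that only shows up later as a failed kinit, and the render step is where a secret would silently leak into a world-readable file if it were not filtered.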
Wait for the Kerberos servers to be started.
      @call 'masson/core/krb5_client/wait', options.wait
Create a host principal for this host. The principal is named
"host/{hostname}@{realm}". It is only created for the default realm
("etc_krb5_conf.libdefaults.default_realm") unless the realm's
"etc_krb5_conf.realms[realm].create_hosts" property is set.
      @call header: 'Host Principal', handler: ->
        default_realm = options.etc_krb5_conf.libdefaults.default_realm
        for realm, config of options.etc_krb5_conf.realms
          # Skip realms that are neither the default nor opted in with "create_hosts"
          continue if default_realm isnt realm and not config.create_hosts
          @krb5.addprinc
            principal: "host/#{options.fqdn}@#{realm}"
            randkey: true
            kadmin_principal: config.kadmin_principal
            kadmin_password: config.kadmin_password
            kadmin_server: config.admin_server
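The realm selection rule above is easy to get backwards, so here is an added example (plain JavaScript, not the module's code) that computes the list of host principals the "Host Principal" action would create for a given "etc_krb5_conf" object: the default realm always gets one, any other realm only when its "create_hosts" property is set. The returned plan omits the kadmin password on purpose so it can be logged or reviewed safely. The fqdn, realms and kadmin values are constructed sample data.

```javascript
// Added example, not the masson module's code: which host principals would
// the "Host Principal" action create for this host?
function hostPrincipals(fqdn, etcKrb5Conf) {
  const defaultRealm = etcKrb5Conf.libdefaults.default_realm;
  const plan = [];
  for (const [realm, config] of Object.entries(etcKrb5Conf.realms)) {
    // Skip a realm that is neither the default nor opted in via create_hosts.
    if (realm !== defaultRealm && !config.create_hosts) continue;
    plan.push({
      principal: `host/${fqdn}@${realm}`,
      randkey: true,
      kadmin_principal: config.kadmin_principal,
      kadmin_server: config.admin_server,
      // kadmin_password is intentionally left out of the plan (it is a secret).
    });
  }
  return plan;
}

// Constructed sample: three realms, only two of which should get a principal.
const sampleRealmsConf = {
  libdefaults: { default_realm: 'EXAMPLE.COM' },
  realms: {
    // default realm: always created
    'EXAMPLE.COM': { kadmin_principal: 'admin/admin@EXAMPLE.COM', admin_server: 'kdc.example.com' },
    // opted in with create_hosts: created
    'CORP.EXAMPLE.COM': { create_hosts: true, kadmin_principal: 'admin/admin@CORP.EXAMPLE.COM', admin_server: 'kdc.corp.example.com' },
    // neither default nor opted in: skipped
    'LEGACY.EXAMPLE.COM': { kadmin_principal: 'admin/admin@LEGACY.EXAMPLE.COM', admin_server: 'kdc.legacy.example.com' },
  },
};

console.log(hostPrincipals('node1.example.com', sampleRealmsConf));
```

Writing the rule as "skip when not default AND not opted in" rather than "OR" is the whole difference between creating principals in every opted-in realm and creating none at all in the extra realms.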
Populate the Kerberos database with new principals. The "wait" property is
set to 10s because multiple instances of this handler may try to create the same
principals and generate concurrency errors.
      @call header: 'Principals', ->
        for realm, config of options.admin
          for principal in config.principals
            @krb5.addprinc config, principal
Update the "/etc/ssh/sshd_config" file with the properties provided by the "krb5.sshd"
configuration object. By default, the following properties are set to "yes": "ChallengeResponseAuthentication",
"KerberosAuthentication", "KerberosOrLocalPasswd", "KerberosTicketCleanup", "GSSAPIAuthentication",
"GSSAPICleanupCredentials". The "sshd" service is restarted if a change to the configuration is detected.
      @call
        header: 'Configure SSHD'
        if: -> options.sshd
        handler: ->
          @file
            write: for k, v of options.sshd
              match: new RegExp "^#{k}.*$", 'mg'
              replace: "#{k} #{v}"
              append: true
            target: '/etc/ssh/sshd_config'
          @service
            srv_name: 'sshd'
            state: 'restarted'
            if: -> @status -1
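The match/replace/append logic above is worth seeing on real input, so here is an added example (plain JavaScript, not the module's or nikita's code) that applies the same default settings to an sshd_config string with the same regular expression, appends a directive when no active one exists, and reports whether the content changed, which is what gates the sshd restart ("@status -1") in the module. The sshd_config fragment is constructed sample text, not a real host file.

```javascript
// Added example, not the masson module's code: apply the module's default
// sshd settings to sshd_config text and report whether anything changed.
const DEFAULT_SSHD = {
  ChallengeResponseAuthentication: 'yes',
  KerberosAuthentication: 'yes',
  KerberosOrLocalPasswd: 'yes',
  KerberosTicketCleanup: 'yes',
  GSSAPIAuthentication: 'yes',
  GSSAPICleanupCredentials: 'yes',
};

function applySshdSettings(content, settings = DEFAULT_SSHD) {
  let out = content;
  for (const [k, v] of Object.entries(settings)) {
    // Same pattern as the module: an uncommented line starting with the key,
    // multiline and global. A commented default such as "#KerberosAuthentication no"
    // does not match and is left untouched; a fresh directive is appended instead,
    // which is what sshd ends up honouring since only active lines count.
    const re = new RegExp(`^${k}.*$`, 'mg');
    const line = `${k} ${v}`;
    if (out.search(re) === -1) {
      // No active directive: append one, as the module's "append: true" does.
      if (!out.endsWith('\n')) out += '\n';
      out += line + '\n';
    } else {
      out = out.replace(re, line);
    }
  }
  // "changed" plays the role of the module's status check for the sshd restart.
  return { content: out, changed: out !== content };
}

// Constructed sample sshd_config fragment (not copied from any host).
const sampleSshdConfig = [
  '# constructed sample, not a real host file',
  'Port 22',
  '#KerberosAuthentication no',
  'GSSAPIAuthentication no',
  'PasswordAuthentication yes',
].join('\n') + '\n';

const result = applySshdSettings(sampleSshdConfig);
console.log(result.changed);
console.log(result.content);
```

Two things the run shows: the commented-out default stays in the file and the active "KerberosAuthentication yes" is appended after it, and a second pass over the result reports no change, so the restart would correctly be skipped. One caveat with the module's pattern: it anchors only on the start of the line, so a key that happens to be a prefix of another keyword would match that keyword's line too; anchoring as `^${k}\\b.*$` would rule that out.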
    misc = require '@nikitajs/core/lib/misc'
* List all the current principals in the realm: `getprincs`
* Login to a local kadmin: `kadmin.local`
* Login to a remote kadmin: `kadmin -p wdavidw/admin@ADALTAS.COM -s krb5.hadoop`
* Print details on a principal: `getprinc host/hadoop1.hadoop@ADALTAS.COM`
* Examine the content of the /etc/krb5.keytab: `klist -etk /etc/krb5.keytab`
* Destroy our own tickets: `kdestroy`
* Get a user ticket: `kinit -p wdavidw@ADALTAS.COM`
* Confirm that we do indeed have the new ticket: `klist`
* Check krb5kdc is listening: `netstat -nap | grep :750` and `netstat -nap | grep :88`

* Enable sshd(8) Kerberos authentication.
* Enable PAM Kerberos authentication.
* SASL GSSAPI OpenLDAP authentication.
* Use SASL GSSAPI Authentication with AutoFS.
## Notes
Kerberos clients require connectivity to the KDC's TCP ports 88 and 749.