Hi,

I have a working configuration to authenticate via Kerberos with
pam_krb5, using pam_ccreds to cache passwords for offline logins.

In nixos/modules/config/krb5.nix, I install the default kerberos defined
in nixpkgs instead of krb5 (the MIT version).

-    systemPackages = [ pkgs.krb5 ];
+    systemPackages = [ pkgs.kerberos ];

Marco (and others), is there a reason to specify krb5 instead of heimdal?
Maybe we need a better way to specify the kerberos implementation.
-- 
Regards, David
>From 24afdf62d3957c991e141b325063e368def6d84e Mon Sep 17 00:00:00 2001
From: David Guibert <[email protected]>
Date: Mon, 22 Feb 2010 08:47:47 +0100
Subject: [PATCH 1/2] nixos: kerberos services for the server.

---
 modules/module-list.nix                |    1 +
 modules/services/networking/xinetd.nix |    7 +++
 modules/services/system/kerberos.nix   |   71 ++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+), 0 deletions(-)
 create mode 100644 modules/services/system/kerberos.nix

diff --git a/modules/module-list.nix b/modules/module-list.nix
index 8e12fd1..9f0253a 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -107,6 +107,7 @@
   ./services/system/dbus.nix
   ./services/system/nscd.nix
   ./services/system/uptimed.nix
+  ./services/system/kerberos.nix
   ./services/ttys/gpm.nix
   ./services/ttys/mingetty.nix
   ./services/web-servers/apache-httpd/default.nix
diff --git a/modules/services/networking/xinetd.nix 
b/modules/services/networking/xinetd.nix
index 4729ba9..5b74d7e 100644
--- a/modules/services/networking/xinetd.nix
+++ b/modules/services/networking/xinetd.nix
@@ -26,6 +26,7 @@ let
       {
         protocol    = ${srv.protocol}
         ${optionalString srv.unlisted "type        = UNLISTED"}
+        ${optionalString (srv.flags != "") "flags = ${srv.flags}"}
         socket_type = ${if srv.protocol == "udp" then "dgram" else "stream"}
         ${if srv.port != 0 then "port        = ${toString srv.port}" else ""}
         wait        = ${if srv.protocol == "udp" then "yes" else "no"}
@@ -98,6 +99,12 @@ in
           description = "Command-line arguments for the server program.";
         };
 
+        flags = mkOption {
+          type = types.string;
+          default = "";
+          description = "";
+        };
+
         unlisted = mkOption {
           type = types.bool;
           default = false;
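Review bot: The new `flags` option on xinetd services ships with `description = "";`, so it will appear undocumented in the generated options listing. Something like `description = "Value for the <literal>flags</literal> attribute of the xinetd service entry, e.g. <literal>REUSE NAMEINARGS</literal>; when empty no flags line is emitted.";` covers it. The emission added in the earlier hunk of this file only writes the line when the string is non-empty, which the description should state.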
diff --git a/modules/services/system/kerberos.nix 
b/modules/services/system/kerberos.nix
new file mode 100644
index 0000000..4ca9a01
--- /dev/null
+++ b/modules/services/system/kerberos.nix
@@ -0,0 +1,71 @@
+{pkgs, config, ...}:
+
+let
+
+  inherit (pkgs.lib) mkOption mkIf singleton;
+
+  inherit (pkgs) heimdal;
+
+  stateDir = "/var/heimdal";
+in
+
+{
+
+  ###### interface
+  
+  options = {
+  
+    services.kerberos_server = {
+
+      enable = mkOption {
+        default = false;
+        description = ''
+          Enable the kerberos authentification server.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.kerberos_server.enable {
+  
+    environment.systemPackages = [ heimdal ];
+  
+    services.xinetd.enable = true;
+    services.xinetd.services = pkgs.lib.singleton
+      { name = "kerberos-adm";
+        flags = "REUSE NAMEINARGS";
+        protocol = "tcp";
+        user = "root";
+        server = "${pkgs.tcpWrapper}/sbin/tcpd";
+        serverArgs = "${pkgs.heimdal}/sbin/kadmind";
+      };
+
+    jobs.kdc =
+      { description = "Kerberos Domain Controller daemon";
+
+        startOn = "ip-up";
+
+        preStart =
+          ''
+            mkdir -m 0755 -p ${stateDir}
+          '';
+
+        exec = "${heimdal}/sbin/kdc";
+
+      };
+
+    jobs.kpasswdd =
+      { description = "Kerberos Domain Controller daemon";
+
+        startOn = "ip-up";
+
+        exec = "${heimdal}/sbin/kpasswdd";
+      };
+  };
+  
+}
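Review bot: `preStart` creates `${stateDir}` (`/var/heimdal`) with mode 0755, and unless kdc.conf says otherwise this is where the Heimdal KDC keeps its principal database and master-key file, so the directory should not be world-readable or listable; `mkdir -m 0700 -p ${stateDir}` is the safer default. Separately, `jobs.kpasswdd` reuses the description "Kerberos Domain Controller daemon" from `jobs.kdc`; it should read `description = "Kerberos password-changing daemon";`. The `enable` option's description also spells "authentication" as "authentification".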
-- 
1.7.1

>From 005392ff3225ab2b0843b4f843de64cd3569604d Mon Sep 17 00:00:00 2001
From: David Guibert <[email protected]>
Date: Sun, 21 Feb 2010 21:56:58 +0100
Subject: [PATCH 2/2] nixos: authenticate through kerberos

config.krb5.enable needs to be set to true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.
---
 modules/config/krb5.nix  |   30 +++++++++++++++++++++++++-----
 modules/security/pam.nix |   16 ++++++++++++++--
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/modules/config/krb5.nix b/modules/config/krb5.nix
index 6543bba..5fc75bc 100644
--- a/modules/config/krb5.nix
+++ b/modules/config/krb5.nix
@@ -6,8 +6,6 @@ let
 
   cfg = config.krb5;
 
-  #myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; };
-
   options = {
     krb5 = {
 
@@ -21,6 +19,11 @@ let
         description = "Default realm.";
       };
 
+      domainRealm = mkOption {
+        default = "atena.mit.edu";
+        description = "Default domain realm.";
+      };
+
       kdc = mkOption {
         default = "kerberos.mit.edu";
         description = "Kerberos Domain Controller";
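Review bot: The default for `domainRealm`, `"atena.mit.edu"`, looks like a typo of `athena.mit.edu`, the domain the surrounding defaults (`kerberos.mit.edu`, ATHENA.MIT.EDU) refer to; with the typo the generated `[domain_realm]` entries map a domain that does not exist. The description `"Default domain realm."` could also say what the option does: `description = "DNS domain (and its subdomains) mapped to defaultRealm in the [domain_realm] section.";`.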
@@ -43,12 +46,13 @@ mkIf config.krb5.enable {
   ];
 
   environment = {
-    systemPackages = [ pkgs.krb5 ];
+    systemPackages = [ pkgs.kerberos ];
     etc = [
       { source = pkgs.writeText "krb5.conf"
           ''
 [libdefaults]
     default_realm = ${cfg.defaultRealm}
+    encrypt = true
 
 # The following krb5.conf variables are only for MIT Kerberos.
     krb4_config = /etc/krb.conf
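Review bot: `encrypt = true` is added under `[libdefaults]`, but as far as I can tell `encrypt` is not a `[libdefaults]` key in MIT krb5.conf, and Heimdal documents it under `[appdefaults]`; confirm which implementation is meant to read it and place it accordingly, or drop it if it is silently ignored. The context comment right below, "only for MIT Kerberos", is also worth revisiting now that `systemPackages` switches to `pkgs.kerberos`, which the companion nixpkgs patch defines as `kerberos = heimdal;`.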
@@ -84,6 +88,7 @@ mkIf config.krb5.enable {
     ${cfg.defaultRealm} = {
         kdc = ${cfg.kdc}
         admin_server = ${cfg.kerberosAdminServer}
+#        kpasswd_server = ${cfg.kerberosAdminServer}
     }
     ATHENA.MIT.EDU = {
         kdc = kerberos.mit.edu:88
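Review bot: The `#        kpasswd_server = ${cfg.kerberosAdminServer}` line emits a commented-out key into every generated krb5.conf, which will puzzle anyone reading /etc/krb5.conf on the installed system. Either enable it, since the companion server patch also adds a kpasswdd job, or keep the reminder as a Nix comment outside the string literal.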
@@ -162,6 +167,8 @@ mkIf config.krb5.enable {
     }
 
 [domain_realm]
+    .${cfg.domainRealm} = ${cfg.defaultRealm}
+    ${cfg.domainRealm} = ${cfg.defaultRealm}
     .mit.edu = ATHENA.MIT.EDU
     mit.edu = ATHENA.MIT.EDU
     .media.mit.edu = MEDIA-LAB.MIT.EDU
@@ -172,10 +179,23 @@ mkIf config.krb5.enable {
     whoi.edu = ATHENA.MIT.EDU
     .stanford.edu = stanford.edu
 
-[login]
+[logging]
+    kdc = SYSLOG:INFO:DAEMON
+    admin_server = SYSLOG:INFO:DAEMON
+    default = SYSLOG:INFO:DAEMON
     krb4_convert = true
     krb4_get_tickets = false
-        
+
+
+[appdefaults]
+    pam = {
+        debug = false
+        ticket_lifetime = 36000
+        renew_lifetime = 36000
+        max_timeout = 30
+        timeout_shift = 2
+        initial_timeout = 1
+    }
           '';
         target = "krb5.conf";
       }
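Review bot: Renaming `[login]` to `[logging]` leaves the unchanged `krb4_convert = true` and `krb4_get_tickets = false` lines under the new `[logging]` header, although they are `[login]`-section options in MIT's krb5.conf; only the `kdc`/`admin_server`/`default` lines belong in `[logging]`. Keep `[login]` with its two krb4 keys and add `[logging]` as a separate section before or after it. A one-line Nix comment above the new `[appdefaults] pam = { … }` block naming the PAM module it is meant for would also help the next reader.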
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 2086814..5c59282 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -7,7 +7,7 @@ with pkgs.lib;
 
 let
 
-  inherit (pkgs) pam_usb pam_ldap;
+  inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds;
 
   otherService = pkgs.writeText "other.pam"
     ''
@@ -63,6 +63,8 @@ let
           # Account management.
           ${optionalString config.users.ldap.enable
               "account optional ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
           account required pam_unix.so
 
           # Authentication management.
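Review bot: `account sufficient … pam_krb5.so` placed before `account required pam_unix.so` means that whenever pam_krb5's account check succeeds, pam_unix's account checks (password expiry and locking from /etc/shadow) are skipped for that user, which the existing LDAP line avoids by using `optional`. Unless bypassing the local checks is intended, use `account optional ${pam_krb5}/lib/security/pam_krb5.so`, mirroring the pam_ldap line above it. The enclosing Nix string starts before this hunk.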
@@ -74,11 +76,18 @@ let
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
           auth sufficient pam_unix.so ${
             optionalString allowNullPassword "nullok"}
+          ${optionalString config.krb5.enable
+''auth [default=ignore success=1 service_err=reset] 
${pam_krb5}/lib/security/pam_krb5.so use_first_pass
+auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so 
action=validate use_first_pass
+auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store 
use_first_pass
+          ''}
           auth required   pam_deny.so
 
           # Password management.
           ${optionalString config.users.ldap.enable
               "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "password sufficient ${pam_krb5}/lib/security/pam_krb5.so 
use_first_pass"}
           password requisite pam_unix.so nullok sha512
           ${optionalString config.services.samba.syncPasswordsByPam
               "password optional ${pkgs.samba}/lib/security/pam_smbpass.so 
nullok use_authtok try_first_pass"}
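Review bot: The `password sufficient … pam_krb5.so use_first_pass` line is the first module of the password stack, so no earlier module has collected a password; if pam_krb5 honours `use_first_pass` strictly it will fail every time and the stack falls through to pam_unix, leaving Kerberos passwords unchangeable from this stack — worth testing with `passwd` on a Kerberos-only user. The usual arrangement lets the first module prompt and gives the later ones `use_authtok` or `use_first_pass`. On style, the three `auth` lines inside the `''…''` literal are written at column 0 within a block indented by ten spaces; indenting them to match keeps the generated file and the Nix source consistent with the other `optionalString` calls.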
@@ -86,6 +95,8 @@ let
           # Session management.
           ${optionalString config.users.ldap.enable
               "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
           session required pam_unix.so
           ${optionalString ownDevices
               "session optional 
${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
@@ -184,7 +195,8 @@ in
     environment.systemPackages =
       # Include the PAM modules in the system path mostly for the manpages.
       [ pkgs.pam ]
-      ++ optional config.users.ldap.enable pam_ldap;
+      ++ optional config.users.ldap.enable pam_ldap
+      ++ optional config.krb5.enable [pam_krb5 pam_ccreds];
 
     environment.etc =
       map makePAMService config.security.pam.services
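Review bot: `optional config.krb5.enable [pam_krb5 pam_ccreds]` wraps its argument in a list, so the result is `[ [pam_krb5 pam_ccreds] ]` and `environment.systemPackages` receives a nested list instead of two packages; the LDAP line above works only because it passes a single package. Use `++ optionals config.krb5.enable [pam_krb5 pam_ccreds];` instead.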
-- 
1.7.1

>From ac213067bf187900eef1dfded3deca940f0ff180 Mon Sep 17 00:00:00 2001
From: David Guibert <[email protected]>
Date: Sat, 20 Feb 2010 14:48:06 +0100
Subject: [PATCH 1/4] heimdal: add sqlite and exe from libexec to sbin

---
 pkgs/development/libraries/kerberos/heimdal.nix |   17 +++++++++++++----
 pkgs/top-level/all-packages.nix                 |    2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/pkgs/development/libraries/kerberos/heimdal.nix 
b/pkgs/development/libraries/kerberos/heimdal.nix
index 6cdd101..57f63ae 100644
--- a/pkgs/development/libraries/kerberos/heimdal.nix
+++ b/pkgs/development/libraries/kerberos/heimdal.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, openldap, readline, db4, openssl, cyrus_sasl} :
+{stdenv, fetchurl, openldap, readline, db4, openssl, cyrus_sasl, sqlite} :
 
 stdenv.mkDerivation rec {
   name = "heimdal-1.3.2";
@@ -12,7 +12,16 @@ stdenv.mkDerivation rec {
   };
 
   ## ugly, X should be made an option
-  configureFlags = "--with-openldap=${openldap} --without-x";
-  
-  propagatedBuildInputs = [ readline db4 openssl openldap cyrus_sasl ];
+  configureFlags = [
+       "--with-openldap=${openldap}"
+       "--with-sqlite3=${sqlite}"
+       "--without-x"
+  ];
+  # dont succeed with --libexec=$out/sbin, so
+  postInstall = ''
+       mv $out/libexec/* $out/sbin/
+       rmdir $out/libexec
+  '';
+
+  propagatedBuildInputs = [ readline db4 openssl openldap cyrus_sasl sqlite];
 }
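Review bot: The comment `# dont succeed with --libexec=$out/sbin, so` names a flag autoconf does not define — the standard directory override is `--libexecdir`; if `--libexec` is what was tried, a `--libexecdir` override may make the `mv`/`rmdir` in `postInstall` unnecessary. If the `mv` stays, the comment should record what actually failed, e.g. `# heimdal's build does not honour --libexecdir for these programs, so move them to sbin by hand` — only if that is what was observed. `sqlite]` in `propagatedBuildInputs` is also missing a space before the bracket.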
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2c3c903..f9ea957 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -4242,7 +4242,7 @@ let
   kerberos = heimdal;
 
   heimdal = import ../development/libraries/kerberos/heimdal.nix {
-    inherit fetchurl stdenv readline db4 openssl openldap cyrus_sasl;
+    inherit fetchurl stdenv readline db4 openssl openldap cyrus_sasl sqlite ;
   };
 
   hsqldb = import ../development/libraries/java/hsqldb {
-- 
1.7.1

>From 78a7466a0c3afc62322c89e44bc8d7aa739e65e8 Mon Sep 17 00:00:00 2001
From: David Guibert <[email protected]>
Date: Wed, 31 Mar 2010 22:35:56 +0200
Subject: [PATCH 2/4] pam_krb5: added version 2.3.11-1.

---
 pkgs/os-specific/linux/pam_krb5/default.nix |   19 +++++++++++++++++++
 pkgs/top-level/all-packages.nix             |    4 ++++
 2 files changed, 23 insertions(+), 0 deletions(-)
 create mode 100644 pkgs/os-specific/linux/pam_krb5/default.nix

diff --git a/pkgs/os-specific/linux/pam_krb5/default.nix 
b/pkgs/os-specific/linux/pam_krb5/default.nix
new file mode 100644
index 0000000..62f9b5c
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_krb5/default.nix
@@ -0,0 +1,19 @@
+{stdenv, fetchurl, pam, kerberos}:
+
+stdenv.mkDerivation {
+  name = "pam_krb5-2.3.11-1";
+
+  src = fetchurl {
+    url = 
https://fedorahosted.org/releases/p/a/pam_krb5/pam_krb5-2.3.11-1.tar.gz;
+    sha256 = "1x6wgjzkfkx0h9a7wdgx0jwrdm15npbs79i510lk1n3fyx9lk4mq";
+#    url = http://archives.eyrie.org/software/kerberos/pam-krb5-4.2.tar.gz;
+#    sha256 = "0a0zyd4ddln8yf827qxbfqi1pryxnj0fykfz8lx6nxn2f9pqj1gv";
+  };
+
+  buildInputs = [pam kerberos];
+  meta = {
+#    homepage = "http://www.eyrie.org/~eagle/software/pam-krb5";;
+    homepage = "https://fedorahosted.org/pam_krb5/";;
+    description = "The pam_krb5 module allows PAM-aware applications to 
authenticate users by performing an AS exchange with a Kerberos KDC. It can 
optionally convert Kerberos 5 credentials to Kerberos IV credentials and/or use 
them to set up AFS tokens for a user's session.";
+  };
+}
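Review bot: The commented-out `url`/`sha256` for pam-krb5 4.2 and the commented-out eyrie `homepage` are dead alternatives left in the expression; drop them, or replace them with a one-line comment recording why the Red Hat pam_krb5 was chosen over Russ Allbery's pam-krb5. The `meta` block also lacks a `license`. The trailing `;;` after `homepage` is a parse error in Nix unless it is an artifact of the mail archive's URL rendering.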
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f9ea957..bd97511 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6718,6 +6718,10 @@ let
     inherit stdenv fetchurl pam;
   };
 
+  pam_krb5 = import ../os-specific/linux/pam_krb5 {
+    inherit stdenv fetchurl pam kerberos;
+  };
+
   pam_ldap = import ../os-specific/linux/pam_ldap {
     inherit stdenv fetchurl pam openldap;
   };
-- 
1.7.1

>From 444113c1277213e73cb44815fc77fc615f875268 Mon Sep 17 00:00:00 2001
From: David Guibert <[email protected]>
Date: Thu, 1 Apr 2010 09:04:50 +0200
Subject: [PATCH 3/4] pam_ccreds: to locally authenticate using an enterprise 
identity when the network is unavailable.

---
 pkgs/os-specific/linux/pam_ccreds/default.nix |   19 +++++++++++++++++++
 pkgs/top-level/all-packages.nix               |    5 +++++
 2 files changed, 24 insertions(+), 0 deletions(-)
 create mode 100644 pkgs/os-specific/linux/pam_ccreds/default.nix

diff --git a/pkgs/os-specific/linux/pam_ccreds/default.nix 
b/pkgs/os-specific/linux/pam_ccreds/default.nix
new file mode 100644
index 0000000..4d48c86
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ccreds/default.nix
@@ -0,0 +1,19 @@
+{stdenv, fetchurl, pam, openssl, db}:
+
+stdenv.mkDerivation {
+  name = "pam_ccreds-10";
+
+  src = fetchurl {
+    url = "http://www.padl.com/download/pam_ccreds.tgz";;
+    sha256 = "1h7zyg1b1h69civyvrj95w22dg0y7lgw3hq4gqkdcg35w1y76fhz";
+  };
+  patchPhase = ''
+    sed 's/-o root -g root//' -i Makefile.in
+  '';
+
+  buildInputs = [pam openssl db];
+  meta = {
+    homepage = "http://www.padl.com/OSS/pam_ccreds.html";;
+    description = "The pam_ccreds module provides the means for Linux 
workstations to locally authenticate using an enterprise identity when the 
network is unavailable.";
+  };
+}
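Review bot: The source URL `http://www.padl.com/download/pam_ccreds.tgz` carries no version while `name` claims `pam_ccreds-10`; the pinned `sha256` protects integrity, but the fetch will start failing as soon as upstream re-rolls the tarball, and nothing ties the hash to release 10. If PADL publishes a versioned tarball, point at it; otherwise add a comment recording which release the hash was taken from. The trailing `;;` after `homepage` appears here as in the pam_krb5 expression.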
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index bd97511..b304742 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6708,6 +6708,11 @@ let
 
   # pam_bioapi ( see 
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader )
 
+  pam_ccreds = import ../os-specific/linux/pam_ccreds {
+    inherit stdenv fetchurl pam openssl;
+    db = db4;
+  };
+
   pam_console = import ../os-specific/linux/pam_console {
     inherit stdenv fetchurl pam autoconf automake pkgconfig bison glib;
     libtool = libtool_1_5;
-- 
1.7.1
