
7.4 Mac OS X and the Login Window

The initial console login window presented to Mac OS X users is called, appropriately enough, the loginwindow. Unfortunately, loginwindow's PAM support is incomplete. But luckily for Kerberos 5 users, Apple has provided special support in the loginwindow contained in Mac OS X 10.2 and above to provide users with Kerberos tickets when logging into their OS X system.

The procedure for enabling Kerberos support in the Mac OS X loginwindow application is documented in the AppleCare document #107154, "Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window." Note that the method to enable this facility is subject to change in future OS X revisions.

Just like PAM, there are two basic options available when enabling Kerberos login support in OS X. You can either require valid Kerberos credentials for successful local login, or simply acquire Kerberos tickets if the local password is the same as the Kerberos password.

The Mac OS X Security and Authorization Services use the /etc/authorization file, and this is the file that we'll edit to enable Kerberos authentication in loginwindow. First, when requiring valid Kerberos credentials for login to the local system, Mac OS X can either make use of a valid host keytab or operate without one. Note that, as we discussed in Chapter 6, a host keytab is required to defend against man-in-the-middle attacks against the Kerberos system.

Since Mac OS X does not include the kadmin utility, the best way to get a host key onto the Macintosh host is to create and extract the host key for the OS X host on the KDC and use Secure Shell (installed by default on OS X) to copy the key securely to the Mac.

In order to require Kerberos credentials when a host keytab is present, search for the system.login.console key in the /etc/authorization file and replace it with the following:

<key>system.login.console</key>
<dict>
  <key>eval</key>
  <string>loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success</string>
</dict>

If, on the other hand, you still wish to require Kerberos credentials even though a valid keytab is not present, you can replace the system.login.console key with the following text:

<key>system.login.console</key>
<dict>
  <key>eval</key>
  <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
</dict>

Finally, the OS X loginwindow can acquire a Kerberos TGT as a result of successful local authentication. This method will attempt to acquire a TGT if the local password is the same as the Kerberos principal's password (where the principal name is the local user name, and the realm is the default realm as specified in the Kerberos configuration file). If the passwords differ, no error messages or additional password prompts appear; there will simply be no tickets available in the credential cache.

To enable this method of obtaining Kerberos tickets, search for the system.login.done key in the /etc/authorization file and replace it with the following:

<key>system.login.done</key>
<dict>
  <key>eval</key>
  <string>switch_to_user,krb5auth:login</string>
</dict>
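The three edits above are small enough to make by hand, but on more than one Mac it is easy to end up with the authnoverify variant on some hosts and not know it. The following script is an added example, not from the book or from Apple; it assumes the 10.2-era file layout shown in this section (a "rights" dictionary whose entries carry a comma-separated "eval" string) and uses Python's standard plistlib to set a right's eval chain and to report which of the three Kerberos behaviours a given /etc/authorization will produce.

```python
import plistlib

# Constructed sample in the shape of the 10.2-era /etc/authorization file: a
# "rights" dict whose entries carry a comma-separated "eval" mechanism chain.
# Both rights start in their stock, non-Kerberos form.
SAMPLE_AUTHORIZATION = b"""<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>eval</key>
      <string>loginwindow_builtin:login,loginwindow_builtin:success</string>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>eval</key>
      <string>switch_to_user</string>
    </dict>
  </dict>
</dict>
</plist>
"""

# The three eval chains given in the text.
REQUIRE_WITH_KEYTAB = "loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success"
REQUIRE_NO_KEYTAB = "loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success"
ACQUIRE_ON_LOGIN_DONE = "switch_to_user,krb5auth:login"

def set_eval(plist_bytes, right, chain):
    """Return a copy of the plist with the eval chain of one right replaced."""
    data = plistlib.loads(plist_bytes)
    data["rights"][right]["eval"] = chain
    return plistlib.dumps(data)

def mechanisms(plist_bytes, right):
    """Split a right's eval string into its ordered mechanism list."""
    chain = plistlib.loads(plist_bytes)["rights"][right]["eval"]
    return [m.strip() for m in chain.split(",") if m.strip()]

def audit_kerberos_login(plist_bytes):
    """Classify the Kerberos behaviour a given /etc/authorization produces."""
    console = mechanisms(plist_bytes, "system.login.console")
    done = mechanisms(plist_bytes, "system.login.done")
    if "krb5auth:authenticate" in console:
        return "required-verified"    # KDC reply checked against the host keytab
    if "krb5auth:authnoverify" in console:
        return "required-unverified"  # no keytab: the MITM exposure Chapter 6 warns about
    if "krb5auth:login" in done:
        return "acquire-if-passwords-match"  # TGT fetched silently, never mandatory
    return "none"
```

To apply it to a live system, read /etc/authorization into plist_bytes, write the result of set_eval back as root, and keep a copy of the original file so a typo in the chain cannot lock you out of the console.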