Strong Authentication at Fermilab

Chapter 22: Installing Heimdal Kerberos for use with Cygwin

Chapter 22: Installing Heimdal Kerberos for use with Cygwin

---

In this chapter we get you started installing the Heimdal Kerberos software in order to Kerberize your network connections from a Windows Cygwin system (Win2k or NT4, or other OS running NTFS). Currently, MIT Kerberos and Fermi Kerberos do not run on Cygwin without tweaking and recompiling. Installation of the Heimdal Kerberos software will allow you to connect to Kerberized machines and encrypt your data transmissions.

Notes:

• hile the configuration described in this chapter complies with the Fermilab Policy on Computing and thus may be used, it is not supported at Fermilab.
• The documentation we are providing on this configuration is cursory.
• Work is being done on getting Fermi kerberos to compile under Cygwin. Stay tuned...
• Testing of Heimdal has been minimal.
• The Heimdal distribution includes Kerberized daemons that can be used for Kerberizing a Windows machine. However we restrict our discussion to setting the machine up as a Kerberos client only.

22.1 Obtain a Kerberos Principal

First, verify that you have administrator privileges on the PC. Next, you need to obtain a Kerberos principal and initial password for the FNAL.GOV realm. See section 3.1 Your Kerberos Principal. Use the online Request Form for Computing Username and Primary Accounts at http://computing.fnal.gov/cd/forms/acctreq.html.

22.2 Install Cygwin

Cygwin runs on Win2K, and on NT using NTFS. This discussion is based on a Win2K install. The full Cygwin installation requires ~ 300 MB of space. This can be reduced by selecting only the tools desired from the installation.

22.2.1 Partial Installation

In order to run the Heimdal kerberos client software, you don't need to install the full Cygwin. The minimum installation for Kerberized telnet and ftp for Windows can be accomplished by downloading six files, all available for download from the URL ftp://ftp.it.su.se/pub/kerberos/contrib/win32/. The six necessary files are:

• cygwin1.dll (the DLL file necessary to run Cygwin executables under Windows)
• telnet.exe
• rsh.exe
• ftp.exe
• kinit.exe
• kdestroy.exe

The four executables and the DLL can be put into C:\WINNT\SYSTEM321 or into a directory of your choice, provided that the client executables can find the DLL file. We recommend that you copy the DLL file to one of the following locations: the same directory as the executables, C:\WINNT\SYSTEM32, or to some other directory in the PATH. If you choose a different location, make sure the directory containing the DLL is in your PATH2 before you try running the programs.

22.2.2 Complete Installation

Cygwin can be installed from: http://sources.redhat.com/cygwin/. There is an icon on the upper right of this page that is titled Install Cygwin Now. Click this icon to download the setup.exe program to your hard drive.

Run the setup.exe program to begin installation (Sorry, no screen-by-screen details!).

22.3 Install Heimdal Kerberos

The Heimdal distribution of kerberos is available via a binary distribution at: ftp://ftp.it.su.se/pub/kerberos/contrib/win32/. The file of interest is travelkit.zip. This binary distribution is based on the Heimdal 0.3e source. The current source is 0.4b and is available via a link from the Heimdal page http://www.pdc.kth.se/heimdal/. (If you prefer to compile the current source under Cygwin, which requires some tweaking of the source, send a request to kerberos-users@fnal.gov.)

To install the travelkit.zip:

• Expand the zip file into the /usr directory (under Cygwin /usr becomes //c/cygwin/usr).

  This will populate the /usr/heimdal directory as well as drop a sample krb5.conf file in the /usr/etc directory.

• Remove the sample krb5.conf file.
• Obtain a standard Fermi krb5.conf (available from KITS as the product krb5conf, or just copy from a Kerberized UNIX machine), and copy it to the /etc directory.
• Put the /usr/heimdal/bin directory in your PATH.

In the /usr/heimdal/bin directory you will find the available client tools. There are Kerberized clients for telnet, FTP, rsh and rcp (rlogin is not yet available).

22.4 Using CVS under Cygwin

The Heimdal Kerberized rsh allows the Cygwin CVS client to work with Kerberos authentication. Put the Kerberized rsh in your $PATH, and set your CVSROOT variable to the appropriate value, e.g., cvsuser@cdcvs.fnal.gov:/cvs/cd. Authenticate to Kerberos, and then, for example, you can execute cvs co kerberos to get the kerberos source.

1Assuming that %SYSTEMROOT% is C:\WINNT.

2To get to the PATH, navigate to Start > Settings > Control Panel > System > Environment.

View/print PDF file | Back to Strong Auth Index Page | Computing Division | Fermilab at Work | Fermilab Home