KERBEROS: Configure a system to authenticate using Kerberos.


Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines to the /etc/hosts file (replace the IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Create a user for test:

# useradd user01

Add the client machine name (here kbclient.example.com) to the principals:

# kadmin -q "addprinc -randkey host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.
# kadmin -q "ktadd -k /etc/krb5.keytab host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# service sshd reload

Configure the PAM component with a text interface:

# authconfig-tui

Select “[*] Use Kerberos” in the Authentication column, then Next and OK.

Alternatively, configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_TGWbLJ1810
Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal
02/12/14 17:51:58 02/13/14 17:50:46 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/12/14 17:50:46

Now, you should be able to quit and reconnect without giving any password.
In addition, the first time you log in to a Kerberos client, you have to provide a login/password. Then, you get a ticket that allows you to log in to all the other Kerberos clients in the same realm and you don’t need to provide a password any more as long as your ticket is valid.
Note: To delete a ticket, use the kdestroy command.
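A post-setup checker for the steps above, added here as an example (it is not from the RHEL 5 Deployment Guide or this page). Every check takes text as its first argument (file contents or captured klist output) so it runs offline; the SAMPLE_* values are constructed from the names used on this page (kbclient.example.com, kbserver.example.com, EXAMPLE.COM). For a live host, call e.g. hosts_maps "$(cat /etc/hosts)" kbclient.example.com or weak_enctypes "$(klist -ke /etc/krb5.keytab)".

```shell
#!/bin/sh
# krb5-client-check.sh: checks for the Kerberos client configured on this page.
# Added example; checks take file contents or command output as text ($1).

# /etc/hosts fallback: does the FQDN $2 map to an address in the hosts text $1?
hosts_maps() {
  printf '%s\n' "$1" |
    grep -Eq "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+([^#]*[[:space:]])?$2([[:space:]]|$)"
}
# krb5.conf text $1: default_realm is $2 and a kdc line names $3.
krb5_conf_ok() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" &&
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$3([[:space:]]|:|$)"
}
# Print the kvno(s) stored for principal $2 in 'klist -ke' output $1.
# Compare with 'kvno $2' against the KDC: a mismatch means a stale keytab.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2@" 'index($2, p) == 1 { print $1 }' | sort -u
}
# List single-DES and RC4 keys, which the ktadd output on this page shows were
# written by default; they should be removed from the keytab and KDC policy.
weak_enctypes() {
  printf '%s\n' "$1" | grep -Eo '\((des-[^)]*|arcfour[^)]*)\)' | tr -d '()' | sort -u
}
# ssh client config text $1: both GSSAPI options set and not commented out.
gssapi_on() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' &&
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GSSAPIDelegateCredentials[[:space:]]+yes'
}

# Constructed samples mirroring the files and klist output shown on this page.
SAMPLE_HOSTS='192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com'
SAMPLE_KRB5='[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kbserver.example.com
 }'
SAMPLE_KLIST_KE='KVNO Principal
   2 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   2 host/kbclient.example.com@EXAMPLE.COM (des-cbc-md5)'
SAMPLE_SSH='Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes'
```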

Source: RHEL 5 Deployment Guide.

3 comments on “KERBEROS: Configure a system to authenticate using Kerberos.”
  1. scfewyy says:

    You should first edit the sshd_config file and add/uncomment the two GSSAPI* lines:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    because if not you will receive an error:

    [root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Password for root/admin@EXAMPLE.COM:
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    [root@r2 ~]# vim /etc/ssh/ssh_config
    [root@r2 ~]# service sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    [root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Password for root/admin@EXAMPLE.COM:
    WARNING: no policy specified for host/r2.example.com@EXAMPLE.COM; defaulting to no policy
    Principal "host/r2.example.com@EXAMPLE.COM" created.

  2. mbrito says:

    For me the client and server always ask for a password… There must be some other setting, no?!
