KERBEROS: Configure a KDC.

Share this link

Presentation

Kerberos is an authentication protocol that was developed at MIT in 1988.
A client connects to a KDC server (Kerberos Distribution Center) by using a principal (kind of login) and get a ticket. As long as the ticket is valid, the client can access some services and doesn’t need to authenticate any more.
Both client (here kbclient.example.com) and KDC server (here kbserver.example.com) must be inside the same realm (usually your domain name written in upper case, here EXAMPLE.COM).

Prerequisites

Before configuring Kerberos, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines in the /etc/hosts file (replace the specified ip addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Server Configuration

Install the Kerberos packages:

# yum install -y krb5-server krb5-workstation pam_krb5

First, edit the /var/kerberos/krb5kdc/kdc.conf file and replace EXEMPLE.COM with your own realm.
Then, in the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).
Finally, edit the /var/kerberos/krb5kdc/kadm5.acl file and replace EXEMPLE.COM with your own realm.

Create the Kerberos database (replace EXAMPLE.COM with you own realm):

# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: example
Re-enter KDC database master key to verify: example

Start the Kerberos services:

# service krb5kdc start
# service kadmin start

Activate the Kerberos services at boot:

# chkconfig krb5kdc on
# chkconfig kadmin on

Create a user for test:

# useradd user01

Create the main principals:

# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": kerberos
Re-enter password for principal "root/admin@EXAMPLE.COM": kerberos
Principal "root/admin@EXAMPLE.COM" created.

# kadmin.local -q "addprinc user01"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for user01@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user01@EXAMPLE.COM": user01
Re-enter password for principal "user01@EXAMPLE.COM": user01
Principal "user01@EXAMPLE.COM" created.

# kadmin.local -q "addprinc -randkey host/kbserver.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/kbserver.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbserver.example.com@EXAMPLE.COM" created.

# kadmin.local -q "ktadd -k /etc/krb5.keytab host/kbserver.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# service sshd reload

Configure the PAM component with a text interface:

# authconfig-tui

Select “[*] Use Kerberos” in the Authentication column, then Next and OK.

Alternatively, configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Add the following rules to the firewall (port 88 for Kerberos itself, port 749 for kadmin communication):

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT

Save the firewall configuration:

# service iptables save

Test your configuration (here kbserver.example.com is the KDC server name):

# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_dxkBby1591
Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal
02/12/14 17:30:55 02/13/14 17:30:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/12/14 17:30:00

Now, you should be able to quit and reconnect without giving any password.
Note: To delete a ticket, use the kdestroy command.

Source: RHEL 5 Deployment Guide.

Additional Resources

You can also have a look at the MIT Kerberos Documentation.

(No Ratings Yet)
Loading...
One comment on “KERBEROS: Configure a KDC.
  1. Freelancer says:

    Works great 🙂

Leave a Reply

Upcoming Events (Local Time)

There are no events.

Follow me on Twitter

Archives

vceplus-200-125    | boson-200-125    | training-cissp    | actualtests-cissp    | techexams-cissp    | gratisexams-300-075    | pearsonitcertification-210-260    | examsboost-210-260    | examsforall-210-260    | dumps4free-210-260    | reddit-210-260    | cisexams-352-001    | itexamfox-352-001    | passguaranteed-352-001    | passeasily-352-001    | freeccnastudyguide-200-120    | gocertify-200-120    | passcerty-200-120    | certifyguide-70-980    | dumpscollection-70-980    | examcollection-70-534    | cbtnuggets-210-065    | examfiles-400-051    | passitdump-400-051    | pearsonitcertification-70-462    | anderseide-70-347    | thomas-70-533    | research-1V0-605    | topix-102-400    | certdepot-EX200    | pearsonit-640-916    | itproguru-70-533    | reddit-100-105    | channel9-70-346    | anderseide-70-346    | theiia-IIA-CIA-PART3    | certificationHP-hp0-s41    | pearsonitcertification-640-916    | anderMicrosoft-70-534    | cathMicrosoft-70-462    | examcollection-cca-500    | techexams-gcih    | mslearn-70-346    | measureup-70-486    | pass4sure-hp0-s41    | iiba-640-916    | itsecurity-sscp    | cbtnuggets-300-320    | blogged-70-486    | pass4sure-IIA-CIA-PART1    | cbtnuggets-100-101    | developerhandbook-70-486    | lpicisco-101    | mylearn-1V0-605    | tomsitpro-cism    | gnosis-101    | channel9Mic-70-534    | ipass-IIA-CIA-PART1    | forcerts-70-417    | tests-sy0-401    | ipasstheciaexam-IIA-CIA-PART3    | mostcisco-300-135    | buildazure-70-533    | cloudera-cca-500    | pdf4cert-2v0-621    | f5cisco-101    | gocertify-1z0-062    | quora-640-916    | micrcosoft-70-480    | brain2pass-70-417    | examcompass-sy0-401    | global-EX200    | iassc-ICGB    | vceplus-300-115    | quizlet-810-403    | cbtnuggets-70-697    | educationOracle-1Z0-434    | channel9-70-534    | officialcerts-400-051    | examsboost-IIA-CIA-PART1    | networktut-300-135    | teststarter-300-206    | pluralsight-70-486    | coding-70-486    | freeccna-100-101    | digitaltut-300-101    | iiba-CBAP    | virtuallymikebrown-640-916    | isaca-cism    | whizlabs-pmp    | techexams-70-980    | ciscopress-300-115    | techtarget-cism    | pearsonitcertification-300-070    | testking-2v0-621    | isacaNew-cism    | simplilearn-pmi-rmp    | simplilearn-pmp    | educationOracle-1z0-809    | education-1z0-809    | teachertube-1Z0-434    | villanovau-CBAP    | quora-300-206    | certifyguide-300-208    | cbtnuggets-100-105    | flydumps-70-417    | gratisexams-1V0-605    | ituonline-1z0-062    | techexams-cas-002    | simplilearn-70-534    | pluralsight-70-697    | theiia-IIA-CIA-PART1    | itexamtips-400-051    | pearsonitcertification-EX200    | pluralsight-70-480    | learn-hp0-s42    | giac-gpen    | mindhub-102-400    | coursesmsu-CBAP    | examsforall-2v0-621    | developerhandbook-70-487    | root-EX200    | coderanch-1z0-809    | getfreedumps-1z0-062    | comptia-cas-002    | quora-1z0-809    | boson-300-135    | killtest-2v0-621    | learncia-IIA-CIA-PART3    | computer-gcih    | universitycloudera-cca-500    | itexamrun-70-410    | certificationHPv2-hp0-s41    | certskills-100-105    | skipitnow-70-417    | gocertify-sy0-401    | prep4sure-70-417    | simplilearn-cisa    |
http://www.pmsas.pr.gov.br/wp-content/    | http://www.pmsas.pr.gov.br/wp-content/    |