Presentation
Kerberos is an authentication protocol that was developed at MIT in 1988.
A client connects to a KDC server (Key Distribution Center) by using a principal (roughly, a login name) and gets a ticket. As long as the ticket is valid, the client can access some services and doesn't need to authenticate again.
Both client (here kbclient.example.com) and KDC server (here kbserver.example.com) must be inside the same realm (usually your domain name written in upper case, here EXAMPLE.COM).
Prerequisites
Before configuring Kerberos, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines to the /etc/hosts file (replace the specified IP addresses with yours):
192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com
Server Configuration
Install the Kerberos packages:
# yum install -y krb5-server krb5-workstation pam_krb5
First, edit the /var/kerberos/krb5kdc/kdc.conf file and replace EXAMPLE.COM with your own realm.
Then, in the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).
Finally, edit the /var/kerberos/krb5kdc/kadm5.acl file and replace EXAMPLE.COM with your own realm.
Create the Kerberos database (replace EXAMPLE.COM with your own realm):
# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: example
Re-enter KDC database master key to verify: example
Start the Kerberos services:
# service krb5kdc start
# service kadmin start
Activate the Kerberos services at boot:
# chkconfig krb5kdc on
# chkconfig kadmin on
Create a test user:
# useradd user01
Create the main principals:
# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": kerberos
Re-enter password for principal "root/admin@EXAMPLE.COM": kerberos
Principal "root/admin@EXAMPLE.COM" created.
# kadmin.local -q "addprinc user01"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for user01@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user01@EXAMPLE.COM": user01
Re-enter password for principal "user01@EXAMPLE.COM": user01
Principal "user01@EXAMPLE.COM" created.
# kadmin.local -q "addprinc -randkey host/kbserver.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/kbserver.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbserver.example.com@EXAMPLE.COM" created.
# kadmin.local -q "ktadd -k /etc/krb5.keytab host/kbserver.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Reload the sshd service configuration:
# service sshd reload
Configure the PAM component with a text interface:
# authconfig-tui
Select “[*] Use Kerberos” in the Authentication column, then Next and OK.
Alternatively, configure the PAM component at the command line:
# authconfig --enablekrb5 --update
Add the following rules to the firewall (port 88 for Kerberos itself, port 749 for kadmin communication):
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT
Save the firewall configuration:
# service iptables save
Test your configuration (here kbserver.example.com is the KDC server name):
# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_dxkBby1591
Default principal: user01@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 17:30:55  02/13/14 17:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/12/14 17:30:00
Now, you should be able to quit and reconnect without giving any password.
Note: To delete a ticket, use the kdestroy command.
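The ktadd output above shows the host keytab receiving six keys, among them single-DES (des-cbc-md5, des-hmac-sha1), triple-DES and RC4 (arcfour-hmac) types that current MIT Kerberos releases deprecate. The script below is an added example, not part of the original guide: it parses the output format of `klist -kte` and reports every keytab entry that uses a deprecated encryption type, so a KDC administrator can see what the default supported_enctypes list actually produced. The embedded listing is constructed from the ktadd lines above; the WEAK_ENCTYPES list is the author's assumption of what to flag.

```bash
#!/bin/bash
# Added example: audit a Kerberos keytab listing for deprecated encryption types.
# Input is the format printed by `klist -kte`, one key per line:
#    2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

# Enctypes that should no longer appear in a keytab or in kdc.conf supported_enctypes
# (assumed list: single-DES, triple-DES and RC4 families).
WEAK_ENCTYPES="des-cbc-crc des-cbc-md5 des-hmac-sha1 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp"

# Constructed sample of `klist -kte /etc/krb5.keytab` after the ktadd step of this guide.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (des-hmac-sha1)
   2 02/12/14 17:25:01 host/kbserver.example.com@EXAMPLE.COM (des-cbc-md5)'

# is_weak_enctype NAME: succeeds if NAME is in WEAK_ENCTYPES.
is_weak_enctype() {
    for w in $WEAK_ENCTYPES; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# audit_keytab_listing: reads klist -kte output on stdin, prints one line per
# weak entry as "WEAK <kvno> <principal> <enctype>"; returns 1 if any were found.
audit_keytab_listing() {
    found=0
    while read -r kvno _date _time principal enctype; do
        # Header, separator and blank lines do not start with a numeric KVNO.
        case "$kvno" in ''|*[!0-9]*) continue ;; esac
        enctype=${enctype#\(}
        enctype=${enctype%\)}
        if is_weak_enctype "$enctype"; then
            printf 'WEAK %s %s %s\n' "$kvno" "$principal" "$enctype"
            found=1
        fi
    done
    return $found
}

# count_weak_entries LISTING: prints the number of weak entries in LISTING.
count_weak_entries() {
    printf '%s\n' "$1" | audit_keytab_listing | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real KDC pipe `klist -kte /etc/krb5.keytab` in instead.
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | audit_keytab_listing \
    || echo "keytab contains deprecated enctypes: restrict supported_enctypes in kdc.conf and re-run ktadd"
```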
Source: RHEL 5 Deployment Guide.
Additional Resources
You can also have a look at the MIT Kerberos Documentation.
Works great 🙂