Kerberos Install and Configuration
Configure Kerberos Server
- Install Kerberos RPM
- Setup KDC
- Create KDC database
- Start and Enable Kerberos Services
- Add principal records to KDC
Use yum to install the following RPMs.
# yum -y install krb5-server krb5-libs krb5-workstation
Add the following configuration. Replace the domain name and realm (linuxtechspace.com / LINUXTECHSPACE.COM) with your own.
# vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = LINUXTECHSPACE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
LINUXTECHSPACE.COM = {
kdc = kerberos-server.linuxtechspace.com
admin_server = kerberos-server.linuxtechspace.com
}
[domain_realm]
.linuxtechspace.com = LINUXTECHSPACE.COM
linuxtechspace.com = LINUXTECHSPACE.COM
# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
LINUXTECHSPACE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@LINUXTECHSPACE.COM *
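Two lines in the files above deserve a second look before the database is created: the supported_enctypes list in kdc.conf still carries single DES, triple DES and RC4 (arcfour) types, all deprecated for Kerberos (RFC 6649, RFC 8429), and the kadm5.acl rule grants every privilege to any principal whose instance is "admin". The POSIX shell script below is an added example and not part of the original tutorial: it parses a kdc.conf and a kadm5.acl and reports exactly those two things. The files it reads are constructed copies of the values shown above, written to a temporary directory, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit kdc.conf and kadm5.acl.

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES="des-hmac-sha1 des-cbc-md5 des-cbc-crc des3-hmac-sha1 arcfour-hmac"

# Print, one per line, every entry of supported_enctypes that is on the
# weak list. $1 is the path to a kdc.conf file.
weak_enctypes_in_kdc_conf() {
    # Take the value after '=', split on blanks, drop the ':salt' suffix.
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
      | tr -s ' \t' '\n' | sed 's/:.*//' \
      | while read -r et; do
            [ -z "$et" ] && continue
            for w in $WEAK_ENCTYPES; do
                if [ "$et" = "$w" ]; then echo "$et"; fi
            done
        done
    return 0
}

# Print how many weak enctypes the file enables (0 is the goal).
weak_count() {
    weak_enctypes_in_kdc_conf "$1" | wc -l | tr -d ' '
}

# Count ACL rules that give all privileges ('*') to a wildcard principal
# such as */admin@REALM. $1 is the path to a kadm5.acl file.
acl_wildcard_full_rights() {
    awk '!/^#/ && $1 ~ /^\*\// && $2 == "*" { n++ } END { print n+0 }' "$1"
}

# Constructed sample files carrying the tutorial's own values.
TMP=$(mktemp -d)   # left in place; remove with rm -rf "$TMP" when done
cat > "$TMP/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 LINUXTECHSPACE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
cat > "$TMP/kadm5.acl" <<'EOF'
*/admin@LINUXTECHSPACE.COM *
EOF

printf 'weak enctypes enabled in kdc.conf:\n'
weak_enctypes_in_kdc_conf "$TMP/kdc.conf"
printf 'total: %s\n' "$(weak_count "$TMP/kdc.conf")"
printf 'ACL rules giving full rights to a wildcard principal: %s\n' \
    "$(acl_wildcard_full_rights "$TMP/kadm5.acl")"
```

Run it against the real files with weak_count /var/kerberos/krb5kdc/kdc.conf before kdb5_util create: the enctypes listed there decide which keys every new principal gets (the eight keys shown by getprinc later in this page), so trimming the list down to the aes types first avoids re-keying principals afterwards.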
Create the Kerberos database. You will be prompted to set the master key; remember it.
# kdb5_util create -s -r LINUXTECHSPACE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LINUXTECHSPACE.COM',
master key name 'K/M@LINUXTECHSPACE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# systemctl start krb5kdc kadmin
# systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
Add the admin account principal record
# kadmin.local addprinc root/admin
Enter password for principal "root/admin@LINUXTECHSPACE.COM":
Re-enter password for principal "root/admin@LINUXTECHSPACE.COM":
Add the testuser account principal record
# kadmin.local addprinc testuser
Enter password for principal "testuser@LINUXTECHSPACE.COM":
Re-enter password for principal "testuser@LINUXTECHSPACE.COM":
Create the host key and store it in the keytab
# kadmin.local ktadd host/master
Entry for principal host/master with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
Display and Modify Principal record
- Show a Principal Record
- Delete a Principal Record
# kadmin.local getprinc testuser
Principal: testuser@LINUXTECHSPACE.COM
Expiration date: [never]
Last password change: Fri May 01 09:00:34 EDT 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Fri May 01 09:00:34 EDT 2020 (root/admin@LINUXTECHSPACE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
# kadmin.local delprinc testuser
Kerberos Client Configuration
- Install Kerberos Workstation RPM
- Copy Kerberos configuration from Kerberos Server
- Enable Kerberos Authentication
- Create user account on client server
- Get a ticket for testuser from KDC
- Log in as testuser in a new SSH session and enter the password that was set up in the KDC
# yum -y install krb5-workstation pam_krb5
# scp kerberos-server:/etc/krb5.conf /etc/krb5.conf
# authconfig --enablekrb5 --update
# useradd testuser
[testuser@kerberos-client ~]$ kinit
Password for testuser@LINUXTECHSPACE.COM:
[testuser@kerberos-client ~]$ klist
Ticket cache: KEYRING:persistent:1003:1003
Default principal: testuser@LINUXTECHSPACE.COM
Valid starting Expires Service principal
05/01/2020 09:55:57 05/02/2020 09:55:57 krbtgt/LINUXTECHSPACE.COM@LINUXTECHSPACE.COM
[testuser@kerberos-client ~]$
login as: testuser
testuser@kerberos-client's password:
[testuser@kerberos-client ~]$
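The klist output above is the evidence that the client really obtained a ticket-granting ticket from the KDC. The POSIX shell functions below are an added example, not part of the original tutorial: they parse klist output to extract the realm of the default principal and the expiry of the krbtgt entry, so a login script or monitoring check can confirm a TGT for the expected realm is present rather than just that some cache exists. The sample text is a constructed copy of the klist output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm a TGT for the expected realm
# from klist output.

# Constructed sample, copied from the klist output in the tutorial.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1003:1003
Default principal: testuser@LINUXTECHSPACE.COM
Valid starting       Expires              Service principal
05/01/2020 09:55:57  05/02/2020 09:55:57  krbtgt/LINUXTECHSPACE.COM@LINUXTECHSPACE.COM'

# Print the realm of the default principal (the text after '@').
# $1 is the klist output.
klist_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}

# Print the expiry timestamp (date and time) of the TGT for a realm.
# $1 is the klist output, $2 the realm whose krbtgt entry to look for.
# Prints nothing if no such entry exists.
tgt_expiry() {
    printf '%s\n' "$1" | awk -v realm="$2" \
        '$NF == ("krbtgt/" realm "@" realm) { print $3, $4 }'
}

# Return 0 if the cache holds a TGT for realm $2, 1 otherwise.
has_tgt_for_realm() {
    [ -n "$(tgt_expiry "$1" "$2")" ]
}

realm=$(klist_realm "$SAMPLE_KLIST")
if has_tgt_for_realm "$SAMPLE_KLIST" "$realm"; then
    printf 'TGT for %s present, expires %s\n' "$realm" \
        "$(tgt_expiry "$SAMPLE_KLIST" "$realm")"
else
    printf 'no TGT for %s in cache\n' "$realm"
fi
```

On a live client, feed the functions the real output with out=$(klist 2>/dev/null); klist -s already answers the yes/no question (exit 0 when an unexpired ticket exists), and the realm check here catches the case where a stale or foreign-realm cache is being picked up instead of the ticket from the KDC configured in /etc/krb5.conf.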
We are all done now!