How to Install Kerberos 5 Server
Kerberos is a network authentication protocol. It lets clients and servers prove their identities to each other over an untrusted network using strong cryptography (shared secret keys and short-lived tickets), so that a user's password is never sent to the services the user connects to. It was designed to replace password-based authentication on open networks, and it is commonly used to provide single sign-on and mutual authentication between the hosts and services of an organization.
To implement Kerberos, you need a centralized authentication service running on a server: the Key Distribution Center (KDC). Every user, host and service is registered with the KDC as a principal, and all members of the Kerberos realm trust the KDC to vouch for the identity of any other registered principal. Because the KDC holds the keys of every principal, its compromise is the compromise of the whole realm.
Sample krb5.conf File
Here is an example krb5.conf file containing the realm definition and the domain-to-realm mapping. Realm names are case-sensitive and by convention upper-case, and the same realm name must appear in default_realm, in the [realms] stanza and in the [domain_realm] mapping; if they disagree, lookups fail or are sent to the wrong KDC.
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = N0WHERE.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
N0WHERE.NET = {
kdc = kerberos.n0where.net
admin_server = kerberos.n0where.net
}
[domain_realm]
.n0where.net = N0WHERE.NET
n0where.net = N0WHERE.NET
Install Kerberos KDC server
For security reasons, run the Kerberos KDC on a dedicated server that hosts nothing else: any other service on the same machine is an additional way in to the database holding every principal's key.
Download and install the krb5 server package.
# rpm -ivh krb5-server-1.10.3-10.el6_4.6.x86_64.rpm
Preparing... ########################################### [100%]
1:krb5-server ########################################### [100%]
Verify that the following rpms are installed before configuring the KDC:
# rpm -qa | grep -i krb5
pam_krb5-2.3.11-9.el6.x86_64
krb5-server-1.10.3-10.el6_4.6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
Modify /etc/krb5.conf File
Edit /etc/krb5.conf so that it looks like the following, substituting your own realm name and domain-to-realm mappings. In this example the realm is N0WHERE.NET and the KDC and admin server run on server1.n0where.net.
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = N0WHERE.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
N0WHERE.NET = {
kdc = server1.n0where.net
admin_server = server1.n0where.net
}
[domain_realm]
.n0where.net = N0WHERE.NET
n0where.net = N0WHERE.NET
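Because krb5.conf names the realm in three places, a mismatch (default_realm pointing at one realm, the [realms] stanza defining another, [domain_realm] mapping to a third) does not produce a parse error; it shows up later as "Cannot find KDC for realm" or as tickets requested from the wrong realm. The following Python script, added here as an example and not part of the original page or of the MIT krb5 distribution, parses the profile syntax shared by krb5.conf and kdc.conf and reports such disagreements. Both configurations it checks are constructed inline; the first has a deliberate three-way mismatch, the second is the corrected version.

```python
# Realm-consistency check for krb5.conf. Added example, not from the original
# page; the two configurations below are constructed inline, and the first
# deliberately names three different realms.


def parse_profile(text):
    """Parse krb5.conf/kdc.conf profile syntax into nested dicts.

    [name] starts a section; key = value adds a value (keys such as kdc may
    repeat, so values are lists); key = { opens a subsection closed by a lone
    }. Lines starting with # or ; are comments. include/includedir lines are
    skipped, not followed, so run this on the fully expanded file.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(("include ", "includedir ")):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("value outside any section: %r" % line)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated subsection")
    return conf


def check_realms(conf):
    """List the ways [libdefaults], [realms] and [domain_realm] disagree."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        problems.append("[libdefaults] sets no default_realm")
    elif default not in realms:
        problems.append("default_realm %s has no [realms] stanza" % default)
    for name, stanza in realms.items():
        if name != name.upper():
            problems.append("realm %s is not upper-case (realm names are case-sensitive)" % name)
        if not isinstance(stanza, dict) or "kdc" not in stanza:
            problems.append("realm %s lists no kdc" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                problems.append("domain_realm maps %s to %s, which has no [realms] stanza"
                                % (domain, realm))
    return problems


# Constructed sample: a template whose three realm names were never reconciled.
BROKEN_CONF = """\
[libdefaults]
 default_realm = N0WHERE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.n0where.net
  admin_server = kerberos.n0where.net
 }
[domain_realm]
 .n0where.net = N0WHERE.NET
 n0where.net = N0WHERE.NET
"""

# The same file with every realm name set to N0WHERE.NET.
FIXED_CONF = BROKEN_CONF.replace("N0WHERE.COM", "N0WHERE.NET").replace("EXAMPLE.COM", "N0WHERE.NET")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label + ":")
        for problem in check_realms(parse_profile(text)) or ["ok"]:
            print("  " + problem)
```

To check a real file, pass the contents of /etc/krb5.conf to parse_profile; the same parser reads /var/kerberos/krb5kdc/kdc.conf, so the realm name in its [realms] stanza can be compared against default_realm as well.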
Modify kdc.conf File
Also modify /var/kerberos/krb5kdc/kdc.conf as shown below; the realm name must match the one in krb5.conf. The supported_enctypes list shown is the distribution default and still includes single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac), both of which are cryptographically broken. Unless a legacy client genuinely requires them, trim the list to the AES types before creating the database, and uncomment master_key_type = aes256-cts at the same time, since changing the master key type later means rolling the master key with kdb5_util add_mkey, use_mkey and update_princ_encryption.
# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
N0WHERE.NET = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Create KDC database
Next, create the KDC database with the kdb5_util command as shown below. The -s option stores the master key in a stash file (/var/kerberos/krb5kdc/.k5.N0WHERE.NET) so that krb5kdc and kadmind can start without the password being typed in; that file is as sensitive as the database itself and must remain readable only by root. When prompted, enter a strong password for the KDC database master key.
# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'N0WHERE.NET',
master key name 'K/M@N0WHERE.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Assign Administrator Privilege
Administrative privileges over the database are granted through the file /var/kerberos/krb5kdc/kadm5.acl.
# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@N0WHERE.NET *
In the example above, every principal in N0WHERE.NET whose instance is admin (eluser/admin, for instance) receives all administrative privileges: the second field is the permission list, and * means all of them. For day-to-day operators a narrower set such as acil (add, change password, inquire, list) is safer, and an optional third field restricts the entry to a pattern of target principals.
Create a Principal
Create an administrative principal using the following command. In this example the user name is "eluser" with the admin instance, so that it matches the ACL above. kadmin.local runs directly on the KDC as root and needs no Kerberos credentials; the "Authenticating as principal root/admin" line is informational.
# kadmin.local -q "addprinc eluser/admin"
Authenticating as principal root/admin@N0WHERE.NET with password.
WARNING: no policy specified for eluser/admin@N0WHERE.NET; defaulting to no policy
Enter password for principal "eluser/admin@N0WHERE.NET":
Re-enter password for principal "eluser/admin@N0WHERE.NET":
Principal "eluser/admin@N0WHERE.NET" created.
Start the Kerberos Service
Start the KDC and kadmin daemons as shown below, and enable them at boot with chkconfig krb5kdc on and chkconfig kadmin on. Clients need to reach UDP and TCP port 88 (KDC) and TCP port 749 (kadmin) on this host.
# service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
# service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
Configure Kerberos Client
Now let's see how to configure the krb5 client to authenticate against the Kerberos KDC database created above.
Step 1: Install the krb5-libs and krb5-workstation packages on the client machine.
Step 2: Copy the /etc/krb5.conf from the KDC server to the client machine.
Step 3: Create the principal for the client in the KDC database.
Run the following on the master KDC server1.n0where.net to create a host principal for the client server2.n0where.net. Host and service principals are normally created with -randkey rather than a human-chosen password; here a password is set at creation, but the ktadd step below replaces it with a random key in any case.
# kadmin.local -q "addprinc host/server2.n0where.net"
Authenticating as principal root/admin@N0WHERE.NET with password.
WARNING: no policy specified for host/server2.n0where.net@N0WHERE.NET; defaulting to no policy
Enter password for principal "host/server2.n0where.net@N0WHERE.NET":
Re-enter password for principal "host/server2.n0where.net@N0WHERE.NET":
Principal "host/server2.n0where.net@N0WHERE.NET" created.
Step 4: Extract the keytab for the client on the KDC master server using the command below. ktadd generates a fresh random key for the principal (incrementing the kvno) and writes it to the keytab, so the password chosen in step 3 no longer works. Note that -k /etc/krb5.keytab as written adds the entries to the KDC's own system keytab; it is cleaner to write to a separate file (for example -k /root/server2.keytab), copy that file to /etc/krb5.keytab on the client over an authenticated, encrypted channel such as scp, make it root-owned with mode 0600, and delete the copy on the KDC.
# kadmin.local -q "ktadd -k /etc/krb5.keytab host/server2.n0where.net"
Authenticating as principal root/admin@N0WHERE.NET with password.
Entry for principal host/server2.n0where.net with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server2.n0where.net with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server2.n0where.net with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server2.n0where.net with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server2.n0where.net with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server2.n0where.net with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
From now on, a Kerberos-aware service on the client (for example sshd with GSSAPIAuthentication enabled) uses the host key in /etc/krb5.keytab to decrypt the service tickets that clients present and, with mutual authentication, to prove the host's own identity to them, so users holding a ticket get single sign-on to the host over an authenticated connection. Check the copied keytab with klist -kt /etc/krb5.keytab and test it with kinit -kt /etc/krb5.keytab host/server2.n0where.net. Protect the file (root-owned, mode 0600): anyone who can read it can impersonate the host.
ktadd generates a new random key for a principal and writes it to a new or existing keytab; it is run from kadmin or kadmin.local.
ktremove removes a principal's entries from an existing keytab. Its syntax is ktremove [-k keytab] [-q] principal [kvno | all | old], so the command to remove the entries we created above is:
kadmin.local -q "ktremove -k /etc/krb5.keytab -q host/server2.n0where.net all"
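The ktadd output above lists what was written, but the keytab itself is a small binary file, and it is worth knowing exactly what it contains: every entry is a long-term key for the host, and an entry with a DES or RC4 key lets a peer negotiate that weak enctype against the service. Below is a Python parser for the MIT keytab format (version 0x0502), added here as an example and not part of the original page or of the krb5 tools. The sample keytab it reads is built in memory with all-zero dummy keys for host/server2.n0where.net, with an enctype mix that reflects the default supported_enctypes list; nothing in it is real key material. Point parse_keytab at the bytes of a real /etc/krb5.keytab to get the same listing klist -kt gives, plus a report of principals that still carry weak keys.

```python
import struct

# Enctype numbers (RFC 3961 and MIT additions) for the types ktadd reports.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
}
# Single DES and RC4 are broken; triple DES is deprecated (RFC 8429).
WEAK_ENCTYPES = {1, 3, 8, 16, 23}
KRB5_NT_PRINCIPAL = 1  # name type kadmin writes for ordinary principals


def _counted(raw):
    """Keytab counted octet string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialize one entry as krb5 does: int32 size, then uint16 component
    count, realm, components, uint32 name type, uint32 timestamp, uint8 kvno,
    keyblock (uint16 enctype, uint16 length, key) and the 32-bit kvno."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """Version 0x0502 keytab from (principal, realm, kvno, enctype, key) tuples."""
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return one dict per live entry; deleted entries (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # hole left by a removed entry
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        pos = off
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen
        if end - pos >= 4:      # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": keylen,
            "weak": enctype in WEAK_ENCTYPES,
        })
        off = end
    return entries


def weak_entries(entries):
    """Principals that still carry a DES, 3DES or RC4 key."""
    return sorted({e["principal"] for e in entries if e["weak"]})


# Constructed sample (all-zero dummy keys, not real material): what ktadd
# writes for host/server2.n0where.net while RC4 and DES are still enabled.
SAMPLE_KEYTAB = build_keytab([
    ("host/server2.n0where.net", "N0WHERE.NET", 2, 18, bytes(32)),
    ("host/server2.n0where.net", "N0WHERE.NET", 2, 17, bytes(16)),
    ("host/server2.n0where.net", "N0WHERE.NET", 2, 23, bytes(16)),
    ("host/server2.n0where.net", "N0WHERE.NET", 2, 3, bytes(8)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno %d  %s%s" % (e["principal"], e["kvno"],
              e["enctype_name"], "  <- weak" if e["weak"] else ""))
    print("weak keys for:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

If weak_entries reports anything for a production keytab, remove the weak types from supported_enctypes in kdc.conf and re-run ktadd for the affected principals; a new kvno is issued, so existing tickets for the old key stop working once they expire.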
Delete a KDC database
If you ever need to delete the KDC database (for example to start over with a different master_key_type), use the following command. kdb5_util asks for confirmation before destroying it:
# kdb5_util -r N0WHERE.NET destroy
kdb5_util: Deleting KDC database stored in '/var/kerberos/krb5kdc/principal', are you sure?
(type 'yes' to confirm)? <== yes
OK, deleting database '/var/kerberos/krb5kdc/principal'...
Adding the -f option (kdb5_util -r N0WHERE.NET destroy -f) forces the deletion without the confirmation prompt.
Backup and Restore KDC Database
To back up a KDC database to a file, use kdb5_util dump. The dump contains every principal's keys (encrypted under the master key, which the -s stash file keeps on disk), so protect it as carefully as the database and the stash file themselves: keep it root-owned with mode 0600, and move it off the KDC only over an encrypted channel.
# kdb5_util dump kdcfile
# ls -l kdcfile
-rw-------. 1 root root 5382 Apr 10 07:25 kdcfile
To restore the KDC database from the dump file created in the step above, run the following. load replaces the existing database with the contents of the dump; use kdb5_util load -update kdcfile to merge the dump into the existing database instead.
# kdb5_util load kdcfile