Kerberos is a network authentication protocol.
Kerberos provides strong cryptographic authentication between devices, which lets clients and servers communicate more securely. It is designed to address network security problems.
Whereas firewalls address intrusion from external networks, Kerberos is typically used to address intrusion and other security problems within the network.
The current version of Kerberos is version 5, known as KRB5.
To implement Kerberos, a centralized authentication service must run on a server.
This service is called the Key Distribution Center (KDC).
A server registered with the KDC is trusted by all other computers in the Kerberos realm.
Sample krb5.conf File
Here's an example krb5.conf file that contains the realm and domain-to-realm mapping information:

    # cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com
      admin_server = kerberos.example.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
Install Kerberos KDC server
For security reasons, it is recommended to run the Kerberos KDC on a dedicated server.
Download and install the krb5 server package.

    # rpm -ivh krb5-server-1.10.3-10.el6_4.6.x86_64.rpm
    Preparing...                ########################################### [100%]
       1:krb5-server            ########################################### [100%]
Verify that the following rpms are installed before configuring the KDC:

    # rpm -qa | grep -i krb5
    pam_krb5-2.3.11-9.el6.x86_64
    krb5-server-1.10.3-10.el6_4.6.x86_64
    krb5-workstation-1.10.3-10.el6_4.6.x86_64
    krb5-libs-1.10.3-10.el6_4.6.x86_64
Modify /etc/krb5.conf File
Change /etc/krb5.conf to look like the following, with the appropriate REALM and DOMAIN_REALM mappings.

    # cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYREALM.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     MYREALM.COM = {
      kdc = elserver1.example.com
      admin_server = elserver1.example.com
     }

    [domain_realm]
     .myrealm.com = MYREALM.COM
     myrealm.com = MYREALM.COM
Modify kdc.conf File
The kdc.conf file should also be modified as shown below.

    # cat /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     MYREALM.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
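The krb5.conf and kdc.conf files above share one format (INI-style sections plus brace-delimited sub-sections under [realms]) that the standard configparser cannot read. The following is an added example, not code from the article or from MIT Kerberos: a small parser for that format and an audit that lists which entries in the sample kdc.conf's supported_enctypes belong to the single-DES, RC4 and triple-DES families that MIT Kerberos has since deprecated or removed. The sample text is constructed from the kdc.conf shown above; the set of weak prefixes is this example's own assumption.

```python
import re

# Constructed sample: the [realms] stanza of the kdc.conf shown above.
SAMPLE_KDC_CONF = """
[realms]
 MYREALM.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Enctype families MIT Kerberos has deprecated (RC4, 3DES) or removed (single DES).
WEAK_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

def parse_krb5_conf(text):
    """Parse the krb5.conf/kdc.conf format: [section] headers, key = value lines
    and one level of 'NAME = { ... }' sub-sections (as used under [realms]).
    Returns {section: {key: value}}; a sub-section's value is itself a dict."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, sub = header.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":                           # end of a sub-section
            sub = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                          # start of a sub-section
            sub = key
            conf[section][sub] = {}
        elif sub is not None:
            conf[section][sub][key] = value
        else:
            conf[section][key] = value
    return conf

def weak_enctypes(conf, realm):
    """Enctypes (salt suffix stripped) in a realm's supported_enctypes that belong
    to a deprecated family; every new principal key would include them."""
    listed = conf.get("realms", {}).get(realm, {}).get("supported_enctypes", "")
    names = [entry.split(":")[0] for entry in listed.split()]
    return [name for name in names if name.startswith(WEAK_PREFIXES)]
```

Trimming supported_enctypes to the AES entries before running kdb5_util create means no DES or RC4 keys are ever written to the database.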
Create KDC database
Next, create the KDC database using the kdb5_util command as shown below. At this stage, enter the password for the KDC database master key.

    # /usr/sbin/kdb5_util create -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYREALM.COM',
    master key name 'K/M@MYREALM.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
Assign Administrator Privilege
Users are granted administrator privileges on the database through the file /var/kerberos/krb5kdc/kadm5.acl.

    # cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@MYREALM.COM *

In the above example, any principal in the MYREALM.COM realm whose instance is admin (for example eluser/admin@MYREALM.COM) has all administrator privileges.
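To see exactly which principals a line like the one above grants rights to, the following added example (not code from the article or from MIT Kerberos) evaluates the kadm5.acl format: each line is a principal pattern, a permissions field and optional target fields; a '*' matches one whole name component; '*' or 'x' as permissions grants everything and an uppercase letter denies that right. It assumes, as MIT's kadmind does, that the first matching line is used. The ACL text is constructed from the article's line plus a read-only entry for contrast.

```python
# Constructed ACL: the line from the article plus a read-only entry for contrast.
SAMPLE_ACL = """
# comments and blank lines are ignored
*/admin@MYREALM.COM *
auditor@MYREALM.COM li
"""

# add, delete, modify, changepw, inquire, list, policy, set-key; '*' or 'x' grants all.
ALL_PERMS = set("admcilps")

def split_principal(name):
    """'eluser/admin@MYREALM.COM' -> (['eluser', 'admin'], 'MYREALM.COM')."""
    body, _, realm = name.partition("@")
    return body.split("/"), realm

def principal_matches(pattern, principal):
    """A '*' in the pattern matches one whole component (or the whole realm)."""
    pcomps, prealm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps))

def permissions_for(acl_text, principal):
    """Permission letters the first matching ACL line grants to principal
    (uppercase letters in the permissions field deny the lowercase right).
    The optional target-principal and restriction fields are not evaluated."""
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not principal_matches(fields[0], principal):
            continue
        perms = fields[1]
        if perms in ("*", "x"):
            return set(ALL_PERMS)
        granted = {ch for ch in perms if ch in ALL_PERMS}
        denied = {ch.lower() for ch in perms if ch.isupper()}
        return granted - denied
    return set()          # no matching line: kadmind refuses the operation
```

Note that eluser@MYREALM.COM (no admin instance) matches nothing, which is why the tutorial creates eluser/admin rather than a plain user principal for administration.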
Create a Principal
Create the principal using the following command. In this example, I create the principal for the user name "eluser" with the admin instance.

    # kadmin.local -q "addprinc eluser/admin"
    Authenticating as principal root/admin@MYREALM.COM with password.
    WARNING: no policy specified for eluser/admin@MYREALM.COM; defaulting to no policy
    Enter password for principal "eluser/admin@MYREALM.COM":
    Re-enter password for principal "eluser/admin@MYREALM.COM":
    Principal "eluser/admin@MYREALM.COM" created.
Start the Kerberos Service
Start the KDC and kadmin daemons as shown below.

    # service krb5kdc start
    Starting Kerberos 5 KDC:                                   [  OK  ]
    # service kadmin start
    Starting Kerberos 5 Admin Server:                          [  OK  ]
Configure Kerberos Client
Now let's see how to configure the krb5 client to authenticate against the Kerberos KDC database we created above.
Step 1: Install the krb5-libs and krb5-workstation packages on the client machine.
Step 2: Copy the /etc/krb5.conf from the KDC server to the client machine.
Step 3: Now we need to create the principal for the client in the KDC/Kerberos database.
You can use the command below to create the principal for the client machine on the KDC master server. In this example I am creating a host principal for the client elserver3.example.com on the master KDC server elserver1.example.com.

    # kadmin.local -q "addprinc host/elserver3.example.com"
    Authenticating as principal root/admin@MYREALM.COM with password.
    WARNING: no policy specified for host/elserver3.example.com@MYREALM.COM; defaulting to no policy
    Enter password for principal "host/elserver3.example.com@MYREALM.COM":
    Re-enter password for principal "host/elserver3.example.com@MYREALM.COM":
    Principal "host/elserver3.example.com@MYREALM.COM" created.
Step 4: Extract the krb5.keytab for the client from the KDC master server using the command below:

    # kadmin.local -q "ktadd -k /etc/krb5.keytab host/elserver3.example.com"
    Authenticating as principal root/admin@MYREALM.COM with password.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/elserver3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
This completes the configuration. You are all done at this stage.
From now on, every time you establish an SSH or RSH connection, the host verifies its identity against the KDC database using the keytab file, and the connection is established securely over Kerberos.
ktadd is used from the kadmin prompt to generate a new keytab or add a principal to an existing keytab.
ktremove is used to remove a principal from an existing keytab. The command to remove the principal that we created above is:

    # kadmin.local -q "ktremove -k /etc/krb5.keytab -q host/elserver3.example.com all"
Delete a KDC database
If for some reason you have to delete a KDC database, use the following command:

    # kdb5_util -r MYREALM.COM destroy
    kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, you sure
    (type yes to confirm)? <== yes
    OK, deleting database '/usr/local/var/krb5kdc/principal'...

Adding the -f option to the above command forces the deletion of the KDC database without the confirmation prompt.
Backup and Restore KDC Database
To back up a KDC database to a file, use kdb5_util dump.

    # kdb5_util dump kdcfile
    # ls -l kdcfile
    -rw-------. 1 root root 5382 Apr 10 07:25 kdcfile
To restore the KDC database from the dump file created in the above step, do the following:

    # kdb5_util load kdcfile