Presentation of Kerberos

Kerberos is an authentication protocol that was developed at MIT in 1988. A client connects to a KDC server (Key Distribution Center) using a principal (a kind of login) and gets a ticket. As long as the ticket is valid, the client can access services without authenticating again. Both the client (here kbclient.example.com) and the KDC server (here kbserver.example.com) must belong to the same realm (usually your domain name written in upper case, here EXAMPLE.COM).

Prerequisites

Before configuring Kerberos, NTP synchronization and hostname resolution must be working. If DNS is not configured, add the following lines to the /etc/hosts file (replace the IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Caution: When adding a line to the /etc/hosts file, write the fully qualified domain name immediately after the IP address. If you put one or more aliases before the fully qualified domain name, Kerberos will not work.
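Added example, not from the original tutorial: a small POSIX shell check that tells you whether an /etc/hosts entry is in the order the caution above requires, i.e. whether the fully qualified name is the first name after the address. The function name check_hosts_fqdn and the sample file it is run against are constructed for this demonstration; the addresses and names are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check that an /etc/hosts
# entry names the fully qualified domain name immediately after the IP address.
# Kerberos maps the address back to a host principal through that first name,
# so an alias placed before the FQDN yields the wrong principal name.
#
# check_hosts_fqdn HOSTS_FILE IP FQDN
#   returns 0  - FQDN is the first name after IP (correct)
#   returns 1  - FQDN is on the line but an alias precedes it (Kerberos will fail)
#   returns 2  - no uncommented entry for IP names the FQDN at all
check_hosts_fqdn() {
    hosts_file=$1; ip=$2; fqdn=$3
    # Drop comments and keep the first entry whose address field is IP.
    line=$(sed 's/#.*//' "$hosts_file" | awk -v ip="$ip" '$1 == ip { print; exit }')
    [ -n "$line" ] || return 2
    set -- $line      # word-split the entry: $1=IP, $2=first name, $3...=aliases
    shift             # drop the address field
    [ "$1" = "$fqdn" ] && return 0
    for name in "$@"; do
        [ "$name" = "$fqdn" ] && return 1
    done
    return 2
}

make_sample_hosts() {
    # Constructed sample file for the demonstration below (not a real system file).
    cat > "$1" <<'EOF'
127.0.0.1     localhost localhost.localdomain
192.168.1.11  kbserver.example.com kbserver          # FQDN first: correct
192.168.1.12  kbclient kbclient.example.com          # alias first: Kerberos will not work
EOF
}

# Demonstration on the constructed file.
sample=$(mktemp)
make_sample_hosts "$sample"
for entry in "192.168.1.11 kbserver.example.com" "192.168.1.12 kbclient.example.com"; do
    set -- $entry
    rc=0
    check_hosts_fqdn "$sample" "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK   $2 is the first name after $1" ;;
        1) echo "FAIL $2 is preceded by an alias on the $1 line" ;;
        *) echo "FAIL no entry maps $1 to $2" ;;
    esac
done
rm -f "$sample"
```

Run it against the real file with check_hosts_fqdn /etc/hosts 192.168.1.11 kbserver.example.com on each machine before going any further; a return value of 1 is exactly the alias-first mistake described in the caution.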

Server Configuration

Install the Kerberos packages:

# yum install -y krb5-server krb5-workstation pam_krb5

First, edit the /var/kerberos/krb5kdc/kdc.conf file and replace EXAMPLE.COM with your own realm. Optionally, uncomment the master_key_type = aes256-cts line and paste the following line in the [realms] stanza:

default_principal_flags = +preauth

Note: This removes compatibility with Kerberos 4 but improves security: with pre-authentication required, the KDC only issues an initial ticket to a client that has first proved knowledge of the principal's key, instead of handing out material encrypted with that key to anyone who asks.

Then, in the /etc/krb5.conf file, uncomment all the lines, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Finally, edit the /var/kerberos/krb5kdc/kadm5.acl file and replace EXAMPLE.COM with your own realm.
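Added example, not part of the tutorial: the edits above (realm substitution in kdc.conf and kadm5.acl, uncommenting master_key_type, adding +preauth inside the realm stanza) done with awk and sed so they can be repeated and checked. The function names configure_kdc_conf, set_realm and realm_requires_preauth and the sample files are constructed for this demonstration; the sample kdc.conf is modelled on the stock RHEL 7 file, and the block only ever touches copies in a temporary directory, never /var/kerberos. It goes slightly beyond the text by checking that the +preauth line landed inside the realm's own { ... } stanza rather than elsewhere in the file.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): apply the kdc.conf and
# kadm5.acl edits with awk/sed, then verify the result.

configure_kdc_conf() {
    # configure_kdc_conf FILE REALM
    #  1. replace the placeholder realm EXAMPLE.COM with REALM everywhere
    #  2. uncomment master_key_type = aes256-cts
    #  3. add default_principal_flags = +preauth right after the realm's
    #     opening line, unless the file already sets that option
    file=$1; realm=$2; tmp="$file.tmp"
    if grep -q 'default_principal_flags' "$file"; then add_flag=0; else add_flag=1; fi
    awk -v realm="$realm" -v add_flag="$add_flag" '
        { gsub(/EXAMPLE\.COM/, realm) }
        /^[ \t]*#[ \t]*master_key_type[ \t]*=/ { sub(/#[ \t]*/, "") }
        { print }
        add_flag && !done && index($0, realm " = {") {
            print "  default_principal_flags = +preauth"; done = 1
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

set_realm() {
    # set_realm FILE REALM: the same realm substitution, used for kadm5.acl
    file=$1; realm=$2; tmp="$file.tmp"
    sed "s/EXAMPLE\\.COM/$realm/g" "$file" > "$tmp" && mv "$tmp" "$file"
}

realm_requires_preauth() {
    # realm_requires_preauth FILE REALM: succeed only if +preauth is set
    # inside REALM's own { ... } stanza, not merely somewhere in the file.
    awk -v realm="$2" '
        index($0, realm " = {")                                      { inside = 1 }
        inside && /^[ \t]*}/                                         { inside = 0 }
        inside && /^[ \t]*default_principal_flags[ \t]*=/ && /\+preauth/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

make_sample_kdc_conf() {
    # Constructed sample modelled on the stock RHEL 7 kdc.conf.
    cat > "$1" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

make_sample_kadm5_acl() {
    # Constructed sample with the stock one-line ACL.
    printf '*/admin@EXAMPLE.COM *\n' > "$1"
}

# Demonstration against constructed copies, so nothing under /var/kerberos is touched.
dir=$(mktemp -d)
make_sample_kdc_conf "$dir/kdc.conf"
make_sample_kadm5_acl "$dir/kadm5.acl"
configure_kdc_conf "$dir/kdc.conf" CORP.LOCAL
set_realm "$dir/kadm5.acl" CORP.LOCAL
if realm_requires_preauth "$dir/kdc.conf" CORP.LOCAL; then
    echo "CORP.LOCAL requires pre-authentication"
fi
cat "$dir/kdc.conf" "$dir/kadm5.acl"
rm -rf "$dir"
```

On a real KDC you would call configure_kdc_conf /var/kerberos/krb5kdc/kdc.conf YOUR.REALM and set_realm /var/kerberos/krb5kdc/kadm5.acl YOUR.REALM, then run realm_requires_preauth before starting krb5kdc; the second run of configure_kdc_conf in the demonstration shows that the +preauth line is not duplicated.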

Create the Kerberos database (replace EXAMPLE.COM with your own realm):

# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: example
Re-enter KDC database master key to verify: example

Note: It can be necessary to type keys on the keyboard to increase the entropy needed for the random data generation!

Start the Kerberos services:

# systemctl start krb5kdc kadmin

Activate the Kerberos services at boot:

# systemctl enable krb5kdc kadmin

Create a user for test:

# useradd user01

Execute the Kerberos administration tool:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.

Create the admin principal:

kadmin.local:  addprinc root/admin
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": kerberos
Re-enter password for principal "root/admin@EXAMPLE.COM": kerberos
Principal "root/admin@EXAMPLE.COM" created.

Create the user01 principal:

kadmin.local:  addprinc user01
Enter password for principal "user01@EXAMPLE.COM": user01
Re-enter password for principal "user01@EXAMPLE.COM": user01
Principal "user01@EXAMPLE.COM" created.

Add the KDC hostname to the Kerberos database:

kadmin.local:  addprinc -randkey host/kbserver.example.com
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/kbserver.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbserver.example.com@EXAMPLE.COM" created.

Extract the keys of the host principal into the local keytab, stored by default in the /etc/krb5.keytab file:

kadmin.local:  ktadd host/kbserver.example.com
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Exit the Kerberos administration tool:

kadmin.local:  quit
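Added example, not part of the tutorial: the same kadmin.local steps run non-interactively with kadmin.local -q, followed by a getprinc check that the new principals carry the REQUIRES_PRE_AUTH attribute that default_principal_flags = +preauth is meant to give them. The function names and the KADMIN variable (which lets the admin tool be replaced by a stub when testing) are constructed for this example; the keytab path is passed explicitly so the host key can be exported somewhere other than the default /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): script the kadmin.local
# steps and verify that the resulting principals require pre-authentication.
# KADMIN names the admin tool; it is a variable so a stub can stand in for it.
: "${KADMIN:=kadmin.local}"

kadmin_q() {
    # kadmin.local -q runs a single administration command and exits.
    "$KADMIN" -q "$*"
}

provision_kdc_principals() {
    # provision_kdc_principals ADMIN_PRINC USER_PRINC KDC_FQDN [KEYTAB]
    admin=$1; user=$2; host=$3; keytab=${4:-/etc/krb5.keytab}
    # Password principals prompt for their password on the terminal, as in
    # the tutorial. -pw is deliberately not used: it would leave the password
    # in the process list and in the shell history.
    kadmin_q "addprinc $admin"
    kadmin_q "addprinc $user"
    # The host principal gets a random key and is exported to the keytab.
    kadmin_q "addprinc -randkey host/$host"
    kadmin_q "ktadd -k $keytab host/$host"
}

principal_requires_preauth() {
    # principal_requires_preauth PRINCIPAL
    # Succeeds only if getprinc lists REQUIRES_PRE_AUTH among the attributes,
    # which is what default_principal_flags = +preauth should produce.
    kadmin_q "getprinc $1" | grep -q 'Attributes:.*REQUIRES_PRE_AUTH'
}

# Typical use on the KDC (uncomment to run for real):
# provision_kdc_principals root/admin user01 kbserver.example.com
# principal_requires_preauth user01 && echo "user01 requires pre-authentication"
```

If principal_requires_preauth fails for a freshly created principal, the +preauth line was not picked up from kdc.conf (wrong stanza, or krb5kdc not restarted after the edit); the flag can be corrected on an existing principal with modprinc +requires_preauth, also from kadmin.local.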

Edit the /etc/ssh/sshd_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# systemctl reload sshd

Configure the PAM component at the command line:

# authconfig --enablekrb5 --update

To get the correct firewall configuration (88/udp and 88/tcp for Kerberos itself, 749/tcp for kadmin communication), create the /etc/firewalld/services/kerberos.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>

Note: A Kerberos firewalld service file already exists in the /usr/lib/firewalld/services directory, but it does not open the kadmin port (749/tcp). With it, all administration would have to be done locally on the KDC server, which is not very handy.

Add the new service to the firewall:

# firewall-cmd --permanent --add-service=kerberos

Reload the firewall configuration:

# firewall-cmd --reload

Test your configuration (here kbserver.example.com is the KDC server name):

# su - user01
$ kinit
Password for user01@EXAMPLE.COM: user01
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user01@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2014 16:48:35  07/23/2014 16:48:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/22/2014 16:48:11
$ ssh kbserver.example.com

Now you should be able to log out and reconnect without giving any password. Note: To delete a ticket, use the kdestroy command.

Source: RHEL 5 Deployment Guide.

Troubleshooting Tip

When troubleshooting Kerberos behaviour as root, you can assign a filename to the KRB5_TRACE environment variable. This will help you trace the various steps followed by Kerberos.

# export KRB5_TRACE=/dev/stdout
# kinit
[2878] 1451496694.41411: Getting initial credentials for root@EXAMPLE.COM
[2878] 1451496694.41547: Sending request (183 bytes) to EXAMPLE.COM
...

Additional Resources

You can also watch Andrew Mallett's video about setting up a KDC (23min/2015). Chapter 11 of the RHEL 7 System-Level Authentication Guide deals with the KDC configuration.