Getting started with Kerberos

Vikram Aroskar
7 min read · Jan 3, 2019

Many people don’t know what Kerberos does, let alone what it consists of or how to set it up. This is a very basic write-up about Kerberos: what its main components are, and how to enable it on two Linux machines with minimal effort.

A very basic setup involves a Kerberos server (the KDC) and a client. There can of course be one or more clients, and the KDC host itself can also act as one of its own clients.

To get started, see the Wikipedia article on Kerberos.

Two essential precautions need to be taken care of when setting up.

  1. The server and client clocks must be in sync. Kerberos does not distribute time itself: tickets and authenticators carry timestamps, and the KDC and services reject anything whose timestamp differs from their own clock by more than the configured clockskew (300 seconds by default in MIT Kerberos). Run NTP on every host.
  2. The server and client must be able to reach and resolve each other over the network. Service principal names are built from hostnames (host/<fqdn>@REALM), so if name resolution of the KDC or of the target host fails, ticket requests fail at the very least, and a forward/reverse DNS mismatch can make the client ask for a ticket to the wrong service principal.

Here I’m pinging my own machine by name rather than as localhost, to check that my laptop’s name is resolvable. Note that 127.0.1.1 is the entry Ubuntu writes into /etc/hosts for the local hostname, so this only proves local resolution. Essentially, your name resolution (DNS, or /etc/hosts on every machine) must work between client(s) and server, and for a remote client the KDC name must resolve to an address the client can actually reach.

$ping PT074.domain
PING PT074 (127.0.1.1) 56(84) bytes of data.
64 bytes from PT074 (127.0.1.1): icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from PT074 (127.0.1.1): icmp_seq=2 ttl=64 time=0.063 ms
64 bytes from PT074 (127.0.1.1): icmp_seq=3 ttl=64 time=0.028 ms
64 bytes from PT074 (127.0.1.1): icmp_seq=4 ttl=64 time=0.040 ms

Kerberos Server Setup

I will be setting up on an Ubuntu machine. On Red Hat Linux there are similar yum (or dnf) based commands; the packages there are krb5-server and krb5-workstation.

$sudo apt install krb5-kdc krb5-admin-server
..

It will ask for the realm.

Enter your REALM (REALM074 in my case) and the hostnames of your own KDC and admin server (both this machine, here).

Now run,

$sudo krb5_newrealm 
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'REALM074',
master key name 'K/M@REALM074'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.

I set my password to abc123 for now and then continued. As you can see, my database was created successfully. Outside a throwaway lab, heed the script’s warning: this master key encrypts every principal key in the database, so it must be strong, and the stash file /etc/krb5kdc/stash (which holds it so the KDC can start unattended) must stay readable by root only.

It suggests creating an admin principal next. Adding principals is the most important step and the one you will repeat over time; I cover it below.

$sudo file /var/lib/krb5kdc/principal
/var/lib/krb5kdc/principal: Berkeley DB 1.85/1.86 (Btree, version 3, native byte-order)
$sudo ls -lhrt /var/lib/krb5kdc/
total 16K
-rw------- 1 root root 8.0K Jan 3 12:43 principal.kadm5
-rw------- 1 root root 0 Jan 3 12:43 principal.kadm5.lock
-rw------- 1 root root 0 Jan 3 12:53 principal.ok
-rw------- 1 root root 8.0K Jan 3 12:53 principal

It has also created an ACL (access control list) file, /etc/krb5kdc/kadm5.acl, which decides who may administer the database through the admin server:

$sudo cat /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
# */admin *

Edit this file, uncomment the last line (*/admin * grants every principal whose instance is admin full rights over the database), and restart the admin server.

$vi /etc/krb5kdc/kadm5.acl
$cat /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
$/etc/init.d/krb5-admin-server restart
[ ok ] Restarting krb5-admin-server (via systemctl): krb5-admin-server.service.
$

Also note that one more file has been created, the KDC’s own configuration:

$sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
REALM074 = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}

As you can see, this file also refers to REALM074. Two settings deserve attention before the realm goes anywhere near production: supported_enctypes in this default file still lists single DES and arcfour-hmac (RC4), both of which are considered broken, and master_key_type is des3-hmac-sha1. On a new realm, restrict supported_enctypes to the AES types (aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal) and set master_key_type = aes256-cts-hmac-sha1-96 before running krb5_newrealm, since that is when the master key is generated with the configured type.

Note: In the real world, the REALM is conventionally your company’s DNS domain in upper case (MYCOMPANY.COM), or the network domain of the machines. Here I’m creating a dummy REALM for demonstration purposes.

As a last step,

check the realms in /etc/krb5.conf, the configuration that the Kerberos client library reads. The installer has added REALM074 there as well, and the entry says where the KDC and the admin server are. Both are listed as 127.0.0.1 here, which only works on the KDC host itself; clients on other machines need the KDC’s resolvable hostname in these two lines.

$cat /etc/krb5.conf
...
[realms]
REALM074 = {
kdc = 127.0.0.1
admin_server = 127.0.0.1
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
...

And more importantly, it also has,

[libdefaults]
default_realm = REALM074
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU

You might need to add more lines to this section so that hosts in your domain map to REALM074. The [domain_realm] section maps a hostname (an entry without a leading dot, matched exactly) or a whole domain (an entry with a leading dot, matched as a suffix) to the realm whose KDC issues tickets for services on those hosts; when no entry matches, the library falls back to default_realm.

For example, if your REALM and DOMAIN are MYCOMPANY.COM (instead of REALM074 as currently shown), the [domain_realm] list needs to include

.mycompany.com = MYCOMPANY.COM
mycompany.com = MYCOMPANY.COM

and so on.
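The lookup that the library performs with those entries, reproduced in shell so you can predict which realm a service ticket will be requested from before editing krb5.conf. This is an added example, not part of the original post; the mapping below is constructed for the example from the entries discussed above, and DEFAULT_REALM stands in for default_realm.

```shell
#!/bin/sh
# Hostname -> realm lookup as libkrb5 does it with [domain_realm].
# Added example, not from the original post; mapping is constructed.

DEFAULT_REALM=REALM074

# One "tag realm" pair per line. A tag with a leading dot matches any host
# under that domain; a tag without one matches that exact hostname only.
DOMAIN_REALM='
.mycompany.com    MYCOMPANY.COM
mycompany.com     MYCOMPANY.COM
.mit.edu          ATHENA.MIT.EDU
mit.edu           ATHENA.MIT.EDU
.media.mit.edu    MEDIA-LAB.MIT.EDU
media.mit.edu     MEDIA-LAB.MIT.EDU
'

# host_realm FQDN: print the realm for FQDN. Hostnames are case-insensitive;
# an exact entry wins outright, otherwise the longest matching ".domain"
# entry wins (so .media.mit.edu beats .mit.edu), otherwise default_realm.
host_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    best=""
    bestlen=0
    while read -r tag realm; do
        [ -z "$tag" ] && continue
        if [ "$tag" = "$host" ]; then
            printf '%s\n' "$realm"
            return 0
        fi
        case "$tag" in
            .*)
                # Suffix match requires the dot, so evilmycompany.com does
                # not match .mycompany.com.
                case "$host" in
                    *"$tag")
                        if [ "${#tag}" -gt "$bestlen" ]; then
                            best=$realm
                            bestlen=${#tag}
                        fi ;;
                esac ;;
        esac
    done <<EOF
$DOMAIN_REALM
EOF
    printf '%s\n' "${best:-$DEFAULT_REALM}"
}
```

A host that lands on DEFAULT_REALM when you expected MYCOMPANY.COM means the entry is missing or lacks its leading dot; that is the usual cause of "Server not found in Kerberos database" when a service ticket is requested from the wrong realm.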

To enable SSH with Kerberos (GSSAPI), look at the client configuration:

cat /etc/ssh/ssh_config |grep GSS
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

As you can see, GSSAPIAuthentication yes is already enabled on the client side by Ubuntu’s default ssh_config. That is only the client half: for a login to succeed, sshd on the target machine needs GSSAPIAuthentication yes in /etc/ssh/sshd_config, and that machine needs a host/<fqdn>@REALM principal whose key is stored in /etc/krb5.keytab. GSSAPIDelegateCredentials is left at no, which is the right default: forwarding your TGT to every server you log into lets a compromised server act as you.
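The server-side half, as an added example that is not part of the original post. It assumes an MIT KDC reachable with kadmin, an admin principal listed in kadm5.acl (vikram/admin here is an assumed name), and that clients connect to the host by its fully qualified name. host_principal and keytab_kvno are pure helpers; enable_ssh_gssapi is the part that changes the system and must run as root on the ssh server.

```shell
#!/bin/sh
# Enable Kerberos (GSSAPI) logins on an OpenSSH server.
# Added example, not from the original post; names are assumptions.

# host_principal FQDN REALM: the service principal sshd looks for in
# /etc/krb5.keytab. The host part is lowercased because ssh clients
# canonicalize the name they connect to; the realm stays upper case.
host_principal() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'host/%s@%s\n' "$h" "$2"
}

# keytab_kvno LISTING PRINC: from captured `klist -k` output, print the key
# version number(s) stored for PRINC; fail if the principal is absent.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; found = 1 } END { exit !found }'
}

# enable_ssh_gssapi FQDN REALM ADMIN_PRINC: create the host principal with a
# random key, extract it into the system keytab, turn on GSSAPI in sshd,
# restart, and show what sshd will actually use.
enable_ssh_gssapi() {
    princ=$(host_principal "$1" "$2")
    # -randkey: hosts authenticate with a keytab, never with a password.
    kadmin -p "$3" -q "addprinc -randkey $princ" || return 1
    # ktadd writes the key into the keytab and records the kvno in the database.
    kadmin -p "$3" -q "ktadd -k /etc/krb5.keytab $princ" || return 1
    chmod 600 /etc/krb5.keytab
    # sshd honours the first occurrence of a keyword, so prepend our line.
    {
        printf 'GSSAPIAuthentication yes\n'
        cat /etc/ssh/sshd_config
    } > /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    sshd -t || return 1            # syntax check before the restart
    systemctl restart ssh
    sshd -T | grep -i '^gssapiauthentication'
    keytab_kvno "$(klist -k /etc/krb5.keytab)" "$princ"
}

# Constructed sample of `klist -k /etc/krb5.keytab` after a successful ktadd.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/pt074.domain@REALM074'
```

After `enable_ssh_gssapi pt074.domain REALM074 vikram/admin`, a client with a TGT can run `ssh -v pt074.domain` and should see "Authentication succeeded (gssapi-with-mic)"; if it falls through to password, the usual culprits are the host name not matching the principal in the keytab, or GSSAPIAuthentication no appearing earlier in sshd_config.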

Restart the services after every configuration change: krb5-kdc reads kdc.conf, and krb5-admin-server reads kadm5.acl.

$/etc/init.d/krb5-admin-server restart 
[ ok ] Restarting krb5-admin-server (via systemctl): krb5-admin-server.service.
$

The Kerberos server is now setup and working.

$sudo systemctl status krb5-kdc.service 
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset:
Active: active (running) since Thu 2019-01-03 12:43:32 IST; 38min ago
Process: 1661 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARG
Main PID: 1662 (krb5kdc)
CGroup: /system.slice/krb5-kdc.service
└─1662 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
Jan 03 12:43:32 IT074 systemd[1]: Starting Kerberos 5 Key Distribution Center...
Jan 03 12:43:32 IT074 krb5kdc[1661]: setting up network...
Jan 03 12:43:32 IT074 krb5kdc[1662]: commencing operation
Jan 03 12:43:32 IT074 systemd[1]: Started Kerberos 5 Key Distribution Center.

$sudo systemctl status krb5-admin-server.service
● krb5-admin-server.service - Kerberos 5 Admin Server
Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; enabled; vendo
Active: active (running) since Thu 2019-01-03 12:50:43 IST; 31min ago
Main PID: 2196 (kadmind)
CGroup: /system.slice/krb5-admin-server.service
└─2196 /usr/sbin/kadmind -nofork
Jan 03 12:50:43 IT074 kadmind[2196]: setsockopt(11,IPV6_V6ONLY,1) worked
Jan 03 12:50:43 IT074 kadmind[2196]: listening on fd 12: tcp 0.0.0.0.464
Jan 03 12:50:43 IT074 kadmind[2196]: listening on fd 11: tcp ::.464
Jan 03 12:50:43 IT074 kadmind[2196]: listening on fd 13: rpc 0.0.0.0.749
Jan 03 12:50:43 IT074 kadmind[2196]: setsockopt(14,IPV6_V6ONLY,1) worked
Jan 03 12:50:43 IT074 kadmind[2196]: listening on fd 14: rpc ::.749
Jan 03 12:50:43 IT074 kadmind[2196]: set up 6 sockets
Jan 03 12:50:43 IT074 kadmind[2196]: Seeding random number generator
Jan 03 12:50:43 IT074 kadmind[2196]: kadmind: starting...
Jan 03 12:50:43 IT074 kadmind[2196]: starting

Add a Principal to Kerberos

Run the sudo kadmin.local command. It opens the database file directly, so it needs neither a ticket nor an entry in kadm5.acl; plain kadmin is the remote version that talks to the admin server as a /admin principal.

$sudo kadmin.local
Authenticating as principal root/admin@REALM074 with password.
kadmin.local:

At the kadmin.local prompt, set up one or more principals with addprinc.

kadmin.local:  addprinc vikram
WARNING: no policy specified for vikram@REALM074; defaulting to no policy
Enter password for principal "vikram@REALM074":
Re-enter password for principal "vikram@REALM074":
Principal "vikram@REALM074" created.

Here I have created a single principal, ‘vikram’, within the realm ‘REALM074’, as the last line confirms: Principal “vikram@REALM074” created.

The warning means no password policy was applied, so no minimum length or character-class rules were enforced on the password; add_policy (for example with -minlength and -minclasses) followed by addprinc -policy <name> fixes that for real users.

kadmin.local:  listprincs
K/M@REALM074
kadmin/admin@REALM074
kadmin/changepw@REALM074
kadmin/it074@REALM074
kiprop/it074@REALM074
krbtgt/REALM074@REALM074
vikram@REALM074

The listing also shows the built-in principals: K/M is the master key, krbtgt/REALM074 is the ticket-granting service, kadmin/admin and kadmin/changepw serve the admin server, and kadmin/it074 and kiprop/it074 are the per-host admin and incremental-propagation principals for this KDC (hostname it074). The idea is that a client obtains a ticket from this KDC and presents it to servers (machines) that trust the KDC.

Setting up Kerberos Client

On your client machine, add your Kerberos server’s hostname to /etc/hosts if DNS does not already resolve it.

And then install the client:

sudo apt-get install krb5-user

This will ask for your REALM, the admin server hostname and the KDC hostname, and writes them to /etc/krb5.conf.

To test whether things are working, we request a ticket-granting ticket (TGT) from the server.

$kinit vikram@REALM074
Password for vikram@REALM074:

If successful, this command shows no output; otherwise it shows error messages (a clock or name-resolution problem from the precautions above shows up here first).

To check,

$klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: vikram@REALM074
Valid starting Expires Service principal
2019-01-03T13:43:47 2019-01-03T23:43:47 krbtgt/REALM074@REALM074
renew until 2019-01-04T13:43:42

If this didn’t work, no ticket is listed here. You can run klist before kinit to see the empty state; for scripts, klist -s is the silent variant that only returns a non-zero exit status when there is no valid ticket.
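Checking for a TGT from a script, and reading its expiry out of klist output, as an added example that is not part of the original post. It assumes MIT klist and kinit; klist prints dates in two layouts depending on version and locale, and both are handled. The sample outputs are constructed to match the klist run above.

```shell
#!/bin/sh
# Scriptable TGT checks around klist/kinit.
# Added example, not from the original post; sample output is constructed.

# have_valid_tgt: succeed if the default cache holds an unexpired TGT.
# klist -s prints nothing and only returns a status, which is what you want
# before running a Kerberos-dependent command from cron or a wrapper.
have_valid_tgt() {
    klist -s
}

# ensure_tgt PRINCIPAL KEYTAB: for unattended jobs, obtain a fresh TGT from a
# keytab only when the cache is empty or expired (kinit -kt never prompts).
ensure_tgt() {
    klist -s || kinit -kt "$2" "$1"
}

# tgt_expiry KLIST_OUTPUT REALM: print the expiry of krbtgt/REALM@REALM from
# captured klist text; fail if the cache holds no TGT for REALM.
tgt_expiry() {
    printf '%s\n' "$1" | awk -v svc="krbtgt/$2@$2" '
        # ISO layout: start  expiry  service
        NF == 3 && $3 == svc { print $2; found = 1 }
        # Legacy layout: mm/dd/yyyy hh:mm:ss  mm/dd/yyyy hh:mm:ss  service
        NF == 5 && $5 == svc { print $3, $4; found = 1 }
        END { exit !found }'
}

# Constructed sample matching the klist run in the text.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: vikram@REALM074
Valid starting       Expires              Service principal
2019-01-03T13:43:47  2019-01-03T23:43:47  krbtgt/REALM074@REALM074
        renew until 2019-01-04T13:43:42'

# Constructed sample in the older, locale-dependent layout.
SAMPLE_KLIST_LEGACY='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: vikram@REALM074
Valid starting       Expires              Service principal
01/03/2019 13:43:47  01/03/2019 23:43:47  krbtgt/REALM074@REALM074
        renew until 01/04/2019 13:43:42'
```

A typical use is `tgt_expiry "$(klist)" REALM074` in a shell prompt or monitoring check, and `ensure_tgt svc/backup@REALM074 /etc/backup.keytab` at the top of a batch job; the keytab for such a job is created with the same addprinc -randkey and ktadd sequence used for host principals.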

This is the basics of setting up a Kerberos client.

We have partly set up ssh on the server. Additional steps are needed to finish configuring ssh with Kerberos, and to enable specific applications with Kerberos. So far we have only the basic setup; with this knowledge you can build a more advanced setup and enable multiple applications.
