This tutorial is a step-by-step guide to setting up a Kerberos server (KDC) and a Kerberos-enabled client, then testing the setup by obtaining a Kerberos ticket from the KDC.
In this tutorial you will learn:
- What is Kerberos and how it works
- Configure the Kerberos Server (KDC)
- Configure the Client
- Test the Kerberos Authentication
- Keytab Creation
Software Requirements and Conventions Used
|Category|Requirements, Conventions or Software Version Used|
|---|---|
|Software|Kerberos Server and Admin Packages|
|Other|Privileged access to your Linux system as root or via the|
|Conventions|# – requires given linux commands to be executed with root privileges either directly as a root user or by use of<br>$ – requires given linux commands to be executed as a regular non-privileged user|
What is Kerberos and how it works
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
The client authenticates itself to the Authentication Server (AS), which forwards the username to a key distribution center (KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped, encrypts it using the ticket-granting service's (TGS) secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point, although it may be transparently renewed by the user's session manager while the user is logged in.
When the client needs to communicate with another node ("principal" in Kerberos parlance) for some service on that node, the client sends the TGT to the TGS, which usually shares the same host as the KDC. The service must be registered with the TGS under a Service Principal Name (SPN). The client uses the SPN to request access to this service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a ticket and session keys to the client. The client then sends the ticket to the service server (SS) along with its service request.
Configure the Kerberos Server (KDC)
Time synchronization and DNS play an important role in making the KDC work properly. If the time difference exceeds 5 minutes, authentication will fail. The FQDNs should ideally resolve through DNS; here we get by with entries in /etc/hosts, but using DNS properly is recommended.
Execute the command below to install the Kerberos admin server and KDC (key distribution center):
# apt install krb5-kdc krb5-admin-server krb5-config
It will ask for the following three things, one by one:
- Kerberos Realm (here I have used UBUNTUBOX.COM)
- Kerberos server hostname – kdc.ubuntubox.com
- Hostname of the administrative (password changing) server for Kerberos Realm UBUNTUBOX.COM – kdc.ubuntubox.com
Now execute the command below to set up the realm. It will ask you to enter a password for database creation and, after that, it will start the Kerberos KDC (krb5kdc) and Kerberos administrative server (kadmind) processes.
root@kdc:~# krb5_newrealm
This script should be run on the master KDC/admin server to
initialize a Kerberos realm.  It will ask you to type in a master key
password.  This password will be used to generate a key that is
stored in /etc/krb5kdc/stash.  You should try to remember this
password, but it is much more important that it be a strong password
than that it be remembered.  However, if you lose the password and
/etc/krb5kdc/stash, you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'UBUNTUBOX.COM',
master key name 'K/M@UBUNTUBOX.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
root@kdc:~#
Open the /etc/krb5kdc/kadm5.acl file with any text editor and uncomment the last line so that the file looks like this:
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
The Kerberos server setup is now complete.
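To see what the uncommented `*/admin *` line actually grants, here is an added Python model of kadm5.acl matching (my own code, not part of the tutorial or of MIT krb5; the helpers `permissions_for` and `principal_matches` are names of my own and they simplify the real rules, leaving out target principals and restrictions). It shows that `sandipb/admin` receives every permission while the plain `sandipb` principal receives none, which is why administrative work belongs on a separate /admin instance.

```python
# Permission letters per kadm5.acl(5): a=add d=delete m=modify c=changepw i=inquire
# l=list p=propagate s=setkey e=extract; 'x' or '*' grants all of them.
ALL_PERMS = set("admcilpse")

def _split(principal, default_realm):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM'); a missing realm gets the default."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm or default_realm

def principal_matches(pattern, principal, default_realm):
    """A '*' in the pattern matches one whole component (or the whole realm); nothing else is wild."""
    pc, pr = _split(pattern, default_realm)
    cc, cr = _split(principal, default_realm)
    if len(pc) != len(cc) or pr not in ("*", cr):
        return False
    return all(p in ("*", c) for p, c in zip(pc, cc))

def permissions_for(acl_text, principal, default_realm):
    """Letters granted to principal by the first matching rule (first-match is assumed here)."""
    for line in acl_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments; blank lines yield no fields
        if len(fields) < 2 or not principal_matches(fields[0], principal, default_realm):
            continue
        if fields[1] in ("*", "x"):
            return set(ALL_PERMS)
        granted = {p for p in fields[1] if p.islower()}
        return granted - {p.lower() for p in fields[1] if p.isupper()}  # uppercase letters deny
    return set()

# The tutorial's /etc/krb5kdc/kadm5.acl after uncommenting its last line (constructed copy).
KADM5_ACL = "# ending in /admin is given full administrative rights.\n*/admin *\n"
```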
Configure the Client
Execute the command below to install and set up the Kerberos client.
# apt install krb5-user
Again it will ask for three things, one by one, as in the KDC server setup:
- Kerberos Realm – UBUNTUBOX.COM
- Hostname for the KDC Server – kdc.ubuntubox.com
- Hostname of Admin server – kdc.ubuntubox.com
Test the Kerberos Authentication
A Kerberos principal is a unique identity to which Kerberos can assign tickets, so we create a principal on the KDC server as shown below.
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: addprinc sandipb
WARNING: no policy specified for sandipb@UBUNTUBOX.COM; defaulting to no policy
Enter password for principal "sandipb@UBUNTUBOX.COM":
Re-enter password for principal "sandipb@UBUNTUBOX.COM":
Principal "sandipb@UBUNTUBOX.COM" created.
kadmin.local:
To delete a principal from the KDC, run the following command.
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: delprinc sandipb
Are you sure you want to delete the principal "sandipb@UBUNTUBOX.COM"? (yes/no): yes
Principal "sandipb@UBUNTUBOX.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:
Now, to authenticate to Kerberos and obtain a ticket from the KDC server, run the following command on the client node. Tickets are removed when you run kdestroy or when they expire; you will need to run kinit again after either of these occurs.
# kinit sandipb
root@kdcclient:~# kinit sandipb
Password for sandipb@UBUNTUBOX.COM:
root@kdcclient:~#
root@kdcclient:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-29T19:38:53  2018-12-30T05:38:53  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-30T19:38:38
root@kdcclient:~#
To check the details of the principal, run the command below on the KDC server.
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: getprinc sandipb
Principal: sandipb@UBUNTUBOX.COM
Expiration date: [never]
Last password change: Sun Dec 30 19:30:59 +04 2018
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Dec 30 19:30:59 +04 2018 (root/admin@UBUNTUBOX.COM)
Last successful authentication: Sun Dec 30 19:38:53 +04 2018
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:
Keytab Creation
A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your Kerberos password, you will need to recreate all your keytabs.
root@kdc:~# ktutil
ktutil: add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM:
ktutil: add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM:
ktutil: wkt sandipkt.keytab
ktutil: q
root@kdc:~#
root@kdc:~# klist -kte sandipkt.keytab
Keytab name: FILE:sandipkt.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes256-cts-hmac-sha1-96)
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes128-cts-hmac-sha1-96)
root@kdc:~#
root@kdc:~# kinit -k -t sandipkt.keytab sandipb
root@kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-30T00:36:44  2018-12-30T10:36:44  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-31T00:36:34
root@kdc:~#
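To see what ktutil actually wrote into sandipkt.keytab, here is an added Python example (my own code, not from the tutorial or from MIT krb5) that parses the MIT keytab file format and renders the entries the way klist -kte lists them. It builds a constructed in-memory stand-in for the keytab with dummy key bytes so it runs without a KDC; `parse_keytab`, `klist_kte` and `_entry` are names of my own, and the sample timestamp is taken as 2018-12-30T00:35:07 UTC.

```python
import struct
from datetime import datetime, timezone
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3962 numbers
def _counted(buf, off):  # 16-bit length-prefixed string (used for the realm and name components)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n
def parse_keytab(data):
    """Return one dict per live entry; a negative slot size marks a deleted entry, which is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # freed slot: skip its |size| bytes and carry on
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        # name type, timestamp, 8-bit kvno, enctype, key length, then the key bytes
        _ntype, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        key = data[off + 13:off + 13 + klen]
        off += 13 + klen
        # an optional trailing 32-bit kvno overrides the 8-bit one when present and non-zero
        vno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "timestamp": ts,
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype), "key": key})
    return entries

def klist_kte(data):
    """Render entries in the 'KVNO Timestamp Principal (enctype)' layout of klist -kte (UTC)."""
    return ["%4d %s %s (%s)" % (e["kvno"], datetime.fromtimestamp(e["timestamp"], timezone.utc)
            .strftime("%Y-%m-%dT%H:%M:%S"), e["principal"], e["enctype"]) for e in parse_keytab(data)]

def _entry(principal, kvno, ts, etype, key):  # encoder, used only to build the sample file below
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm) + b"".join(map(cs, name.split("/")))
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed stand-in for sandipkt.keytab (2018-12-30T00:35:07Z); key bytes are dummies, not real keys.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("sandipb@UBUNTUBOX.COM", 1, 1546130107, 18, bytes(range(32)))
                 + _entry("sandipb@UBUNTUBOX.COM", 1, 1546130107, 17, bytes(range(16))))
```

Each entry carries the principal's long-term key in the clear, which is password-equivalent, so a keytab should be readable only by the account that uses it (chmod 600 at minimum).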
Authentication is critical for the security of computer systems, and traditional authentication methods are not suitable for use in computer networks. The Kerberos authentication system is well suited for authenticating users in such environments.