In this tutorial you will learn:
- What is Kerberos and how it works
- Configure the Kerberos Server (KDC)
- Configure the Client
- Test the Kerberos Authentication
- Keytab Creation
Software Requirements and Conventions Used
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Ubuntu 18.04 |
| Software | Kerberos server and admin packages |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # - requires given Linux commands to be executed with root privileges either directly as a root user or by use of the sudo command; $ - requires given Linux commands to be executed as a regular non-privileged user |
What is Kerberos and how it works
The client authenticates itself to the Authentication Server (AS), which forwards the username to the key distribution center (KDC). The KDC issues a time-stamped ticket-granting ticket (TGT), encrypts it using the ticket-granting service's (TGS) secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point, although it may be transparently renewed by the user's session manager while they are logged in.
When the client needs to communicate with a service on another node (a "principal" in Kerberos parlance), it sends the TGT to the TGS, which usually shares the same host as the KDC. The service must be registered with the KDC under a Service Principal Name (SPN), and the client uses that SPN to request access to the service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a service ticket and session key to the client. The client then sends the ticket to the service server (SS) along with its service request.
Configure the Kerberos Server (KDC)
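Before configuring the server, it helps to see the two exchanges just described as running code. The following is an added example written for this page, not code from the tutorial or from MIT Kerberos: a toy KDC holding long-term keys for the user, for krbtgt/UBUNTUBOX.COM and for one service principal, with the AS exchange (pre-authentication, TGT sealed under the TGS key), the TGS exchange (TGT plus authenticator, service ticket sealed under the service's key) and the final presentation of the ticket to the service. The 5-minute clock-skew limit and the 10-hour ticket life shown later in this tutorial are enforced; the principal names, the keys and the HMAC/XOR toy cipher are constructed stand-ins, not Kerberos' AES-CTS enctypes or wire format.

```python
"""Added example (not from the tutorial or MIT Kerberos): a toy model of the
AS and TGS exchanges. The realm is the tutorial's; principal names, keys and
the HMAC/XOR 'cipher' are constructed stand-ins for Kerberos' AES-CTS enctypes."""
import hashlib
import hmac
import json
import os

REALM = "UBUNTUBOX.COM"
MAX_CLOCK_SKEW = 300         # seconds: the 5-minute limit the tutorial mentions
TICKET_LIFETIME = 10 * 3600  # matches "Maximum ticket life: 0 days 10:00:00"


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a dict with the toy cipher; a wrong key fails verification."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Principal database: long-term keys of users, of krbtgt/REALM and of services (SPNs)."""

    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, client, preauth, now):
        """AS-REQ with pre-authentication: the client seals its timestamp under its own key."""
        ts = unseal(self.keys[client], preauth)["ts"]   # ValueError here means wrong password/key
        if abs(ts - now) > MAX_CLOCK_SKEW:
            raise PermissionError("clock skew too great")
        session = os.urandom(32).hex()
        tgt = {"client": client, "session": session, "end": now + TICKET_LIFETIME}
        # AS-REP: the TGT is opaque to the client (sealed under the TGS key);
        # the session key reaches the client sealed under the client's own key.
        return {"tgt": seal(self.keys[f"krbtgt/{REALM}"], tgt),
                "enc_part": seal(self.keys[client], {"session": session})}

    def tgs_exchange(self, tgt_blob, authenticator, spn, now):
        """TGS-REQ: the TGT plus an authenticator sealed under the TGT session key."""
        tgt = unseal(self.keys[f"krbtgt/{REALM}"], tgt_blob)
        if now > tgt["end"]:
            raise PermissionError("TGT expired; run kinit again")
        auth = unseal(bytes.fromhex(tgt["session"]), authenticator)
        if auth["client"] != tgt["client"] or abs(auth["ts"] - now) > MAX_CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        if spn not in self.keys:
            raise LookupError(f"SPN not registered with the KDC: {spn}")
        svc_session = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "session": svc_session,
                  "end": min(now + TICKET_LIFETIME, tgt["end"])}
        return {"ticket": seal(self.keys[spn], ticket),
                "enc_part": seal(bytes.fromhex(tgt["session"]), {"session": svc_session})}


def login_and_access(kdc, client, client_key, spn, service_key, client_time, kdc_time):
    """Client side: kinit (AS), a service request (TGS), then the AP-REQ checked by the service."""
    as_rep = kdc.as_exchange(client, seal(client_key, {"ts": client_time}), kdc_time)
    session = bytes.fromhex(unseal(client_key, as_rep["enc_part"])["session"])
    tgs_rep = kdc.tgs_exchange(as_rep["tgt"], seal(session, {"client": client, "ts": client_time}),
                               spn, kdc_time)
    svc_session = bytes.fromhex(unseal(session, tgs_rep["enc_part"])["session"])
    # Service side: only the service's own key opens the ticket, and the authenticator
    # proves the sender holds the session key carried inside that ticket.
    ticket = unseal(service_key, tgs_rep["ticket"])
    auth = unseal(bytes.fromhex(ticket["session"]), seal(svc_session, {"client": client, "ts": client_time}))
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    return ticket["client"]
```

Calling login_and_access with a wrong client key fails at the KDC's pre-authentication check, with a client clock more than 300 seconds off it fails with a skew error, and with an SPN the KDC has never seen it fails before any service ticket is issued; that is the order of failures to expect when a kinit or a service login is being debugged.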
Time synchronization and DNS play an important role in making the KDC work properly. If the time difference between client and KDC is more than 5 minutes, authentication will fail. The FQDNs should ideally resolve in a proper environment; here we get by with modifying /etc/hosts, but using DNS properly is recommended. Execute the below command to install the Kerberos admin server and KDC (key distribution center):
# apt install krb5-kdc krb5-admin-server krb5-config
It will ask the following three things one by one:
- Kerberos Realm. (here I have used UBUNTUBOX.COM)
- Kerberos server hostname - kdc.ubuntubox.com
- Hostname of the administrative (password changing) server for Kerberos Realm UBUNTUBOX.COM - kdc.ubuntubox.com
Now execute the below command to set up the realm.
# krb5_newrealm
It will ask you to enter a password for database creation, and after that it will start the Kerberos KDC (krb5kdc) and Kerberos administrative server (kadmind) processes.
root@kdc:~# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'UBUNTUBOX.COM',
master key name 'K/M@UBUNTUBOX.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
root@kdc:~#
Open the /etc/krb5kdc/kadm5.acl file with any text editor and uncomment the last line so that the file looks like this:
# vim /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
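The single `*/admin *` line grants every principal whose second component is admin the full set of kadmin privileges over every target principal. The checker below is an added example, not part of the tutorial or of MIT Kerberos: it parses kadm5.acl lines (principal pattern, privilege letters, optional target pattern; a fourth restrictions field is ignored), matches patterns component by component, and reports what a given principal may do. It assumes MIT's documented privilege letters (x and * expand to admcilsp; key extraction, e, must be granted separately), first-matching-line lookup, and that a pattern without a realm means the tutorial's realm; the TIGHT_ACL text is a constructed least-privilege alternative, not the tutorial's file.

```python
"""Added example (not part of the tutorial): report which kadmin privileges a
principal gets from a kadm5.acl file. Assumes MIT's privilege letters,
first-matching-line lookup and the tutorial's realm as default realm."""
import fnmatch

REALM = "UBUNTUBOX.COM"
# x and * mean "all privileges" = admcilsp; key extraction (e) is never implied.
ALL_PRIVS = set("admcilsp")


def parse_acl(text):
    """Return (principal_pattern, privileges, target_pattern) per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        target = fields[2] if len(fields) > 2 else "*"
        rules.append((fields[0], fields[1], target))   # restrictions (4th field) ignored here
    return rules


def _split(principal):
    name, _, realm = principal.partition("@")
    return name.split("/"), realm or REALM          # assumption: no realm = default realm


def match_principal(pattern, principal):
    """Wildcards apply per component; the component counts must agree."""
    pcomps, prealm = _split(pattern)
    ncomps, nrealm = _split(principal)
    if len(pcomps) != len(ncomps):
        return False
    return fnmatch.fnmatchcase(nrealm, prealm) and all(
        fnmatch.fnmatchcase(n, p) for p, n in zip(pcomps, ncomps))


def privileges(rules, principal, target="*"):
    """Privileges the first matching line grants `principal` over `target`."""
    for who, privs, tgt in rules:
        if match_principal(who, principal) and match_principal(tgt, target):
            granted = set()
            for ch in privs:
                if ch in "x*":
                    granted |= ALL_PRIVS
                elif ch.islower():
                    granted.add(ch)
                else:                         # an uppercase letter denies that privilege
                    granted.discard(ch.lower())
            return granted
    return set()                              # no line matches: nothing allowed


# Constructed samples: the tutorial's single line, and a least-privilege variant.
TUTORIAL_ACL = "*/admin *\n"
TIGHT_ACL = """\
# one full administrator (still no key extraction unless 'e' is granted)
sandipb/admin@UBUNTUBOX.COM   x
# helpdesk staff: change passwords of plain user principals only
*/helpdesk@UBUNTUBOX.COM      ci   *@UBUNTUBOX.COM
# anyone else ending in /admin may only inquire and list
*/admin@UBUNTUBOX.COM         il
"""

if __name__ == "__main__":
    for acl in (TUTORIAL_ACL, TIGHT_ACL):
        rules = parse_acl(acl)
        for who, tgt in (("sandipb/admin", "*"), ("bob/admin", "*"),
                         ("jo/helpdesk", "alice"), ("jo/helpdesk", "host/kdc.ubuntubox.com")):
            print(f"{who:14} over {tgt:24} -> {''.join(sorted(privileges(rules, who, tgt))) or '-'}")
```

Run against the tutorial's line, any two-component principal ending in /admin gets admcilsp and a plain user principal such as sandipb gets nothing; the tighter file shows how a target pattern limits helpdesk accounts to password changes on single-component user principals while leaving host principals untouched.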
Now the Kerberos server setup process is complete.
Configure the Client
Execute the below command to install and set up the Kerberos client.
# apt install krb5-user
Again it will ask three things one by one, as in the KDC server setup:
- Kerberos Realm – UBUNTUBOX.COM
- Hostname for the KDC Server – kdc.ubuntubox.com
- Hostname of Admin server – kdc.ubuntubox.com
Test the Kerberos Authentication
To add a principal to the KDC, run the following command in kadmin.local on the KDC server.
addprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: addprinc sandipb
WARNING: no policy specified for sandipb@UBUNTUBOX.COM; defaulting to no policy
Enter password for principal "sandipb@UBUNTUBOX.COM":
Re-enter password for principal "sandipb@UBUNTUBOX.COM":
Principal "sandipb@UBUNTUBOX.COM" created.
kadmin.local:
To delete a principal from the KDC, run the following command.
delprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: delprinc sandipb
Are you sure you want to delete the principal "sandipb@UBUNTUBOX.COM"? (yes/no): yes
Principal "sandipb@UBUNTUBOX.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:
Now, to authenticate to Kerberos and obtain a ticket from the KDC server, run the following command on the client node.
Note: Tickets will be destroyed when you restart your computer, when you run the command kdestroy, or when they expire. You will need to run kinit again after any of these occur.
# kinit sandipb
root@kdcclient:~# kinit sandipb
Password for sandipb@UBUNTUBOX.COM:
root@kdcclient:~#
root@kdcclient:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-29T19:38:53  2018-12-30T05:38:53  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-30T19:38:38
root@kdcclient:~#
To check the details of the principal, run the below command on the KDC server.
getprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local: getprinc sandipb
Principal: sandipb@UBUNTUBOX.COM
Expiration date: [never]
Last password change: Sun Dec 30 19:30:59 +04 2018
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Dec 30 19:30:59 +04 2018 (root/admin@UBUNTUBOX.COM)
Last successful authentication: Sun Dec 30 19:38:53 +04 2018
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:
Keytab Creation
Create a keytab for the principal with ktutil: add one entry per encryption type the principal has (see the getprinc output above), then write the keytab out.
root@kdc:~# ktutil
ktutil: add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM:
ktutil: add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM:
ktutil: wkt sandipkt.keytab
ktutil: q
root@kdc:~#
List the entries in the keytab:
root@kdc:~# klist -kte sandipkt.keytab
Keytab name: FILE:sandipkt.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes256-cts-hmac-sha1-96)
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes128-cts-hmac-sha1-96)
root@kdc:~#
Authenticate with the keytab instead of typing the password, then check the ticket cache:
root@kdc:~# kinit -k -t sandipkt.keytab sandipb
root@kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-30T00:36:44  2018-12-30T10:36:44  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-31T00:36:34
root@kdc:~#
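The keytab written by ktutil wkt and listed by klist -kte is a small binary file. The code below is an added example, not from the tutorial or from MIT Kerberos: it writes and parses the MIT keytab format (version bytes 0x05 0x02, each record length-prefixed and holding realm, name components, name type, timestamp, 8-bit kvno, enctype and key, plus the optional 32-bit kvno), prints klist -kte style lines, and flags DES, 3DES and RC4 entries. The sample keytab is constructed inside the block with made-up key bytes for the tutorial's sandipb principal plus a host principal; no key is derived from a password.

```python
"""Added example (not part of the tutorial or MIT Kerberos): build and parse a
file in MIT keytab format (version 0x0502), the format `ktutil wkt` writes and
`klist -kte` reads. Keys and timestamps below are constructed."""
import struct
import time

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # DES, 3DES and RC4 keys: worth flagging
KRB5_NT_PRINCIPAL = 1


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: (principal, kvno, enctype, key, timestamp) tuples -> keytab bytes."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, time, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key                # keyblock
        body += struct.pack(">I", kvno)                                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body                        # record length prefix
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry; a negative record length marks a deleted-entry hole."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                      # optional 32-bit vno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
                        "timestamp": ts, "key": key, "weak": enctype in WEAK_ENCTYPES})
    return entries


def describe(entries):
    """Lines in the shape of `klist -kte` output (timestamps rendered in UTC)."""
    lines = ["KVNO Timestamp           Principal"]
    for e in entries:
        when = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(e["timestamp"]))
        lines.append(f"{e['kvno']:>4} {when} {e['principal']} ({e['enctype_name']})")
    return lines


# Constructed sample: the two entries the tutorial's ktutil session adds, plus an RC4 one.
SAMPLE = build_keytab([
    ("sandipb@UBUNTUBOX.COM", 1, 18, bytes(range(32)), 1546130107),
    ("sandipb@UBUNTUBOX.COM", 1, 17, bytes(range(16)), 1546130107),
    ("host/kdc.ubuntubox.com@UBUNTUBOX.COM", 2, 23, bytes(16), 1546130107),
])

if __name__ == "__main__":
    for line in describe(parse_keytab(SAMPLE)):
        print(line)
    for e in parse_keytab(SAMPLE):
        if e["weak"]:
            print("weak enctype:", e["principal"], e["enctype_name"])
```

Reading a keytab this way is how a defender inventories which principals, key versions and enctypes a host can authenticate as. Because every entry holds a principal's long-term key, the file deserves mode 0600 and the owner of the service that uses it; klist -kte does not check that for you.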