How to install Kerberos KDC Server and Client on Ubuntu 18.04

This tutorial is a step-by-step guide to setting up a Kerberos Server (KDC) and a Kerberos-enabled client, then testing the setup by obtaining a Kerberos ticket from the KDC server.

In this tutorial you will learn:

  • What is Kerberos and how it works
  • Configure the Kerberos Server (KDC)
  • Configure the Client
  • Test the Kerberos Authentication
  • Keytab Creation

[Figure: Kerberos Overview]

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions

Category     Requirements, Conventions or Software Version Used
System       Ubuntu 18.04
Software     Kerberos Server and Admin Packages
Other        Privileged access to your Linux system as root or via the sudo command.
Conventions  # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
             $ – requires given linux commands to be executed as a regular non-privileged user

What is Kerberos and how it works

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

The client authenticates itself to the Authentication Server (AS), which forwards the username to a key distribution center (KDC). The KDC issues a time-stamped ticket-granting ticket (TGT), encrypts it using the ticket-granting service's (TGS) secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point, although it may be transparently renewed by the user's session manager while they are logged in.

When the client needs to communicate with another node ("principal" in Kerberos parlance) to use some service on that node, the client sends the TGT to the TGS, which usually shares the same host as the KDC. The service must be registered in the Kerberos database with a Service Principal Name (SPN). The client uses the SPN to request access to this service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a ticket and session keys to the client. The client then sends the ticket to the service server (SS) along with its service request.

Configure the Kerberos Server (KDC)

Time synchronization and DNS play an important role in making the KDC work properly. If the time difference between client and KDC is more than 5 minutes, authentication will fail. The FQDNs should ideally resolve in a proper environment; here we get by with modifying /etc/hosts, but using DNS properly is recommended.

Execute the below command to install the Kerberos admin server and KDC (key distribution center):

# apt install krb5-kdc krb5-admin-server krb5-config

It will ask for the following three things, one by one:

  1. Kerberos Realm. (here I have used UBUNTUBOX.COM)
  2. Kerberos server hostname –
  3. Hostname of the administrative (password changing) server for Kerberos Realm UBUNTUBOX.COM –

[Figure: Providing Kerberos Realm]

[Figure: Providing Kerberos Server FQDN]

[Figure: Providing Admin Server FQDN]

[Figure: Configuring krb5 Admin Server]

Now execute the below command to set up the realm.

# krb5_newrealm

It will ask you to enter a password for the database (the master key); after that, it will start the Kerberos KDC (krb5kdc) and Kerberos administrative server (kadmind) processes.

root@kdc:~# krb5_newrealm 
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'UBUNTUBOX.COM',
master key name 'K/M@UBUNTUBOX.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration

Open /etc/krb5kdc/kadm5.acl with any text editor and uncomment the last line so that the file looks like the one below. As the comment in the file says, restart krb5-admin-server afterwards to activate the change.

vim /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal 
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
 */admin *

The Kerberos server setup is now complete.

Configure the Client

Execute the below command to install and set up the Kerberos client.

# apt install krb5-user

Again it will ask for three things, one by one, just as in the KDC server setup.

  1. Kerberos Realm – UBUNTUBOX.COM
  2. Hostname for the KDC Server –
  3. Hostname of Admin server –

Test the Kerberos Authentication

A Kerberos principal is a unique identity to which Kerberos can assign tickets, so we will create a principal on the KDC server as shown below.

addprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local:  addprinc sandipb
WARNING: no policy specified for sandipb@UBUNTUBOX.COM; defaulting to no policy
Enter password for principal "sandipb@UBUNTUBOX.COM": 
Re-enter password for principal "sandipb@UBUNTUBOX.COM": 
Principal "sandipb@UBUNTUBOX.COM" created.

To delete a principal from the KDC, run the following command.

delprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local:  delprinc sandipb
Are you sure you want to delete the principal "sandipb@UBUNTUBOX.COM"? (yes/no): yes
Principal "sandipb@UBUNTUBOX.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

Now, to authenticate to Kerberos and obtain a ticket from the KDC server, run the following command on the client node.

Note: Tickets will be destroyed when you restart your computer, when you run the command kdestroy, or when they expire. You will need to run kinit again after any of these occur.

# kinit sandipb

root@kdcclient:~# kinit sandipb
Password for sandipb@UBUNTUBOX.COM: 
root@kdcclient:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-29T19:38:53  2018-12-30T05:38:53  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-30T19:38:38

To check the details of the principal, run the below command on the KDC server.

getprinc "principal_name"
root@kdc:~# kadmin.local
Authenticating as principal root/admin@UBUNTUBOX.COM with password.
kadmin.local:  getprinc sandipb
Principal: sandipb@UBUNTUBOX.COM
Expiration date: [never]
Last password change: Sun Dec 30 19:30:59 +04 2018
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Dec 30 19:30:59 +04 2018 (root/admin@UBUNTUBOX.COM)
Last successful authentication: Sun Dec 30 19:38:53 +04 2018
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Policy: [none]

Keytab Creation

A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your Kerberos password, you will need to recreate all your keytabs. Because the keytab holds the principal's long-term key, anyone who can read the file can authenticate as that principal, so keep it readable only by the account that needs it. The -k value given to add_entry should match the principal's current key version number (vno 1 in the getprinc output above); after a password change the KDC's kvno increases and keys derived from the old password no longer work.

root@kdc:~# ktutil
ktutil:  add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM: 
ktutil:  add_entry -password -p sandipb@UBUNTUBOX.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for sandipb@UBUNTUBOX.COM: 
ktutil:  wkt sandipkt.keytab
ktutil:  q
root@kdc:~# klist -kte sandipkt.keytab 
Keytab name: FILE:sandipkt.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes256-cts-hmac-sha1-96) 
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes128-cts-hmac-sha1-96) 
root@kdc:~# kinit -k -t sandipkt.keytab sandipb
root@kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sandipb@UBUNTUBOX.COM

Valid starting       Expires              Service principal
2018-12-30T00:36:44  2018-12-30T10:36:44  krbtgt/UBUNTUBOX.COM@UBUNTUBOX.COM
	renew until 2018-12-31T00:36:34
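A check for stale keytabs, added here as example code that is not part of the tutorial: it parses the `klist -kte` and `kadmin.local -q "getprinc ..."` output formats shown above and reports any keytab entry whose kvno no longer matches what the KDC holds. The function names keytab_entries, kdc_kvno and check_keytab and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added check (not part of the tutorial): confirm that every key in a keytab
# carries the key version number (kvno) the KDC currently holds. A keytab
# written with "-k 1" goes stale once the password is changed and the KDC
# moves the principal to a higher kvno.

# Parse `klist -kte` output on stdin into "principal kvno enctype" lines.
keytab_entries() {
  awk '$1 ~ /^[0-9]+$/ && NF >= 4 { gsub(/[()]/, "", $4); print $3, $1, $4 }'
}

# Parse `kadmin.local -q "getprinc <principal>"` output on stdin; print the kvno.
kdc_kvno() {
  awk '/^Key: vno/ { v = $3; sub(/,/, "", v); print v; exit }'
}

# check_keytab KLIST_TEXT GETPRINC_TEXT PRINCIPAL
# Returns 0 when all keytab entries for PRINCIPAL match the KDC kvno,
# 1 when any entry is stale, 2 when either side has no key for PRINCIPAL.
check_keytab() {
  want=$(printf '%s\n' "$2" | kdc_kvno)
  [ -n "$want" ] || { echo "KDC reports no key for $3" >&2; return 2; }
  rc=0; n=0
  for e in $(printf '%s\n' "$1" | keytab_entries | awk -v p="$3" '$1 == p { print $2 ":" $3 }'); do
    n=$((n + 1))
    if [ "${e%%:*}" != "$want" ]; then
      echo "stale kvno ${e%%:*} for $3 (${e#*:}); KDC has kvno $want" >&2; rc=1
    fi
  done
  [ "$n" -gt 0 ] || { echo "keytab has no entry for $3" >&2; return 2; }
  return $rc
}

# Constructed sample output, in the shape the tutorial's commands print.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:sandipkt.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes256-cts-hmac-sha1-96)
   1 2018-12-30T00:35:07 sandipb@UBUNTUBOX.COM (aes128-cts-hmac-sha1-96)
EOF
)
SAMPLE_GETPRINC="Principal: sandipb@UBUNTUBOX.COM
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96"
# After a password change the KDC would report a higher kvno (constructed).
SAMPLE_GETPRINC_ROTATED="Principal: sandipb@UBUNTUBOX.COM
Key: vno 2, aes256-cts-hmac-sha1-96"
# Live use on the KDC as root: check_keytab "$(klist -kte FILE)" "$(kadmin.local -q "getprinc PRINC")" PRINC
check_keytab "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" sandipb@UBUNTUBOX.COM && echo "keytab matches KDC"
```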


Authentication is critical for the security of computer systems, and traditional authentication methods are not suitable for use in computer networks. The Kerberos authentication system is well suited for authenticating users in such environments.