Kerberos 5, a quick start

Date May 3, 2008

I still maintain this; it is not complete.

Kerberos is a network authentication protocol created by MIT. It uses symmetric-key cryptography to authenticate users to network services. From Wikipedia:

"Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users. The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions."

This quick howto explains how to run a Kerberos server and client using two machines. I use CentOS 5 for this.

* Some Kerberos terminology:

I will not explain all Kerberos terminology; you can refer to other guides for that.

- Principal: the unique name of a user or service allowed to authenticate using Kerberos. It follows the form user[/instance]@REALM; the instance is optional. Every principal in a realm has its own key.
- Realm: a network that uses Kerberos, usually the same as the DNS domain name in uppercase letters.
- Ticket: temporary credentials that verify the identity of a client for a particular service.
- kinit: a command that allows a principal who has already logged in to obtain and cache the initial ticket-granting ticket (TGT).
- Keytab: a file that includes an unencrypted list of principals and their keys. Servers use it to retrieve the keys they need from the keytab instead of using kinit.
- Key Distribution Center (KDC): a service that issues Kerberos tickets.
- Ticket-granting server (TGS): a server that issues tickets for a desired service.
- Ticket-granting ticket (TGT): a special ticket that allows the client to obtain additional tickets without applying for them from the KDC.

----------

Configuring a Kerberos 5 Server:

* Ensure that time synchronization and DNS (you can use the hosts file) are functioning correctly on the server and client machines before configuring Kerberos. Kerberos relies on accurate clocks to prevent an attacker from replaying an old ticket to masquerade as a valid user. You can use ntp for the synchronization.

* yum install krb5-libs krb5-server krb5-workstation

* Edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf to reflect the realm and the domain-to-realm mappings. For example, this is my krb5.conf file:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = TEST.LAB
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     TEST.LAB = {
      kdc = m1.test.lab:88
      admin_server = m1.test.lab:749
      default_domain = test.lab
     }

    [domain_realm]
     .test.lab = TEST.LAB
     test.lab = TEST.LAB

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

I used TEST.LAB as the realm, kdc is my Kerberos server, and I mapped my domain to its realm in the [domain_realm] section. The realm name in the [realms] section must be the same as default_realm; the stock file ships with EXAMPLE.COM there, and that block has to be renamed to your realm.
For the kdc.conf file, this is my configuration:

    [kdcdefaults]
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     v4_mode = nopreauth

    [realms]
     TEST.LAB = {
      supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
     }

* Create the database:

    [root@m1 ~]# /usr/kerberos/sbin/kdb5_util create -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TEST.LAB',
    master key name 'K/M@TEST.LAB'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    [root@m1 ~]#

The -s option forces creation of a stash file in which the master server key is stored. With a stash file the Kerberos server will not prompt for the master server password every time it starts.

* Edit the /var/kerberos/krb5kdc/kadm5.acl file and change the realm to yours. My file:

    */admin@TEST.LAB *

This file is used by kadmin to determine which principals have administrative access to the Kerberos database and their level of access.

* Now the first step is to add our system administrator, so we can use Kerberos remotely from any client. We will use the kadmin.local command for this.

    [root@m1 ~]# kadmin.local
    Authenticating as principal root/admin@TEST.LAB with password.
    kadmin.local: ?
    Available kadmin.local requests:

    add_principal, addprinc, ank
                             Add principal
    delete_principal, delprinc
                             Delete principal
    modify_principal, modprinc
                             Modify principal
    change_password, cpw     Change password
    get_principal, getprinc  Get principal
    list_principals, listprincs, get_principals, getprincs
                             List principals
    add_policy, addpol       Add policy
    modify_policy, modpol    Modify policy
    delete_policy, delpol    Delete policy
    get_policy, getpol       Get policy
    list_policies, listpols, get_policies, getpols
                             List policies
    get_privs, getprivs      Get privileges
    ktadd, xst               Add entry(s) to a keytab
    ktremove, ktrem          Remove entry(s) from a keytab
    lock                     Lock database exclusively (use with extreme caution!)
    unlock                   Release exclusive database lock
    list_requests, lr, ?     List available requests.
    quit, exit, q            Exit program.
    kadmin.local: addprinc sysadmin
    WARNING: no policy specified for sysadmin@TEST.LAB; defaulting to no policy
    Enter password for principal "sysadmin@TEST.LAB":
    Re-enter password for principal "sysadmin@TEST.LAB":
    Principal "sysadmin@TEST.LAB" created.
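Both configuration files above are edited from the stock CentOS templates, and the slip most likely to survive that edit is leaving the template's EXAMPLE.COM block in [realms] while default_realm says TEST.LAB, after which clients cannot locate a KDC for the realm. The shell script below is an added example, not part of the original post: it pulls sections out of an MIT krb5 profile with awk, checks that default_realm has a block in [realms] and that every [domain_realm] mapping points at it, and lists the single-DES enctypes (56-bit keys) from the kdc.conf supported_enctypes line so they can be removed once no client depends on them. The sample files it writes are constructed to mirror the page's configuration; only the file paths inside them come from the page.

```shell
#!/bin/sh
# Added example, not from the original post: lint an MIT krb5.conf / kdc.conf
# pair for the mistakes most likely to survive editing the stock CentOS files.
# Paths inside the sample files are the page's; the sample contents are constructed.

# Print the body of [SECTION] from an MIT krb5 profile; the section ends at the
# next "[header]" line. Nested "NAME = { ... }" blocks are printed as-is.
profile_section() {       # profile_section FILE SECTION
    awk -v want="[$2]" '
        /^[ \t]*\[/          { insec = ($1 == want); next }
        insec && !/^[ \t]*#/ { print }
    ' "$1"
}

# Print the value of KEY in [SECTION] (first match only), nothing if absent.
profile_value() {         # profile_value FILE SECTION KEY
    profile_section "$1" "$2" |
        awk -F= -v k="$3" '$1 ~ ("^[ \t]*" k "[ \t]*$") { sub(/^[ \t]*/, "", $2); print $2; exit }'
}

# 0 if default_realm has a "REALM = {" block in [realms]; 1 with a message otherwise.
check_realm_defined() {   # check_realm_defined KRB5_CONF
    realm=$(profile_value "$1" libdefaults default_realm)
    [ -n "$realm" ] || { echo "$1: no default_realm in [libdefaults]"; return 1; }
    profile_section "$1" realms | grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" && return 0
    echo "$1: default_realm $realm has no block in [realms]"
    return 1
}

# 0 if every [domain_realm] mapping points at default_realm.
check_domain_realm() {    # check_domain_realm KRB5_CONF
    realm=$(profile_value "$1" libdefaults default_realm)
    bad=$(profile_section "$1" domain_realm |
        awk -F= -v r="$realm" 'NF == 2 { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); if ($2 != r) print $1 }')
    [ -z "$bad" ] || { echo "$1: [domain_realm] entries not mapped to $realm: $bad"; return 1; }
    return 0
}

# Print the single-DES enctypes (56-bit keys) named in kdc.conf supported_enctypes,
# without their salt suffixes, sorted and de-duplicated.
weak_enctypes() {         # weak_enctypes KDC_CONF
    profile_value "$1" realms supported_enctypes | tr ' ' '\n' |
        grep -E '^des-(cbc|hmac)-' | sed 's/:.*//' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Run every check on one krb5.conf / kdc.conf pair; 0 when the realm checks pass.
# The single-DES report is advisory and does not change the exit status.
lint_krb5() {             # lint_krb5 KRB5_CONF KDC_CONF
    rc=0
    check_realm_defined "$1" || rc=1
    check_domain_realm "$1" || rc=1
    weak=$(weak_enctypes "$2")
    [ -z "$weak" ] || echo "$2: single-DES enctypes still enabled: $weak"
    return $rc
}

# Constructed sample files: "stock" keeps the template's EXAMPLE.COM block under
# [realms] (the slip), "fixed" names TEST.LAB there as the page's file should.
write_samples() {         # write_samples DIR
    cat > "$1/krb5-stock.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.LAB
[realms]
 EXAMPLE.COM = {
  kdc = m1.test.lab:88
 }
[domain_realm]
 .test.lab = TEST.LAB
 test.lab = TEST.LAB
EOF
    cat > "$1/krb5-fixed.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.LAB
[realms]
 TEST.LAB = {
  kdc = m1.test.lab:88
  admin_server = m1.test.lab:749
 }
[domain_realm]
 .test.lab = TEST.LAB
 test.lab = TEST.LAB
EOF
    cat > "$1/kdc.conf" <<'EOF'
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
[realms]
 TEST.LAB = {
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
EOF
}

# Demo: the stock-style file fails the realm check, the corrected one passes.
sample_dir=$(mktemp -d) && write_samples "$sample_dir"
lint_krb5 "$sample_dir/krb5-stock.conf" "$sample_dir/kdc.conf" || echo "stock file: FAIL (expected)"
lint_krb5 "$sample_dir/krb5-fixed.conf" "$sample_dir/kdc.conf" && echo "fixed file: OK"
```

Run it against the real files with `lint_krb5 /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf` once they are in place; the section extractor is deliberately simple (first-match keys, no include directives), which is enough for the files shown on this page.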
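The kadm5.acl line above grants full rights only to principals whose instance is admin, so the sysadmin@TEST.LAB principal just created has no administrative access until a sysadmin/admin@TEST.LAB principal exists alongside it. The shell functions below are an added example, not part of the original post: they model how kadmind matches a principal against kadm5.acl entries, so an ACL can be checked before relying on it. The matching rules follow MIT's documented behaviour as I understand it (an assumption): realms must be equal, the entry and the principal must have the same number of components, "*" inside a component matches any string, and the first matching entry wins; target principals, restrictions and uppercase deny letters are not modelled. The ACL text used by the demo is constructed to match the page's file.

```shell
#!/bin/sh
# Added example, not from the original post: a shell model of how kadmind
# matches a principal against kadm5.acl, to check what an ACL grants before
# relying on it. Matching rules as I understand MIT's documented behaviour
# (assumption): realms must be equal, entry and principal must have the same
# number of components, "*" inside a component matches any string, and the
# first matching entry wins. Target principals, restrictions and uppercase
# deny letters are not modelled.

# Split "user[/instance]@REALM" into "<name> <REALM>"; fail on a malformed name.
parse_principal() {       # parse_principal PRINCIPAL
    case "$1" in
        ""|@*|*@|*@*@*) return 1 ;;
        *@*) printf '%s %s\n' "${1%@*}" "${1##*@}" ;;
        *) return 1 ;;
    esac
}

# Number of "/"-separated components in NAME, and the I-th component of NAME.
count_components() { printf '%s\n' "$1" | awk -F/ '{ print NF }'; }
component()        { printf '%s\n' "$1" | awk -F/ -v i="$2" '{ print $i }'; }

# 0 if ACL entry pattern PATTERN (e.g. "*/admin@TEST.LAB") matches PRINCIPAL.
acl_entry_matches() {     # acl_entry_matches PATTERN PRINCIPAL
    pat=$(parse_principal "$1") || return 1
    prin=$(parse_principal "$2") || return 1
    pat_name=${pat% *};   pat_realm=${pat#* }
    prin_name=${prin% *}; prin_realm=${prin#* }
    [ "$pat_realm" = "$prin_realm" ] || return 1
    n=$(count_components "$pat_name")
    [ "$n" -eq "$(count_components "$prin_name")" ] || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        pc=$(component "$pat_name" "$i")
        cc=$(component "$prin_name" "$i")
        if [ -z "$pc" ]; then
            [ -z "$cc" ] || return 1                  # empty pattern component matches only empty
        else
            case "$cc" in $pc) ;; *) return 1 ;; esac  # unquoted: "*" in a component is a glob
        fi
        i=$((i + 1))
    done
    return 0
}

# Print the permissions field of the first kadm5.acl entry matching PRINCIPAL;
# fail when no entry matches (kadmind then grants nothing).
acl_permissions() {       # acl_permissions ACL_FILE PRINCIPAL
    while read -r entry perms rest; do
        case "$entry" in ""|"#"*) continue ;; esac    # skip blank and comment lines
        if acl_entry_matches "$entry" "$2"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done < "$1"
    return 1
}

# 0 if permission string PERMS grants operation LETTER (a add, d delete, m modify,
# c change password, i inquire, l list, p set policy); "*" and "x" grant everything.
has_permission() {        # has_permission PERMS LETTER
    case "$1" in *\**|*x*) return 0 ;; esac
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# 0 if PRINCIPAL may perform operation LETTER under ACL_FILE.
acl_allows() {            # acl_allows ACL_FILE PRINCIPAL LETTER
    perms=$(acl_permissions "$1" "$2") || return 1
    has_permission "$perms" "$3"
}

# Demo with a constructed ACL file holding the page's single line.
acl_file=$(mktemp)
printf '%s\n' '*/admin@TEST.LAB *' > "$acl_file"
for p in sysadmin@TEST.LAB sysadmin/admin@TEST.LAB sysadmin/admin@OTHER.LAB; do
    if acl_allows "$acl_file" "$p" a; then echo "$p: may add principals"
    else echo "$p: no matching ACL entry, no admin rights"; fi
done
```

The demo prints that only sysadmin/admin@TEST.LAB may add principals. In practice the user principal and the /admin instance are kept as two separate principals with different passwords, so day-to-day tickets obtained as sysadmin carry no database privileges.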