Kerberos 5, a quick start

Date May 3, 2008

i still maintain this, it’s not complete

Kerberos is a network authentication protocol created by MIT, it’s uses symmetric-key cryptography to authenticate users to network services.
from wikipedia: “Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of “tickets” which serve to prove the identity of users.

The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity’s identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions.”

This quick howto explain how to run Kerberos server/client using two machines, i use Centos 5 for this..

* Some Kerberos Terminology:
i will not explain all Kerberos Terminology, you can refer to another guides for this.
– Principal: a unique name of a user or service allowed to authenticate using kerberos, it’s follows the form user[/instance]@REALM, instance is optional. all principals in realm have their own key.
– realm: a network that uses kerberos, usually is the same as the DNS domain name with uppercase letters.
– ticket: a temporary credentials that verify the identity of a client for a particular service.
– kinit: a command allows a principal who has already logged in to obtain and cache the initial ticket-granting ticket (TGT).
– keytab: a file includes an unencrypted list of principals and their keys, it’s used by the servers to retrieve the keys they needs from keytab instead of using kinit.
– Key Distribution Center (KDC): a service that issues Kerberos tickets.
– ticket-granting server (TGS): a server that issues tickets for a desired service.
– ticket-granting ticket: a special ticket that allows the client to obtain additional tickets without applying for them from the KDC.


Configuring a Kerberos 5 Server:
* ensure that time synchronization and DNS (you can use hosts file) are functioning correctly on the server and client machines before configuring Kerberos, in this way Kerberos prevent an attacker from using an old ticket to masquerade as a valid user. maybe you can use ntp to do synchronization.

* yum install krb5-libs krb5-server krb5-workstation
* edit /etc/krb5.conf and /var/kerberos/krb5kdc.conf files to reflect the realm and domain-to-realm mappings, for example this is my krb5.conf file:

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = TEST.LAB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

kdc = m1.test.lab:88
admin_server = m1.test.lab:749
default_domain = test.lab

.test.lab = TEST.LAB
test.lab = TEST.LAB

profile = /var/kerberos/krb5kdc/kdc.conf

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

i used TEST.LAB as realm, kdc is my kerberos server, and i maped my domain to it’s realm in [domain_realm] section.
for kdc.conf file, this is my configuration:

acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth

supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

* create te database:
[root@m1 ~]# /usr/kerberos/sbin/kdb5_util create -s
Loading random data
Initializing database ‘/var/kerberos/krb5kdc/principal’ for realm ‘TEST.LAB’,
master key name ‘K/M@TEST.LAB’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@m1 ~]#

-s option forces creation of a stashe file in wic hthe master server key is stored, with stash file kerberos server will not prompts the user for the master server password every time it starts.

* edit /var/kerberos/krb5kdc/kadm5.acl file and change realm to yours. my file:

*/admin@TEST.LAB *

this file used by kadmin to determine which principals have administrative access to the Kerberos database and their level of access.

* now the first step is to add our System Administrator, so we can use Kerberos remotely from any client.
we will use kadmin.local command for this.
[root@m1 ~]# kadmin.local
Authenticating as principal root/admin@TEST.LAB with password.
kadmin.local: ?
Available kadmin.local requests:

add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs
List principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols
List policies
get_privs, getprivs Get privileges
ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab
lock Lock database exclusively (use with extreme caution!)
unlock Release exclusive database lock
list_requests, lr, ? List available requests.
quit, exit, q Exit program.

kadmin.local: addprinc sysadmin
WARNING: no policy specified for sysadmin@TEST.LAB; defaulting to no policy
Enter password for principal “sysadmin@TEST.LAB”:
Re-enter password for principal “sysadmin@TEST.LAB”:
Principal “sysadmin@TEST.LAB” created.

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • StumbleUpon
  • Technorati
  • Reddit
  • Webnews
  • MisterWong
  • Y!GG

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>