{"id":36,"date":"2008-05-03T02:25:39","date_gmt":"2008-05-03T00:25:39","guid":{"rendered":"http:\/\/blog.sqawasmi.com\/?p=36"},"modified":"2008-10-04T10:17:13","modified_gmt":"2008-10-04T08:17:13","slug":"kerberos-5-a-quick-start","status":"publish","type":"post","link":"https:\/\/blog.sqawasmi.com\/index.php\/2008\/05\/03\/kerberos-5-a-quick-start\/","title":{"rendered":"Kerberos 5, a quick start"},"content":{"rendered":"

i still maintain this, it’s not complete<\/span><\/p>\n

Kerberos is a network authentication protocol created by MIT, it’s uses symmetric-key cryptography to authenticate users to network services.
\nfrom wikipedia: “Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of “tickets” which serve to prove the identity of users.<\/p>\n

The KDC maintains a database of secret keys; each entity on the network \u2014 whether a client or a server \u2014 shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity’s identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions.”<\/p>\n

This quick howto explain how to run Kerberos server\/client using two machines, i use Centos 5 for this..<\/p>\n

* Some Kerberos Terminology:
\ni will not explain all Kerberos Terminology, you can refer to another guides for this.
\n– Principal: a unique name of a user or service allowed to authenticate using kerberos, it’s follows the form user[\/instance]@REALM, instance is optional. all principals in realm have their own key.
\n– realm: a network that uses kerberos, usually is the same as the DNS domain name with uppercase letters.
\n– ticket: a temporary credentials that verify the identity of a client for a particular service.
\n– kinit: a command allows a principal who has already logged in to obtain and cache the initial ticket-granting ticket (TGT).
\n– keytab: a file includes an unencrypted list of principals and their keys, it’s used by the servers to retrieve the keys they needs from keytab instead of using kinit.
\n– Key Distribution Center (KDC): a service that issues Kerberos tickets.
\n– ticket-granting server (TGS): a server that issues tickets for a desired service.
\n– ticket-granting ticket: a special ticket that allows the client to obtain additional tickets without applying for them from the KDC.<\/p>\n

———-<\/p>\n

Configuring a Kerberos 5 Server:
\n* ensure that time synchronization and DNS (you can use hosts file) are functioning correctly on the server and client machines before configuring Kerberos, in this way Kerberos prevent an attacker from using an old ticket to masquerade as a valid user. maybe you can use ntp to do synchronization.<\/p>\n

* yum install krb5-libs krb5-server krb5-workstation
\n* edit \/etc\/krb5.conf and \/var\/kerberos\/krb5kdc.conf files to reflect the realm and domain-to-realm mappings, for example this is my krb5.conf file:<\/p>\n

[logging]
\ndefault = FILE:\/var\/log\/krb5libs.log
\nkdc = FILE:\/var\/log\/krb5kdc.log
\nadmin_server = FILE:\/var\/log\/kadmind.log<\/p>\n

[libdefaults]
\ndefault_realm = TEST.LAB
\ndns_lookup_realm = false
\ndns_lookup_kdc = false
\nticket_lifetime = 24h
\nforwardable = yes<\/p>\n

[realms]
\nEXAMPLE.COM = {
\nkdc = m1.test.lab:88
\nadmin_server = m1.test.lab:749
\ndefault_domain = test.lab
\n}<\/p>\n

[domain_realm]
\n.test.lab = TEST.LAB
\ntest.lab = TEST.LAB<\/p>\n

[kdc]
\nprofile = \/var\/kerberos\/krb5kdc\/kdc.conf<\/p>\n

[appdefaults]
\npam = {
\ndebug = false
\nticket_lifetime = 36000
\nrenew_lifetime = 36000
\nforwardable = true
\nkrb4_convert = false
\n}<\/p>\n

i used TEST.LAB as realm, kdc is my kerberos server, and i maped my domain to it’s realm in [domain_realm] section.
\nfor kdc.conf file, this is my configuration:<\/p>\n

[kdcdefaults]
\nacl_file = \/var\/kerberos\/krb5kdc\/kadm5.acl
\ndict_file = \/usr\/share\/dict\/words
\nadmin_keytab = \/var\/kerberos\/krb5kdc\/kadm5.keytab
\nv4_mode = nopreauth<\/p>\n

[realms]
\nTEST.LAB = {
\nsupported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
\n}<\/p>\n

* create te database:
\n[root@m1 ~]# \/usr\/kerberos\/sbin\/kdb5_util create -s
\nLoading random data
\nInitializing database ‘\/var\/kerberos\/krb5kdc\/principal’ for realm ‘TEST.LAB’,
\nmaster key name ‘K\/M@TEST.LAB’
\nYou will be prompted for the database Master Password.
\nIt is important that you NOT FORGET this password.
\nEnter KDC database master key:
\nRe-enter KDC database master key to verify:
\n[root@m1 ~]#<\/p>\n

-s option forces creation of a stashe file in wic hthe master server key is stored, with stash file kerberos server will not prompts the user for the master server password every time it starts.<\/p>\n

* edit \/var\/kerberos\/krb5kdc\/kadm5.acl file and change realm to yours. my file:<\/p>\n

*\/admin@TEST.LAB *<\/p>\n

this file used by kadmin to determine which principals have administrative access to the Kerberos database and their level of access.<\/p>\n

* now the first step is to add our System Administrator, so we can use Kerberos remotely from any client.
\nwe will use kadmin.local command for this.
\n[root@m1 ~]# kadmin.local
\nAuthenticating as principal root\/admin@TEST.LAB with password.
\nkadmin.local: ?
\nAvailable kadmin.local requests:<\/p>\n

add_principal, addprinc, ank
\nAdd principal
\ndelete_principal, delprinc
\nDelete principal
\nmodify_principal, modprinc
\nModify principal
\nchange_password, cpw Change password
\nget_principal, getprinc Get principal
\nlist_principals, listprincs, get_principals, getprincs
\nList principals
\nadd_policy, addpol Add policy
\nmodify_policy, modpol Modify policy
\ndelete_policy, delpol Delete policy
\nget_policy, getpol Get policy
\nlist_policies, listpols, get_policies, getpols
\nList policies
\nget_privs, getprivs Get privileges
\nktadd, xst Add entry(s) to a keytab
\nktremove, ktrem Remove entry(s) from a keytab
\nlock Lock database exclusively (use with extreme caution!)
\nunlock Release exclusive database lock
\nlist_requests, lr, ? List available requests.
\nquit, exit, q Exit program.<\/p>\n

kadmin.local: addprinc sysadmin
\nWARNING: no policy specified for sysadmin@TEST.LAB; defaulting to no policy
\nEnter password for principal “sysadmin@TEST.LAB”:
\nRe-enter password for principal “sysadmin@TEST.LAB”:
\nPrincipal “sysadmin@TEST.LAB” created.<\/p>\n

Related Images:<\/h3>","protected":false},"excerpt":{"rendered":"

i still maintain this, it’s not complete<\/p>\n

Kerberos is a network authentication protocol created by MIT, it’s uses symmetric-key cryptography to authenticate users to network services.
\nfrom wikipedia: “Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of “tickets” which serve to prove the identity of users.<\/p>\n

The KDC maintains a database of <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"ngg_post_thumbnail":0,"footnotes":""},"categories":[12],"tags":[],"class_list":["post-36","post","type-post","status-publish","format-standard","hentry","category-about-my-life"],"_links":{"self":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/36","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":2,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/36\/revisions"}],"predecessor-version":[{"id":326,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/36\/revisions\/326"}],"wp:attachment":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/media?parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/categories?post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/tags?post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}