Difference between revisions of "Kerberos"

From ArchWiki
m (Naming consistency)
(a few style improvements)
Line 4: Line 4:
 
{{Related articles end}}
 
{{Related articles end}}
  
[[Wikipedia:Kerberos_(protocol)|Kerberos]] is a network authentication system.
+
[[Wikipedia:Kerberos_(protocol)|Kerberos]] is a network authentication system. See [https://web.mit.edu/kerberos/krb5-1.12/doc/admin/index.html krb5 documentation].
  
[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/index.html krb5 documentation]
+
== Server ==
  
== Server ==
+
Install the {{Pkg|krb5}} package, if it is not already installed, and configure it to your needs. For example:
Install the {{Pkg|krb5}} package, if it isn't already installed, and configure it to your needs. Ex:
 
  
 
{{hc|/etc/krb5.conf|<nowiki>
 
{{hc|/etc/krb5.conf|<nowiki>
Line 39: Line 38:
 
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.
 
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.
 
}}
 
}}
Don't forget reverse DNS!
 
  
Add ALLOW rules to your firewall for both tcp and udp on ports 88 and 750 (krb5 documentation says tcp is used on both, though mine isn't listening for tcp on 750)
+
Do not forget reverse DNS.
 +
 
 +
Add ALLOW rules to your firewall for both tcp and udp on ports 88 and 750 (krb5 documentation says tcp is used on both, though mine is not listening for tcp on 750).
  
 
Create the database:
 
Create the database:
{{hc|# krb5_util -r EXAMPLE.COM create -s|}}
+
# krb5_util -r EXAMPLE.COM create -s
  
 
Enable and start the krb5-kdc service.
 
Enable and start the krb5-kdc service.
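Review bot: `krb5_util` in the "Create the database" lines of this hunk (both the {{hc}} form being removed and the plain form being added) is not an MIT krb5 command; the database tool is `kdb5_util`, so the line should read `# kdb5_util -r EXAMPLE.COM create -s`. The unchanged context in the same hunk also carries the wrong admin port: `_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.` and the firewall sentence about port 750 should point at kadmind's default TCP port 749 (`_kerberos-adm._tcp SRV 0 0 749 kerberos.example.com.`), which is why nothing answers on TCP 750; UDP 750 is open only because the KDC's default kdc_ports is 88,750.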
Line 51: Line 51:
 
{{hc|# kadmin.local|Authenticating as principal root/admin@EXAMPLE.COM with password.
 
{{hc|# kadmin.local|Authenticating as principal root/admin@EXAMPLE.COM with password.
 
kadmin.local:}}
 
kadmin.local:}}
 
You can do most things
 
  
 
=== Basic Commands ===
 
=== Basic Commands ===
Line 67: Line 65:
  
 
== SSH Authentication ==
 
== SSH Authentication ==
Make sure both your ssh server and ssh client configurations include this line, then restart the server
+
 
 +
Make sure both your [[SSH]] server and client configurations include this line, then restart the server:
 
{{bc|GSSAPIAuthentication yes}}
 
{{bc|GSSAPIAuthentication yes}}
  
Generate a service principal
+
Generate a service principal:
 
{{bc|kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM}}
 
{{bc|kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM}}
  
Generate the keytab for the server
+
Generate the keytab for the server:
 
{{bc|kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab}}
 
{{bc|kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab}}
 
{{bc|<nowiki># scp kerberos.example.com:/root/someserver.krb5.keytab /etc/krb5.keytab
 
{{bc|<nowiki># scp kerberos.example.com:/root/someserver.krb5.keytab /etc/krb5.keytab
 
# chmod 600 /etc/krb5.keytab</nowiki>}}
 
# chmod 600 /etc/krb5.keytab</nowiki>}}
  
Get a ticket-granting ticket on the ssh client
+
Get a ticket-granting ticket on the ssh client:
 
{{hc|$ kinit myuser@EXAMPLE.COM|Password for myuser@EXAMPLE.COM: ***}}
 
{{hc|$ kinit myuser@EXAMPLE.COM|Password for myuser@EXAMPLE.COM: ***}}
  
Debug with
+
Debug with:
 
{{bc|$ ssh someserver.example.com -v}}
 
{{bc|$ ssh someserver.example.com -v}}
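Review bot: the `ktadd` line in this hunk names no principal, and kadmin's ktadd takes `[-k keytab] principal ...`; it should read `kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab host/someserver.example.com@EXAMPLE.COM`. Since the file left in /root on the KDC is a second copy of the host's long-term key, the `scp` step should also tell the reader to delete it after the transfer.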

Revision as of 12:10, 15 March 2017

Kerberos is a network authentication system. See krb5 documentation.

Server

Install the krb5 package, if it is not already installed, and configure it to your needs. For example:

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

[realms]
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

Add DNS records:

db.example.com
kerberos           A   1.2.3.4
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._tcp SRV 0 0 749 kerberos.example.com.
_kpasswd._udp      SRV 0 0 464 kerberos.example.com.

Do not forget reverse DNS.

Add ALLOW rules to your firewall for the KDC on port 88 (tcp and udp), for kadmind on tcp port 749 and for kpasswd on udp port 464. The KDC also listens on udp port 750 because the default kdc_ports setting is 88,750; that is the legacy Kerberos 4 port, nothing listens for tcp there, and it can stay closed unless you still have Kerberos 4 clients.
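The configuration and DNS steps above can be checked mechanically. The following Python script is an added example, not part of this ArchWiki page or of MIT krb5: it parses the profile format used by krb5.conf, flags weak or deprecated enctypes, allow_weak_crypto and a realm that is not upper-case, and checks the SRV records against the ports the krb5 administration guide assigns (88 for the KDC, tcp 749 for kadmind, udp 464 for kpasswd). The embedded configuration and zone fragments are constructed from the page's own examples; the weak configuration variant is hypothetical.

```python
"""Audit a krb5.conf fragment and the realm's DNS SRV records (added example)."""

# Enctype prefixes MIT krb5 treats as weak (single DES, RC4) or deprecated
# (triple DES); a realm set up today should list only AES and Camellia types.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour", "rc4")

# SRV name -> port it must advertise, per the krb5 admin guide: KDC on 88,
# kadmind on TCP 749, kpasswd on UDP 464.  A _kerberos-adm._udp record on
# port 750 matches none of these.
EXPECTED_SRV = {"_kerberos._udp": 88, "_kerberos._tcp": 88,
                "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464}
REQUIRED_SRV = ("_kerberos._udp", "_kerberos-adm._tcp", "_kpasswd._udp")


def parse_krb5_conf(text):
    """Parse krb5.conf's profile format ([section], key = value, nested
    key = { ... } blocks, '#' or ';' comments) into nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            if not stack:
                raise ValueError("key outside any [section]: %r" % line)
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                  # nested block, e.g. one realm
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            else:
                stack[-1][key] = value
    return sections


def weak_enctypes(value):
    """Weak entries of a whitespace-separated enctype list."""
    return [e for e in value.split() if e.lower().startswith(WEAK_ENCTYPE_PREFIXES)]


def audit_krb5_conf(text):
    """Findings for a krb5.conf fragment; an empty list means clean."""
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif realm != realm.upper():
        findings.append("libdefaults: realm %s should be upper-case" % realm)
    if lib.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("libdefaults: allow_weak_crypto re-enables DES and RC4")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        for e in weak_enctypes(lib.get(key, "")):
            findings.append("libdefaults: %s lists weak enctype %s" % (key, e))
    for name, rconf in conf.get("realms", {}).items():
        if isinstance(rconf, dict):
            for e in weak_enctypes(rconf.get("supported_enctypes", "")):
                findings.append("realms/%s: supported_enctypes lists weak enctype %s" % (name, e))
    if realm and realm not in conf.get("domain_realm", {}).values():
        findings.append("domain_realm: no domain maps to %s" % realm)
    return findings


def audit_srv_records(zone_text):
    """Check zone lines such as '_kerberos._udp SRV 0 0 88 kdc.example.com.'."""
    findings, seen = [], set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1].upper() != "SRV":
            continue                          # A, TXT and other records are skipped
        name, port = parts[0].lower(), int(parts[4])
        seen.add(name)
        if name not in EXPECTED_SRV:
            findings.append("%s: unknown Kerberos SRV name, check the transport" % name)
        elif port != EXPECTED_SRV[name]:
            findings.append("%s: port %d, expected %d" % (name, port, EXPECTED_SRV[name]))
    findings += ["%s: record missing" % n for n in REQUIRED_SRV if n not in seen]
    return findings


# Constructed samples: the page's krb5.conf (without [logging]), a hypothetical
# weak variant, and the page's original SRV records beside the corrected set.
PAGE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
[realms]
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""
WEAK_CONF = """[libdefaults]
    default_realm = example.com
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc
[realms]
    example.com = {
        supported_enctypes = des3-cbc-sha1
    }
"""
PAGE_SRV = """_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.
"""
FIXED_SRV = PAGE_SRV.replace("_kerberos-adm._udp SRV 0 0 750", "_kerberos-adm._tcp SRV 0 0 749") \
    + "_kpasswd._udp      SRV 0 0 464 kerberos.example.com.\n"
```

Run `audit_krb5_conf(open("/etc/krb5.conf").read())` on the KDC and on each client; an empty list means the enctype and realm settings match what the page configures. The parser accepts only the subset of the profile syntax shown on this page (no `include` directives, no `key = value` lines with a trailing `*` final marker).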

Create the database. You will be prompted for a master key password; with -s the tool also writes a stash file next to the database so the KDC can start unattended, so protect that directory as you would a keytab:

# kdb5_util -r EXAMPLE.COM create -s

Enable and start krb5-kdc.service. The krb5-kadmind.service unit is only needed for remote kadmin and kpasswd; kadmin.local below opens the database directly and does not need it.

Start kadmin, using the local root user instead of kerberos authentication:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:

Basic Commands

Add a human principal (user):

kadmin.local:  add_principal myuser@EXAMPLE.COM
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser@EXAMPLE.COM": ***
Re-enter password for principal "myuser@EXAMPLE.COM": ***
Principal "myuser@EXAMPLE.COM" created.

Add a service principal (with -randkey, since a service authenticates with a key stored in a keytab rather than with a password):

kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM

SSH Authentication

Make sure both the SSH server configuration (sshd_config) and the client configuration (ssh_config) include this line, then restart sshd:

GSSAPIAuthentication yes

Generate a service principal:

kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM

Generate the keytab for the server, naming the principal whose key is to be extracted, then copy it to the server and restrict it to root:

kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab host/someserver.example.com@EXAMPLE.COM
# scp kerberos.example.com:/root/someserver.krb5.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab

The keytab is the host's long-term key. Each ktadd run randomises the key again and bumps its kvno, so copy the file again after any repeat, and remove the copy left in /root on the KDC once it has been transferred.

Get a ticket-granting ticket on the ssh client:

$ kinit myuser@EXAMPLE.COM
Password for myuser@EXAMPLE.COM: ***

Debug a failing login with the verbose client output, after kinit so that a TGT is available:

$ ssh someserver.example.com -v

The GSSAPI lines show whether gssapi-with-mic was offered and whether the client could obtain a service ticket for host/someserver.example.com@EXAMPLE.COM; klist on the client lists the tickets it currently holds.
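To verify the keytab copied in the steps above without relying on klist's output format, the following Python script, an added example that is neither this page's nor MIT krb5's code, parses the MIT keytab binary format (version 0x0502) and reports a missing host/ principal, keys with weak enctypes and permissions looser than the chmod 600 above. The sample keytab is constructed in the script from dummy key bytes and uses the page's principal names, plus a hypothetical nfs/ entry with an RC4 key to show what a finding looks like.

```python
"""Parse and sanity-check an MIT keytab (added example, not from the page)."""
import os
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2: all integers big-endian
KRB5_NT_SRV_HST = 3          # name type kadmin uses for host/<fqdn> principals
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # single DES, triple DES and RC4


def _counted(data, pos):
    """Read a 16-bit length-prefixed byte string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return bytes(data[pos + 2:pos + 2 + n]), pos + 2 + n


def _octets(b):
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, kvno, enctype, key, timestamp=0, name_type=KRB5_NT_SRV_HST):
    """Serialise one keytab entry; used here only to build a sample keytab offline."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for comp in comps:
        body += _octets(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)          # optional 32-bit kvno written by modern MIT tools
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(data):
    """Return one dict per live entry, in file order."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos -= size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("corrupt entry length at offset %d" % (pos - 4))
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries


def check_keytab(data, expected_principal):
    """Findings for a host keytab: expected principal present, no weak key."""
    entries, findings = parse_keytab(data), []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("no key for %s" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    return findings


def check_keytab_file(path):
    """Permission check matching the page's chmod 600: root-only access."""
    st, findings = os.stat(path), []
    if st.st_mode & 0o077:
        findings.append("%s is readable by group/other (mode %o)" % (path, st.st_mode & 0o777))
    if st.st_uid != 0:
        findings.append("%s is not owned by root" % path)
    return findings


# Constructed sample: the host key from the page's ktadd step (AES-256 and
# AES-128, kvno 2) plus a hypothetical nfs/ key issued with RC4; dummy key bytes.
HOST = "host/someserver.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = write_keytab([
    (HOST, 2, 18, b"\x11" * 32),
    (HOST, 2, 17, b"\x22" * 16),
    ("nfs/someserver.example.com@EXAMPLE.COM", 1, 23, b"\x33" * 16),
])
```

On the SSH server, run `check_keytab(open("/etc/krb5.keytab", "rb").read(), "host/" + fqdn + "@EXAMPLE.COM")` together with `check_keytab_file("/etc/krb5.keytab")`; both must return empty lists, and the kvno reported for the host/ key must match what `kadmin.local: getprinc host/...` shows on the KDC, otherwise the keytab is stale.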