Difference between revisions of "Kerberos"

From ArchWiki
(Create basic krb5 server setup notes)
 
m (Naming consistency)
Line 64: Line 64:
  
 
Add a service principal:
 
Add a service principal:
{{bc|kadmin.local:  add_principal -randkey nfs/servername.example.com@EXAMPLE.COM}}
+
{{bc|kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM}}
  
 
== SSH Authentication ==
 
== SSH Authentication ==
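Review bot: the renamed nfs/ principal keeps the host part as a lowercase fully qualified name, which is the form an NFS client requests after resolving the server; Kerberos principal names are case-sensitive, so the same someserver.example.com spelling has to be used wherever this host appears later in the article, otherwise the KDC reports the server principal as unknown.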
Line 71: Line 71:
  
 
Generate a service principal
 
Generate a service principal
{{bc|kadmin.local:  add_principal -randkey host/servername.example.com@EXAMPLE.COM}}
+
{{bc|kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM}}
  
 
Generate the keytab for the server
 
Generate the keytab for the server
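Review bot: the host/ principal is renamed in step with the nfs/ one, which is right, but the keytab step that follows this hunk takes the principal as its argument, so it must name the same host/someserver.example.com@EXAMPLE.COM; an ssh client asks for host/ followed by the server's canonical DNS name, and a keytab holding a different name cannot accept the ticket.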

Revision as of 02:44, 14 March 2017

Kerberos is a network authentication system.

See the upstream krb5 documentation.

Server

Install the krb5 package, if it is not already installed, and configure it to your needs. Example:

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

[realms]
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

Add DNS records:

db.example.com
kerberos           A   1.2.3.4
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.

Don't forget reverse DNS!

Add ALLOW rules to your firewall for both TCP and UDP on ports 88 (KDC) and 750 (kadmin). The krb5 documentation says TCP is used on both, though mine isn't listening for TCP on 750.

Create the KDC database (the -s flag also writes a stash file so the KDC can start without prompting for the master password):

# kdb5_util -r EXAMPLE.COM create -s

Enable and start the krb5-kdc service.

Start kadmin, using the local root user instead of kerberos authentication:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:

You can do most things

Basic Commands

Add a human principal (user):

kadmin.local:  add_principal myuser@EXAMPLE.COM
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser@EXAMPLE.COM": ***
Re-enter password for principal "myuser@EXAMPLE.COM": ***
Principal "myuser@EXAMPLE.COM" created.

Add a service principal:

kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM

SSH Authentication

Make sure that both your ssh server and ssh client configurations include the following line, then restart the ssh server:

GSSAPIAuthentication yes

Generate a service principal for the ssh server:

kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM

Generate the keytab for the server (ktadd exports the key of the named principal into the keytab), copy it to the server, and keep it readable only by root:

kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab host/someserver.example.com@EXAMPLE.COM
# scp kerberos.example.com:/root/someserver.krb5.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab
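The two places where this setup silently breaks are the mapping from a hostname to a realm (the [domain_realm] section together with the _kerberos DNS records above) and the name of the host/ principal in the keytab, which must be exactly what the ssh client asks for. The following script is an added example, not part of this wiki page or of krb5 itself: it implements the [domain_realm] lookup rule libkrb5 applies (exact host entry first, then the longest parent domain written with a leading dot, then default_realm as the fallback), derives the host/ principal for a server, checks a zone fragment in the db.example.com format for the _kerberos TXT and SRV records, and checks a klist -k listing for the principal. The krb5.conf, zone and klist samples are constructed from the values on this page; the nested { } subsections of [realms] are not parsed.

```python
"""Offline sanity checks for a krb5 client/server setup (added example)."""
import re

# Constructed samples, taken from the values used on the page.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""

ZONE = """\
kerberos           A   1.2.3.4
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.
"""

# Constructed output in the shape `klist -k /etc/krb5.keytab` prints.
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/someserver.example.com@EXAMPLE.COM
   2 nfs/someserver.example.com@EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse flat `key = value` lines of krb5.conf into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def realm_for_host(hostname, conf):
    """[domain_realm] lookup: exact host, then parent domains with a leading dot,
    then libdefaults default_realm (assumed fallback when DNS lookup is off)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # .sub.example.com, .example.com, .com
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


def host_principal(hostname, conf, service="host"):
    """Principal a GSSAPI client requests for `service` on the canonical hostname."""
    return f"{service}/{hostname.lower().rstrip('.')}@{realm_for_host(hostname, conf)}"


def check_zone(zone_text, realm, kdc_fqdn):
    """Return a list of problems with the _kerberos records in a zone fragment."""
    problems, records = [], {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            records[(parts[0], parts[1])] = parts[2:]
    txt = records.get(("_kerberos", "TXT"))
    if txt is None or txt[0].strip('"') != realm:
        problems.append(f"_kerberos TXT record missing or not {realm}")
    for name, port in (("_kerberos._udp", 88), ("_kerberos-adm._udp", 750)):
        srv = records.get((name, "SRV"))
        if srv is None or len(srv) != 4:
            problems.append(f"{name} SRV record missing or malformed")
            continue
        _prio, _weight, srv_port, target = srv
        if int(srv_port) != port or target.rstrip(".") != kdc_fqdn:
            problems.append(f"{name} SRV should point at {kdc_fqdn} port {port}")
    return problems


def keytab_has_principal(klist_output, principal):
    """True if a `klist -k` listing contains `principal` under any KVNO."""
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1] == principal:
            return True
    return False


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    princ = host_principal("someserver.example.com", conf)
    print(princ)
    print(check_zone(ZONE, conf["libdefaults"]["default_realm"], "kerberos.example.com") or "zone OK")
    print("keytab has principal:", keytab_has_principal(KLIST_K, princ))
```

To use it against a real host, replace the three constructed strings with the contents of /etc/krb5.conf, the zone file, and the output of klist -k; the hostname passed to host_principal should be the name the client resolves, since the client builds host/ from the server's canonical DNS name rather than from what was typed.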

Get a ticket-granting ticket on the ssh client:

$ kinit myuser@EXAMPLE.COM
Password for myuser@EXAMPLE.COM: ***

Debug with:

$ ssh someserver.example.com -v