Difference between revisions of "Kerberos"

From ArchWiki
m (add ja link)
(add kadmin acl info)
Line 66: Line 66:
 
Add a service principal:
 
Add a service principal:
 
{{bc|kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM}}
 
{{bc|kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM}}
 +
 +
=== Configuring kadmin ACL ===
 +
Create a principal for administration:
 +
{{hc|kadmin.local:  add_principal myuser/admin@EXAMPLE.COM|<nowiki>
 +
WARNING: no policy specified for myuser/admin@EXAMPLE.COM; defaulting to no policy
 +
Enter password for principal "myuser/admin@EXAMPLE.COM": ***
 +
Re-enter password for principal "myuser/admin@EXAMPLE.COM": ***
 +
Principal "myuser/admin@EXAMPLE.COM" created.
 +
</nowiki>}}
 +
 +
Add the user to the kadmin ACL file:
 +
{{hc|/var/lib/krb5kdc/kadm5.acl|myuser/admin@EXAMPLE.COM *}}
 +
This file's format is described in the MIT Kerberos [https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html documentation]
 +
 +
Configure kdc.conf:
 +
{{hc|/var/lib/krb5kdc/kdc.conf|<nowiki>
 +
[kdcdefaults]
 +
    kdc_ports = 750,88
 +
 +
[realms]
 +
    EXAMPLE.COM = {
 +
        database_name = /var/lib/krb5kdc/principal
 +
        acl_file = /var/lib/krb5kdc/kadm5.acl
 +
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
 +
        kdc_ports = 750,88
 +
        max_life = 10h 0m 0s
 +
        max_renewable_life = 7d 0h 0m 0s
 +
    }
 +
</nowiki>}}
 +
This file's format is described in the MIT Kerberos [https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html documentation]
 +
 +
Restart the kdc and kadmin daemons:
 +
{{bc|sudo systemctl restart krb5-kdc krb5-kadmin}}
 +
 +
You can now use kadmin as your own user, authenticating with kerberos:
 +
 +
{{hc|$ kadmin|<nowiki>
 +
Authenticating as principal myuser/admin@EXAMPLE.COM with password.
 +
Password for myuser/admin@EXAMPLE.COM: ***
 +
kadmin:
 +
</nowiki>}}
 +
  
 
== SSH Authentication ==
 
== SSH Authentication ==
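Review bot: in the kadm5.acl hunk, `myuser/admin@EXAMPLE.COM *` uses `*` as the permission field without saying what that field means; readers will copy the line as-is, so state that `*` is the widest possible grant and point them to the linked kadm5_acl documentation for narrower entries, or show a narrower entry beside it. In the kdc.conf hunk, `kdc_ports = 750,88` appears both under [kdcdefaults] and inside the EXAMPLE.COM realm block; one of the two is redundant and could be dropped to keep the example minimal.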

Revision as of 16:06, 31 March 2017

Kerberos is a network authentication system. See krb5 documentation.

Server

Install the krb5 package, if it is not already installed, and configure it to your needs. For example:

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

[realms]
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

Add DNS records:

db.example.com
kerberos           A   1.2.3.4
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.

Do not forget reverse DNS.

Note: the factual accuracy of this section is disputed.

Reason: krb5 documentation says tcp is used on both, though mine is not listening for tcp on 750.

Add ALLOW rules to your firewall for both tcp and udp on ports 88 and 750.

Create the database:

# kdb5_util -r EXAMPLE.COM create -s

Enable and start the krb5-kdc service.

Start kadmin, using the local root user instead of kerberos authentication:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:

Basic Commands

Add a human principal (user):

kadmin.local:  add_principal myuser@EXAMPLE.COM
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser@EXAMPLE.COM": ***
Re-enter password for principal "myuser@EXAMPLE.COM": ***
Principal "myuser@EXAMPLE.COM" created.

Add a service principal:

kadmin.local:  add_principal -randkey nfs/someserver.example.com@EXAMPLE.COM

Configuring kadmin ACL

Create a principal for administration:

kadmin.local:  add_principal myuser/admin@EXAMPLE.COM
WARNING: no policy specified for myuser/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser/admin@EXAMPLE.COM": ***
Re-enter password for principal "myuser/admin@EXAMPLE.COM": ***
Principal "myuser/admin@EXAMPLE.COM" created.

Add the user to the kadmin ACL file:

/var/lib/krb5kdc/kadm5.acl
myuser/admin@EXAMPLE.COM *

This file's format is described in the MIT Kerberos kadm5.acl documentation.

Configure kdc.conf:

/var/lib/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

This file's format is described in the MIT Kerberos kdc.conf documentation.
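The krb5.conf shown earlier and kdc.conf share the same krb5 profile format, which Python's configparser cannot read because of the nested `{ }` realm blocks. The following added example (not from the ArchWiki page) parses that format and audits the enctype lists for deprecated algorithms; the sample configuration and the weak-enctype list are constructed for illustration.

```python
# Added example, not from the ArchWiki page: a minimal parser for the krb5
# profile format shared by krb5.conf and kdc.conf, plus an enctype audit.
import re
def parse_krb5_profile(text: str) -> dict:
    """Parse [section] / key = value / key = { ... } into nested dicts."""
    root, stack = {}, []                           # stack of open blocks
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            stack.pop()
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep or not stack:
                raise ValueError(f"cannot parse line: {raw!r}")
            if value == "{":                       # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:                                  # repeated key: last one wins here
                stack[-1][key] = value
    return root
# Enctypes MIT has deprecated or removed; des/des3/rc4 are family keywords.
WEAK_ENCTYPES = {"des", "des3", "rc4", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes",
                "default_tkt_enctypes", "supported_enctypes")
def weak_enctypes(profile: dict) -> dict:
    """Map 'block/key' to the weak enctypes that setting still allows."""
    blocks = {"libdefaults": profile.get("libdefaults", {})}
    for realm, cfg in profile.get("realms", {}).items():
        if isinstance(cfg, dict):
            blocks[f"realms/{realm}"] = cfg
    hits = {}
    for where, cfg in blocks.items():
        for key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[\s,]+", cfg.get(key, "")) if e.lower() in WEAK_ENCTYPES]
            if weak:
                hits[f"{where}/{key}"] = weak
    return hits
# Constructed sample in this page's layout, with one deprecated enctype slipped in.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac
    }
"""
```

The same parser reads kdc.conf, so `acl_file`, `key_stash_file` and the lifetime values can be checked from the returned dictionary as well.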

Restart the kdc and kadmin daemons:

# systemctl restart krb5-kdc krb5-kadmind

You can now use kadmin as your own user, authenticating with kerberos:

$ kadmin
Authenticating as principal myuser/admin@EXAMPLE.COM with password.
Password for myuser/admin@EXAMPLE.COM: ***
kadmin:


SSH Authentication

Make sure both your SSH server and client configurations include this line, then restart the server:

GSSAPIAuthentication yes

Generate a service principal:

kadmin.local:  add_principal -randkey host/someserver.example.com@EXAMPLE.COM

Generate the keytab for the server:

kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab host/someserver.example.com@EXAMPLE.COM
# scp kerberos.example.com:/root/someserver.krb5.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab

Get a ticket-granting ticket on the ssh client:

$ kinit myuser@EXAMPLE.COM
Password for myuser@EXAMPLE.COM: ***

Debug with:

$ ssh someserver.example.com -v