Difference between revisions of "Kerberos"

From ArchWiki
m (→‎NFS: Mention NTP again)
m (Pitfalls, clarify, make server names consistent again)
Line 13: Line 13:
 
It is '''highly''' recommended to use a [[Time#Time synchronization|time sync daemon]] to keep client/server clocks in sync.
 
It is '''highly''' recommended to use a [[Time#Time synchronization|time sync daemon]] to keep client/server clocks in sync.
  
If hostname resolution has not been configured, you can manually add your clients and server to the {{man|5|hosts}} file of each machine.
+
If hostname resolution has not been configured, you can manually add your clients and server to the {{man|5|hosts}} file of each machine. Note that the FQDN (myclient.example.com) must be the first hostname after the IP address in the hosts file.
  
 
== Server configuration ==
 
== Server configuration ==
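Review bot: the added hosts-file sentence states that the FQDN must be the first name after the address but not why, and the reason is what makes the rule stick: the first name is what the resolver returns as the canonical hostname, and the Kerberos libraries build the host/ service principal (and pick the keytab entry) from that canonical name, so a short name listed first produces a principal the KDC does not know. Suggest appending that reason, e.g. "…because the first name is used as the canonical hostname when the host/ principal is looked up."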
Line 24: Line 24:
  
 
[realms]
 
[realms]
# use "kdc = ..." if real admins haven't put SRV records int DNS
+
# use "kdc = ..." if the kerberos SRV records aren't in DNS (see Advanced section)
 
     EXAMPLE.COM = {
 
     EXAMPLE.COM = {
         admin_server = kbserver.example.com
+
         admin_server = kerberos.example.com
         kdc = kbserver.example.com
+
         kdc = kerberos.example.com
 
     }
 
     }
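Review bot: the new comment points the reader at "Advanced section", but the section that actually carries the SRV records is "Advanced configuration" / "DNS records"; name it exactly so it can be found. The comment also sits between [realms] and the EXAMPLE.COM block, where a reader skimming the file may take it for a setting; consider placing it above [realms] or moving the sentence into the prose before the file.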
  
Line 57: Line 57:
  
 
=== Add principals ===
 
=== Add principals ===
Start the Kerberos administration tool:
+
Start the Kerberos administration tool, using local authentication
 
{{hc|# kadmin.local|Authenticating as principal root/admin@EXAMPLE.COM with password.
 
{{hc|# kadmin.local|Authenticating as principal root/admin@EXAMPLE.COM with password.
 
kadmin.local:}}
 
kadmin.local:}}
  
Add the admin user to the Kerberos database:
+
Add the admin user principal to the Kerberos database:
 
{{hc|kadmin.local: addprinc root/admin|<nowiki>
 
{{hc|kadmin.local: addprinc root/admin|<nowiki>
 
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
 
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
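Review bot: "Start the Kerberos administration tool, using local authentication" drops the colon that every other lead-in to a {{hc}} block on the page has, and "local authentication" is left unexplained. Suggest "Start the Kerberos administration tool with local (database) access:" and a half-sentence noting that kadmin.local is run as root on the KDC against the database directly, which is why it works before any admin principal or ACL entry exists.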
Line 69: Line 69:
 
</nowiki>}}
 
</nowiki>}}
  
Add a user to the Kerberos database:
+
Add a user principal to the Kerberos database:
{{hc|kadmin.local: addprinc myuser@EXAMPLE.COM|<nowiki>
+
{{hc|kadmin.local: addprinc myuser@EXAMPLE.COM|<nowiki>
 
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
 
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
 
Enter password for principal "myuser@EXAMPLE.COM": ***
 
Enter password for principal "myuser@EXAMPLE.COM": ***
Line 77: Line 77:
 
</nowiki>}}
 
</nowiki>}}
  
Add the KDC to the Kerberos database:
+
Add the KDC principal to the Kerberos database:
{{hc|kadmin.local: addprinc -randkey host/kbserver.example.com|<nowiki>
+
{{hc|kadmin.local: addprinc -randkey host/kerberos.example.com|<nowiki>
WARNING: no policy specified for host/kbserver.example.com@EXAMPLE.COM; defaulting to no policy
+
WARNING: no policy specified for host/kerberos.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbserver.example.com@EXAMPLE.COM" created.
+
Principal "host/kerberos.example.com@EXAMPLE.COM" created.
 
</nowiki>}}
 
</nowiki>}}
  
Finally, Add the KDC to the Kerberos keytab:
+
Finally, Add the KDC principal to the server's keytab:
{{hc|kadmin.local: ktadd host/kbserver.example.com|<nowiki>
+
{{hc|kadmin.local: ktadd host/kerberos.example.com|<nowiki>
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
+
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
 
</nowiki>}}
 
</nowiki>}}
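Review bot: "Finally, Add the KDC principal" has a capital A mid-sentence, and "KDC principal" is imprecise for what is created: it is the host principal for the KDC's own machine (host/kerberos.example.com). The ktadd output shows the key being written to FILE:/etc/krb5.keytab; the client section later does chmod 600 on that file, so the server side should say the same, that the keytab must stay readable by root only.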
  
Line 124: Line 124:
  
 
Finally, copy {{ic|/etc/krb5.keytab}} from the server to the client:
 
Finally, copy {{ic|/etc/krb5.keytab}} from the server to the client:
{{bc|<nowiki># scp kbserver.example.com:/etc/krb5.keytab /etc/krb5.keytab
+
{{bc|<nowiki># scp kerberos.example.com:/etc/krb5.keytab /etc/krb5.keytab
 
# chmod 600 /etc/krb5.keytab</nowiki>}}
 
# chmod 600 /etc/krb5.keytab</nowiki>}}
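Review bot: the scp step copies the whole /etc/krb5.keytab, and after the preceding ktadd steps that file on the KDC holds host/kerberos.example.com as well as host/kbclient.example.com, so the client receives the KDC's host key it has no use for. Suggest writing the client's entries to their own file with the documented -k option, e.g. "kadmin.local: ktadd -k /root/kbclient.keytab host/kbclient.example.com", and copying that file to /etc/krb5.keytab on the client instead.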
  
Line 216: Line 216:
  
 
Pass the -v option to ssh to make sure it works:
 
Pass the -v option to ssh to make sure it works:
{{hc|$ ssh kbserver.example.com -v|<nowiki>
+
{{hc|$ ssh kerberos.example.com -v|<nowiki>
 
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
 
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
 
debug1: Next authentication method: gssapi-with-mic
 
debug1: Next authentication method: gssapi-with-mic
Line 238: Line 238:
 
Valid starting      Expires              Service principal
 
Valid starting      Expires              Service principal
 
08/30/2017 15:37:40  08/31/2017 15:37:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
 
08/30/2017 15:37:40  08/31/2017 15:37:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
08/30/2017 15:53:04  08/31/2017 15:37:40  host/kbserver.example.com@EXAMPLE.COM
+
08/30/2017 15:53:04  08/31/2017 15:37:40  host/kerberos.example.com@EXAMPLE.COM
 
</nowiki>}}
 
</nowiki>}}
  
 
== NFS ==
 
== NFS ==
  
Using an NTP daemon on both the client and the server is strongly recommended. Clock drift will cause this to break, and the error message will not be helpful.
+
First, configure your [[NFS#Server|NFS server]] server. Also see [[NFS/Troubleshooting|NFS Troubleshooting]].
 +
Configuring a [[Time#Time synchronization|time sync daemon]] on both the clients and the server is strongly recommended. Clock drift will cause this to break, and the error message will not be helpful.
  
 
=== Create service principals ===
 
=== Create service principals ===
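Review bot: "[[NFS#Server|NFS server]] server" repeats the word server. The time-sync warning was previously the first thing in the section and is the failure the text itself calls out as unhelpfully reported; with the setup sentence now placed first, keep the warning as its own paragraph (in the rendered revision the two lines collapse into one paragraph, which buries it).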
Line 261: Line 262:
  
 
=== NFS Server ===
 
=== NFS Server ===
Add the Kerberos export option:
+
 
 +
Add a Kerberos export option:
 +
* sec=krb5 uses kerberos for authentication only, and transmits the data unauthenticated and unencrypted.
 +
* sec=krb5i uses kerberos for authentication and integrity checking, but still transmits data unencrypted.
 +
* sec=krb5p uses kerberos for authentication and encryption.
 
{{hc|/etc/exports|<nowiki>
 
{{hc|/etc/exports|<nowiki>
 
/srv/export *(rw,async,no_subtree_check,no_root_squash,sec=krb5)
 
/srv/export *(rw,async,no_subtree_check,no_root_squash,sec=krb5)
 
</nowiki>}}
 
</nowiki>}}
  
And reload the server:
+
And reload the exports:
  # exportfs -ra
+
  # exportfs -arv
  
 
=== NFS Client ===
 
=== NFS Client ===
Mount the server by passing the sec=krb5 mount option:
+
Mount the exported directory:
  # mount -o sec=krb5 nfsserver:/srv/export /mnt/
+
  # mount nfsserver:/srv/export /mnt/
 +
You can add -vv for verbose information, and may need -t nfs4 and -o sec=krb5p or your chosen security option.
  
 
Check that it worked with the {{ic|mount}} command:
 
Check that it worked with the {{ic|mount}} command:
 
{{hc|mount {{!}} grep krb5|<nowiki>
 
{{hc|mount {{!}} grep krb5|<nowiki>
 
nfsserver:/srv/export on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.100.139,local_lock=none,addr=192.168.100.136)
 
nfsserver:/srv/export on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.100.139,local_lock=none,addr=192.168.100.136)
 
 
</nowiki>}}
 
</nowiki>}}
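Review bot: the mount line drops -o sec=krb5 while the sentence after it says you "may need" -o sec=krb5p; say explicitly that an NFSv4 client negotiates the flavour from those the export allows (the sample mount output shows sec=krb5 being chosen without the option) and that any sec= given on the client must be one listed in /etc/exports. Since the new bullets state that sec=krb5 leaves the data unauthenticated and unencrypted, the example export and output should use sec=krb5p, or the text should say why krb5 is shown. The change from "exportfs -ra" to "exportfs -arv" only adds verbose output and is fine.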
  

Revision as of 18:18, 31 August 2017

Kerberos is a network authentication system. See krb5 documentation.

Installation

Install the krb5 package on your clients and server.

It is highly recommended to use a time sync daemon to keep client/server clocks in sync.

If hostname resolution has not been configured, you can manually add your clients and server to the hosts(5) file of each machine. Note that the FQDN (myclient.example.com) must be the first hostname after the IP address in the hosts file.

Server configuration

Domain creation

Edit /etc/krb5.conf to configure your domain:

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
# use "kdc = ..." if the kerberos SRV records aren't in DNS (see Advanced section)
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        kdc = kerberos.example.com
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]
    kdc          = CONSOLE
    admin_server = CONSOLE
    default      = CONSOLE

This file's format is described in the MIT Kerberos documentation.
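As an added check (example code written for this page, not part of the krb5 project or of the wiki), the following Python parses a krb5.conf in the format shown above and reports the mistakes that most often make kinit fail: a default_realm without a [realms] entry (so the KDC can only be found through DNS SRV records), a realm name that is not upper-case, a realm without a kdc line, and a [domain_realm] mapping to a realm that is not defined. The sample configuration is a constructed copy of the one above; parse_krb5_conf and check_realm_setup are this example's own names.

```python
"""Parse an MIT krb5.conf-style file and sanity-check the realm setup."""
import re

# Constructed sample mirroring the page's /etc/krb5.conf (not a real deployment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
# use "kdc = ..." if the kerberos SRV records aren't in DNS
    EXAMPLE.COM = {
        admin_server = kerberos.example.com
        kdc = kerberos.example.com
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]
    kdc          = CONSOLE
    admin_server = CONSOLE
    default      = CONSOLE
"""


def parse_krb5_conf(text):
    """Return {section: {key: value-or-subdict}}; a repeated key becomes a list."""
    conf = {}
    section = None
    stack = []                      # open '{' blocks inside the current section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":            # start of a nested block such as a realm
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            cur = stack[-1]
            if key in cur:          # e.g. several "kdc =" lines for one realm
                cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
            else:
                cur[key] = value
    return conf


def check_realm_setup(conf):
    """Return a list of problems a practitioner would want fixed before kinit."""
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if not default:
        problems.append("libdefaults: default_realm is not set")
    elif default not in realms:
        problems.append("realms: default_realm %s has no [realms] entry "
                        "(KDC must then be found via DNS SRV records)" % default)
    for name, body in realms.items():
        if name != name.upper():
            problems.append("realms: %s is not upper-case" % name)
        if isinstance(body, dict) and "kdc" not in body:
            problems.append("realms: %s has no kdc = line" % name)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain_realm: %s maps to unknown realm %s" % (domain, realm))
    return problems


if __name__ == "__main__":
    for problem in check_realm_setup(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["no problems found"]:
        print(problem)
```

Run it against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; an empty list from check_realm_setup means the realm, KDC and domain mapping are at least internally consistent.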

Create the database:

# kdb5_util -r EXAMPLE.COM create -s
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: ***
Re-enter KDC database master key to verify: ***

Finally, enable and start the Kerberos services:

# systemctl enable krb5-kdc krb5-kadmind
# systemctl start krb5-kdc krb5-kadmind

Add principals

Start the Kerberos administration tool, using local authentication:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:

Add the admin user principal to the Kerberos database:

kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": ***
Re-enter password for principal "root/admin@EXAMPLE.COM": ***
Principal "root/admin@EXAMPLE.COM" created.

Add a user principal to the Kerberos database:

kadmin.local: addprinc myuser@EXAMPLE.COM
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser@EXAMPLE.COM": ***
Re-enter password for principal "myuser@EXAMPLE.COM": ***
Principal "myuser@EXAMPLE.COM" created.

Add the KDC principal to the Kerberos database:

kadmin.local: addprinc -randkey host/kerberos.example.com
WARNING: no policy specified for host/kerberos.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kerberos.example.com@EXAMPLE.COM" created.

Finally, add the KDC principal to the server's keytab:

kadmin.local: ktadd host/kerberos.example.com
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

You should now be able to get a Kerberos ticket:

$ kinit
Password for myuser@EXAMPLE.COM: ***
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08/30/2017 14:26:09  08/31/2017 14:26:09  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Client configuration

Join the domain

Edit /etc/krb5.conf to match your server's configuration. You can simply copy this file from the server.

Create client principals

Start the Kerberos administration tool on the Kerberos server:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.

Add the client to the Kerberos database:

kadmin.local: addprinc -randkey host/kbclient.example.com
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.

Then add the client to the Kerberos keytab:

kadmin.local:  ktadd host/kbclient.example.com
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

Finally, copy /etc/krb5.keytab from the server to the client:

# scp kerberos.example.com:/etc/krb5.keytab /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab
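The keytab just copied carries every key that ktadd wrote into FILE:/etc/krb5.keytab on the server, including the KDC's own host/kerberos.example.com key. The following Python is an added example (not from the krb5 project or from this page) that reads the MIT keytab file format (version 0x0502) directly and lists the principals whose instance is not the local host, so an operator can see what a keytab contains before distributing it. The sample keytab is constructed inside the block with dummy key bytes; build_keytab, parse_keytab and foreign_entries are this example's own names, and only format version 2 is handled.

```python
"""Inspect an MIT keytab file (the format behind FILE:/etc/krb5.keytab) offline."""
import struct
import time

# RFC 3962 enctype numbers for the two entries ktadd writes on the page.
AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17
KRB5_NT_SRV_HST = 3            # name type used for host/fqdn service principals


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes). Returns a v2 keytab."""
    out = bytearray(b"\x05\x02")                      # format version 2, big-endian
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body     # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Yield one dict (principal, kvno, enctype, key) per live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled here")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative length marks a deleted entry: skip it
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        p = 0

        def take(n):
            nonlocal p
            chunk = entry[p:p + n]
            p += n
            return chunk

        def counted():
            (n,) = struct.unpack(">H", take(2))
            return take(n).decode()

        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", take(9))
        enctype, klen = struct.unpack(">HH", take(4))
        key = take(klen)
        kvno = vno8
        if p + 4 <= len(entry):     # 32-bit kvno present: it wins when non-zero
            (kvno32,) = struct.unpack(">I", take(4))
            kvno = kvno32 or vno8
        yield {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
               "enctype": enctype, "key": key}
        pos = end


def foreign_entries(data, fqdn):
    """Principals in the keytab whose instance is not this host (sorted, unique)."""
    return sorted({e["principal"] for e in parse_keytab(data)
                   if not e["principal"].split("@")[0].endswith("/" + fqdn)})


# Constructed sample: the KDC's keytab after the page's ktadd of both host
# principals, i.e. what the scp above would copy. Keys are dummy bytes.
SAMPLE_KEYTAB = build_keytab([
    ("host/kerberos.example.com@EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    ("host/kerberos.example.com@EXAMPLE.COM", 2, AES128_CTS_HMAC_SHA1_96, bytes(range(16))),
    ("host/kbclient.example.com@EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    ("host/kbclient.example.com@EXAMPLE.COM", 2, AES128_CTS_HMAC_SHA1_96, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    print("entries a kbclient keytab should not carry:",
          foreign_entries(SAMPLE_KEYTAB, "kbclient.example.com"))
```

To check a real file, pass `open("/etc/krb5.keytab", "rb").read()` to foreign_entries with the machine's FQDN; a non-empty result means keys for other hosts are present and a per-host keytab (ktadd -k) would be the tighter choice.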

You should now be able to get a Kerberos ticket on the client:

$ kinit
Password for myuser@EXAMPLE.COM: ***
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08/30/2017 15:36:10  08/31/2017 15:36:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Advanced configuration

DNS records

db.example.com
kerberos           A   1.2.3.4
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88 kerberos.example.com.
_kerberos-adm._udp SRV 0 0 750 kerberos.example.com.

Do not forget reverse DNS.

Firewall

The factual accuracy of this article or section is disputed.

Reason: krb5 documentation says tcp is used on both, though mine is not listening for tcp on 750.

Add ALLOW rules to your firewall for both tcp and udp on ports 88 and 750.

Configuring kadmin ACL

Create a principal for administration:

kadmin.local:  add_principal myuser/admin@EXAMPLE.COM
WARNING: no policy specified for myuser/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser/admin@EXAMPLE.COM": ***
Re-enter password for principal "myuser/admin@EXAMPLE.COM": ***
Principal "myuser/admin@EXAMPLE.COM" created.

Add the user to the kadmin ACL file:

/var/lib/krb5kdc/kadm5.acl
myuser/admin@EXAMPLE.COM *

This file's format is described in the MIT Kerberos documentation.
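The ACL line above grants myuser/admin every permission ("*"). As an added example (not part of the page or of MIT krb5), the following Python evaluates kadm5.acl entries offline according to the documented format: the first line whose actor pattern (and target pattern, when one is given) matches decides the outcome, "*" wildcards one principal component, lower-case letters grant and upper-case letters deny. The sample ACL is constructed and places a restricted helpdesk/* entry next to the page's unrestricted one; DEFAULT_REALM, kadm_allows and the other names are this example's own, patterns without a realm are assumed to be in DEFAULT_REALM, and a line with a target pattern is taken to apply only to operations that name a target.

```python
"""Evaluate MIT kadm5.acl entries offline: may this principal run this kadmin op?"""

# Permission letters of the kadm5.acl format: add, delete, modify, changepw,
# inquire, list, set key, propagate (iprop). 'x' or '*' grants all of them.
ALL_PERMS = set("admcilsp")
DEFAULT_REALM = "EXAMPLE.COM"      # assumption: the realm used throughout the page

# Constructed sample ACL: the page's unrestricted line plus least-privilege entries.
SAMPLE_ACL = """\
# full control, exactly as on the page
myuser/admin@EXAMPLE.COM *
# helpdesk may change passwords of, and inquire about, plain user principals only
helpdesk/*@EXAMPLE.COM ci *@EXAMPLE.COM
# no */admin may delete service principals ...
*/admin@EXAMPLE.COM D host/*@EXAMPLE.COM
# ... but may otherwise add, delete, modify, change passwords and inquire
*/admin@EXAMPLE.COM admci
"""


def _split(principal):
    """'primary/instance@REALM' -> (['primary', 'instance'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm or DEFAULT_REALM


def _matches(pattern, principal):
    """'*' wildcards one whole component; the realm must match exactly (or be '*')."""
    pcomps, prealm = _split(pattern)
    comps, realm = _split(principal)
    if prealm != "*" and prealm != realm:
        return False
    return len(pcomps) == len(comps) and all(
        pc == "*" or pc == c for pc, c in zip(pcomps, comps))


def _perm_sets(field):
    """Return (granted, denied) permission letters for one permissions field."""
    if field in ("*", "x"):
        return set(ALL_PERMS), set()
    grant = {ch for ch in field if ch.islower()} & ALL_PERMS
    deny = {ch.lower() for ch in field if ch.isupper()} & ALL_PERMS
    return grant, deny


def parse_acl(text):
    """Return [(actor_pattern, permissions, target_pattern_or_None)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def kadm_allows(acl_text, actor, perm, target=None):
    """True if the first matching ACL line grants `perm` (one letter) to `actor`."""
    for pattern, perms, target_pat in parse_acl(acl_text):
        if not _matches(pattern, actor):
            continue
        if target_pat is not None and (target is None or not _matches(target_pat, target)):
            continue
        grant, deny = _perm_sets(perms)
        return perm in grant and perm not in deny
    return False                    # no matching line: kadmind denies


if __name__ == "__main__":
    print("helpdesk changes alice's password:",
          kadm_allows(SAMPLE_ACL, "helpdesk/bob@EXAMPLE.COM", "c", "alice@EXAMPLE.COM"))
    print("ops/admin deletes the KDC host principal:",
          kadm_allows(SAMPLE_ACL, "ops/admin@EXAMPLE.COM", "d",
                      "host/kerberos.example.com@EXAMPLE.COM"))
```

Because the first matching line wins, the deny line for host/* must precede the broad */admin grant; swapping the two last lines of the sample would silently re-enable deletion of service principals, which is the kind of ordering mistake this check is meant to catch before the file is installed.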

Configure kdc.conf:

/var/lib/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

This file's format is described in the MIT Kerberos documentation.

Restart the kdc and kadmin daemons:

# systemctl restart krb5-kdc krb5-kadmind

You can now use kadmin as your own user, authenticating with kerberos:

$ kadmin
Authenticating as principal myuser/admin@EXAMPLE.COM with password.
Password for myuser/admin@EXAMPLE.COM: ***
kadmin:

SSH Authentication

Modify your SSH server configuration to enable GSSAPI authentication:

/etc/ssh/sshd_config
# GSSAPI Options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And modify your client configuration to send GSSAPI requests:

/etc/ssh/ssh_config
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Get a ticket-granting ticket on the client before using ssh:

$ kinit myuser@EXAMPLE.COM
Password for myuser@EXAMPLE.COM: ***

Pass the -v option to ssh to make sure it works:

$ ssh kerberos.example.com -v
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to krb5-server ([192.168.100.136]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
Last login: Wed Aug 30 15:52:41 2017 from 192.168.100.1

You should now see a host ticket on the client:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08/30/2017 15:37:40  08/31/2017 15:37:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
08/30/2017 15:53:04  08/31/2017 15:37:40  host/kerberos.example.com@EXAMPLE.COM

NFS

First, configure your NFS server. Also see NFS Troubleshooting.

Configuring a time sync daemon on both the clients and the server is strongly recommended. Clock drift will cause this to break, and the error message will not be helpful.

Create service principals

Create service principals for both your NFS client and your NFS server on the KDC:

kadmin.local: addprinc -randkey nfs/nfsclient.example.com
WARNING: no policy specified for nfs/nfsclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/nfsclient.example.com@EXAMPLE.COM" created.

And add to the keytab:

kadmin.local: ktadd nfs/nfsclient.example.com
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

Then distribute /etc/krb5.keytab to your NFS clients and server.

NFS Server

Add a Kerberos export option:

  • sec=krb5 uses kerberos for authentication only, and transmits the data unauthenticated and unencrypted.
  • sec=krb5i uses kerberos for authentication and integrity checking, but still transmits data unencrypted.
  • sec=krb5p uses kerberos for authentication and encryption.

/etc/exports
/srv/export *(rw,async,no_subtree_check,no_root_squash,sec=krb5)

And reload the exports:

# exportfs -arv

NFS Client

Mount the exported directory:

# mount nfsserver:/srv/export /mnt/

You can add -vv for verbose output, and may need -t nfs4 and -o sec=krb5p (or whichever security flavour you chose).

Check that it worked with the mount command:

mount | grep krb5
nfsserver:/srv/export on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.100.139,local_lock=none,addr=192.168.100.136)
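Because sec=krb5 only authenticates the session, the export and mount shown above leave file data unprotected on the wire. The following Python is an added example (not from the page or from the nfs-utils project) that parses /etc/exports lines and mount output of the form shown above and lists every export or NFS mount whose sec= flavour is weaker than a required one, krb5p by default. The sample exports and mount lines are constructed copies of the ones above plus one non-NFS mount; audit, weak_flavours and the parser names are this example's own.

```python
"""Audit the Kerberos security flavour of NFS exports and of mounted NFS shares."""
import re

# What each sec= flavour protects beyond authenticating the user (from the page).
FLAVOUR_PROTECTION = {
    "sys":   "no Kerberos at all (AUTH_SYS: client-asserted uid/gid)",
    "krb5":  "authentication only; data is neither integrity-checked nor encrypted",
    "krb5i": "authentication and integrity; data still sent in the clear",
    "krb5p": "authentication, integrity and encryption",
}
_RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

# Constructed samples: the page's export line, the page's mount line, one local disk.
SAMPLE_EXPORTS = """\
# /etc/exports as on the page
/srv/export *(rw,async,no_subtree_check,no_root_squash,sec=krb5)
"""
SAMPLE_MOUNTS = """\
/dev/sda1 on / type ext4 (rw,relatime)
nfsserver:/srv/export on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.100.139,local_lock=none,addr=192.168.100.136)
"""


def _opts(csv):
    """'rw,sec=krb5' -> {'rw': True, 'sec': 'krb5'}."""
    out = {}
    for item in filter(None, csv.split(",")):
        key, _, value = item.partition("=")
        out[key] = value if value else True
    return out


def parse_exports(text):
    """Yield (path, client_pattern, options) for every client spec in /etc/exports."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            yield path, m.group(1) or "*", _opts(m.group(2) or "")


def parse_mounts(text):
    """Yield (source, mountpoint, fstype, options) from lines in `mount` output format."""
    pat = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), _opts(m.group(4))


def weak_flavours(opts, required="krb5p"):
    """Flavours listed in sec= (exports allow sec=a:b) that rank below `required`."""
    flavours = str(opts.get("sec", "sys")).split(":")      # no sec= means AUTH_SYS
    return [f for f in flavours if _RANK.get(f, -1) < _RANK[required]]


def audit(exports_text, mounts_text, required="krb5p"):
    """List (kind, path, flavour, peer, what-it-lacks) for every export or NFS mount
    whose sec= flavour is weaker than `required`."""
    findings = []
    for path, client, opts in parse_exports(exports_text):
        for f in weak_flavours(opts, required):
            findings.append(("export", path, f, client, FLAVOUR_PROTECTION.get(f, "unknown")))
    for src, mnt, fstype, opts in parse_mounts(mounts_text):
        if not fstype.startswith("nfs"):                   # skip local filesystems
            continue
        for f in weak_flavours(opts, required):
            findings.append(("mount", mnt, f, src, FLAVOUR_PROTECTION.get(f, "unknown")))
    return findings


if __name__ == "__main__":
    for kind, path, flavour, peer, note in audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print("%s %s (%s): sec=%s gives %s" % (kind, path, peer, flavour, note))
```

On a real host, feed it `open("/etc/exports").read()` on the server and the output of `mount` on the client; anything reported as "krb5" or "krb5i" is a share whose contents cross the network readable, and the fix is sec=krb5p on both the export and the mount.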

See also