From ArchWiki
Revision as of 02:44, 14 March 2017 by Mal (talk | contribs) (Naming consistency)

Kerberos is a network authentication system.

krb5 documentation


Install the krb5 package, if it is not already installed, and configure it to your needs. Example /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

[realms]
    EXAMPLE.COM = {
        admin_server =
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE
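
To verify that a deployed krb5.conf really restricts enctypes the way the example above does, here is an added Python example (not from the wiki page or the krb5 project) that parses the file's INI-with-braces syntax and flags deprecated enctypes in [libdefaults] and in each [realms] block; the sample configuration, including the LEGACY.EXAMPLE.COM realm, is constructed for the demonstration.

```python
# Constructed sample krb5.conf (not from the page): the page's hardened AES/Camellia
# lists for EXAMPLE.COM, plus a deliberately weak legacy realm to produce a finding.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
    }
    LEGACY.EXAMPLE.COM = {
        supported_enctypes = arcfour-hmac des3-cbc-sha1 aes256-cts-hmac-sha1-96
    }
"""

# Enctype families deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_PREFIXES = ("des", "arcfour", "rc4")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new top-level section
            continue
        if line == "}":
            stack.pop()                           # leave the current sub-block
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # enter e.g. a realm block
        else:
            stack[-1][key] = value
    return conf


def weak_enctypes(conf):
    """(location, enctype) pairs for deprecated enctypes in any *_enctypes setting."""
    scopes = [("libdefaults", conf.get("libdefaults", {}))]
    scopes += [(f"realms.{r}", s) for r, s in conf.get("realms", {}).items() if isinstance(s, dict)]
    return [(f"{where}.{key}", et)
            for where, settings in scopes
            for key, value in settings.items() if key.endswith("enctypes") and isinstance(value, str)
            for et in value.split() if et.lower().startswith(WEAK_PREFIXES)]
```

Run it against the real file with `weak_enctypes(parse_krb5_conf(open("/etc/krb5.conf").read()))`; an empty list means every enctype list on the host is AES or Camellia only.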

Add DNS records:
kerberos           A
_kerberos          TXT "EXAMPLE.COM"
_kerberos._udp     SRV 0 0  88
_kerberos-adm._udp SRV 0 0 750

Don't forget reverse DNS!

Add ALLOW rules to your firewall for both TCP and UDP on ports 88 and 750 (the krb5 documentation says TCP is used on both, though mine isn't listening for TCP on 750).

Create the database:

# kdb5_util -r EXAMPLE.COM create -s

Enable and start the krb5-kdc service.

Start kadmin, using the local root user instead of kerberos authentication:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.

You can do most things

Basic Commands

Add a human principal (user):

kadmin.local:  add_principal myuser@EXAMPLE.COM
WARNING: no policy specified for myuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "myuser@EXAMPLE.COM": ***
Re-enter password for principal "myuser@EXAMPLE.COM": ***
Principal "myuser@EXAMPLE.COM" created.

Add a service principal:

kadmin.local:  add_principal -randkey nfs/

SSH Authentication

Make sure both your SSH server and SSH client configurations include this line, then restart the server:

GSSAPIAuthentication yes

Generate a service principal:

kadmin.local:  add_principal -randkey host/

Generate the keytab for the server:

kadmin.local:  ktadd -keytab /root/someserver.krb5.keytab
# scp /etc/krb5.keytab
# chmod 600 /etc/krb5.keytab

Get a ticket-granting ticket on the SSH client:

$ kinit myuser@EXAMPLE.COM
Password for myuser@EXAMPLE.COM: ***

Debug with:

$ ssh -v