From SpectLog
Revision as of 08:05, 11 May 2012 by UVSMTID (talk | contribs) (Change category "Red Hat Linux" => "RHEL6")

Introduction

This page focuses on the commands needed to enable a minimal Kerberos authentication setup for a single service. It is assumed that virtual machines are used. It was tested with RHEL6 and CentOS 6.0.

Create the following virtual machines and perform a default OS installation on each:

  • Kerberos server software (both KDC and Admin services) on kerberos.example.com;
  • Kerberized service (rlogin) on server host server.example.com;
  • Kerberos client software and kerberized client (rlogin) on client host client.example.com.

Servers and clients for services

Kerberos provides an authentication service for any other service which needs to authenticate users. This creates confusion, as services can act as both servers and clients. For example, any service (HTTP, FTP, SMTP, etc.) is provided by its corresponding server. At the same time, all these servers act as clients of the Kerberos service.

To avoid confusion, the service being referred to is named explicitly throughout this page.

Commands with context

Many commands are typed not into the shell but into interactive utilities such as kadmin and ktutil. To make this clear, every command is prefixed with the name of the CLI tool it is entered into.

Using default configuration

In order to minimize changes to the initial configuration files, most of the default configuration is used. In particular: the default Kerberos realm (EXAMPLE.COM), the default Kerberos server host name (kerberos.example.com) and the default domain for service and client hosts (example.com). In fact, none of the Kerberos client configuration files (/etc/krb5.conf) are modified from their default versions.

DNS

Fully functional DNS is assumed. However, properly configured static hostname resolution (via /etc/hosts) should also be acceptable.

NTP

Kerberos relies on well-synchronized clocks on all hosts using it. Configuring the NTP service is recommended. Nevertheless, Kerberos has a default tolerance of several minutes, which is enough if clocks are initialized manually for a short-term installation.

Choice of kerberized service

As an example of a kerberized service, rlogin is used. It was chosen primarily for the simplicity of the demo configuration. By comparison, ssh requires changes in configuration files, and its problems are not as easy to troubleshoot.

Configure Kerberos service

Login to Kerberos server host:

shell       : ssh kerberos.example.com

Install Kerberos server software:

shell       : yum install krb5-server

Configure firewall:

shell       : vi /etc/sysconfig/iptables
# Kerberos KDC
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
# Kerberos Admin
-A INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT

Make the firewall changes effective:

shell       : service iptables restart

Initialize KDC database:

shell       : kdb5_util create -s

Clean up keytab:

shell       : rm /etc/krb5.keytab

Start local Admin:

shell       : kadmin.local

Add principal for Admin:

kadmin.local: addprinc root/admin

Add principal for regular user:

kadmin.local: addprinc visitor

Review existing principals:

kadmin.local: listprincs

Quit Admin:

kadmin.local: quit

The default Kerberos ACL allows anybody with a */admin principal to use remote administration (kadmin) with all privileges:

shell       : cat /var/kerberos/krb5kdc/kadm5.acl

Start KDC service:

shell       : chkconfig krb5kdc on
shell       : service   krb5kdc start

Start Admin service:

shell       : chkconfig kadmin on
shell       : service   kadmin start

Configure Kerberos client

Login to client host:

shell       : ssh client.example.com

Install Kerberos client software:

shell       : yum install krb5-workstation

Test Kerberos client and server

Check current time on the host:

shell       : date

Make sure the time is synchronized on all hosts:

  • kerberos.example.com,
  • client.example.com.

Login to client host:

shell       : ssh client.example.com

Clean up tickets on the client:

shell       : kdestroy

Try to authenticate and get ticket from the client:

shell       : kinit visitor

Review tickets on the client:

shell       : klist

Try to access Admin from the client:

shell       : kadmin -p root/admin

Configure kerberized service

Login to rlogin server host:

shell       : ssh server.example.com

Install kerberized servers:

shell       : yum install krb5-appl-servers
shell       : yum install krb5-workstation

Open firewall:

shell       : vi /etc/sysconfig/iptables
# rlogin
-A INPUT -m state --state NEW -m tcp -p tcp --dport 543 -j ACCEPT
shell       : service iptables restart
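The two firewall edits above (ports 88 and 749 on the Kerberos host, port 543 on the rlogin host) are done by hand in vi, and the usual mistake is to append the ACCEPT line after the stock catch-all "-A INPUT -j REJECT" rule, where it is never reached. The following script is an added example, not part of the original page: it reads an /etc/sysconfig/iptables style file and confirms that an ACCEPT for a TCP port sits before the first catch-all REJECT/DROP in the INPUT chain. The two sample rulesets are constructed for the example and are not copied from any real host.

```shell
#!/bin/sh
# Added example, not from the original page: verify that ACCEPT rules added to
# /etc/sysconfig/iptables actually take effect. The INPUT chain is evaluated
# top to bottom, so an ACCEPT placed after
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited
# is never reached and the port stays closed even after a restart.

# Usage: port_opened_before_reject PORT < rules-file
# Exit 0 when an ACCEPT for tcp/PORT precedes the first catch-all REJECT/DROP
# in the INPUT chain, 1 when the ACCEPT is missing or shadowed.
port_opened_before_reject() {
    awk -v port="$1" '
        /^-A INPUT / {
            # The rule we want: protocol tcp, this destination port, target ACCEPT.
            if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/)
                accept_seen = 1
            # A REJECT/DROP with no port match is the catch-all; later rules are dead.
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/ && !accept_seen)
                shadowed = 1
        }
        END { exit (accept_seen && !shadowed) ? 0 : 1 }
    '
}

# Report on every port a host needs. Usage: check_ports RULES_TEXT PORT...
# Exit status 1 if any port is missing or shadowed.
check_ports() {
    rules="$1"; shift
    rc=0
    for p in "$@"; do
        if printf '%s\n' "$rules" | port_opened_before_reject "$p"; then
            echo "tcp/$p: accepted before catch-all REJECT"
        else
            echo "tcp/$p: MISSING or shadowed by REJECT"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the Kerberos host after the edit described on this page.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Kerberos KDC
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
# Kerberos Admin
-A INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the rlogin rule was appended after the catch-all REJECT.
BAD_RULES='*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# rlogin
-A INPUT -m state --state NEW -m tcp -p tcp --dport 543 -j ACCEPT
COMMIT'

# Stand-alone run: the first check passes, the second reports tcp/543 as shadowed.
check_ports "$GOOD_RULES" 88 749 || true
check_ports "$BAD_RULES" 22 543 || true
```

On a real host, pipe the file in directly: `port_opened_before_reject 88 < /etc/sysconfig/iptables`. The check only looks at the INPUT chain and only at catch-all REJECT/DROP rules (those without a port match); a more elaborate ruleset with custom chains would need the jump targets followed as well.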

The service acts as a client of Kerberos. Add its principal on the KDC server and export the key into the default keytab file on the service host (which, from the point of view of Kerberos, is a client) [1]:

  • Before a service host can use Kerberos to authenticate users who connect using ssh, rsh, or rlogin, it must have its own host principal in the Kerberos database.
shell       : kadmin -p root/admin
kadmin      : addprinc -randkey host/server.example.com
kadmin      : ktadd host/server.example.com

Note that the addprinc command adds the key to the KDC database on the Kerberos server host, while the ktadd command exports this key to the keytab file on the Kerberos client (here, the service host).

Review list of keys in default keytab file:

shell       : ktutil
ktutil      : rkt /etc/krb5.keytab
ktutil      : list
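Listing the keytab shows that the host principal is present, but not whether its key is the one the KDC currently holds: every further addprinc -randkey or ktadd on the same principal increments the key version number (kvno) on the KDC, and a keytab left with an older kvno cannot decrypt the service tickets the client presents. The script below is an added example, not part of the original page. It compares the kvno in `klist -k` output from the service host with the kvno in `kadmin getprinc host/server.example.com` output; both sample outputs are constructed for the example (the layout follows the MIT tools, the dates and enctype list are made up), and in real use they are captured from the actual commands.

```shell
#!/bin/sh
# Added example, not from the original page: check that the key in
# /etc/krb5.keytab on the service host matches the key the KDC holds.
# Inputs are the text of `klist -k /etc/krb5.keytab` (service host) and of
# `kadmin -p root/admin -q "getprinc host/server.example.com"` (any host).

# Highest kvno for PRINCIPAL in `klist -k` output on stdin (0 when absent).
# Usage: keytab_kvno PRINCIPAL < klist-output
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kvno recorded in `kadmin getprinc` output on stdin (0 when no Key line).
# Usage: kdc_kvno < getprinc-output
kdc_kvno() {
    awk '/^Key: vno/ { v = $3; sub(/,/, "", v) } END { print v + 0 }'
}

# Compare the two. Usage: kvno_matches PRINCIPAL KLIST_TEXT GETPRINC_TEXT
# Exit 0 when the keytab holds the KDC''s current kvno, 1 otherwise.
kvno_matches() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ "$kt" -eq 0 ]; then
        echo "$1: not present in keytab"
        return 1
    elif [ "$kt" -ne "$kdc" ]; then
        echo "$1: keytab kvno $kt but KDC kvno $kdc (re-run ktadd on the service host)"
        return 1
    fi
    echo "$1: kvno $kt matches KDC"
}

# Constructed sample of `klist -k /etc/krb5.keytab` after one ktadd.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM'

# Constructed sample of `kadmin getprinc host/server.example.com` at the same time.
GETPRINC_OUT='Principal: host/server.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 4
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Attributes:
Policy: [none]'

# The same record after ktadd was run once more: the keytab above is now stale.
GETPRINC_STALE=$(printf '%s\n' "$GETPRINC_OUT" | sed 's/^Key: vno 2,/Key: vno 3,/')

# Stand-alone run: first check passes, second reports the kvno mismatch.
kvno_matches host/server.example.com@EXAMPLE.COM "$KLIST_OUT" "$GETPRINC_OUT" || true
kvno_matches host/server.example.com@EXAMPLE.COM "$KLIST_OUT" "$GETPRINC_STALE" || true
```

The fix for a mismatch is the one the page already shows: run ktadd again on the service host, which writes the current key and kvno into the keytab.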

Enable the xinetd super server, which runs klogin, eklogin, and kshell:

shell       : chkconfig xinetd on

Enable klogin, eklogin, and kshell:

shell       : chkconfig klogin  on
shell       : chkconfig eklogin on
shell       : chkconfig kshell  on

Restart xinetd to be sure the changes take effect:

shell       : service xinetd restart

Configure kerberized client for kerberized service

Login to client host:

shell       : ssh client.example.com

Install kerberized clients for kerberized service:

shell       : yum install krb5-appl-clients
shell       : yum install krb5-workstation

Test kerberized client with kerberized service

Check current time on the host:

shell       : date

Make sure the time is synchronized on all hosts: kerberos.example.com, server.example.com, client.example.com.

Login to client host:

shell       : ssh client.example.com

Clean up tickets on the client:

shell       : kdestroy

Try to authenticate and get ticket from the client:

shell       : kinit visitor

Review tickets on the client:

shell       : klist

Try to log in to the kerberized service using the kerberized client:

shell       : rlogin server -l visitor

Troubleshooting

Kerberos server-side logs

shell       : tail -f /var/log/krb5kdc.log
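Following the log with tail is enough for one session, but on a KDC serving several hosts it helps to know which status words matter. Each request the KDC answers is logged as one line carrying the request type (AS_REQ for kinit, TGS_REQ for a service ticket), the client address, a status word and the client and server principals. The script below is an added example, not part of the original page: it counts the status words in krb5kdc.log and lists the lines that are real failures, treating NEEDED_PREAUTH (the KDC asking the client to prove the password before issuing) and ISSUE as normal. The log lines are constructed for the example; the layout follows krb5kdc, but the addresses, PIDs and timestamps are made up, and the IP extraction assumes IPv4.

```shell
#!/bin/sh
# Added example, not from the original page: triage helpers for
# /var/log/krb5kdc.log. Typical status words and what they mean here:
#   NEEDED_PREAUTH    normal first leg of kinit, not a failure
#   ISSUE             ticket issued (AS_REQ = TGT, TGS_REQ = service ticket)
#   PREAUTH_FAILED    wrong password for an existing principal
#   CLIENT_NOT_FOUND  kinit for a principal the KDC does not know
#   UNKNOWN_SERVER    service principal (e.g. host/NAME) not in the database;
#                     seen when the client resolves a host name that does not
#                     canonicalize to the FQDN the host principal was created with

# Print the status word of each log line on stdin, one per line.
kdc_status() {
    awk 'match($0, /: [A-Z_]+: /) { print substr($0, RSTART + 2, RLENGTH - 4) }'
}

# Count the lines on stdin with STATUS. Usage: kdc_status_count STATUS
kdc_status_count() {
    kdc_status | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# List failures on stdin as "STATUS client-ip client-principal for server-principal".
kdc_failures() {
    awk '
        match($0, /: [A-Z_]+: /) {
            st = substr($0, RSTART + 2, RLENGTH - 4)
            if (st == "ISSUE" || st == "NEEDED_PREAUTH") next
            ip = "?"
            # IPv4 client address precedes the status word (assumption of this example).
            if (match($0, / [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: /))
                ip = substr($0, RSTART + 1, RLENGTH - 3)
            who = "?"
            if (match($0, /[^ ,]+@[^ ,]+ for [^ ,]+@[^ ,]+/))
                who = substr($0, RSTART, RLENGTH)
            print st, ip, who
        }'
}

# Constructed sample log: a good kinit and rlogin, then three failures.
KDC_LOG='May 11 08:05:01 kerberos.example.com krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: NEEDED_PREAUTH: visitor@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 11 08:05:01 kerberos.example.com krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: ISSUE: authtime 1336723501, etypes {rep=18 tkt=18 ses=18}, visitor@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 11 08:05:09 kerberos.example.com krb5kdc[1842](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: ISSUE: authtime 1336723501, etypes {rep=18 tkt=18 ses=18}, visitor@EXAMPLE.COM for host/server.example.com@EXAMPLE.COM
May 11 08:06:15 kerberos.example.com krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: visitor@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
May 11 08:06:20 kerberos.example.com krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: CLIENT_NOT_FOUND: nobody@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
May 11 08:06:31 kerberos.example.com krb5kdc[1842](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: UNKNOWN_SERVER: authtime 1336723501, visitor@EXAMPLE.COM for host/server@EXAMPLE.COM, Server not found in Kerberos database'

# Stand-alone run: summary of status words, then the failure list.
printf '%s\n' "$KDC_LOG" | kdc_status | sort | uniq -c
printf '%s\n' "$KDC_LOG" | kdc_failures
```

On the KDC itself the same functions read the real file: `kdc_failures < /var/log/krb5kdc.log`. A burst of PREAUTH_FAILED lines for one principal from one address is worth a look on its own, and an UNKNOWN_SERVER for host/server rather than host/server.example.com points back at the DNS section of this page: the client resolved a short name and asked for a principal that was never created.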