Kerberos provides a secure network authentication model using secret-key cryptography. It can be used with multiple services to offer stronger authentication than per-service passwords.
On a CentOS system you can list the available Kerberos packages with yum.
yum list | grep krb5
You will see that only the workstation (client) package is installed by default, so the system can already authenticate against a KDC; to run a KDC you need the server package.
yum install krb5-server
Edit /etc/krb5.conf
Note that when you edit this file, use your own domain and keep the case consistent in every change: realm names are uppercase and DNS hostnames are lowercase.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCALNET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
LOCALNET = {
kdc = kerb.localnet:88
admin_server = kerb.localnet:749
default_domain = localnet
}
[domain_realm]
.localnet = LOCALNET
localnet = LOCALNET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Edit /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
LOCALNET = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
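Because the case rules for krb5.conf and the enctype list in kdc.conf are easy to get wrong by hand, here is an added checker (my own code, not part of the original write-up) that parses the krb5.conf-style format used by both files and reports mis-cased realm or host names and single-DES, 3DES or RC4 enctypes. The sample input is constructed from the realm block above with one deliberately mis-cased hostname.

```python
# Added example, not from the original write-up. Sample input below is constructed.
REMOVED = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1"}            # single DES, removed in MIT krb5 1.18
DEPRECATED = {"des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5"}  # 3DES and RC4, deprecated in 1.19

def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } blocks into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # nested realm block
        else:
            stack[-1][key] = value
    return root

def audit(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for realm, settings in conf.get("realms", {}).items():
        if not realm.isupper():
            findings.append(f"realm name {realm!r} is not uppercase")
        for key in ("kdc", "admin_server"):
            host = settings.get(key, "").rsplit(":", 1)[0]  # strip the :port suffix
            if host != host.lower():
                findings.append(f"{realm} {key} host {host!r} is not lowercase")
        for entry in settings.get("supported_enctypes", "").split():
            enctype = entry.split(":", 1)[0]             # entries are "enctype:salttype"
            if enctype in REMOVED:
                findings.append(f"{realm}: {enctype} is single DES, removed in MIT krb5 1.18")
            elif enctype in DEPRECATED:
                findings.append(f"{realm}: {enctype} is deprecated; prefer aes256-cts-hmac-sha1-96")
    return findings

# Constructed sample: the realm block from this page with a mis-cased KDC hostname.
SAMPLE = """[realms]
LOCALNET = {
  kdc = Kerb.localnet:88
  supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-hmac-sha1:normal des-cbc-crc:normal
}
"""
```

Run `audit(parse_krb5_conf(open("/etc/krb5.conf").read()))` and the same for kdc.conf to check a real pair of files.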
Create the Database
This database stores keys for the Kerberos realm. The -s option creates a stash file where the master key is stored. Access is controlled by the Master Password.
/usr/kerberos/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LOCALNET',
master key name 'K/M@LOCALNET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Edit /var/kerberos/krb5kdc/kadm5.acl
This file controls who may administer the realm through kadmin; the line below grants all rights to any principal whose instance is admin.
*/admin@LOCALNET *
Once started, kadmind lets the principals allowed by this ACL connect and administer the realm. Create the first admin principal locally with kadmin.local:
kadmin.local -q "addprinc mike/admin"
Authenticating as principal root/admin@LOCALNET with password.
WARNING: no policy specified for mike/admin@LOCALNET; defaulting to no policy
Enter password for principal "mike/admin@LOCALNET":
Re-enter password for principal "mike/admin@LOCALNET":
Principal "mike/admin@LOCALNET" created.
Create a host principal for the server in the same way; the session below shows the result:
kadmin.local
Authenticating as principal root/admin@LOCALNET with password.
WARNING: no policy specified for host/basic.localnet@LOCALNET; defaulting to no policy
Principal "host/basic.localnet@LOCALNET" created.
Start Kerberos
service krb5kdc start
service kadmin start
service krb524 start
netstat -aunt
This should show the KDC listening on UDP ports 88 and 750 and kadmind on TCP port 749.
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN
udp 0 0 192.168.5.12:88 0.0.0.0:*
udp 0 0 192.168.5.12:750 0.0.0.0:*
Test the Setup
kadmin.local
Authenticating as principal root/admin@LOCALNET with password.
kadmin.local: listprincs
K/M@LOCALNET
host/basic.localnet@LOCALNET
kadmin/admin@LOCALNET
kadmin/changepw@LOCALNET
kadmin/history@LOCALNET
kadmin/localhost.localdomain@LOCALNET
krbtgt/LOCALNET@LOCALNET
mike/admin@LOCALNET
Check Tickets
klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Login as Principal Then Check Tickets
kinit mike/admin
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mike/admin@LOCALNET
Valid starting Expires Service principal
02/21/10 04:42:38 02/22/10 04:42:36 krbtgt/LOCALNET@LOCALNET
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Add a user
kadmin -q "addprinc -policy user tom"
Authenticating as principal mike/admin@LOCALNET with password.
Password for mike/admin@LOCALNET:
Enter password for principal "tom@LOCALNET":
Re-enter password for principal "tom@LOCALNET":
Add a Host
kadmin.local -q "ktadd -k /etc/krb5.keytab host/basic.localnet"
Authenticating as principal root/admin@LOCALNET with password.
Entry for principal host/basic.localnet with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/basic.localnet with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.