Skip to content

Instantly share code, notes, and snippets.

@k4mrul

k4mrul/kerberos_setup.md

Forked from ashrithr/kerberos_setup.md
Created December 14, 2018 06:30
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save k4mrul/e31141c6b84256cd4f31f82fcb5d29b5 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save k4mrul/e31141c6b84256cd4f31f82fcb5d29b5 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @ashrithr ashrithr revised this gist Sep 15, 2014. 1 changed file with 29 additions and 0 deletions.
    29 changes: 29 additions & 0 deletions kerberos_ssh.md
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,29 @@
    # Setting up SSH to use Kerberos Authentication

    **Pre-Req**: Make sure you can issue a `kinit -k host/fqdn@REALM` and get back a kerberos ticket without having to specify a password.

    ## Step1: Configuring SSH Server

    Configure `/etc/ssh/sshd_config` file to include the following lines:

    ```
    KerberosAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM no
    ```

    Now, restart the ssh daemon.

    ## Step2: Configure the SSH Client

    Configure `/etc/ssh_config` to include following lines:

    ```
    Host *.domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    ```

    > Note: make sure you change the domain to match your environment.
  2. @ashrithr ashrithr revised this gist Aug 2, 2014. 1 changed file with 3 additions and 7 deletions.
    10 changes: 3 additions & 7 deletions kerberos_setup.md
    View file
    Original file line number Diff line number Diff line change
    @@ -158,13 +158,9 @@ Transfer your `/etc/krb5.conf` (which got created from above command) from the
    KDC server to the client. Hop onto the client server, install the Kerberos
    client package and add some host principals:

    ```
    kadmin -w hadoop -p kadmin/admin -q 'list princs'
    ```

    ```
    [root@client ~]# yum install krb5-workstation
    [root@client ~]# kadmin.local
    kadmin.local: addpinc --randkey host/client.example.com
    kadmin.local: ktadd host/kdc.example.com
    [root@client ~]# kadmin -p root/admin
    kadmin: addpinc --randkey host/client.example.com
    kadmin: ktadd host/kdc.example.com
    ```
  3. @ashrithr ashrithr revised this gist Aug 2, 2014. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions kerberos_setup.md
    View file
    Original file line number Diff line number Diff line change
    @@ -148,6 +148,12 @@ kadmin.local: addprinc -randkey host/kdc.cw.com
    kadmin.local: ktadd host/kdc.cw.com
    ```

    ## Setup kerberos client

    ```
    yum -y install krb5-workstation
    ```

    Transfer your `/etc/krb5.conf` (which got created from above command) from the
    KDC server to the client. Hop onto the client server, install the Kerberos
    client package and add some host principals:
  4. @ashrithr ashrithr created this gist Aug 2, 2014.
    164 changes: 164 additions & 0 deletions kerberos_setup.md
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,164 @@
    # Installing Kerberos on Redhat 7

    This installation is going to require 2 servers one acts as kerberos KDC server
    and the other machine is going to be client. Lets assume the FQDN's are (here
    `cw.com` is the domain name, make a note of the domain name here):
    * Kerberos KDC Server: kdc.cw.com
    * Kerberos Client: kclient.cw.com

    > Important: Make sure that both systems have their hostnames properly set and
    > both systems have the hostnames and IP addresses of both systems in
    > `/etc/hosts`. Your server and client must be able to know the IP and hostname
    > of the other system as well as themselves.
    Pre-Requisites:

    Setup and install NTP

    ```
    yum -y install ntp
    ntpdate 0.rhel.pool.ntp.org
    systemctl start ntpd.service
    systemctl enable ntpd.service
    ```

    > RHEL 7 comes with *systemd* as the default service manager. Here is a handy
    > guide for mapping service and chkconfig command [here](http://fedoraproject.org/wiki/SysVinit_to_Systemd_Cheatsheet)
    Packages required:
    * KDC server package: krb5-server
    * Admin package: krb5-libs
    * Client package: krb5-workstation

    Configuration Files:
    * /var/kerberos/krb5kdc/kdc.conf
    * /var/kerberos/krb5kdc/kadm5.acl
    * /etc/krb5.conf

    Important Paths:
    * KDC path: /var/kerberos/krb5kdc/

    ## Installing & Configuring KDC Server:

    ```
    yum -y install krb5-server krb5-libs
    ```

    Primary configuration file is 'krb5.conf':
    * Ensure the default realm is set your domain name in capital case

    Sample '/etc/krb5.conf'

    ```
    [libdefaults]
    default_realm = CW.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    [realms]
    CW.COM = {
    kdc = kdc.cw.com:88
    admin_server = kdc.cw.com:749
    default_domain = cw.com
    }
    [domain_realm]
    .cw.com = CW.COM
    cw.com = CW.COM
    [logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
    ```

    Adjust `/var/kerberos/krb5kdc/kdc.conf` on the KDC:

    ```
    default_realm = CW.COM
    [kdcdefaults]
    v4_mode = nopreauth
    kdc_ports = 0
    [realms]
    CW.COM = {
    kdc_ports = 88
    admin_keytab = /etc/kadm5.keytab
    database_name = /var/kerberos/krb5kdc/principal
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    key_stash_file = /var/kerberos/krb5kdc/stash
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    default_principal_flags = +preauth
    }
    ```

    Adjust `/var/kerberos/krb5kdc/kadm5.acl` on KDC:

    ```
    */[email protected] *
    ```

    ## Creating KDC database to hold our sensitive Kerberos data

    Create the database and set a good password which you can remember. This command
    also stashes your password on the KDC so you don’t have to enter it each time
    you start the KDC:

    ```
    kdb5_util create -r CW.COM -s
    ```

    > This command may take a while to complete based on the CPU power
    Now on the KDC create a admin principal and also a test user (user1):

    ```
    [root@kdc ~]# kadmin.local
    kadmin.local: addprinc root/admin
    kadmin.local: addprinc user1
    kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
    kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
    kadmin.local: exit
    ```

    Let’s start the Kerberos KDC and kadmin daemons:

    ```
    systemctl start krb5kdc.service
    systemctl start kadmin.service
    systemctl enable krb5kdc.service
    systemctl enable kadmin.service
    ```

    Now, let’s create a principal for our KDC server and stick it in it’s keytab:

    ```
    [root@kdc ~]# kadmin.local
    kadmin.local: addprinc -randkey host/kdc.cw.com
    kadmin.local: ktadd host/kdc.cw.com
    ```

    Transfer your `/etc/krb5.conf` (which got created from above command) from the
    KDC server to the client. Hop onto the client server, install the Kerberos
    client package and add some host principals:

    ```
    kadmin -w hadoop -p kadmin/admin -q 'list princs'
    ```

    ```
    [root@client ~]# yum install krb5-workstation
    [root@client ~]# kadmin.local
    kadmin.local: addpinc --randkey host/client.example.com
    kadmin.local: ktadd host/kdc.example.com
    ```