Install Kerberos server and client on debian¶
In this tutorial, we will install MIT Kerberos server and client on a debian 11 server.
1. Prerequisite¶
1.1 Setup NTP server¶
As we mentioned above, kerberos is time sensitive, we need to use a Network Time Protocol (NTP) server to synchronize the time. You can follow this page https://vitux.com/how-to-setup-ntp-server-and-client-on-debian-11/
1.2 DNS server setup¶
Before installing the Kerberos server, a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name.
1.3 Some basic krb information¶
Realm: CASD.LOCAL KDC server url: kdc01.casd.local (10.50.5.57) backup KDC server url: kdc02.casd.local (not deployed for now) admin principal: pliu/admin user principal: hadoop
It is strongly recommended that your network-authenticated users have their uid in a different range (say, starting at 5000) than that of your local users.
2. Server Installation¶
For the server side, we will install an MIT kerberos V5. As we mentioned above, a KDC requires an Authentication Server (AS) and Ticket-Granting Server (TGS)
To manage the KDC server, we need some admin tools which will be provided by the krb5-admin-server
# step 1: install the krb5-kdc and krb5-admin-server packages.
sudo apt install krb5-kdc krb5-admin-server
# 1st prompt will ask you the default REALM name, enter CASD.LOCAL
# 2nd prompt will ask you the url/ip of the kdc server url, enter kdc01.casd.local or ip, if you have two kdc server, you can use space to separate them.
# 3rd prompt will ask you the url/ip of the admin server url, enter kdc01.casd.local or ip(we install it on the same).
# step2: create a new realm
# The default realm in step 1 is the configuration for connection. We need to create the realm
sudo krb5_newrealm
# suppose the reaml name is CASD.LOCAL
# step3: create principals(user account) by using admin tools
# login to admin tools
sudo kadmin.local
# create new principals (user accounts)
# note the / in pliu/admin here is only for human, nothing special for kdc.
# as we did not specify the realm, the default realm will be added to the principals
kadmin.local: addprinc pliu/admin
kadmin.local: addprinc hadoop
# step4: Add the appropriate Access Control List (ACL) permissions for the new admin user.
sudo vim /etc/krb5kdc/kadm5.acl
# add below lines
pliu/admin@CASD.LOCAL *
# The above line grants pliu/admin the ability to perform any operation on all principals in the realm. You can
# configure principals with more restrictive privileges.
# step5: restart the krb5-admin-server for the new ACL to take affect
sudo systemctl restart krb5-admin-server.service
In this setup, the KDC uses a local database to store user login/password; we can connect kerberos to a ldap server.
3. Server configuration¶
There are three main config files you need to pay attention: - /etc/krb5.conf - /etc/krb5kdc/kdc.conf - /etc/krb5kdc/kadm5.acl
3.1 /etc/krb5.conf (Kerberos Client & General Configuration)¶
This configuration file is required by both krb clients and the KDC server to specify general Kerberos settings.
It has three key sections:
- [libdefaults]: General Kerberos settings (default realm, ticket options).
- [realms]: Defines realms and their corresponding KDC and admin server.
- [domain_realm]: Maps domain names to Kerberos realms.
Below is an example of the krb5.conf
[libdefaults]
default_realm = CASD.EU
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
dns_lookup_kdc = false
[realms]
CASD.EU = {
kdc = kdc.casd.eu
admin_server = kdc.casd.eu
default_domain = casd.eu
}
[domain_realm]
.casd.eu = CASD.EU
casd.eu = CASD.EU
3.2 /etc/krb5kdc/kdc.conf (KDC-Specific Configuration)¶
This configuration file is only used by the KDC (Key Distribution Center). It controls how the KDC manages
authentication, tickets, and encryption.
It has three key section:
- [kdcdefaults]: Defines which ports the KDC listens on.
- [realms]: KDC-specific settings for managing tickets, database, and encryption of a domain.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
CASD.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = /etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /etc/krb5kdc/stash
max_life = 24h
max_renewable_life = 7d
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
}
3.3 /etc/krb5kdc/kadm5.acl (ACL for KDC)¶
The /etc/krb5kdc/kadm5.acl file controls who can manage Kerberos principals (users, services, and hosts).
# general form
principal privilege
# some example
# the admin principal has full admin access (can add/delete principal, reset passwords, etc.)
admin@CASD.EU *
# user1 can change their own password but nothing else
user1@CASD.EU x
# service/admin can add and change principals, but not delete them
service/admin@CASD.EU ac
| Symbol | Privilege |
|---|---|
| * | Full access |
| a | Add principal |
| d | Delete principal |
| m | Modify principal |
| c | Change password |
| x | Change own password |
4. Client installation¶
You will now need to configure a Linux system as a Kerberos client. This will allow access to any kerberized services once a user has successfully logged into the system.
# step1: install packages
sudo apt install krb5-user
# step2: Configure the krb client config
sudo dpkg-reconfigure krb5-config
# The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:
[libdefaults]
default_realm = CASD.LOCAL
...
[realms]
CASD.LOCAL = {
kdc = 10.50.5.57
admin_server = 10.50.5.57
}
# step3: Test the configuration by requesting a ticket using the kinit utility
kinit pliu@CASD.LOCAL
# step4: Check the generated ticket
klist
if you want to use krb for ssh authentication, you need to install libpam-krb5 libpam-ccreds auth-client-config
sudo auth-client-config -a -p kerberos_exampleuse theauth-client-configto configure thelibpam-krb5module to request a ticket during login
4.1 kadmin¶
kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide
nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC database, while
kadmin performs operations using kadmind.
With sudo kadmin.local you have the admin console in the krb server locally. You can also access the admin console
remotely. You can find the complete doc here.
4.2 kutil¶
The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab or Kerberos V4 srvtab file. You can find the detailed documentation of ktutil
Create a new keytab with existing principal and password. We can choose different encryption algorithm
ktutil: add_entry -password -p pengfei@CASD.LOCAL -k 1 -e
aes128-cts-hmac-sha1-96
Password for pengfei@CASD.LOCAL:
ktutil: add_entry -password -p pengfei@CASD.LOCAL -k 1 -e
aes256-cts-hmac-sha1-96
Password for pengfei@CASD.LOCAL:
ktutil: write_kt keytab
ktutil:
Read an existing keytab
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/sssd-test.casd.local@CASD.LOCAL
2 2 host/sssd-test.casd.local@CASD.LOCAL
3 2 auth-agent/sssd-test.casd.local@CASD.LOCAL
4 2 auth-agent/sssd-test.casd.local@CASD.LOCAL
Reference¶
https://www.easyredmine.com/documentation-of-easy-redmine/article/how-to-set-up-kerberos-authentication https://blog.csdn.net/qq_43536701/article/details/109854270