
Configure a system to authenticate using Kerberos

 

### KDC Server setup (rhel7mgmt1.myexample.com)

## assume the following servers
## (1) KDC server - 192.168.0.30 : rhel7mgmt1.myexample.com
## (2) KDC client - 192.168.0.20 : rhel7client1.myexample.com
##
## in lieu of DNS, add the following to /etc/hosts file of all the machines

192.168.0.10  rhel7server1 rhel7server1.myexample.com
192.168.0.20  rhel7client1 rhel7client1.myexample.com
192.168.0.30  rhel7mgmt1   rhel7mgmt1.myexample.com

## on rhel7mgmt1

[root@rhel7mgmt1 ~]# yum -y install krb5-server krb5-workstation pam_krb5
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
...
Complete!


## edit kdc.conf

[root@rhel7mgmt1 ~]# cd /var/kerberos/krb5kdc

[root@rhel7mgmt1 krb5kdc]# vi kdc.conf


# - under [realms], rename the realm from
EXAMPLE.COM => MYEXAMPLE.COM
# - to force Kerberos 5 only (AES-256 master key, pre-authentication required for every principal):
# - uncomment master_key_type : master_key_type = aes256-cts
#   and add : default_principal_flags = +preauth


/var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYEXAMPLE.COM = {
  # uncomment the next 2 lines for a Kerberos 5-only realm: an AES-256 master key and pre-authentication required for every principal
  # note: supported_enctypes below is left at the shipped value and still lists legacy DES and arcfour types; every keytab generated later carries keys of those types too (see the ktadd output)
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

 }


## edit /etc/krb5.conf


[root@rhel7mgmt1 ~]# vi /etc/krb5.conf

# - replace all occurrences of
EXAMPLE.COM with MYEXAMPLE.COM
# - uncomment default_realm
# - update the entries in [realms] with your KDC server details
# - update the entries in [domain_realm] with your domain


/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYEXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MYEXAMPLE.COM = {
  kdc = rhel7mgmt1.myexample.com
  admin_server = rhel7mgmt1.myexample.com
 }

[domain_realm]
 .myexample.com = MYEXAMPLE.COM
 myexample.com = MYEXAMPLE.COM


## edit /var/kerberos/krb5kdc/kadm5.acl


[root@rhel7mgmt1 ~]# vi /var/kerberos/krb5kdc/kadm5.acl

# - change from EXAMPLE.COM to MYEXAMPLE.COM
 

/var/kerberos/krb5kdc/kadm5.acl
*/admin@MYEXAMPLE.COM    *


## create the KDC database (-s also writes a stash file so the master key is not prompted for when the services start)

[root@rhel7mgmt1 krb5kdc]# kdb5_util create -s -r MYEXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYEXAMPLE.COM',
master key name 'K/M@MYEXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

## enable and then start the KDC services

[root@rhel7mgmt1 krb5kdc]# systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

[root@rhel7mgmt1 krb5kdc]# systemctl start krb5kdc

[root@rhel7mgmt1 krb5kdc]# systemctl start kadmin


## create an admin principal for this KDC
## the primary name is arbitrary (root/admin or admin/admin both work); what matters is the /admin instance, which kadm5.acl grants full rights to


[root@rhel7mgmt1 krb5kdc]# kadmin.local
Authenticating as principal root/admin@MYEXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@MYEXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@MYEXAMPLE.COM":
Re-enter password for principal "root/admin@MYEXAMPLE.COM":
Principal "root/admin@MYEXAMPLE.COM" created.



## add user

kadmin.local:  addprinc krbtest
WARNING: no policy specified for krbtest@MYEXAMPLE.COM; defaulting to no policy
Enter password for principal "krbtest@MYEXAMPLE.COM":
Re-enter password for principal "krbtest@MYEXAMPLE.COM":
Principal "krbtest@MYEXAMPLE.COM" created.


## add kdc server into kerberos database


kadmin.local:  addprinc -randkey host/rhel7mgmt1.myexample.com
WARNING: no policy specified for host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM" created.


## export the host key into the local keytab - ktadd creates /etc/krb5.keytab if it does not exist; the file holds the host's long-term key, so it must stay readable by root only


kadmin.local:  ktadd host/rhel7mgmt1.myexample.com
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

kadmin.local:  quit


## edit ssh_config
## this is only needed for testing SSH locally: these settings are for the SSH client side
## and are not required if not doing SSH locally

[root@rhel7mgmt1 krb5kdc]# vi /etc/ssh/ssh_config


# uncomment GSSAPIAuthentication & set the value to yes
# uncomment GSSAPIDelegateCredentials & set the value to yes

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes


## edit /etc/ssh/sshd_config and ensure UseDNS and GSSAPIAuthentication are set to yes

UseDNS yes
GSSAPIAuthentication yes


## reload sshd and enable kerberos authentication


[root@rhel7mgmt1 krb5kdc]# systemctl reload sshd

[root@rhel7mgmt1 krb5kdc]# authconfig --enablekrb5 --update


## define a firewalld service for Kerberos so the required ports are opened (firewalld also ships built-in kerberos and kadmin services; a file of the same name under /etc/firewalld/services overrides the packaged definition)


[root@rhel7mgmt1 ~]# cd /etc/firewalld/services

[root@rhel7mgmt1 services]# vi kerberos.xml

/etc/firewalld/services/kerberos.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>


## apply the firewall rule

[root@rhel7mgmt1 services]# firewall-cmd --permanent --add-service=kerberos
success

[root@rhel7mgmt1 services]# firewall-cmd --reload
success


## create the matching local user account and then test locally (the krbtest principal created above does not create a Unix account by itself)

[root@rhel7mgmt1 services]# useradd krbtest

[root@rhel7mgmt1 services]# su - krbtest

[krbtest@rhel7mgmt1 ~]$ kinit
Password for krbtest@MYEXAMPLE.COM:

[krbtest@rhel7mgmt1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: krbtest@MYEXAMPLE.COM

Valid starting       Expires              Service principal
06/17/2020 12:51:10  06/18/2020 12:51:07  krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM


## an ssh from this session should now log in without a further password prompt
## for the Kerberos authentication to work, the source IP used to connect must resolve back to the hostname that was added as the host principal earlier


[krbtest@rhel7mgmt1 ~]$ ssh rhel7mgmt1.myexample.com
The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established.
ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg.
ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts.
Last login: Wed Jun 17 12:51:03 2020
[krbtest@rhel7mgmt1 ~]$



 

Configure a System to Authenticate Using Kerberos - Client Setup


### KDC Client Setup (rhel7client1.myexample.com)


## install the required packages

[root@rhel7client1 ~]# yum -y install krb5-workstation pam_krb5
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
...
Complete!


## edit /etc/krb5.conf and use the same config as the server

/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYEXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MYEXAMPLE.COM = {
  kdc = rhel7mgmt1.myexample.com
  admin_server = rhel7mgmt1.myexample.com
 }

[domain_realm]
 .myexample.com = MYEXAMPLE.COM
 myexample.com = MYEXAMPLE.COM


## connect to the kadmin server (authenticating as root/admin) and add the host principal for this client

[root@rhel7client1 ~]# kadmin
Authenticating as principal root/admin@MYEXAMPLE.COM with password.
Password for root/admin@MYEXAMPLE.COM:

kadmin:  addprinc -randkey host/rhel7client1.myexample.com
WARNING: no policy specified for host/rhel7client1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "host/rhel7client1.myexample.com@MYEXAMPLE.COM" created.

kadmin:  ktadd host/rhel7client1.myexample.com
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

kadmin:  quit


## edit /etc/ssh/ssh_config

[root@rhel7client1 ~]# vi /etc/ssh/ssh_config


# uncomment GSSAPIAuthentication & set the value to yes
# uncomment GSSAPIDelegateCredentials & set the value to yes

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes


## enable authentication using kerberos

[root@rhel7client1 ~]# authconfig --enablekrb5 --update


## create the user

[root@rhel7client1 ~]# useradd krbtest


## verify kerberos authentication for the krbtest user from this Kerberos client


[root@rhel7client1 ~]# su - krbtest

[krbtest@rhel7client1 ~]$ kinit
Password for krbtest@MYEXAMPLE.COM:

[krbtest@rhel7client1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: krbtest@MYEXAMPLE.COM

Valid starting       Expires              Service principal
06/17/2020 13:22:16  06/18/2020 13:22:12  krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM

[krbtest@rhel7client1 ~]$ ssh rhel7mgmt1.myexample.com
The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established.
ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg.
ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts.
Last login: Wed Jun 17 12:52:16 2020 from rhel7mgmt1.myexample.com
[krbtest@rhel7mgmt1 ~]$

