Tuesday, December 21, 2010

Debian Kerberos Master

Kerberos is a network authentication protocol that provides secure, ticket-based single sign-on: a user authenticates once to the Key Distribution Center (KDC) and afterwards obtains tickets for individual services without re-entering a password. This post sets up a master KDC (MIT Kerberos 5, the Debian krb5-* packages) for the realm DEV.LOCAL.
  1. Install Kerberos Server.
    apt-get -y install rsyslog krb5-{admin-server,user,doc}
  2. Create the realm with krb5_newrealm (shipped with krb5-admin-server). It prompts for the KDC master password and reads the realm name from default_realm in /etc/krb5.conf, so that must be set first (the debconf prompts during installation normally do this). It may take a long time, up to a few minutes, because the master key needs random data and the tool blocks until enough entropy is available.
  3. Enable Kerberos administration by granting admin rights in /etc/krb5kdc/kadm5.acl. `*/admin *` gives every principal with an admin instance (for example alice/admin) all privileges; `admin *` does the same for the plain principal admin created below. Principals not listed here have no kadmin access at all.
    # ...
    */admin *
    admin *
  4. Create the log directory and set up log rotation (new file /etc/logrotate.d/krb5). Note that krb5kdc and kadmind keep their FILE: logs open and do not reopen them on rotation, so a plain rename leaves them writing to the rotated file; add copytruncate, or restart the daemons from a postrotate script.
    mkdir /var/log/krb5
    /var/log/krb5/kadmin.log /var/log/krb5/kdc.log {
            rotate 7
    }
  5. Realm configuration (file /etc/krb5.conf). In this example the KDC host is kdc1.dev.local and krb.dev.local is a DNS alias (CNAME) for it; the alias is what clients use as admin_server, so administration can later be moved to another host without editing every client. The commented-out kdc line is where a second KDC (kdc2) would be added, and [domain_realm] maps every host in dev.local to the realm.
    [libdefaults]
            default_realm = DEV.LOCAL

    [realms]
            DEV.LOCAL = {
                    kdc = kdc1.dev.local
                    # kdc = kdc2.dev.local
                    admin_server = krb.dev.local
            }

    [domain_realm]
            .dev.local = DEV.LOCAL
            dev.local = DEV.LOCAL

    [logging]
            kdc = FILE:/var/log/krb5/kdc.log
            admin_server = FILE:/var/log/krb5/kadmin.log
  6. Restart the Kerberos services so they pick up the new configuration and log files.
    invoke-rc.d krb5-admin-server restart ; \
    invoke-rc.d krb5-kdc restart
  7. Open another console and watch the log files while testing.
    cd /var/log/krb5/ ; \
    tail -f kadmin.log kdc.log
  8. Ensure the services are listening. Expected are kadmind on 749/tcp (the kadmin protocol) and on 464 tcp and udp (kpasswd), and krb5kdc on 88/udp (plus any extra ports listed in kdc_ports in /etc/krb5kdc/kdc.conf).
    root@kdc1:~# netstat -tunlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0   *               LISTEN      840/kadmind
    tcp        0      0   *               LISTEN      840/kadmind
    tcp6       0      0 :::464                  :::*                    LISTEN      840/kadmind
    udp        0      0   *                           840/kadmind
    udp        0      0    *                           861/krb5kdc
    udp        0      0   *                           861/krb5kdc
So far the services are up and running; to administer the realm, however, we still need an administrative principal and a host principal for the KDC itself:
  1. Add the admin principal. kadmin.local works directly on the database as root, so no kadmin ACL entry is needed yet; it prompts twice for the new password, and the `admin *` ACL entry above is what later grants this principal kadmin access:
    kadmin.local -q "addprinc admin"
  2. Add a host principal for kdc1 with a random key and store it in the default keytab /etc/krb5.keytab:
    kadmin.local -q "addprinc -randkey host/kdc1.dev.local"
    kadmin.local -q "ktadd host/kdc1.dev.local"
Now let's test it: kinit obtains a ticket-granting ticket for admin, klist shows it, and kdestroy discards the credential cache.
root@kdc1:~# kinit admin && klist && kdestroy 
Password for admin@DEV.LOCAL: 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DEV.LOCAL

Valid starting     Expires            Service principal
12/21/10 18:05:14  12/22/10 04:05:14  krbtgt/DEV.LOCAL@DEV.LOCAL
 renew until 12/22/10 18:05:11
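The whole procedure above (package installation, the three config files, realm creation, admin and host principals, and the listener check) collected into one script. This is an added example, not code from the original post. It assumes the post's names (realm DEV.LOCAL, KDC host kdc1.dev.local, alias krb.dev.local); the `apply` argument, the KRB_ROOT-style scratch directory handling, the function names and the constructed netstat sample are this example's own, and the database path /var/lib/krb5kdc/principal is Debian's default from kdc.conf. The config writer and the listener check run without root or krb5 installed, so they can be exercised in a scratch directory before touching a real host.

```shell
# Added example (not from the original post): provision a Debian MIT Kerberos
# master KDC as described above. Names follow the post; "apply", the function
# names and the sample netstat output are this example's own assumptions.
set -eu

REALM="${REALM:-DEV.LOCAL}"
DOMAIN="${DOMAIN:-dev.local}"
KDC_HOST="${KDC_HOST:-kdc1.dev.local}"
ADMIN_HOST="${ADMIN_HOST:-krb.dev.local}"

# Write krb5.conf, kadm5.acl and the logrotate stanza below $1 ("/" for the live system).
write_configs() {
    root="$1"
    mkdir -p "$root/etc/krb5kdc" "$root/etc/logrotate.d" "$root/var/log/krb5"
    cat >"$root/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $ADMIN_HOST
    }
[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
[logging]
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmin.log
EOF
    # Only */admin instances and the plain "admin" principal get full kadmin rights.
    cat >"$root/etc/krb5kdc/kadm5.acl" <<EOF
*/admin@$REALM *
admin@$REALM *
EOF
    # The daemons keep their FILE: logs open, so copytruncate instead of a rename.
    cat >"$root/etc/logrotate.d/krb5" <<'EOF'
/var/log/krb5/kadmin.log /var/log/krb5/kdc.log {
    rotate 7
    copytruncate
}
EOF
}

# Read "netstat -tunlp" output on stdin; require krb5kdc on 88/udp and kadmind on
# 749/tcp (kadmin) and 464 tcp+udp (kpasswd). Prints what is missing, returns 1 if any.
check_listeners() {
    awk '$4 ~ /:/ {
            proto = substr($1, 1, 3)              # tcp6/udp6 -> tcp/udp
            n = split($4, a, ":"); port = a[n]    # last field copes with "::"
            prog = $NF; sub("^[0-9]+/", "", prog) # "861/krb5kdc" -> "krb5kdc"
            seen[proto "/" port "/" prog] = 1
        }
        END {
            split("udp/88/krb5kdc tcp/749/kadmind tcp/464/kadmind udp/464/kadmind", want, " ")
            rc = 0
            for (i in want) if (!(want[i] in seen)) { print "missing: " want[i]; rc = 1 }
            exit rc
        }'
}

# Constructed sample of a healthy "netstat -tunlp" (addresses and PIDs are made up).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      840/kadmind
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      840/kadmind
tcp6       0      0 :::464                  :::*                    LISTEN      840/kadmind
udp        0      0 0.0.0.0:464             0.0.0.0:*                           840/kadmind
udp        0      0 10.0.0.10:88            0.0.0.0:*                           861/krb5kdc
udp        0      0 127.0.0.1:88            0.0.0.0:*                           861/krb5kdc
EOF
}

# Privileged part: run as root on the target host with "apply" as argument.
# krb5_newrealm and addprinc prompt for passwords; the DB path is Debian's default.
provision() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get -y install rsyslog krb5-admin-server krb5-user krb5-doc
    write_configs /                               # krb5_newrealm needs default_realm
    [ -f /var/lib/krb5kdc/principal ] || krb5_newrealm
    invoke-rc.d krb5-admin-server restart
    invoke-rc.d krb5-kdc restart
    kadmin.local -q "addprinc admin"
    kadmin.local -q "addprinc -randkey host/$KDC_HOST"
    kadmin.local -q "ktadd host/$KDC_HOST"        # writes /etc/krb5.keytab
    netstat -tunlp | check_listeners
}

if [ "${1:-}" = "apply" ]; then provision; fi
```

Run `sh kdc-setup.sh apply` as root on the KDC to provision it; run `write_configs /tmp/scratch` from an interactive shell to inspect the generated files first. krb5.conf is written before krb5_newrealm on purpose, since the realm tool takes the realm name from default_realm. After provisioning, `kadmin -p admin -q listprincs` (the network kadmin client, as opposed to kadmin.local) confirms that the admin_server alias krb.dev.local and the ACL entry for admin both work.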
Read more here.
