Kerberos is a network authentication protocol designed to act as a secure, single sign-on authentication provider.
- Install Kerberos Server.
apt-get -y install rsyslog krb5-{admin-server,user,doc}
- Create the realm (this may take a while, up to a few minutes).
krb5_newrealm
- Enable Kerberos administration by granting admin access in the ACL file (file /etc/krb5kdc/kadm5.acl). The line */admin * grants all privileges to every principal whose instance is admin, and admin * grants them to the principal admin itself.
# ...
*/admin *
admin *
- Set up log rotation (new file /etc/logrotate.d/krb5):
/var/log/krb5/kadmin.log /var/log/krb5/kdc.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
}
Create the log directory:
mkdir /var/log/krb5
- Realm configuration (file /etc/krb5.conf). In our case the Kerberos server is named kdc1 and has a DNS alias krb, which is used for administration.
[libdefaults]
default_realm = DEV.LOCAL
[realms]
DEV.LOCAL = {
kdc = kdc1.dev.local
# kdc = kdc2.dev.local
admin_server = krb.dev.local
}
[domain_realm]
.dev.local = DEV.LOCAL
dev.local = DEV.LOCAL
[logging]
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
- Restart the Kerberos services.
invoke-rc.d krb5-admin-server restart ; \
invoke-rc.d krb5-kdc restart
- Open another console and watch the log files.
cd /var/log/krb5/ ; \
tail -f kadmin.log kdc.log
- Ensure the services are running.
root@kdc1:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 840/kadmind
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 840/kadmind
tcp6 0 0 :::464 :::* LISTEN 840/kadmind
udp 0 0 0.0.0.0:464 0.0.0.0:* 840/kadmind
udp 0 0 0.0.0.0:88 0.0.0.0:* 861/krb5kdc
udp 0 0 0.0.0.0:750 0.0.0.0:* 861/krb5kdc
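As an added example that is not part of the original post, the POSIX shell script below checks the two artefacts above offline: it reads the default realm's kdc and admin_server entries out of a krb5.conf-style text (skipping commented-out lines such as the second kdc) and confirms that the KDC and kadmind ports appear in a netstat -tunlp listing. The configuration and the listing embedded in it are constructed samples in the shape of the post's own; the function names (default_realm, realm_setting, listening_on, check_kdc) are the example's, and the parser assumes the "key = value" layout with spaces around "=" that the post uses. On a real host you would pipe in the live file and command output instead of the samples.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# KDC setup. Both inputs are constructed samples shaped like the post's
# /etc/krb5.conf and "netstat -tunlp" output.

KRB5_CONF='[libdefaults]
default_realm = DEV.LOCAL
[realms]
DEV.LOCAL = {
kdc = kdc1.dev.local
# kdc = kdc2.dev.local
admin_server = krb.dev.local
}
[domain_realm]
.dev.local = DEV.LOCAL
dev.local = DEV.LOCAL'

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 840/kadmind
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 840/kadmind
tcp6 0 0 :::464 :::* LISTEN 840/kadmind
udp 0 0 0.0.0.0:464 0.0.0.0:* 840/kadmind
udp 0 0 0.0.0.0:88 0.0.0.0:* 861/krb5kdc
udp 0 0 0.0.0.0:750 0.0.0.0:* 861/krb5kdc'

# Print default_realm from a krb5.conf given on stdin.
# Assumes the "key = value" layout used in the post (spaces around "=").
default_realm() {
  awk '$1 == "default_realm" && $2 == "=" { print $3; exit }'
}

# Print setting $2 (kdc, admin_server, ...) of realm $1 from the [realms]
# stanza of a krb5.conf given on stdin. Commented-out lines such as
# "# kdc = kdc2.dev.local" start with "#" and therefore never match.
realm_setting() {
  awk -v realm="$1" -v key="$2" '
    /^\[/ { section = $0; inside = 0 }
    section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
    inside && $1 == "}" { inside = 0 }
    inside && $1 == key && $2 == "=" { print $3; exit }
  '
}

# Succeed (exit 0) when the listener table on stdin has a socket with
# protocol $1 bound on local port $2, e.g. "listening_on udp 88".
listening_on() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto { n = split($4, addr, ":"); if (addr[n] == port) { found = 1; exit } }
    END { if (found) exit 0; exit 1 }
  '
}

# Run every check, print one line per check and return 1 if any failed.
check_kdc() {
  status=0
  realm=$(printf '%s\n' "$KRB5_CONF" | default_realm)
  [ -n "$realm" ] || { echo "FAIL no default_realm in krb5.conf"; return 1; }
  for key in kdc admin_server; do
    value=$(printf '%s\n' "$KRB5_CONF" | realm_setting "$realm" "$key")
    if [ -n "$value" ]; then
      echo "ok   $realm: $key = $value"
    else
      echo "FAIL $realm: $key is not set"; status=1
    fi
  done
  # krb5kdc issues tickets on 88/udp; kadmind administers on 749/tcp and
  # serves password changes on 464 (tcp and udp), as in the post's listing.
  for spec in "udp 88" "tcp 749" "tcp 464" "udp 464"; do
    proto=${spec%% *}; port=${spec##* }
    if printf '%s\n' "$NETSTAT_OUT" | listening_on "$proto" "$port"; then
      echo "ok   $proto/$port listening"
    else
      echo "FAIL $proto/$port not listening"; status=1
    fi
  done
  return $status
}

check_kdc
```

Run it as a plain sh script; a non-zero exit status means at least one entry or listener is missing, which is the case to look into before handing the KDC to clients.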
So far we have the services up and running; however, in order to administer them we need to create an administrative account:
- Add admin principal:
kadmin.local -q "addprinc admin"
- Add the host principal for kdc1 and store its key in the keytab:
kadmin.local -q "addprinc -randkey host/kdc1.dev.local"
kadmin.local -q "ktadd host/kdc1.dev.local"
Now let's test it:
root@kdc1:~# kinit admin && klist && kdestroy
Password for admin@DEV.LOCAL:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DEV.LOCAL
Valid starting Expires Service principal
12/21/10 18:05:14 12/22/10 04:05:14 krbtgt/DEV.LOCAL@DEV.LOCAL
renew until 12/22/10 18:05:11
Read more here.