====== Server installation of Kerberos ======

The server installation basically consists of just two packages:

**apt-get install krb5-{admin-server,kdc}**

Answer the configuration questions as follows:

Default Kerberos version 5 realm? **STUDENT.LAB** \\
Does DNS contain pointers to your realm's Kerberos Servers? **No** \\
Add locations of default Kerberos servers to /etc/krb5.conf? **Yes** \\
Create the Kerberos KDC configuration automatically? **Yes** \\
Should the data be purged as well as the package files? **No** \\
Run the Kerberos V5 administration daemon (kadmind)? **Yes** \\
Kerberos servers for your realm: **vm14.student.lab** \\
Administrative server for your Kerberos realm: **vm14.student.lab** \\
Create the Kerberos KDC configuration automatically? **Yes**

To create the Kerberos realm, invoke the Debian-specific command krb5_newrealm:

**krb5_newrealm**

Enter your master password for Kerberos: //PASSWORD//

====== Kerberos Configuration ======

Next we need to edit the Kerberos config file, /etc/krb5.conf. That file also needs to be the same on all Kerberos servers and clients belonging to the same realm.

/etc/krb5.conf is split into sections; search for the section ”[domain_realm]” and append your definition:

**.student.lab = STUDENT.LAB** \\
**student.lab = STUDENT.LAB**

At the bottom of the file add the logging section:

[logging] \\
**kdc = FILE:/var/log/kerberos/krb5kdc.log** \\
**admin_server = FILE:/var/log/kerberos/kadmin.log** \\
**default = FILE:/var/log/kerberos/krb5lib.log**

After editing /etc/krb5.conf, use scp to copy it to vm15 and vm16.

Next we need to edit the ”[libdefaults]” section in /etc/krb5.conf (usually at the top of the file) and append the following definition:

allow_weak_crypto = **false**

Now we need to apply the changes we made:

**invoke-rc.d krb5-admin-server restart** \\
**invoke-rc.d krb5-kdc restart**

Next we need to test the changes:

**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password. \\
kadmin.local: **listprincs** \\
K/M@STUDENT.LAB \\
kadmin/admin@STUDENT.LAB \\
kadmin/changepw@STUDENT.LAB \\
kadmin/history@STUDENT.LAB \\
kadmin/krb1.STUDENT.LAB@STUDENT.LAB \\
krbtgt/STUDENT.LAB@STUDENT.LAB \\
kadmin.local: **quit**

**vi /etc/krb5kdc/kadm5.acl**

Check to make sure it has the line below:

*/admin *

Next we need to restart the krb5-admin-server:

**invoke-rc.d krb5-admin-server restart**

Next we need to create four basic policies:

**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password. \\
kadmin.local: **add_policy -minlength 8 -minclasses 3 admin** \\
kadmin.local: **add_policy -minlength 8 -minclasses 4 host** \\
kadmin.local: **add_policy -minlength 8 -minclasses 4 service** \\
kadmin.local: **add_policy -minlength 8 -minclasses 2 user** \\
kadmin.local: **quit**

====== Principal creation ======

Next we need to create the principal for root:

**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password. \\
kadmin.local: **addprinc -policy admin root/admin** \\
Enter password for principal “root/admin@STUDENT.LAB”: //PASSWORD// \\
Re-enter password for principal “root/admin@STUDENT.LAB”: //PASSWORD// \\
Principal “root/admin@STUDENT.LAB” created. \\
kadmin.local: **quit**

Creating the first unprivileged principal: next we need to add an unprivileged account.

**kadmin -p root/admin** \\
Authenticating as principal root/admin@STUDENT.LAB with password. \\
Password for root/admin@STUDENT.LAB: //PASSWORD// \\
kadmin: **addprinc -policy user mirko** \\
Enter password for principal “mirko@STUDENT.LAB”: //PASSWORD// \\
Re-enter password for principal “mirko@STUDENT.LAB”: //PASSWORD// \\
Principal “mirko@STUDENT.LAB” created. \\
kadmin: **quit**

Let's check our tickets:

**klist -5f** \\
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

**kinit** \\
Password for mirko@STUDENT.LAB: //PASSWORD//

**klist -5f** \\
Ticket cache: FILE:/tmp/krb5cc_1000 \\
Default principal: mirko@STUDENT.LAB \\
\\
Valid starting       Expires              Service principal \\
04/12/2010 08:30:33  04/13/2010 08:30:33  krbtgt/STUDENT.LAB@STUDENT.LAB \\
renew until 04/13/2010 22:30:34, Flags: FPRIA

**kdestroy**

This throws away the ticket.

====== Installing krb5-rsh-server ======

Next we need to install the krb5-rsh-server:

**apt-get install openbsd-inetd** \\
**apt-get install krb5-rsh-server**

**update-rc.d -f openbsd-inetd remove** \\
**update-rc.d openbsd-inetd defaults**

**update-inetd --enable kshell** \\
**update-inetd --enable eklogin** \\
**invoke-rc.d openbsd-inetd restart**

We need to export the host keys to a keytab file:

**kadmin -p root/admin** \\
Authenticating as principal root/admin@STUDENT.LAB with password. \\
Password for root/admin@STUDENT.LAB: //PASSWORD// \\
kadmin: **addprinc -policy service -randkey host/vm15.STUDENT.LAB** \\
Principal “host/vm15.STUDENT.LAB@STUDENT.LAB” created. \\
kadmin: **addprinc -policy service -randkey host/vm16.STUDENT.LAB** \\
Principal “host/vm16.STUDENT.LAB@STUDENT.LAB” created. \\
kadmin: **ktadd -k /etc/krb5.keytab -norandkey host/vm15.STUDENT.LAB** \\
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm15.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. \\
kadmin: **ktadd -k /etc/krb5.keytab -norandkey host/vm16.STUDENT.LAB** \\
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm16.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. \\
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. \\
kadmin: **quit**

====== Installing krb5-clients ======

Let's install kerberized versions of the basic client programs:

**apt-get install krb5-clients**

Obtain a Kerberos ticket:

**kinit** \\
Password for USERNAME@STUDENT.LAB: //PASSWORD//

Connect:

**krb5-rsh -x -PN VM14.STUDENT.LAB** \\
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. \\
You have new mail.

====== PAM files Configuration ======

**cd /etc** \\
**cp -a pam.d pam.d,orig**

If the changes below ever need to be undone, the backup can be restored with:

**cp -a pam.d,orig/* pam.d/**

We need to make sure that only the following lines are active in each of the indicated files.

**vi /etc/pam.d/common-account** \\
account sufficient pam_unix.so \\
account sufficient pam_krb5.so \\
account required pam_deny.so

**vi /etc/pam.d/common-auth** \\
auth sufficient pam_unix.so nullok_secure \\
auth sufficient pam_krb5.so use_first_pass \\
auth required pam_deny.so

**vi /etc/pam.d/common-password** \\
password sufficient pam_unix.so nullok obscure md5 \\
password sufficient pam_krb5.so use_first_pass \\
password required pam_deny.so

**vi /etc/pam.d/common-session** \\
session required pam_limits.so \\
session optional pam_krb5.so \\
session optional pam_unix.so

Restart vm14.student.lab and check that everything is working.

====== Configuration of client systems ======

Log on to vm15 and vm16 and enter:

**apt-get install libpam-krb5** \\
**apt-get install krb5-user**

Once this is done, log back in to vm14.student.lab and do:

**scp /etc/pam.d/common* root@vm16.student.lab:/etc/pam.d/** \\
**scp /etc/pam.d/common* root@vm15.student.lab:/etc/pam.d/**

====== Reference ======

http://techpubs.spinlocksolutions.com/dklar/kerberos.html
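As an added closing example (written for this page, not part of the original guide or the referenced tutorial), the script below audits the three pieces of configuration built above: that /etc/krb5.conf carries allow_weak_crypto = false and the two [domain_realm] mappings, that a PAM file contains only the active lines listed in the PAM section, and that the host keytab holds no non-AES keys. The last check matters because the ktadd output above shows DES, ArcFour and Triple DES keys being written alongside AES: allow_weak_crypto = false stops the Kerberos library from using DES keys, but which keys the KDC generates is decided by supported_enctypes in kdc.conf, not by that setting. The realm and domain names are the page's; the sample krb5.conf, the common-auth file with a stray pam_ldap.so line, and the ktadd lines are constructed inputs, and the file paths in the final call stand in for the live files on vm14.

```shell
#!/bin/sh
# Added post-install audit for the Kerberos/PAM setup described in the guide.
# Example code for this page, not part of the original guide. All inputs
# below are constructed samples; on a real host point the functions at
# /etc/krb5.conf, /etc/pam.d/common-* and the output of "klist -ke".

# Print the value of KEY ($3) inside [SECTION] ($2) of a krb5.conf-style
# file ($1); prints nothing when the key is absent.
krb5_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Succeed only when weak crypto is disabled in [libdefaults] and both the
# bare domain and its subdomains map to the STUDENT.LAB realm.
krb5_conf_ok() {
    [ "$(krb5_get "$1" libdefaults allow_weak_crypto)" = false ] &&
    [ "$(krb5_get "$1" domain_realm .student.lab)" = STUDENT.LAB ] &&
    [ "$(krb5_get "$1" domain_realm student.lab)" = STUDENT.LAB ]
}

# Active (non-comment, non-blank) lines of a PAM file, whitespace normalised
# so that "auth    sufficient   pam_unix.so" and "auth sufficient pam_unix.so"
# compare equal.
pam_active_lines() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$'
}

# Active lines of PAM file $1 that are not in the newline-separated list $2.
pam_unexpected_lines() {
    exp=$(mktemp)
    printf '%s\n' "$2" > "$exp"
    pam_active_lines "$1" | grep -v -x -F -f "$exp"
    rm -f "$exp"
}

# Print "principal enctype" for every ktadd-style entry line on stdin whose
# encryption type is not AES (DES, ArcFour/RC4 and Triple DES all qualify).
non_aes_entries() {
    awk '/^Entry for principal / {
        princ = $4
        sub(/^.*encryption type /, ""); sub(/ added to keytab.*$/, "")
        if ($0 !~ /AES/) print princ " " $0
    }'
}

# --- constructed sample inputs -------------------------------------------
AUDIT_TMP=$(mktemp -d)
cat > "$AUDIT_TMP/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = STUDENT.LAB
        allow_weak_crypto = false
[domain_realm]
        .student.lab = STUDENT.LAB
        student.lab = STUDENT.LAB
[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
EOF
cat > "$AUDIT_TMP/common-auth" <<'EOF'
# constructed /etc/pam.d/common-auth with one stray module line
auth    sufficient   pam_unix.so nullok_secure
auth    sufficient   pam_ldap.so
auth    sufficient   pam_krb5.so use_first_pass
auth    required     pam_deny.so
EOF
# The lines the guide says must be the only active ones in common-auth.
EXPECTED_AUTH=$(printf '%s\n' \
    'auth sufficient pam_unix.so nullok_secure' \
    'auth sufficient pam_krb5.so use_first_pass' \
    'auth required pam_deny.so')
# Constructed ktadd output in the same shape as the guide's transcript.
SAMPLE_KTADD='Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.'

# Run all three checks: $1 krb5.conf path, $2 PAM file path, $3 ktadd text.
audit() {
    krb5_conf_ok "$1" && echo "krb5.conf: ok" || echo "krb5.conf: FAIL"
    pam_unexpected_lines "$2" "$EXPECTED_AUTH" | sed 's/^/unexpected PAM line: /'
    printf '%s\n' "$3" | non_aes_entries | sed 's/^/non-AES keytab key: /'
}
audit "$AUDIT_TMP/krb5.conf" "$AUDIT_TMP/common-auth" "$SAMPLE_KTADD"
```

Running it on the samples reports the krb5.conf as ok, flags the pam_ldap.so line as unexpected, and lists the ArcFour and DES keys; the same functions can be fed the real files and the real "klist -ke" output on vm14 after the steps above.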