Server installation of Kerberos

The server installation basically consists of just two packages:

apt-get install krb5-{admin-server,kdc}

Default Kerberos version 5 realm? STUDENT.LAB

Does DNS contain pointers to your realm's Kerberos Servers? No

Add locations of default Kerberos servers to /etc/krb5.conf? Yes

Create the Kerberos KDC configuration automatically? Yes

Should the data be purged as well as the package files? No

Run the Kerberos V5 administration daemon (kadmind)? Yes

Kerberos servers for your realm: vm14.student.lab

Administrative server for your Kerberos realm: vm14.student.lab

Create the Kerberos KDC configuration automatically? Yes

To create the Kerberos realm, invoke the Debian-specific command krb5_newrealm:

krb5_newrealm

Enter your master password for kerberos. PASSWORD

Kerberos Configuration

Next we need to edit the Kerberos config file, /etc/krb5.conf. That file also needs to be the same on all Kerberos servers and clients belonging to the same realm. /etc/krb5.conf is split into sections; search for the "[domain_realm]" section and append your definition:

.student.lab = STUDENT.LAB
student.lab = STUDENT.LAB

At the bottom of the file add the logging section:

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

After editing /etc/krb5.conf, use scp to copy it to vm15 and vm16.

Next we need to edit the "[libdefaults]" section in /etc/krb5.conf (usually at the top of the file) and append the following definition:
allow_weak_crypto = false
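Because the same /etc/krb5.conf has to be identical on the KDC and on every client, it is worth having a check that confirms the three settings above (the two domain_realm mappings, file-based logging, and allow_weak_crypto = false) survived the edit and the scp. The script below is an added example, not part of the original page; it parses a constructed sample file with the write-up's values, so it runs offline, and the same check_krb5_conf function can be pointed at a real /etc/krb5.conf.

```shell
#!/bin/sh
# Added example, not part of the original page: check a krb5.conf for the
# three settings this write-up adds (domain_realm mappings, file logging,
# allow_weak_crypto = false). It runs against a constructed sample file so
# it works offline; on a real host point check_krb5_conf at /etc/krb5.conf.

# Print the non-comment body of one [section] of an INI-style krb5.conf.
krb5_section() {
    # $1 = file, $2 = section name without brackets
    awk -v want="[$2]" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        insec && NF && $1 !~ /^#/ { print }
    ' "$1"
}

# Print the value of key $3 in section $2 of file $1 (empty if absent).
krb5_get() {
    krb5_section "$1" "$2" | awk -F= -v k="$3" '
        { gsub(/[ \t]/, "", $1); sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2) }
        $1 == k { print $2; exit }
    '
}

# Return 0 when file $1 maps both ".$3" and "$3" to realm $2, sends all three
# logging streams to a FILE:, and disables weak crypto; otherwise print what
# is missing and return 1.
check_krb5_conf() {
    file=$1; realm=$2; domain=$3; rc=0
    for name in ".$domain" "$domain"; do
        [ "$(krb5_get "$file" domain_realm "$name")" = "$realm" ] \
            || { echo "domain_realm: expected '$name = $realm'"; rc=1; }
    done
    for key in kdc admin_server default; do
        case "$(krb5_get "$file" logging "$key")" in
            FILE:*) ;;
            *) echo "logging: $key does not log to a FILE:"; rc=1 ;;
        esac
    done
    [ "$(krb5_get "$file" libdefaults allow_weak_crypto)" = "false" ] \
        || { echo "libdefaults: allow_weak_crypto must be false"; rc=1; }
    return $rc
}

# Constructed sample mirroring the settings in this write-up.
make_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = STUDENT.LAB
    allow_weak_crypto = false

[realms]
    STUDENT.LAB = {
        kdc = vm14.student.lab
        admin_server = vm14.student.lab
    }

[domain_realm]
    .student.lab = STUDENT.LAB
    student.lab = STUDENT.LAB

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
EOF
}

main() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp/krb5.conf"
    check_krb5_conf "$tmp/krb5.conf" STUDENT.LAB student.lab && echo "krb5.conf: OK"
    # The same file with weak crypto re-enabled must be rejected.
    sed 's/allow_weak_crypto = false/allow_weak_crypto = true/' "$tmp/krb5.conf" > "$tmp/weak.conf"
    check_krb5_conf "$tmp/weak.conf" STUDENT.LAB student.lab || echo "weak.conf: rejected"
    rm -r "$tmp"
}
main
```

Run it on each machine after the scp step; a non-zero exit from check_krb5_conf on vm15 or vm16 means the copy did not land or was edited afterwards.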
Now we need to apply the changes we made.

invoke-rc.d krb5-admin-server restart
invoke-rc.d krb5-kdc restart
Next we need to test the changes.

kadmin.local
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: listprincs

K/M@STUDENT.LAB
kadmin/admin@STUDENT.LAB 
kadmin/changepw@STUDENT.LAB 
kadmin/history@STUDENT.LAB 
kadmin/krb1.STUDENT.LAB@STUDENT.LAB
krbtgt/STUDENT.LAB@STUDENT.LAB

kadmin.local: quit

vi /etc/krb5kdc/kadm5.acl

Check to make sure it has the line below:
*/admin *

Next we need to restart the krb5-admin-server:
invoke-rc.d krb5-admin-server restart

Next we need to create four basic policies:

kadmin.local
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: add_policy -minlength 8 -minclasses 3 admin
kadmin.local: add_policy -minlength 8 -minclasses 4 host
kadmin.local: add_policy -minlength 8 -minclasses 4 service
kadmin.local: add_policy -minlength 8 -minclasses 2 user

kadmin.local: quit
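The -minclasses setting counts how many of kadmin's character classes (lower case, upper case, digits, punctuation, and everything else such as whitespace) a password draws from, so a 12-character all-lowercase password fails the "user" policy while a shorter mixed one passes. The script below is an added example, not from the page, that reproduces those rules for the four policies created above so a candidate password can be checked before addprinc; the sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the length and
# character-class rules of the four kadmin policies above to a candidate
# password before it is handed to addprinc. The class definitions follow MIT
# kadmin's minclasses: lower case, upper case, digits, punctuation, and
# everything else (whitespace or unprintable). Sample passwords are constructed.

# Count how many of the five kadmin character classes string $1 uses.
count_classes() {
    pw=$1; n=0
    for class in lower upper digit punct; do
        printf '%s' "$pw" | grep -q "[[:$class:]]" && n=$((n + 1))
    done
    # Anything left after stripping the four named classes is the fifth class.
    [ -z "$(printf '%s' "$pw" | tr -d '[:lower:][:upper:][:digit:][:punct:]')" ] || n=$((n + 1))
    echo "$n"
}

# Return 0 if password $1 has at least $2 characters and $3 classes.
meets_policy() {
    [ ${#1} -ge "$2" ] && [ "$(count_classes "$1")" -ge "$3" ]
}

# The four policies created above, as "minlength minclasses".
policy_params() {
    case $1 in
        admin)   echo "8 3" ;;
        host)    echo "8 4" ;;
        service) echo "8 4" ;;
        user)    echo "8 2" ;;
        *)       echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# Check password $2 against policy $1; print a verdict and return 0/1.
check_password() {
    params=$(policy_params "$1") || return 2
    minlen=${params% *}; mincls=${params#* }
    if meets_policy "$2" "$minlen" "$mincls"; then
        echo "policy $1: OK (${#2} chars, $(count_classes "$2") classes)"
    else
        echo "policy $1: REJECT (needs >= $minlen chars and >= $mincls classes)"
        return 1
    fi
}

main() {
    # Constructed "policy:password" samples.
    for sample in user:correcthorse user:Correcthorse admin:Tr0ub4dor host:Tr0ub4dor 'service:Tr0ub4dor&3'; do
        check_password "${sample%%:*}" "${sample#*:}" || :
    done
}
main
```

Note that the host and service policies are only ever used with -randkey principals (see the keytab section), so the 4-class rule never applies to a human-chosen password; it is the user policy's 2-class minimum that people actually hit.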

Principal creation

Next we need to create the principal for root:

kadmin.local
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: addprinc -policy admin root/admin

Enter password for principal "root/admin@STUDENT.LAB": PASSWORD
Re-enter password for principal "root/admin@STUDENT.LAB": PASSWORD
Principal "root/admin@STUDENT.LAB" created.

kadmin.local: quit

Creating first unprivileged principal

Next we need to add an unprivileged account.
kadmin -p root/admin
Authenticating as principal root/admin@STUDENT.LAB with password.

Password for root/admin@STUDENT.LAB: PASSWORD

kadmin: addprinc -policy user mirko

Enter password for principal “mirko@STUDENT.LAB”: PASSWORD
Re-enter password for principal “mirko@STUDENT.LAB”: PASSWORD
Principal “mirko@STUDENT.LAB” created.

kadmin: quit

Let's check our tickets:

klist -5f

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

kinit

Password for mirko@STUDENT.LAB: PASSWORD

klist -5f

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mirko@STUDENT.LAB

Valid starting       Expires              Service principal
04/12/2010 08:30:33  04/13/2010 08:30:33  krbtgt/STUDENT.LAB@STUDENT.LAB
    renew until 04/13/2010 22:30:34, Flags: FPRIA

kdestroy

This throws away the ticket.

Installing krb5-rsh-server

Next we need to install the krb5-rsh-server.

apt-get install openbsd-inetd
apt-get install krb5-rsh-server

update-rc.d -f openbsd-inetd remove
update-rc.d openbsd-inetd defaults

update-inetd --enable kshell
update-inetd --enable eklogin

invoke-rc.d openbsd-inetd restart

We need to export the key to a keytab file:
kadmin -p root/admin
Authenticating as principal root/admin@STUDENT.LAB with password.

Password for root/admin@STUDENT.LAB: PASSWORD

kadmin: addprinc -policy service -randkey host/vm15.STUDENT.LAB
Principal "host/vm15.STUDENT.LAB@STUDENT.LAB" created.

kadmin: addprinc -policy service -randkey host/vm16.STUDENT.LAB
Principal "host/vm16.STUDENT.LAB@STUDENT.LAB" created.

kadmin: ktadd -k /etc/krb5.keytab -norandkey host/vm15.STUDENT.LAB

Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm15.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

kadmin: ktadd -k /etc/krb5.keytab -norandkey host/vm16.STUDENT.LAB

Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm16.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

kadmin: quit
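The ktadd output above shows the KDC generating four keys per host principal, including a single-DES key even though allow_weak_crypto = false was set earlier. That setting only tells the library which enctypes it may use; the KDC's list of enctypes to generate is separate, so the DES entry is dead weight in the keytab and the ArcFour and triple-DES entries are ones current MIT Kerberos deprecates. The script below is an added example, not from the page, that scans ktadd or "klist -k -e" output for such entries and lists any principal left with no strong key at all; the sample lines are constructed to match the ktadd format above, plus one constructed legacy host that received only weak keys.

```shell
#!/bin/sh
# Added example, not part of the original page: scan ktadd (or "klist -k -e")
# output for keys in enctypes a hardened client will not use. Single DES is
# the class that allow_weak_crypto = false disables; ArcFour (RC4) and
# triple DES are flagged as well because current MIT Kerberos deprecates them.
# The sample entries below are constructed to match the ktadd output format.

# Case-insensitive ERE covering the long names ktadd prints and the short
# names "klist -k -e" prints.
WEAK_RE='des cbc|arcfour|des-cbc|des3-cbc|rc4-hmac'

# Number of keytab entries in file $1 that use a weak or deprecated enctype.
weak_key_count() { grep -E -i -c "$WEAK_RE" "$1"; }

# One line per principal: "<principal> strong=<n> weak=<n>", sorted.
summarize_keytab() {
    awk -v weak="$WEAK_RE" '
        /^Entry for principal/ {
            # "Entry for principal <p> with kvno <n>, encryption type <t> added to keytab ..."
            p = $4
            t = $0; sub(/.*encryption type /, "", t); sub(/ added to keytab.*/, "", t)
            if (tolower(t) ~ weak) w[p]++; else s[p]++
            seen[p] = 1
        }
        END { for (p in seen) printf "%s strong=%d weak=%d\n", p, s[p] + 0, w[p] + 0 }
    ' "$1" | sort
}

# Principals whose every key is weak: they cannot authenticate at all once
# weak crypto is refused.
unusable_principals() { summarize_keytab "$1" | awk '$2 == "strong=0" { print $1 }'; }

# Constructed sample in the format ktadd printed above, plus one legacy host
# that received only weak keys.
make_sample_ktadd() {
    cat > "$1" <<'EOF'
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/legacy.STUDENT.LAB@STUDENT.LAB with kvno 1, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/legacy.STUDENT.LAB@STUDENT.LAB with kvno 1, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
EOF
}

main() {
    tmp=$(mktemp -d)
    make_sample_ktadd "$tmp/ktadd.txt"
    echo "weak or deprecated keys: $(weak_key_count "$tmp/ktadd.txt")"
    summarize_keytab "$tmp/ktadd.txt"
    for p in $(unusable_principals "$tmp/ktadd.txt"); do echo "UNUSABLE: $p"; done
    rm -r "$tmp"
}
main
```

On a real KDC, feed it the output of klist -k -e /etc/krb5.keytab after ktadd; a principal that shows strong=0 will stop working the moment clients stop accepting weak enctypes, which is exactly what allow_weak_crypto = false does for single DES.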

Installing krb5-clients

Let's install kerberized versions of the basic client programs:

apt-get install krb5-clients

Obtain Kerberos ticket:

kinit

Password for USERNAME@STUDENT.LAB: PASSWORD

Connect:

krb5-rsh -x -PN VM14.STUDENT.LAB

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have new mail.

Pam files Configuration

cd /etc
cp -a pam.d pam.d,orig

Keep the command below as a safety net; it restores the backup:

cp -a pam.d,orig/* pam.d/

We need to make sure that only the following lines are active in each of the indicated files.

vi /etc/pam.d/common-account
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required pam_deny.so

vi /etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

vi /etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure md5
password sufficient pam_krb5.so use_first_pass
password required pam_deny.so

vi /etc/pam.d/common-session
session required pam_limits.so
session optional pam_krb5.so
session optional pam_unix.so
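The three stacks that decide access (account, auth, password) follow the same shape: pam_unix and pam_krb5 are each "sufficient", and the trailing "required pam_deny.so" is what makes the stack fail closed when neither module accepts the user. If that last line is dropped or commented out, a login rejected by both modules still passes. The script below is an added example, not from the page; it builds the four files from the listing above in a temporary directory, checks that each access-deciding file ends in pam_deny.so and that pam_krb5.so is consulted everywhere, and shows the check catching a common-auth with the deny line removed. On a real host point check_pam_dir at /etc/pam.d.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that the PAM stacks
# listed above fail closed. common-account, common-auth and common-password
# each try pam_unix and pam_krb5 as "sufficient" and then hit "required
# pam_deny.so"; if that final line is lost, a user that both modules reject
# still passes the stack. Files are constructed here from the listing above;
# on a real host point check_pam_dir at /etc/pam.d.

# Print the active (non-comment, non-blank) lines of PAM file $1.
pam_active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Return 0 if the last active line of $1 is "<type> required pam_deny.so".
fails_closed() {
    set -- $(pam_active_lines "$1" | tail -n 1)
    [ "$2" = required ] && [ "$3" = pam_deny.so ]
}

# Return 0 if pam_krb5.so is consulted anywhere in $1.
uses_krb5() { pam_active_lines "$1" | awk '$3 == "pam_krb5.so" { f = 1 } END { exit !f }'; }

# Check the common-* files in directory $1; report problems, return 1 on any.
check_pam_dir() {
    rc=0
    for f in common-account common-auth common-password; do
        fails_closed "$1/$f" || { echo "$f: last line is not 'required pam_deny.so'"; rc=1; }
    done
    for f in common-account common-auth common-password common-session; do
        uses_krb5 "$1/$f" || { echo "$f: pam_krb5.so is not consulted"; rc=1; }
    done
    return $rc
}

# Write the four files exactly as listed above into directory $1 (constructed copies).
make_sample_pam() {
    mkdir -p "$1"
    printf '%s\n' 'account sufficient pam_unix.so' \
                  'account sufficient pam_krb5.so' \
                  'account required pam_deny.so' > "$1/common-account"
    printf '%s\n' 'auth sufficient pam_unix.so nullok_secure' \
                  'auth sufficient pam_krb5.so use_first_pass' \
                  'auth required pam_deny.so' > "$1/common-auth"
    printf '%s\n' 'password sufficient pam_unix.so nullok obscure md5' \
                  'password sufficient pam_krb5.so use_first_pass' \
                  'password required pam_deny.so' > "$1/common-password"
    printf '%s\n' 'session required pam_limits.so' \
                  'session optional pam_krb5.so' \
                  'session optional pam_unix.so' > "$1/common-session"
}

main() {
    tmp=$(mktemp -d)
    make_sample_pam "$tmp/pam.d"
    check_pam_dir "$tmp/pam.d" && echo "pam.d: OK"
    # Drop the deny line from common-auth: the check must catch it.
    grep -v pam_deny.so "$tmp/pam.d/common-auth" > "$tmp/broken-auth" && mv "$tmp/broken-auth" "$tmp/pam.d/common-auth"
    check_pam_dir "$tmp/pam.d" || echo "pam.d: rejected after removing pam_deny.so"
    rm -r "$tmp"
}
main
```

common-session is deliberately exempt from the deny check: its modules are "optional" and "required pam_limits.so", and a session stack is not where access is granted, so only the pam_krb5.so presence is verified there.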

If everything is working, restart vm14.student.lab.

Configuration of client systems

Log on to vm15 and vm16 and enter:

apt-get install libpam-krb5

apt-get install krb5-user

Once this is done, log back in to vm14.student.lab and run:

scp /etc/pam.d/common* root@vm16.student.lab:/etc/pam.d/
scp /etc/pam.d/common* root@vm15.student.lab:/etc/pam.d/

Reference

user/jbrant/csit1320/kerberos_install.txt · Last modified: 2010/05/15 07:28 by jbrant