user:jbrant:csit1320:kerberos_install [2010/05/13 19:14] – created jbrant \\
user:jbrant:csit1320:kerberos_install [2010/05/15 11:28] (current) jbrant
====== Server installation of Kerberos ======

The server installation basically consists of just two packages:

**apt-get install krb5-{admin-server,kdc}**

Answer the debconf questions as follows:

Default Kerberos version 5 realm? **STUDENT.LAB**

Does DNS contain pointers to your realm's Kerberos Servers? **No**

Add locations of default Kerberos servers to /etc/krb5.conf? **Yes**

Create the Kerberos KDC configuration automatically? **Yes**

Should the data be purged as well as the package files? **No**

Run the Kerberos V5 administration daemon (kadmind)? **Yes**

Kerberos servers for your realm: **vm14.student.lab**

Administrative server for your Kerberos realm: **vm14.student.lab**

Create the Kerberos KDC configuration automatically? **Yes**

To create the Kerberos realm, invoke the Debian-specific command krb5_newrealm:

**krb5_newrealm**

Enter your master password for Kerberos. //PASSWORD//
 +
====== Kerberos Configuration ======

Next we need to edit the Kerberos config file, /etc/krb5.conf. That file also needs to be the same on all Kerberos servers and clients belonging to the same realm.
/etc/krb5.conf is split into sections; search for the section "[domain_realm]" and append your definition:

<code>
.student.lab = STUDENT.LAB
student.lab = STUDENT.LAB
</code>

At the bottom of the file add the logging section:

<code>
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
</code>

After editing /etc/krb5.conf use scp to copy it to vm15 and vm16.

Next we need to edit the "[libdefaults]" section in /etc/krb5.conf (usually at the top of the file) and append the following definition:

<code>
allow_weak_crypto = false
</code>
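As an added check (not part of the original page or the guide it follows), a small POSIX shell audit that reads a krb5.conf and confirms the [domain_realm], [logging] and allow_weak_crypto settings above are all present. It assumes the flat section layout shown here; the sample file it writes is constructed for the STUDENT.LAB realm, and the function names are my own.

```shell
# Added audit helper (not from the original wiki page); all file contents are constructed.
# Print "section key value" for each flat key=value line of a krb5.conf-style file;
# lines inside the { ... } blocks under [realms] are skipped (depth > 0).
krb5_flatten() {
    awk '
        /^[ \t]*[#;]/ { next }                                  # comment lines
        /^[ \t]*\[.*\][ \t]*$/ { gsub(/\[|\]|[ \t]/, ""); sec = $0; next }
        /\{/ { depth++ }
        /\}/ { depth--; next }
        depth == 0 && /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            print sec, kv[1], kv[2]
        }' "$1"
}
# Return 0 if every setting this walkthrough adds is present, 1 otherwise (each gap is printed).
audit_krb5conf() {
    flat=$(krb5_flatten "$1"); rc=0
    for want in \
        "libdefaults allow_weak_crypto false" \
        "domain_realm .student.lab STUDENT.LAB" \
        "domain_realm student.lab STUDENT.LAB" \
        "logging kdc FILE:/var/log/kerberos/krb5kdc.log" \
        "logging admin_server FILE:/var/log/kerberos/kadmin.log" \
        "logging default FILE:/var/log/kerberos/krb5lib.log"
    do
        printf '%s\n' "$flat" | grep -qxF -- "$want" || { echo "MISSING: $want"; rc=1; }
    done
    return $rc
}
# Write a constructed /etc/krb5.conf for STUDENT.LAB; $2 is the allow_weak_crypto value.
write_sample_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = STUDENT.LAB
    allow_weak_crypto = $2
[realms]
    STUDENT.LAB = {
        kdc = vm14.student.lab
    }
[domain_realm]
    .student.lab = STUDENT.LAB
    student.lab = STUDENT.LAB
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
EOF
}
```

Run it as `audit_krb5conf /etc/krb5.conf` on each host after the scp step; a non-zero exit means one of the copies drifted from the others.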
Now we need to apply the changes we made:

**invoke-rc.d krb5-admin-server restart** \\
**invoke-rc.d krb5-kdc restart**

Next we need to test the changes:

**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: **listprincs**
<code>
K/M@STUDENT.LAB
kadmin/admin@STUDENT.LAB
kadmin/changepw@STUDENT.LAB
kadmin/history@STUDENT.LAB
kadmin/krb1.STUDENT.LAB@STUDENT.LAB
krbtgt/STUDENT.LAB@STUDENT.LAB
</code>

kadmin.local: **quit**

**vi /etc/krb5kdc/kadm5.acl**

Check to make sure it has the line below (any principal with the admin instance gets all privileges):
<code>
*/admin *
</code>

Next we need to restart the krb5-admin-server: \\
**invoke-rc.d krb5-admin-server restart**

Next we need to create four basic policies (admin, host, service and user): \\
**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: **add_policy -minlength 8 -minclasses 3 admin** \\
kadmin.local: **add_policy -minlength 8 -minclasses 4 host** \\
kadmin.local: **add_policy -minlength 8 -minclasses 4 service** \\
kadmin.local: **add_policy -minlength 8 -minclasses 2 user** \\

kadmin.local: **quit**
 +
====== Principal creation ======

Next we need to create the principal for the root admin: \\
**kadmin.local** \\
Authenticating as principal root/admin@STUDENT.LAB with password.

kadmin.local: **addprinc -policy admin root/admin**

Enter password for principal "root/admin@STUDENT.LAB": //PASSWORD// \\
Re-enter password for principal "root/admin@STUDENT.LAB": //PASSWORD// \\
Principal "root/admin@STUDENT.LAB" created.

kadmin.local: **quit**

===== Creating the first unprivileged principal =====

Next we need to add an unprivileged account. \\
**kadmin -p root/admin** \\
Authenticating as principal root/admin@STUDENT.LAB with password.

Password for root/admin@STUDENT.LAB: //PASSWORD//

kadmin: **addprinc -policy user mirko**

Enter password for principal "mirko@STUDENT.LAB": //PASSWORD// \\
Re-enter password for principal "mirko@STUDENT.LAB": //PASSWORD// \\
Principal "mirko@STUDENT.LAB" created.

kadmin: **quit**

Let's check our tickets: \\
**klist -5f**

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

**kinit**

Password for mirko@STUDENT.LAB: //PASSWORD//

**klist -5f**
<code>
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mirko@STUDENT.LAB

Valid starting       Expires              Service principal
04/12/2010 08:30:33  04/13/2010 08:30:33  krbtgt/STUDENT.LAB@STUDENT.LAB
        renew until 04/13/2010 22:30:34, Flags: FPRIA
</code>

**kdestroy** \\
This throws away the ticket.
 +
====== Installing krb5-rsh-server ======

Next we need to install the krb5-rsh-server:

**apt-get install openbsd-inetd** \\
**apt-get install krb5-rsh-server**

**update-rc.d -f openbsd-inetd remove** \\
**update-rc.d openbsd-inetd defaults**

**update-inetd --enable kshell** \\
**update-inetd --enable eklogin**

**invoke-rc.d openbsd-inetd restart**

Now we need to create the host principals and export their keys to a keytab file: \\
**kadmin -p root/admin** \\
Authenticating as principal root/admin@STUDENT.LAB with password.

Password for root/admin@STUDENT.LAB: //PASSWORD//

kadmin: **addprinc -policy service -randkey host/vm15.STUDENT.LAB**

Principal "host/vm15.STUDENT.LAB@STUDENT.LAB" created.

kadmin: **addprinc -policy service -randkey host/vm16.STUDENT.LAB**

Principal "host/vm16.STUDENT.LAB@STUDENT.LAB" created.

kadmin: **ktadd -k /etc/krb5.keytab -norandkey host/vm15.STUDENT.LAB**
<code>
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
</code>

kadmin: **ktadd -k /etc/krb5.keytab -norandkey host/vm16.STUDENT.LAB**
<code>
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.monarch.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
</code>

kadmin: **quit**
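Added example, not from the original page: a shell check that reads ktadd messages in the format shown above (the sample lines are constructed to match that output) and reports which keytab entries use single-DES, the enctypes that allow_weak_crypto = false disables, as opposed to 3DES and RC4, which are only deprecated. Function and variable names are assumptions of this example.

```shell
# Added keytab-enctype check (not from the original wiki page); sample lines are constructed.
# Map the long enctype description printed by ktadd to a verdict.
classify_enctype() {
    case "$1" in
        "DES cbc"*)                echo WEAK ;;        # single DES: what allow_weak_crypto = false turns off
        "Triple DES"*|"ArcFour"*)  echo DEPRECATED ;;  # 3DES and RC4: still usable, but not worth keeping
        "AES-"*)                   echo OK ;;
        *)                         echo UNKNOWN ;;
    esac
}
# Read ktadd-style "Entry for principal ... encryption type ... added to keytab ..." lines on
# stdin and print one "principal<TAB>enctype<TAB>verdict" line per entry.
keytab_report() {
    sed -n 's/^Entry for principal \([^ ]*\) with kvno [0-9]*, encryption type \(.*\) added to keytab .*$/\1|\2/p' |
    while IFS='|' read -r princ etype; do
        printf '%s\t%s\t%s\n' "$princ" "$etype" "$(classify_enctype "$etype")"
    done
}
# Count entries carrying the given verdict (WEAK, DEPRECATED, OK) in the lines read from stdin.
count_verdict() {
    keytab_report | awk -F'\t' -v v="$1" '$3 == v { n++ } END { print n + 0 }'
}
# Constructed sample modelled on the ktadd output for host/vm15 and host/vm16 above.
SAMPLE_KTADD='Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type ArcFour cbc mode with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm15.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/vm16.STUDENT.LAB@STUDENT.LAB with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.'
# Demo: list every entry, then count the single-DES ones.
printf '%s\n' "$SAMPLE_KTADD" | keytab_report
printf 'weak entries: %s\n' "$(printf '%s\n' "$SAMPLE_KTADD" | count_verdict WEAK)"
```

On a real host the same classification applies to what `klist -k -e /etc/krb5.keytab` lists, but that listing uses the short enctype names (aes256-cts-hmac-sha1-96, des-cbc-crc), so the sed pattern would need adapting.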
 +
====== Installing krb5-clients ======

Let's install kerberized versions of the basic client programs:

**apt-get install krb5-clients**

Obtain a Kerberos ticket:

**kinit**

Password for USERNAME@STUDENT.LAB: //PASSWORD//

Connect (-x requests an encrypted session):

**krb5-rsh -x -PN VM14.STUDENT.LAB**

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have new mail.
 +
====== Pam files Configuration ======

First back up the PAM configuration: \\
**cd /etc** \\
**cp -a pam.d pam.d,orig**

Keep the command below as a safety net; it restores the original files from that backup:

**cp -a pam.d,orig/* pam.d/**

We need to make sure that only the following lines are active in each of the indicated files.

**vi /etc/pam.d/common-account**
<code>
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required pam_deny.so
</code>

**vi /etc/pam.d/common-auth**
<code>
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
</code>

**vi /etc/pam.d/common-password**
<code>
password sufficient pam_unix.so nullok obscure md5
password sufficient pam_krb5.so use_first_pass
password required pam_deny.so
</code>

**vi /etc/pam.d/common-session**
<code>
session required pam_limits.so
session optional pam_krb5.so
session optional pam_unix.so
</code>

If everything is working, restart vm14.student.lab.
 +
====== Configuration of client systems ======

Log on to vm15 and vm16 and enter:

**apt-get install libpam-krb5**

**apt-get install krb5-user**

Once this is done, log back in to vm14.student.lab and copy the PAM files over (note the colon and destination path; without them scp writes a local file named after the host):

**scp /etc/pam.d/common* root@vm16.student.lab:/etc/pam.d/** \\
**scp /etc/pam.d/common* root@vm15.student.lab:/etc/pam.d/**

====== Reference ======

http://techpubs.spinlocksolutions.com/dklar/kerberos.html