
Wednesday, July 6, 2016

How to install and configure Kerberos for SSH authentication


Time must be synchronized between the server and the clients: tickets are time based, and they are rejected once the clocks drift apart.
All values are case sensitive (realm names are written in upper case throughout).


On the server:

Server hostname: master



1. Install the Kerberos server packages

yum install krb5-server krb5-libs krb5-auth-dialog
yum install krb5-pkinit-openssl


2. Edit the kdc.conf and kadm5.acl files

Location: /var/kerberos/krb5kdc/

On a fresh install only kdc.conf and kadm5.acl exist in this directory; the database files are created in step 5.

cd /var/kerberos/krb5kdc/

vi kdc.conf

Change EXAMPLE.COM to your realm (COMPANY.COM in this example). The supported_enctypes line of the stock file also lists single DES, 3DES and arcfour; keep them only if you have clients that cannot use AES.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
COMPANY.COM= {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}





3. Edit kadm5.acl

vi kadm5.acl

Replace the EXAMPLE.COM entry with your realm so the file contains:

*/admin@COMPANY.COM *

This grants every principal whose instance is /admin (such as root/admin, created in step 8) full administrative rights over the realm.


4. Edit krb5.conf

Location: /etc/

vi /etc/krb5.conf



[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
COMPANY.COM = {
kdc = master.COMPANY.COM
admin_server = master.COMPANY.COM
}

[domain_realm]
.COMPANY.COM = COMPANY.COM
COMPANY.COM = COMPANY.COM
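Two of these files are where a new realm most often goes wrong: kdc.conf still advertising DES and arcfour enctypes, and krb5.conf with a lower-case or incomplete realm entry (realm names are case sensitive). The script below is an added example and not part of the original post: it audits both files with a small awk-based key lookup. The constructed sample configs it writes are assumptions modelled on the files above, and the helper function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit kdc.conf and krb5.conf
# for weak enctypes left enabled on the KDC and for realm settings that are
# missing or wrongly cased. Assumes the MIT krb5 "key = value" layout shown
# in the post.

# Print the value of KEY found under [SECTION]. Realm sub-blocks ({ ... })
# are not tracked: any "key = value" line under the header counts, which is
# enough for kdc.conf and krb5.conf. Keys written without spaces around
# "=" are not matched.
kerb_get_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i
            print val
            exit
        }' "$1"
}

# List the enctypes in supported_enctypes that should be retired:
# single DES, 3DES and RC4/arcfour. Prints one per line; no output = clean.
kerb_weak_enctypes() {
    kerb_get_value "$1" realms supported_enctypes | tr ' ' '\n' \
        | grep -Ei '^(des|des3|arcfour|rc4)' || true
}

# Check krb5.conf realm settings. Prints each finding; returns 0 only when
# default_realm is present and upper case and the realm names both a kdc
# and an admin_server.
kerb_check_krb5conf() {
    rc=0
    realm=$(kerb_get_value "$1" libdefaults default_realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "default_realm is missing from [libdefaults]"; rc=1
    elif [ "$realm" != "$upper" ]; then
        echo "default_realm '$realm' is not upper case (realm names are case sensitive)"; rc=1
    fi
    for k in kdc admin_server; do
        [ -n "$(kerb_get_value "$1" realms "$k")" ] \
            || { echo "$k is missing from the [realms] entry"; rc=1; }
    done
    return $rc
}

# Constructed sample files for a self-test; prints the directory they are in.
kerb_write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 COMPANY.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
 }
EOF
    cat > "$dir/krb5-good.conf" <<'EOF'
[libdefaults]
 default_realm = COMPANY.COM
[realms]
 COMPANY.COM = {
  kdc = master.COMPANY.COM
  admin_server = master.COMPANY.COM
 }
EOF
    cat > "$dir/krb5-bad.conf" <<'EOF'
[libdefaults]
 default_realm = company.com
[realms]
 company.com = {
  kdc = master.company.com
 }
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed samples.
d=$(kerb_write_samples)
echo "weak enctypes in kdc.conf:"; kerb_weak_enctypes "$d/kdc.conf"
echo "checking krb5-bad.conf:"; kerb_check_krb5conf "$d/krb5-bad.conf" || true
```

On a real KDC, point the functions at /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf instead of the sample directory; an empty result from kerb_weak_enctypes and a zero exit from kerb_check_krb5conf are the conditions to aim for before starting krb5kdc.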




5. Create the Kerberos database

cd /var/kerberos/krb5kdc/

kdb5_util create -s -r COMPANY.COM

Enter the database master password when prompted (-s also writes it to a stash file so the KDC can start without it being typed in):

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'COMPANY.COM',
master key name 'K/M@COMPANY.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: File exists while creating database '/var/kerberos/krb5kdc/principal'



This creates the database files (principal, principal.kadm5, etc.) in /var/kerberos/krb5kdc/. The final "File exists" line in the output above appears only when the database has already been created on this host (the command was run a second time here); it does not appear on a fresh install.

6. Start the krb5kdc service

service krb5kdc start

Starting Kerberos 5 KDC: [ OK ]

7. Open kadmin.local (it works on the database directly on the KDC, so it needs neither the kadmind service nor an admin ticket)

kadmin.local

Authenticating as principal root/admin@COMPANY.COM with password.

kadmin.local:

8. Add principals from the kadmin.local prompt

a. List the existing principals
kadmin.local: listprincs

b. Create the administrative principal (its /admin instance is what the kadm5.acl entry from step 3 matches)
kadmin.local: addprinc root/admin

c. Add the host principal for the server. The name must be host/<fqdn>: that is the service principal sshd and pam_krb5 look up for this machine.
kadmin.local: addprinc -randkey host/master.COMPANY.COM

d. Export its key to the default keytab, /etc/krb5.keytab
kadmin.local: ktadd host/master.COMPANY.COM

e. Add the oracle user
kadmin.local: addprinc oracle



9. To obtain a ticket at login, enable Kerberos authentication in the system's authentication settings:

authconfig-tui

OR

setup
(then select the authentication option)

Select the Kerberos option, choose Next, and provide the Kerberos server details (by default they are loaded from the /etc/krb5.conf edited in step 4).


10. Verify the login (existing user oracle)

a.
ssh -l oracle master

b.
kinit

Password for oracle@COMPANY.COM:

c.

klist

Ticket cache: FILE:/tmp/krb5cc_500
Default principal: oracle@COMPANY.COM

Valid starting Expires Service principal
07/06/16 23:35:47 07/07/16 23:35:47 krbtgt/COMPANY.COM@COMPANY.COM
renew until 07/06/16 23:35:47




11. Add a user without a local password

a.
adduser sterin

b. Add the user to the Kerberos database

kadmin.local

kadmin.local: addprinc sterin

Enter the new principal's password when prompted.

c. Log in using ssh

ssh -l sterin master

No password for sterin is stored in the Linux server's own account database (/etc/passwd and /etc/shadow); the password typed at the prompt is verified against the Kerberos database and a ticket is obtained at login:

sterin@master's password:
[sterin@master ~]$ klist


Ticket cache: FILE:/tmp/krb5cc_501_Oc6cOn
Default principal: sterin@COMPANY.COM

Valid starting Expires Service principal
07/07/16 00:45:54 07/08/16 00:45:54 krbtgt/COMPANY.COM@COMPANY.COM
renew until 07/07/16 00:45:54
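Both klist listings above show a detail worth checking: "renew until" equals "Valid starting", so these tickets cannot actually be renewed even though krb5.conf asks for renew_lifetime = 7d (typically because max_renewable_life is not set in kdc.conf, and its default is 0). The script below is an added example and not part of the original post: it parses klist output and reports whether the TGT is present, expired, and renewable. The two klist samples are constructed in the format shown above, the MM/DD/YY timestamp layout is assumed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read klist output and report
# whether the ticket-granting ticket is present, expired, and renewable.
# Assumes the MM/DD/YY HH:MM:SS timestamps shown in the post (years 2000-2099).

# From klist output on stdin, print "<expires> <renew until>" for the TGT
# (service principal krbtgt/...), both rewritten as YYYY-MM-DD HH:MM:SS so
# that plain string comparison orders them. Prints nothing without a TGT.
klist_tgt_times() {
    awk '
        function iso(d, t,   p) {
            split(d, p, "/")
            return "20" p[3] "-" p[1] "-" p[2] " " t
        }
        $5 ~ /^krbtgt\// { expires = iso($3, $4); renew = expires; found = 1; next }
        found && $1 == "renew" && $2 == "until" { renew = iso($3, $4); exit }
        END { if (found) print expires, renew }
    '
}

# Classify the TGT at time NOW (YYYY-MM-DD HH:MM:SS):
#   none                 no TGT in the cache (no kinit yet, or it was destroyed)
#   expired              past its expiry; the user must kinit again
#   valid renewable      usable, and kinit -R can extend it until "renew until"
#   valid non-renewable  usable, but "renew until" does not reach past expiry
klist_tgt_status() {
    now=$1
    times=$(klist_tgt_times)
    if [ -z "$times" ]; then
        echo none
        return 0
    fi
    expires=$(printf '%s' "$times" | cut -c1-19)
    renew=$(printf '%s' "$times" | cut -c21-39)
    if [ "$now" \> "$expires" ]; then
        echo expired
    elif [ "$renew" \> "$expires" ]; then
        echo "valid renewable"
    else
        echo "valid non-renewable"
    fi
}

# Constructed klist output in the format the post shows. In the first cache
# "renew until" equals the start time, so the ticket cannot be renewed at all.
KLIST_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_501_Oc6cOn
Default principal: sterin@COMPANY.COM

Valid starting     Expires            Service principal
07/07/16 00:45:54  07/08/16 00:45:54  krbtgt/COMPANY.COM@COMPANY.COM
        renew until 07/07/16 00:45:54'

KLIST_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: oracle@COMPANY.COM

Valid starting     Expires            Service principal
07/06/16 23:35:47  07/07/16 23:35:47  krbtgt/COMPANY.COM@COMPANY.COM
        renew until 07/13/16 23:35:47'

# Stand-alone demo; on a live host pipe the real output instead:
#   klist | klist_tgt_status "$(date '+%F %T')"
printf '%s\n' "$KLIST_NONRENEWABLE" | klist_tgt_status "2016-07-07 12:00:00"
printf '%s\n' "$KLIST_RENEWABLE" | klist_tgt_status "2016-07-07 12:00:00"
```

Run against a live cache, the "valid non-renewable" result is the signal that long-running sessions will lose their ticket after ticket_lifetime regardless of renew_lifetime; "none" on a host where every login should go through the KDC is worth a look at the PAM configuration.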

12. Check a local user that is not in the Kerberos database

adduser notinkb
passwd notinkb

Changing password for user notinkb.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.


ssh -l notinkb master



kinit

kinit: Client not found in Kerberos database while getting initial credentials

The SSH login still works with the local password, because the pam_unix module remains in the PAM stack, but kinit fails: the KDC has no principal named notinkb, so this account never gets a ticket and is outside the realm's password policy.
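This is the gap to watch for on a Kerberized host: any account created only with adduser and passwd keeps working over SSH with its local password and never shows up in the KDC's policy or logs. The script below is an added example and not part of the original post: it compares a passwd file against a principal list (as produced by kadmin.local -q listprincs) and names the local login accounts with no <user>@REALM principal. The sample passwd and principal lists are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find local accounts that have
# no principal in the realm. Such accounts still log in over SSH with their
# /etc/shadow password, so they sit outside the KDC's password policy, ticket
# lifetimes and logs. Inputs are a passwd file and a principal list in the
# format produced by "kadmin.local -q listprincs".

# Print local accounts (UID >= MIN_UID, with a login shell) that have no
# <user>@REALM principal, one per line. MIN_UID defaults to 500, the first
# ordinary UID on the EL6 system shown in the post.
kerb_accounts_without_principal() {
    passwd=$1; princs=$2; realm=$3; min_uid=${4:-500}
    awk -F: -v min="$min_uid" -v realm="$realm" -v pf="$princs" '
        BEGIN {
            # keep only real principal lines; the "Authenticating as
            # principal ..." banner kadmin.local may print is skipped
            while ((getline line < pf) > 0)
                if (line ~ ("@" realm "$")) has[line] = 1
            close(pf)
        }
        $3 >= min && $7 !~ /(nologin|false)$/ && !(($1 "@" realm) in has) { print $1 }
    ' "$passwd"
}

# Constructed sample inputs mirroring the post: oracle and sterin have
# principals, notinkb was created with adduser/passwd only.
kerb_write_audit_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
oracle:x:500:500::/home/oracle:/bin/bash
sterin:x:501:501::/home/sterin:/bin/bash
notinkb:x:502:502::/home/notinkb:/bin/bash
backup:x:503:503::/var/backups:/sbin/nologin
EOF
    cat > "$dir/princs" <<'EOF'
Authenticating as principal root/admin@COMPANY.COM with password.
K/M@COMPANY.COM
host/master.COMPANY.COM@COMPANY.COM
kadmin/admin@COMPANY.COM
kadmin/changepw@COMPANY.COM
oracle@COMPANY.COM
root/admin@COMPANY.COM
sterin@COMPANY.COM
EOF
    echo "$dir"
}

# Stand-alone demo. On the KDC itself the real inputs would be /etc/passwd
# and the output of:  kadmin.local -q listprincs > /tmp/princs
d=$(kerb_write_audit_samples)
echo "local accounts without a Kerberos principal:"
kerb_accounts_without_principal "$d/passwd" "$d/princs" COMPANY.COM
```

Accounts it lists either need a principal added with addprinc (and their local password locked) or need to be documented as deliberate local-only accounts; root itself is excluded by the UID threshold, but passing 0 as the fourth argument reports it too.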




To start the KDC service at every boot:

/sbin/chkconfig --add krb5kdc
/sbin/chkconfig krb5kdc on







On the client:

hostname client1.company.com

1. Install the client packages

yum install krb5-workstation krb5-libs krb5-auth-dialog

2. Change the authentication method by running the setup command

Select Kerberos

Provide the server details (realm, KDC and admin server, as in /etc/krb5.conf on the server)

3. Now try logging in with a Kerberos user

4. klist will show the ticket details


