Tuesday, December 21, 2010

Debian Kerberos Master

Kerberos is a network authentication protocol. It is designed to act as a secure, single sign-on authentication provider.
  1. Install Kerberos Server.
    apt-get -y install rsyslog krb5-{admin-server,user,doc}
    
  2. Create the realm (this may take a long time, up to a few minutes).
    krb5_newrealm
    
  3. Activate Kerberos administration by authorizing admin access (file /etc/krb5kdc/kadm5.acl). The second field is the permission set; `*` grants all rights, so the two entries below give every principal with an /admin instance, and the principal admin, full administrative privileges.
    # ...
    */admin *
    admin *
    
  4. Set up logging (new file /etc/logrotate.d/krb5):
    /var/log/krb5/kadmin.log /var/log/krb5/kdc.log {
            daily
            missingok
            rotate 7
            compress
            delaycompress
            notifempty
    }
    
    Create the log directory:
    mkdir /var/log/krb5
    
  5. Realm configuration (file /etc/krb5.conf). In our case the Kerberos server is named kdc1, and it has an alias, krb, which is used for administration.
    [libdefaults]
            default_realm = DEV.LOCAL
    
    [realms]
            DEV.LOCAL = {
                    kdc = kdc1.dev.local
                    # kdc = kdc2.dev.local
                    admin_server = krb.dev.local
            }
    
    [domain_realm]
            .dev.local = DEV.LOCAL
            dev.local = DEV.LOCAL
    
    [logging]
            kdc = FILE:/var/log/krb5/kdc.log
            admin_server = FILE:/var/log/krb5/kadmin.log
    
  6. Restart the Kerberos services.
    invoke-rc.d krb5-admin-server restart ; \
    invoke-rc.d krb5-kdc restart
    
  7. Open another console and have a look at log files.
    cd /var/log/krb5/ ; \
    tail -f kadmin.log kdc.log
    
  8. Ensure services are running.
    root@kdc1:~# netstat -tunlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      840/kadmind     
    tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      840/kadmind     
    tcp6       0      0 :::464                  :::*                    LISTEN      840/kadmind     
    udp        0      0 0.0.0.0:464             0.0.0.0:*                           840/kadmind     
    udp        0      0 0.0.0.0:88              0.0.0.0:*                           861/krb5kdc     
    udp        0      0 0.0.0.0:750             0.0.0.0:*                           861/krb5kdc     
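
Before going further it is worth checking the two files edited above for what they actually grant and name. The script below is an added example, not part of the original post: lint_acl flags kadm5.acl entries that give a wildcard principal full (*) rights, and conf_get reads one key from a krb5.conf section; the function names are hypothetical and the sample files are constructed copies of the post's configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed below.

# lint_acl FILE: print over-broad grants; exit 0 if none, 1 if any were found.
lint_acl() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $2 == "*" && index($1, "*") > 0 {                 # wildcard principal, all rights
            printf "%s: wildcard principal %s has full rights\n", FILENAME, $1
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]; first match wins.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*#/ { next }                         # commented-out entries do not count
        /^\[/            { section = $1; next }           # remember the current section
        section == want && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Constructed samples copying the kadm5.acl and krb5.conf from the post.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ACL="$SAMPLE_DIR/kadm5.acl"
SAMPLE_CONF="$SAMPLE_DIR/krb5.conf"
printf '%s\n' '# ...' '*/admin *' 'admin *' > "$SAMPLE_ACL"
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
        default_realm = DEV.LOCAL
[realms]
        DEV.LOCAL = {
                kdc = kdc1.dev.local
                # kdc = kdc2.dev.local
                admin_server = krb.dev.local
        }
[logging]
        kdc = FILE:/var/log/krb5/kdc.log
EOF

# audit_sample: return 0 only if the ACL has no wildcard full grants and the
# config names the expected realm and admin server. With the post's ACL it returns 1.
audit_sample() {
    lint_acl "$SAMPLE_ACL" || return 1
    [ "$(conf_get "$SAMPLE_CONF" libdefaults default_realm)" = "DEV.LOCAL" ] || return 1
    [ "$(conf_get "$SAMPLE_CONF" realms admin_server)" = "krb.dev.local" ] || return 1
}
```

Point ACL_FILE style paths at /etc/krb5kdc/kadm5.acl and /etc/krb5.conf to run the same checks against the live configuration.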
    
So far we have the services up and running; however, in order to administer them we need to create an administrative account:
  1. Add admin principal:
    kadmin.local -q "addprinc admin"
    
  2. Add host (kdc1) principal:
    kadmin.local -q "addprinc -randkey host/kdc1.dev.local"
    
    kadmin.local -q "ktadd host/kdc1.dev.local"
    
Now let's test it:
root@kdc1:~# kinit admin && klist && kdestroy 
Password for admin@DEV.LOCAL: 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DEV.LOCAL

Valid starting     Expires            Service principal
12/21/10 18:05:14  12/22/10 04:05:14  krbtgt/DEV.LOCAL@DEV.LOCAL
 renew until 12/22/10 18:05:11