### KDC Server setup (rhel7mgmt1.myexample.com)
## assume the following servers
## (1) KDC server - 192.168.0.30 : rhel7mgmt1.myexample.com
## (2) KDC client - 192.168.0.20 : rhel7client1.myexample.com
##
## in lieu of DNS, add the following to the /etc/hosts file of ALL the machines (KDC and every client).
## Kerberos host/service principals are named after the fully-qualified host name, so every machine must
## resolve these names identically; a mismatch does not fail loudly here, it shows up later as a GSSAPI login that silently falls back to a password prompt.
192.168.0.10 rhel7server1 rhel7server1.myexample.com
192.168.0.20 rhel7client1 rhel7client1.myexample.com
192.168.0.30 rhel7mgmt1 rhel7mgmt1.myexample.com
## on rhel7mgmt1
[root@rhel7mgmt1 ~]# yum -y install krb5-server krb5-workstation pam_krb5
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
...
Complete!
## edit kdc.conf
[root@rhel7mgmt1 ~]# cd /var/kerberos/krb5kdc
[root@rhel7mgmt1 krb5kdc]# vi kdc.conf
# - under [realms] change the realm name from
EXAMPLE.COM => MYEXAMPLE.COM
# - harden the realm (these two settings are about key strength and pre-authentication, not "Kerberos 5 only"):
# - uncomment master_key_type : master_key_type = aes256-cts (AES-256 key for the K/M master key that protects the database)
# and add : default_principal_flags = +preauth (every principal must pre-authenticate; without it the KDC will hand an AS-REP encrypted under a user's password-derived key to any unauthenticated requester, which enables offline password guessing)
/var/kerberos/krb5kdc/kdc.conf |
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
MYEXAMPLE.COM = {
# master_key_type: enctype of the K/M master key that wraps every key in the database
master_key_type = aes256-cts
# +preauth: require pre-authentication for every principal so the KDC never issues an
# AS-REP encrypted under a password-derived key to an unauthenticated requester
# (closes the offline "AS-REP roasting" guessing attack)
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# dict_file is only consulted for principals that have a password policy assigned;
# with the "no policy specified" defaults used below it is never checked
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): this list still contains RC4 (arcfour-hmac) and single-DES
# (des-hmac-sha1, des-cbc-md5, des-cbc-crc). One key per listed enctype is stored for
# every principal and written by ktadd into each keytab, so weak keys end up on disk
# even though clients refuse them unless allow_weak_crypto is enabled. Outside a lab,
# trim this to the aes256-cts / aes128-cts (and, if needed, camellia) entries.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
|
## edit /etc/krb5.conf
[root@rhel7mgmt1 ~]# vi /etc/krb5.conf
# - replace all
EXAMPLE.COM with MYEXAMPLE.COM
# - uncomment default_realm and set it to MYEXAMPLE.COM
# - update the kdc = and admin_server = entries in [realms] with the KDC's FQDN (rhel7mgmt1.myexample.com)
# - update [domain_realm] so that .myexample.com and myexample.com both map to MYEXAMPLE.COM
## edit /var/kerberos/krb5kdc/kadm5.acl
[root@rhel7mgmt1 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
# - change from EXAMPLE.COM to MYEXAMPLE.COM. This single line grants every principal whose instance
# is /admin (the root/admin created below) every kadmin privilege (*) over every principal in the realm.
# That is acceptable for a lab; in production scope it down to named admin principals and only the privilege letters they need.
/var/kerberos/krb5kdc/kadm5.acl |
*/admin@MYEXAMPLE.COM * |
## create the KDC database. -s additionally writes a stash file (/var/kerberos/krb5kdc/.k5.MYEXAMPLE.COM)
## holding the master key so krb5kdc can start unattended. The stash file plus the principal database are
## equivalent to every key in the realm: keep /var/kerberos/krb5kdc root-only, exclude it from unencrypted
## backups, and record the master password somewhere recoverable — it is the only way to rebuild the stash.
[root@rhel7mgmt1 krb5kdc]# kdb5_util create -s -r MYEXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYEXAMPLE.COM',
master key name 'K/M@MYEXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
## enable and then start the KDC services
[root@rhel7mgmt1 krb5kdc]# systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@rhel7mgmt1 krb5kdc]# systemctl start krb5kdc
[root@rhel7mgmt1 krb5kdc]# systemctl start kadmin
## create an admin principal; its full name is root/admin@MYEXAMPLE.COM (primary "root", instance "admin").
## the /admin instance is what the */admin entry in kadm5.acl matches, so this principal has full control of
## the realm — choose a strong, unique password, because its key is derived from that password and anyone who guesses it owns the KDC.
[root@rhel7mgmt1 krb5kdc]# kadmin.local
Authenticating as principal root/admin@MYEXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@MYEXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@MYEXAMPLE.COM":
Re-enter password for principal "root/admin@MYEXAMPLE.COM":
Principal "root/admin@MYEXAMPLE.COM" created.
## add a user principal. The "no policy specified" warning below means no password rules (minimum length,
## character classes, history, dictionary check) are enforced for it; for anything beyond a lab create one
## with add_policy and pass -policy <name> to addprinc (a policy named "default" is applied automatically).
kadmin.local: addprinc krbtest
WARNING: no policy specified for krbtest@MYEXAMPLE.COM; defaulting to no policy
Enter password for principal "krbtest@MYEXAMPLE.COM":
Re-enter password for principal "krbtest@MYEXAMPLE.COM":
Principal "krbtest@MYEXAMPLE.COM" created.
## register the KDC host itself as a service principal (host/<FQDN>). -randkey gives it a random key instead
## of a password, which is what every host/service principal should use — there is no human to type a password for it.
kadmin.local: addprinc -randkey host/rhel7mgmt1.myexample.com
WARNING: no policy specified for host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM; defaulting to no policy
Principal "host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM" created.
## write the host's keys into the local keytab (creates /etc/krb5.keytab). It holds this host's long-term
## keys, so it must remain root-owned and mode 0600 and must never be copied to other machines. One entry is
## written per enctype listed in supported_enctypes — the des-* and arcfour-hmac entries below exist only because those weak types are still listed in kdc.conf.
kadmin.local: ktadd host/rhel7mgmt1.myexample.com
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit
## edit ssh_config (SSH client side). Only needed here because we test SSH from this same host; any other
## client needs the same setting in its own ssh_config.
## GSSAPIAuthentication is what enables the Kerberos login. GSSAPIDelegateCredentials additionally forwards
## your TGT to the server you log in to, letting that server act as you toward other services; it is NOT
## required for the login itself — keep it "no" by default and enable it only per-Host for servers you trust.
[root@rhel7mgmt1 krb5kdc]# vi /etc/ssh/ssh_config
# uncomment GSSAPIAuthentication & set the value to yes
# uncomment GSSAPIDelegateCredentials & set the value to yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
## edit sshd_config (server side). GSSAPIAuthentication yes is what allows Kerberos logins. UseDNS only
## makes sshd reverse-resolve the connecting address (for logging and from= patterns); as far as the GSSAPI
## mechanism is concerned it is not required and will not fix a host-principal name mismatch.
UseDNS yes
GSSAPIAuthentication yes
## reload sshd and switch PAM to Kerberos. authconfig rewrites the PAM stacks and may also regenerate
## /etc/krb5.conf from its own stored settings — re-check that file afterwards so the hand edits above survive.
[root@rhel7mgmt1 krb5kdc]# systemctl reload sshd
[root@rhel7mgmt1 krb5kdc]# authconfig --enablekrb5 --update
## define a firewalld service for Kerberos. firewalld normally ships a "kerberos" service (port 88 only)
## under /usr/lib/firewalld/services; a same-named file under /etc/firewalld/services takes precedence.
## This version also opens 749/tcp (kadmind), which only administrators need — prefer to limit it to the
## admin hosts (rich rule or separate zone) instead of exposing it to the whole zone.
[root@rhel7mgmt1 ~]# cd /etc/firewalld/services
[root@rhel7mgmt1 services]# vi kerberos.xml
/etc/firewalld/services/kerberos.xml |
<?xml version="1.0" encoding="utf-8"?>
<!-- firewalld service definition; a file here overrides any same-named service
     shipped under /usr/lib/firewalld/services -->
<service>
<short>Kerberos</short>
<description>Kerberos network authentication protocol server</description>
<!-- 88 = KDC (AS/TGS exchanges), needed by every client in the realm -->
<port protocol="tcp" port="88"/>
<port protocol="udp" port="88"/>
<!-- 749 = kadmind (remote kadmin). Only admin workstations need it; restrict it
     with a rich rule or a separate zone rather than opening it zone-wide. -->
<port protocol="tcp" port="749"/>
</service> |
## apply the firewall rule
[root@rhel7mgmt1 services]# firewall-cmd --permanent --add-service=kerberos
success
[root@rhel7mgmt1 services]# firewall-cmd --reload
success
## create the matching local account and test. Kerberos only authenticates krbtest; a local (or directory)
## account with the same name must still exist so sshd has a uid and home directory to log into.
[root@rhel7mgmt1 services]# useradd krbtest
[root@rhel7mgmt1 services]# su - krbtest
[krbtest@rhel7mgmt1 ~]$ kinit
Password for krbtest@MYEXAMPLE.COM:
[krbtest@rhel7mgmt1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: krbtest@MYEXAMPLE.COM
Valid starting Expires Service principal
06/17/2020 12:51:10 06/18/2020 12:51:07 krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM
## with a TGT in the cache, ssh in this session should log you in without any further password prompt.
## for GSSAPI to succeed, the name you ssh to must resolve (here via /etc/hosts) to the FQDN used in the
## host/ principal created above, because the client requests a service ticket for host/<resolved-name>.
## the host-key prompt below is ordinary SSH trust-on-first-use and is unrelated to Kerberos: verify the
## fingerprint out of band before answering yes, since Kerberos authenticates you to the host, not the host to you.
[krbtest@rhel7mgmt1 ~]$ ssh rhel7mgmt1.myexample.com
The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established.
ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg.
ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts.
Last login: Wed Jun 17 12:51:03 2020
[krbtest@rhel7mgmt1 ~]$
|