System configuration and management part 2

Configure a system to authenticate using Kerberos

`### KDC Server setup (rhel7mgmt1.myexample.com)`

## assume the following servers

            ## (1) KDC server - 192.168.0.30 : rhel7mgmt1.myexample.com

            ## (2) KDC client - 192.168.0.20 : rhel7client1.myexample.com 

            ##

            ## in lieu of DNS, add the following to /etc/hosts file of all the machines

192.168.0.10  rhel7server1 rhel7server1.myexample.com

            192.168.0.20  rhel7client1 rhel7client1.myexample.com

            192.168.0.30  rhel7mgmt1   rhel7mgmt1.myexample.com

            

            ## on rhel7mgmt1

            

            [root@rhel7mgmt1 ~]# yum -y install krb5-server krb5-workstation pam_krb5

                         Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

            ...

            Complete!

## edit kdc.conf

            

            [root@rhel7mgmt1 ~]# cd /var/kerberos/krb5kdc

            

            [root@rhel7mgmt1 krb5kdc]# vi kdc.conf

            

            

            # - under [realm] change from EXAMPLE.COM => MYEXAMPLE.COM

            # - to force krb5 only

            # - uncomment master_key_type : master_key_type = aes256-cts

            #   and add : default_principal_flags = +preauth

/var/kerberos/krb5kdc/kdc.conf

[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] MYEXAMPLE.COM = { # uncomment next 2 lines if we want to be compatible with Kerberos 5 ONLY master_key_type = aes256-cts default_principal_flags = +preauth acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }

## edit /etc/krb5.conf

             [root@rhel7mgmt1 ~]# vi /etc/krb5.conf

            

            # - replace all EXAMPLE.COM with MYEXAMPLE.COM

            # - uncomment default realm

            # - update entries in [realm] with your server details

            # - update entries in [domain_realm] with your domain

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well

                        includedir /etc/krb5.conf.d/

                        

                        [logging]

                         default = FILE:/var/log/krb5libs.log

                         kdc = FILE:/var/log/krb5kdc.log

                         admin_server = FILE:/var/log/kadmind.log

                        

                        [libdefaults]

                         dns_lookup_realm = false

                         ticket_lifetime = 24h

                         renew_lifetime = 7d

                         forwardable = true

                         rdns = false

                         default_realm = MYEXAMPLE.COM

                         default_ccache_name = KEYRING:persistent:%{uid}

                        

                        [realms]

                         MYEXAMPLE.COM = {

                          kdc = rhel7mgmt1.myexample.com

                          admin_server = rhel7mgmt1.myexample.com

                         }

                        

                        [domain_realm]

 .myexample.com = MYEXAMPLE.COM

                         myexample.com = MYEXAMPLE.COM

## edit /var/kerberos/krb5kdc/kadm5.acl

[root@rhel7mgmt1 ~]# vi /var/kerberos/krb5kdc/kadm5.acl # - change from EXAMPLE.COM to MYEXAMPLE.COM

/var/kerberos/krb5kdc/kadm5.acl

*/admin@MYEXAMPLE.COM *

## create KDB database [root@rhel7mgmt1 krb5kdc]# kdb5_util create -s -r MYEXAMPLE.COM Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYEXAMPLE.COM', master key name 'K/M@MYEXAMPLE.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: ## enable and then start the KDC services [root@rhel7mgmt1 krb5kdc]# systemctl enable krb5kdc kadmin Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service. Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service. [root@rhel7mgmt1 krb5kdc]# systemctl start krb5kdc [root@rhel7mgmt1 krb5kdc]# systemctl start kadmin ## create an admin principal for this system ## root/admin => either root or admin
[root@rhel7mgmt1 krb5kdc]# kadmin.local Authenticating as principal root/admin@MYEXAMPLE.COM with password. kadmin.local: addprinc root/admin WARNING: no policy specified for root/admin@MYEXAMPLE.COM; defaulting to no policy Enter password for principal "root/admin@MYEXAMPLE.COM": Re-enter password for principal "root/admin@MYEXAMPLE.COM": Principal "root/admin@MYEXAMPLE.COM" created. ## add user kadmin.local: addprinc krbtest WARNING: no policy specified for krbtest@MYEXAMPLE.COM; defaulting to no policy Enter password for principal "krbtest@MYEXAMPLE.COM": Re-enter password for principal "krbtest@MYEXAMPLE.COM": Principal "krbtest@MYEXAMPLE.COM" created. ## add kdc server into kerberos database kadmin.local: addprinc -randkey host/rhel7mgmt1.myexample.com WARNING: no policy specified for host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM; defaulting to no policy Principal "host/rhel7mgmt1.myexample.com@MYEXAMPLE.COM" created. ## add a local copy stored in a keytab file - it will create /etc/krb5.keytab
kadmin.local: ktadd host/rhel7mgmt1.myexample.com Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7mgmt1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin.local: quit ## edit ssh_config ## this is for testing SSH locally, this setting is for the SSH client side, ## not required if not doing SSH locally [root@rhel7mgmt1 krb5kdc]# vi /etc/ssh/ssh_config # uncomment GSSAPIAuthentication & set the value to yes # uncomment GSSAPIDelegateCredentials & set the value to yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ## edit sshd_config, ensure UseDNS and GSSAPIAuthentication are set to yes UseDNS yes GSSAPIAuthentication yes ## reload sshd and enable kerberos authentication [root@rhel7mgmt1 krb5kdc]# systemctl reload sshd [root@rhel7mgmt1 krb5kdc]# authconfig --enablekrb5 --update ## create a service for kerberos to ensure the required firewall ports are open [root@rhel7mgmt1 ~]# cd /etc/firewalld/services [root@rhel7mgmt1 services]# vi kerberos.xml

/etc/firewalld/services/kerberos.xml

<?xml version="1.0" encoding="utf-8"?>

                        <service>

                          <short>Kerberos</short>

                          <description>Kerberos network authentication protocol server</description>

                          <port protocol="tcp" port="88"/>

                          <port protocol="udp" port="88"/>

                          <port protocol="tcp" port="749"/>

                        </service>

## apply the firewall rule [root@rhel7mgmt1 services]# firewall-cmd --permanent --add-service=kerberos success [root@rhel7mgmt1 services]# firewall-cmd --reload success
## create user and then test locally [root@rhel7mgmt1 services]# useradd krbtest [root@rhel7mgmt1 services]# su - krbtest [krbtest@rhel7mgmt1 ~]$ kinit Password for krbtest@MYEXAMPLE.COM: [krbtest@rhel7mgmt1 ~]$ klist Ticket cache: KEYRING:persistent:1001:1001 Default principal: krbtest@MYEXAMPLE.COM Valid starting Expires Service principal 06/17/2020 12:51:10 06/18/2020 12:51:07 krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM ## when you ssh in this session, you should be able to login without being further prompted for password ## for the kerberos authentication to work the source IP used to connect must resolve back to the hostname added as the host principal earlier [krbtest@rhel7mgmt1 ~]$ ssh rhel7mgmt1.myexample.com The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established. ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg. ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts. Last login: Wed Jun 17 12:51:03 2020 [krbtest@rhel7mgmt1 ~]$

back to Objectives

Configure a System to Authenticate Using Kerberos - Client Setup

`### KDC Client Setup (rhel7client1.myexample.com)`

## install the requied packages [root@rhel7client1 ~]# yum -y install krb5-workstation pam_krb5 Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager ... Complete! ## edit /etc/krb5.conf and use the same config as the server

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well

                        includedir /etc/krb5.conf.d/

                        

                        [logging]

                         default = FILE:/var/log/krb5libs.log

                         kdc = FILE:/var/log/krb5kdc.log

                         admin_server = FILE:/var/log/kadmind.log

                        

                        [libdefaults]

                         dns_lookup_realm = false

                         ticket_lifetime = 24h

                         renew_lifetime = 7d

                         forwardable = true

                         rdns = false

                         default_realm = MYEXAMPLE.COM

                         default_ccache_name = KEYRING:persistent:%{uid}

                        

                        [realms]

                         MYEXAMPLE.COM = {

                          kdc = rhel7mgmt1.myexample.com

                          admin_server = rhel7mgmt1.myexample.com

                         }

                        

                        [domain_realm]

 .myexample.com = MYEXAMPLE.COM

                         myexample.com = MYEXAMPLE.COM

## connect to kadmin server and then add the host principal for this client [root@rhel7client1 ~]# kadmin Authenticating as principal root/admin@MYEXAMPLE.COM with password. Password for root/admin@MYEXAMPLE.COM: kadmin: addprinc -randkey host/rhel7client1.myexample.com WARNING: no policy specified for host/rhel7client1.myexample.com@MYEXAMPLE.COM; defaulting to no policy Principal "host/rhel7client1.myexample.com@MYEXAMPLE.COM" created. kadmin: ktadd host/rhel7client1.myexample.com Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/rhel7client1.myexample.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin: quit ## edit /etc/ssh/ssh_config [root@rhel7client1 ~]# vi /etc/ssh/ssh_config
# uncomment GSSAPIAuthentication & set the value to yes # uncomment GSSAPIDelegateCredentials & set the value to yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ## enable authentication using kerberos [root@rhel7client1 ~]# authconfig --enablekrb5 --update## create the user [root@rhel7client1 ~]# useradd krbtest## verify kerberos authentication for the krbtest user from this Kerberos client[root@rhel7client1 ~]# su - krbtest [krbtest@rhel7client1 ~]$ kinit Password for krbtest@MYEXAMPLE.COM: [krbtest@rhel7client1 ~]$ klist Ticket cache: KEYRING:persistent:1001:1001 Default principal: krbtest@MYEXAMPLE.COM Valid starting Expires Service principal 06/17/2020 13:22:16 06/18/2020 13:22:12 krbtgt/MYEXAMPLE.COM@MYEXAMPLE.COM [krbtest@rhel7client1 ~]$ ssh rhel7mgmt1.myexample.com The authenticity of host 'rhel7mgmt1.myexample.com (192.168.0.30)' can't be established. ECDSA key fingerprint is SHA256:vNpmvuXbPajqQUZz4J+wzqni3r6SN0oxJE70Uy6iabg. ECDSA key fingerprint is MD5:6f:05:e9:4e:37:25:b5:99:e0:49:99:14:d4:1c:e5:cc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rhel7mgmt1.myexample.com,192.168.0.30' (ECDSA) to the list of known hosts. Last login: Wed Jun 17 12:52:16 2020 from rhel7mgmt1.myexample.com [krbtest@rhel7mgmt1 ~]$

back to Objectives