Thursday, 16 April 2015

Kerberos Configuration in RHEL7/CentOS7

NOTE: 1) Ensure that DNS Server or '/etc/hosts' file  is configured for the network.
            2) Ensure that Time Synchronization is configured on all machines in the network.

Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos Server: meru.mycompany.com

SSH Server: server1.mycompany.com
SSH Client: server2.mycompany.com

Configure Kerberos Server:


NOTE: All commands are to be executed as 'root' user.

1) Install packages.
[root@meru ~]# yum -y install krb5-server krb5-libs

2) Edit the file '/etc/krb5.conf'. Make the following changes.
     
       default_realm = MYCOMPANY.COM
       [realms]
       MYCOMPANY.COM = {
       kdc = meru.mycompany.com
       admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM


3) Edit the file '/var/kerberos/krb5kdc/kdc.conf'. Make the following changes.
       [realms]
        MYCOMPANY.COM = {
         #master_key_type = aes256-cts
         acl_file = /var/kerberos/krb5kdc/kadm5.acl
         dict_file = /usr/share/dict/words
         admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
         supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac- sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
       }

4) Open Firewall Ports. KDC - 88(tcp/udp) , kadmind - 749(tcp/udp)
[root@meru ~]# firewall-cmd --zone=public --add-service=kerberos --permanent 
[root@meru ~]# firewall-cmd --zone=public --add-port=749/tcp --permanent 
[root@meru ~]# firewall-cmd --zone=public --add-port=749/udp --permanent 
[root@meru ~]# firewall-cmd --reload

5) Create Kerberos database that stores keys for the kerberos realm.
[root@meru ~]# kdb5_util create -s

6) Edit the file '/var/kerberos/krb5kdc/kadm5.acl'. This file is used by 'kadmind' to determine which principals have admin access to the kerberos database.
       */admin@MYCOMPANY.COM   *


7) Create the first principal.
[root@meru ~]# kadmin.local -q "addprinc shabbir/admin"

8) Start Kerberos Service
[root@meru ~]# systemctl start krb5kdc 
[root@meru ~]# systemctl start kadmin


Configure SSH Server:

1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs

2) Copy the file '/etc/krb5.conf' from the Kerberos Server (meru.mycompany.com).
[root@server1 ~]# scp root@meru.mycompany.com:/etc/krb5.conf  /etc/krb5.conf

 3) Create host principal in the kerberos database and extract keys for the host.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc -randkey host/server1.mycompany.com

          kadmin:  ktadd host/server1.mycompany.com
          kadmin:  quit 
 
4) Edit the file '/etc/ssh/sshd_config' and enable kerberos authentication.
       KerberosAuthentication yes
      KerberosTicketCleanup yes
      GSSAPIAuthentication yes
      GSSAPICleanupCredentials yes

5) Restart 'sshd' and make sure firewall port is open.
[root@server1 ~]# systemctl restart sshd

[root@server1 ~]# firewall-cmd --zone=public --add-service=ssh --permanent 
[root@server1 ~]# firewall-cmd --reload

Configure SSH Client:

1) Install packages
[root@server2 ~]# yum -y install krb5-workstation krb5-libs

2) Create user principal for user 'batul' in the kerberos database.
[root@server2 ~]# kadmin -p shabbir/admin -w shabbir        
          kadmin:  addprinc batul
          kadmin:  quit

3) Copy the file '/etc/krb5.conf' from the Kerberos Server (meru.mycompany.com)
[root@server2 ~]# scp root@meru.mycompany.com:/etc/krb5.conf  /etc/krb5.conf

4) Create user 'batul
[root@server2 ~]# useradd batul
[root@server2 ~]# passwd batul

5) Login as user 'batul' and obtain a  ticket.
[root@server2 ~]# su - batul

[batul@server2 ~]$  kinit batul

6) View the ticket
[batul@server2 ~]$  klist

7) Log in to the SSH Server. (server1.mycompany.com)
[batul@server2 ~]$ ssh batul@server1.mycompany.com


8) After quitting the ssh session, destroy the ticket.
[batul@server2 ~]$  kdestroy


No comments:

Post a Comment