Thursday 16 April 2015

Kerberos Configuration in RHEL7/CentOS7

NOTE: 1) Ensure that a DNS server or the '/etc/hosts' file is configured for the network.
      2) Ensure that time synchronization is configured on all machines in the network.

Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos Server: meru.mycompany.com

SSH Server: server1.mycompany.com
SSH Client: server2.mycompany.com

Configure Kerberos Server:

NOTE: All commands are to be executed as the 'root' user.

1) Install packages.
[root@meru ~]# yum -y install krb5-server krb5-libs

2) Edit the file '/etc/krb5.conf'. Make the following changes ('default_realm' belongs in the '[libdefaults]' section).

       [libdefaults]
       default_realm = MYCOMPANY.COM

       [realms]
       MYCOMPANY.COM = {
        kdc = meru.mycompany.com
        admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM

3) Edit the file '/var/kerberos/krb5kdc/kdc.conf'. Make the following changes.

       [realms]
       MYCOMPANY.COM = {
        #master_key_type = aes256-cts
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
       }

   The single-DES types (des-hmac-sha1, des-cbc-md5, des-cbc-crc) and arcfour-hmac (RC4) in that list are weak. A new realm with no legacy clients can drop them and offer only the AES (and camellia) types.

4) Open the firewall ports: KDC - 88 (tcp/udp), kadmind - 749 (tcp/udp).
[root@meru ~]# firewall-cmd --zone=public --add-service=kerberos --permanent
[root@meru ~]# firewall-cmd --zone=public --add-port=749/tcp --permanent
[root@meru ~]# firewall-cmd --zone=public --add-port=749/udp --permanent
[root@meru ~]# firewall-cmd --reload

5) Create the Kerberos database that stores the keys for the realm. The '-s' option also writes a stash file, so the KDC can start without the master password being typed in.
[root@meru ~]# kdb5_util create -s

6) Edit the file '/var/kerberos/krb5kdc/kadm5.acl'. This file is used by 'kadmind' to determine which principals have admin access to the Kerberos database; the entry below grants full rights to every principal with an '/admin' instance.
       */admin@MYCOMPANY.COM   *


7) Create the first admin principal (it matches the '*/admin' ACL entry above).
[root@meru ~]# kadmin.local -q "addprinc shabbir/admin"

8) Start the Kerberos services.
[root@meru ~]# systemctl start krb5kdc
[root@meru ~]# systemctl start kadmin
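As an added check after the KDC steps above (an example script written for this page, not part of the original post), the following POSIX shell snippet reads a kdc.conf fragment, lists the encryption types the realm offers in 'supported_enctypes', and flags the weak single-DES and RC4 entries. The embedded configuration is a constructed sample that mirrors step 3; on a real KDC pass "$(cat /var/kerberos/krb5kdc/kdc.conf)" instead.

```sh
#!/bin/sh
# Added example (not from the original post): audit the 'supported_enctypes'
# line of a kdc.conf and report weak types. Single-DES (des-*) and RC4
# (arcfour-hmac) are the ones a new realm should not offer; des3-hmac-sha1
# is listed but is also a legacy type on current MIT Kerberos releases.

# Constructed sample mirroring the kdc.conf fragment in the post.
SAMPLE_KDC_CONF='[realms]
 MYCOMPANY.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# Print the enctype names (without the ":salt" suffix), one per line.
# $1: kdc.conf contents
list_enctypes() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' \
      | tr ' ' '\n' | sed 's/:.*//' | sed '/^$/d'
}

# Print only the weak entries (single-DES and RC4), one per line.
weak_enctypes() {
    list_enctypes "$1" | grep -E '^(des-|arcfour-hmac)' || true
}

# Exit status 0 when no weak enctype is offered, 1 otherwise.
kdc_conf_is_hardened() {
    [ -z "$(weak_enctypes "$1")" ]
}

# Replacement line that offers only AES and camellia types.
HARDENED_LINE='supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal'

# Demo against the constructed sample.
if kdc_conf_is_hardened "$SAMPLE_KDC_CONF"; then
    echo "no weak enctypes offered"
else
    echo "weak enctypes offered by this KDC:"
    weak_enctypes "$SAMPLE_KDC_CONF"
    echo "suggested: $HARDENED_LINE"
fi
```

Changing 'supported_enctypes' only affects keys created or changed after the edit, so it is easiest to settle the list before running 'kdb5_util create' and adding principals.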


Configure SSH Server:

1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs

2) Copy the file '/etc/krb5.conf' from the Kerberos server (meru.mycompany.com).
[root@server1 ~]# scp root@meru.mycompany.com:/etc/krb5.conf /etc/krb5.conf

3) Create the host principal in the Kerberos database and extract its keys into the local keytab ('/etc/krb5.keytab'). Leaving out '-w' makes 'kadmin' prompt for the password instead of exposing it in the shell history and process list.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc -randkey host/server1.mycompany.com
          kadmin:  ktadd host/server1.mycompany.com
          kadmin:  quit
 
4) Edit the file '/etc/ssh/sshd_config' and enable Kerberos authentication.
       KerberosAuthentication yes
       KerberosTicketCleanup yes
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes

5) Restart 'sshd' and make sure the firewall port is open.
[root@server1 ~]# systemctl restart sshd
[root@server1 ~]# firewall-cmd --zone=public --add-service=ssh --permanent
[root@server1 ~]# firewall-cmd --reload
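The sshd_config edit in step 4 is easy to get wrong because sshd takes the first value it finds for a keyword (later duplicates are ignored), keywords are case-insensitive, and a commented-out line does nothing. The script below (an added example for this page, not part of the original post) resolves the effective value of each of the four keywords the same way and fails if any of them is not 'yes'. The sshd_config excerpt is a constructed sample; on the real server pass "$(cat /etc/ssh/sshd_config)" or, better, "$(sshd -T)", which prints the configuration sshd actually loaded.

```sh
#!/bin/sh
# Added example (not from the original post): check that sshd_config
# effectively enables the four keywords from step 4.

# Constructed sshd_config excerpt with the traps described above: a
# commented-out line, an indented lower-case keyword and a later duplicate.
SAMPLE_SSHD_CONFIG='# constructed /etc/ssh/sshd_config excerpt
#GSSAPIAuthentication no
GSSAPIAuthentication yes
KerberosAuthentication yes
  kerberosticketcleanup yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication no
PasswordAuthentication yes'

# Print the effective value of a keyword: first match wins, keyword
# comparison is case-insensitive, comments and blank lines are skipped,
# and scanning stops at the first "Match" block (conditional settings
# are out of scope for this check).
# $1: sshd_config contents, $2: keyword
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }'
}

# Report each keyword from step 4; exit status 1 if any is not "yes".
# $1: sshd_config contents
check_gssapi_sshd() {
    rc=0
    for kw in KerberosAuthentication KerberosTicketCleanup \
              GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(sshd_effective "$1" "$kw")
        if [ "$v" = "yes" ]; then
            echo "ok   $kw = yes"
        else
            echo "FAIL $kw = ${v:-(unset)}"
            rc=1
        fi
    done
    return $rc
}

# Demo against the constructed sample.
check_gssapi_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd is not ready for GSSAPI logins"
```

Run it before 'systemctl restart sshd'; a FAIL line usually means the setting was added below an existing (often commented-out) copy of the keyword that is still active.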

Configure SSH Client:

1) Install packages.
[root@server2 ~]# yum -y install krb5-workstation krb5-libs

2) Create a user principal for user 'batul' in the Kerberos database.
[root@server2 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc batul
          kadmin:  quit

3) Copy the file '/etc/krb5.conf' from the Kerberos server (meru.mycompany.com).
[root@server2 ~]# scp root@meru.mycompany.com:/etc/krb5.conf /etc/krb5.conf

4) Create the local user 'batul'.
[root@server2 ~]# useradd batul
[root@server2 ~]# passwd batul

5) Log in as user 'batul' and obtain a ticket.
[root@server2 ~]# su - batul

[batul@server2 ~]$ kinit batul

6) View the ticket.
[batul@server2 ~]$ klist

7) Log in to the SSH server (server1.mycompany.com).
[batul@server2 ~]$ ssh batul@server1.mycompany.com


8) After quitting the ssh session, destroy the ticket.
[batul@server2 ~]$ kdestroy
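A password prompt in step 7 is the usual sign that something in the chain above is broken, but a silent fallback to password authentication is easy to miss. A GSSAPI login leaves a service ticket for host/server1.mycompany.com@MYCOMPANY.COM in the cache next to the TGT, so 'klist' run before 'kdestroy' tells you which method was used. The script below (an added example for this page, not part of the original post) parses 'klist' output to make that check; the embedded output is a constructed sample, and on a real client you would pass "$(klist)" instead.

```sh
#!/bin/sh
# Added example (not from the original post): read 'klist' output and
# confirm that the ssh login to server1 was authenticated with Kerberos
# (GSSAPI), which leaves a host/<server>@<REALM> service ticket behind.

# Constructed sample of 'klist' output after kinit and the ssh login.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1001:1001
Default principal: batul@MYCOMPANY.COM

Valid starting       Expires              Service principal
04/16/2015 10:02:11  04/17/2015 10:02:08  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
04/16/2015 10:02:40  04/17/2015 10:02:08  host/server1.mycompany.com@MYCOMPANY.COM'

# $1: klist output
klist_principal() { printf '%s\n' "$1" | sed -n 's/^Default principal: //p'; }

# Ticket rows start with a date; the last field is the service principal.
klist_services() { printf '%s\n' "$1" | awk '/^[0-9]/ { print $NF }'; }

# $1: klist output, $2: full service principal (exact match)
has_service_ticket() { klist_services "$1" | grep -qxF -- "$2"; }

# $1: klist output, $2: realm
has_tgt() { has_service_ticket "$1" "krbtgt/$2@$2"; }

# $1: klist output, $2: server FQDN, $3: realm
ssh_login_used_gssapi() { has_service_ticket "$1" "host/$2@$3"; }

# Demo against the constructed sample.
out=$SAMPLE_KLIST
echo "principal: $(klist_principal "$out")"
if ! has_tgt "$out" MYCOMPANY.COM; then
    echo "no TGT: run kinit first"
elif ssh_login_used_gssapi "$out" server1.mycompany.com MYCOMPANY.COM; then
    echo "ssh to server1 used GSSAPI (host/ service ticket present)"
else
    echo "no host/server1 ticket: the ssh login fell back to another method"
fi
```

If the host/ ticket is missing, 'ssh -v' on the client shows whether GSSAPI was attempted at all; the client's own '/etc/ssh/ssh_config' must also have 'GSSAPIAuthentication yes', and the server name given to ssh must match the principal created in step 3 of the server setup.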

