Kerberos Configuration

Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
SERVER SIDE CONFIGURATION:
Installing Kerberos on the server (node01)
Pre-requisites: OEL 6.10
Step 1: Set up and install NTP
yum -y install ntp
Step 2: Install and configure the KDC server:
yum -y install krb5-server krb5-libs
**Ensure the default realm is set to your domain name in upper case.**
Step 3: Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC so that it matches the file below:
[root@node01 ~]# cat /var/kerberos/krb5kdc/kdc.conf
default_realm = APPARCHET.COM
[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 0
[realms]
 APPARCHET.COM = {
 kdc_ports = 88
 admin_keytab = /etc/kadm5.keytab
 database_name = /var/kerberos/krb5kdc/principal
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 key_stash_file = /var/kerberos/krb5kdc/stash
 max_life = 10h 0m 0s
 max_renewable_life = 7d 0h 0m 0s
 master_key_type = des3-hmac-sha1
 supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
 default_principal_flags = +preauth
 }
Step 4: Adjust /var/kerberos/krb5kdc/kadm5.acl as given below:
BEFORE
[root@node01 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
[root@node01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
AFTER
[root@node01 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@APPARCHET.COM *
[root@node01 ~]#
Step 5: Create the KDC database to hold our sensitive Kerberos data
**Create the database and set a strong password that you can remember.**
This command also stashes the master key (derived from this password) on the KDC so you don't have to enter it each time you start the KDC:
[root@node01 ~]# kdb5_util create -r APPARCHET.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'APPARCHET.COM',
master key name 'K/M@APPARCHET.COM'
You will be prompted for the database Master Password.
**It is important that you NOT FORGET this password.**
Enter KDC database master key:
Re-enter KDC database master key to verify:
**VERY IMPORTANT STEP**
Important: Hadoop is unable to use a non-default realm. The Kerberos default realm is configured in the libdefaults property in the /etc/krb5.conf file on every host in the cluster:
[libdefaults]
 default_realm = EXAMPLE.COM
Step 6: Set up /etc/krb5.conf exactly as shown below
[root@node01 krb5kdc]# cat /etc/krb5.conf
[libdefaults]
default_realm = APPARCHET.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
APPARCHET.COM = {
kdc = node01.APPARCHET.COM
admin_server = node01.APPARCHET.COM
}
[domain_realm]
.APPARCHET.COM = APPARCHET.COM
APPARCHET.COM = APPARCHET.COM
Step 7: Log into kadmin.local, add the principals and set up the configuration as below:
[root@node01 etc]# kadmin.local
Authenticating as principal root/admin@APPARCHET.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@APPARCHET.COM; defaulting to no policy
Enter password for principal "root/admin@APPARCHET.COM":
Re-enter password for principal "root/admin@APPARCHET.COM":
Principal "root/admin@APPARCHET.COM" created.
kadmin.local:  addprinc user1
WARNING: no policy specified for user1@APPARCHET.COM; defaulting to no policy
Enter password for principal "user1@APPARCHET.COM":
Re-enter password for principal "user1@APPARCHET.COM":
Principal "user1@APPARCHET.COM" created.
kadmin.local:  addprinc -randkey host/node01.apparchet.com
WARNING: no policy specified for host/node01.apparchet.com@APPARCHET.COM; defaulting to no policy
Principal "host/node01.apparchet.com@APPARCHET.COM" created.
**Adding keytab entries for the host principal**
kadmin.local:  ktadd host/node01.apparchet.com
Entry for principal host/node01.apparchet.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node01.apparchet.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node01.apparchet.com with kvno 2, encryption type des-cbc-crc added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit
Step 8: Edit /etc/ssh/ssh_config as shown below
[root@node01 etc]# vi /etc/ssh/ssh_config
[root@node01 etc]#
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
   GSSAPIAuthentication yes         <<< Uncomment this line and change the value to yes
   GSSAPIDelegateCredentials yes    <<< Uncomment this line and change the value to yes
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
Step 9: Reload the sshd service
[root@node01 etc]# service reload sshd
reload: unrecognized service
[root@node01 etc]# service  sshd reload
Reloading sshd:
                                      [  OK  ]
[root@node01 etc]# authconfig --enablekrb5 --update
[root@node01 etc]#
Step 10: Restart the 'krb5kdc' and 'kadmin' services with the commands below:
[root@node01 etc]# service krb5kdc restart
Stopping Kerberos 5 KDC:                                   [FAILED]
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@node01 etc]# service kadmin restart
Stopping Kerberos 5 Admin Server:                          [FAILED]
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@node01 etc]#
Step 11: Switch to the required user
[root@node01 etc]# su - neeld
Step 12: Initialize Kerberos for the given user with the command below:
[neeld@node01 ~]$ kinit
Password for neeld@APPARCHET.COM:
[neeld@node01 ~]$
Step 13: Use 'klist' to show the user's Kerberos ticket details:
[neeld@node01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: neeld@APPARCHET.COM
Valid starting     Expires            Service principal
11/24/18 05:07:42  11/24/18 15:07:42  krbtgt/APPARCHET.COM@APPARCHET.COM
renew until 11/25/18 05:07:33
[neeld@node01 ~]$
SUCCESSFULLY INSTALLED & CONFIGURED KERBEROS ON SERVER
CLIENT SIDE CONFIGURATION:
Step 1: Create the same user on node02 as was created on node01 (server)
[root@node02 etc]# useradd neeld
[root@node02 etc]# passwd neeld
Changing password for user neeld.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[root@node02 etc]# kadmin
Authenticating as principal root/admin@APPARCHET.COM with password.
Password for root/admin@APPARCHET.COM:
kadmin:
kadmin:  addprinc -randkey host/node02.apparchet.com
WARNING: no policy specified for host/node02.apparchet.com@APPARCHET.COM; defaulting to no policy
Principal "host/node02.apparchet.com@APPARCHET.COM" created.
Step 2: Add key tables for node02
kadmin:  ktadd host/node02.apparchet.com
Entry for principal host/node02.apparchet.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node02.apparchet.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node02.apparchet.com with kvno 2, encryption type des-cbc-crc added to keytab FILE:/etc/krb5.keytab.
kadmin:  quit
Step 3: Edit /etc/ssh/ssh_config as shown below
[root@node02 etc]# vi /etc/ssh/ssh_config
[root@node02 etc]#
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
   GSSAPIAuthentication yes         <<< Uncomment this line and change the value to yes
   GSSAPIDelegateCredentials yes    <<< Uncomment this line and change the value to yes
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
Step 4: Reload the sshd service
[root@node02 etc]# service sshd reload
Reloading sshd:                                            [  OK  ]
[root@node02 etc]#
[root@node02 etc]# authconfig --enablekrb5 --update
Step 5: su to the newly created user on node02 (neeld)
[root@node02 etc]# su - neeld
Step 6: Obtain a ticket-granting ticket with kinit
What does kinit do?
kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that is commonly found in other Kerberos implementations, such as the SEAM and MIT reference implementations.
[neeld@node02 ~]$ kinit
Password for neeld@APPARCHET.COM:
What does klist do?
klist displays the entries in the local credentials cache and key table. After the user has modified the credentials cache with kinit or modified the keytab with ktab, the only way to verify the changes is to view the contents of the credentials cache and/or keytab using klist. klist does not change the Kerberos database.
[neeld@node02 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: neeld@APPARCHET.COM
Valid starting     Expires            Service principal
11/24/18 06:09:33  11/24/18 16:09:33  krbtgt/APPARCHET.COM@APPARCHET.COM
renew until 11/25/18 06:09:16
Test by connecting with ssh to the Kerberos server (node01). It should connect without asking for a password, because Kerberos authentication has been set up between the client (node02) and the server (node01).
[neeld@node02 ~]$ ssh node01
The authenticity of host 'node01 (192.168.1.6)' can't be established.
RSA key fingerprint is a0:82:01:8a:61:ad:41:44:9e:1d:91:2e:47:f9:05:f4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node01,192.168.1.6' (RSA) to the list of known hosts.
[neeld@node01 ~]$
The passwordless login to node01 above shows that Kerberos has been set up successfully.
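As an added example (not part of the original post), the POSIX shell script below runs the consistency checks a practitioner would want before starting krb5kdc and testing the ssh login: that krb5.conf's default_realm is upper case and matches the realm declared in kdc.conf (server steps 3 and 6), that ssh_config has GSSAPIAuthentication switched on (server step 8 and client step 3), and which single-DES and RC4 entries the supported_enctypes line from step 3 still enables. The file paths and sample contents are constructed to mirror the configuration above; point the functions at the real files under /etc and /var/kerberos/krb5kdc to check a live host.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the kdc.conf, krb5.conf and
# ssh_config files the steps above produce. Paths and sample contents below are constructed.

# Print the default_realm value from the [libdefaults] section of a krb5.conf-style file.
krb5_default_realm() {
  awk -F'=' '/^\[/ { insec = ($0 ~ /^\[libdefaults]/); next }
             insec && $1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}
# Print each realm declared in the [realms] section of kdc.conf (lines of the form "REALM = {").
kdc_realms() {
  awk '/^\[/ { insec = ($0 ~ /^\[realms]/); next }
       insec && /=[ \t]*[{]/ { sub(/^[ \t]+/, ""); sub(/[ \t]*=.*/, ""); print }' "$1"
}
# Succeed only when the realm is non-empty and entirely upper case, as the post requires.
is_upper_realm() {
  [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}
# Print the single-DES and RC4 entries of supported_enctypes (legacy ciphers), one per line.
weak_enctypes() {
  awk -F'=' '$1 ~ /^[ \t]*supported_enctypes[ \t]*$/ {
               n = split($2, a, /[ \t]+/)
               for (i = 1; i <= n; i++) {
                 sub(/:.*/, "", a[i])
                 if (a[i] ~ /^des-/ || a[i] == "des" || a[i] ~ /^arcfour/) print a[i]
               } }' "$1"
}
# Succeed when ssh_config carries an active (uncommented) "GSSAPIAuthentication yes" line.
ssh_gssapi_enabled() {
  grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1"
}

# Constructed sample files mirroring the post's server steps 3, 6 and 8.
TMPD=$(mktemp -d)
printf '[libdefaults]\ndefault_realm = APPARCHET.COM\n[realms]\nAPPARCHET.COM = {\nkdc = node01.APPARCHET.COM\n}\n' > "$TMPD/krb5.conf"
cat > "$TMPD/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 0
[realms]
 APPARCHET.COM = {
 supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal
 }
EOF
printf '#   GSSAPIAuthentication no\n   GSSAPIAuthentication yes\n' > "$TMPD/ssh_config"

REALM=$(krb5_default_realm "$TMPD/krb5.conf")
is_upper_realm "$REALM" && echo "default_realm $REALM is upper case"
kdc_realms "$TMPD/kdc.conf" | grep -qx "$REALM" && echo "kdc.conf declares realm $REALM"
weak_enctypes "$TMPD/kdc.conf" | sed 's/^/legacy enctype still enabled: /'
ssh_gssapi_enabled "$TMPD/ssh_config" && echo "ssh_config enables GSSAPI authentication"
```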
