Date post: 21-May-2020

Knowledge is Power

And if you look for it as for silver and search for it as for hidden treasure, then you will understand the fear of the LORD and find the knowledge of God. (Proverbs 2:4-5)

Kerberos Server Setup on CentOS 5.8

Jeong Chul
tland12.wordpress.com
Computer Science, ITC and RUPP in Cambodia

Kerberos Server Setup on CentOS 5.8

Part 1 Theory
 Step 1 Kerberos System
 Step 2 Kerberos Version 4, 5 Overview
 Step 3 Kerberos Authentication
 Step 4 Using Kadmin & Ticket Control
 Step 5 Kerberos Server Testing Environment
 Step 6 Configuration Prerequisite

Part 2 Practice
 Step 7 Packages Installation
 Step 8 KDC Configuration
 Step 9 Application Server Configuration
 Step 10 Kerberos Testing – SSH and Telnet Server
 Step 11 Packet Capture using WireShark

Step 1 Kerberos System

1. Kerberos
 a. Secure network authentication system developed by MIT in the mid-1990s
  • Based around credentials called tickets
  • Tickets secured by secret key encryption
 b. Three participants
  • Key Distribution Center (KDC – AS & TGS)
  • Application servers (network services)
  • Client users

2. Principals
 a. A principal identifies each participant in a Kerberos authentication
  • Users and network services
  • Identified by primary, instance, and realm
  • Ex: root/admin@CHUL.COM
 b. Each principal has a password
  • Passwords are used as encryption keys
  • Users memorize passwords
  • Services store passwords in a keytab file
  • The KDC knows all passwords

Step 2. Kerberos 4 Overview

Step 2. Kerberos v5 Dialogue

Step 3 Kerberos Authentication

1. Initial Authentication
 • User enters username and password
 • Login program sends a request for a TGT for that principal to the KDC
 • KDC sends the login program a TGT encrypted using the user's password
 • If the login program can decrypt the TGT with the password provided by the user, the user is authenticated

2. Ticket Authentication
 • Client sends a request for a service ticket to the KDC's ticket granting service
 • KDC sends the client two identical copies
  - One encrypted with the TGT
  - One encrypted with the service password
 • Client sends the network service
  - The ticket encrypted with the service's password
  - A timestamp encrypted with the ticket
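The two exchanges above, simulated end to end in Python as an added example (not code from the original slides): the KDC database, the principal names and the password are constructed, the HMAC-checked SHAKE keystream cipher is a stand-in for a real Kerberos enctype, and the application server rejects an authenticator whose timestamp lies outside the allowed clock skew, which is why Step 6 requires time sync on both hosts.

```python
import hashlib, hmac, json, os, time

def kdf(password, principal):
    # Kerberos derives the user's long-term key from the password plus a salt (realm + principal)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("CHUL.COM" + principal).encode(), 20000)

def seal(key, obj):
    # Toy authenticated encryption (SHAKE keystream + HMAC) standing in for a Kerberos enctype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")   # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

# Constructed KDC database: the KDC knows every key; service keys are random, as ktadd -randkey makes them
KDC_DB = {"linux": kdf("linux-pw", "linux"), "krbtgt/CHUL.COM": os.urandom(32), "host/client.chul.com": os.urandom(32)}

def as_exchange(principal):
    # Initial authentication: TGT sealed with the TGS key, plus the session key sealed with the user's key
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt/CHUL.COM"], {"client": principal, "key": sk})
    return tgt, seal(KDC_DB[principal], {"key": sk})

def tgs_exchange(tgt, service):
    # Ticket authentication: service ticket sealed with the service key, copy of the new key under the TGT session key
    body = unseal(KDC_DB["krbtgt/CHUL.COM"], tgt)
    svc_key = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": body["client"], "key": svc_key})
    return ticket, seal(bytes.fromhex(body["key"]), {"key": svc_key})

def ap_verify(service, ticket, authenticator, now=None, max_skew=300):
    # Application server: open the ticket with its keytab key, then the timestamp with the ticket key
    body = unseal(KDC_DB[service], ticket)
    ts = unseal(bytes.fromhex(body["key"]), authenticator)["ts"]
    if abs((time.time() if now is None else now) - ts) > max_skew:
        raise ValueError("clock skew too great")   # why Step 6 insists on time sync
    return body["client"]

def run(password="linux-pw", clock_offset=0):
    tgt, enc = as_exchange("linux")
    session = unseal(kdf(password, "linux"), enc)["key"]       # only the right password opens this
    ticket, enc = tgs_exchange(tgt, "host/client.chul.com")
    svc_key = unseal(bytes.fromhex(session), enc)["key"]
    authenticator = seal(bytes.fromhex(svc_key), {"ts": time.time() + clock_offset})
    return ap_verify("host/client.chul.com", ticket, authenticator)
```

run() returns the client principal the application server accepted; a wrong password or a client clock more than five minutes off raises ValueError.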

Step 4 Using Kadmin and Ticket Control

1. Kadmin, the tool to manage Kerberos principals
 a. Can manage Kerberos principals
  • addprinc, delprinc, modprinc, cpw
 b. Can set and manage password policies
  • Password aging, minimum length, history
  • addpol, delpol, modpol, getpol, listpols
 c. Can extract principals into a keytab file
  • ktadd, randomizes the password

2. Kerberos Clients
 a. Set up /etc/krb5.conf for the realm
 b. Get an initial TGT
  • kinit to get a new TGT
  • klist lists available credentials
  • kdestroy deletes all credentials
  • ktutil can be used to view keytab files
 c. Tickets stored in /tmp/krb5cc_UID

Step 5 Kerberos Server Testing Environment

1. server.chul.com: 192.168.80.25 on CentOS 5.8
 • Kerberos Server (KDC – AS and TGS)
 • Client for testing – 'linux'
2. client.chul.com: 192.168.80.10 on CentOS 5.8
 • Application server – Telnet and SSH server
 • Client for packet capture – 'linux'
3. Kerberos Realm: CHUL.COM

Step 6 Configuration Prerequisite

1. Name Resolution: hosts file on both servers

 # cat /etc/hosts
 127.0.0.1      localhost.localdomain localhost
 192.168.80.25  server.chul.com server
 192.168.80.10  client.chul.com client

2. Time sync on both servers

 # system-config-time
 Network Time Protocol -> Enable Network Time Protocol
 Time Zone -> Phnom_Penh

Step 7 Package Installation

1. Kerberos packages check

 # rpm -qa | grep krb5
 krb5-workstation-1.6.1-70.el5
 krb5-server-1.6.1-70.el5
 krb5-libs-1.6.1-70.el5
 krb5-auth-dialog-0.7-1
 krb5-server-ldap-1.6.1-70.el5
 pam_krb5-2.2.14-22.el5

2. Package installation using yum

 # yum install krb5-server krb5-workstation krb5-server-ldap pam_krb5 krb5-auth-dialog krb5-libs

Step 8 KDC Configuration (1)

1. Configuration in /etc/krb5.conf

 # vi /etc/krb5.conf
 [libdefaults]
  default_realm = CHUL.COM

 [realms]
  CHUL.COM = {
   kdc = 192.168.80.25:88
   admin_server = 192.168.80.25:749
  }

 The [domain_realm] section should read:
 [domain_realm]
  server.chul.com = CHUL.COM
  client.chul.com = CHUL.COM

 In [appdefaults], add the following line inside the curly braces of the pam block so that the login program must validate the KDC:
  validate = true

Step 8 KDC Configuration (2)

2. Initialize the Kerberos database

 [root@server]# kdb5_util create -r CHUL.COM -s
 [root@server]# ls /var/kerberos/krb5kdc/principal

3. Edit the [realms] block in /var/kerberos/krb5kdc/kdc.conf

 # vi /var/kerberos/krb5kdc/kdc.conf
 [realms]
  CHUL.COM = {
   master_key_type = des3-hmac-sha1
   default_principal_flags = +preauth
  }

4. Edit /var/kerberos/krb5kdc/kadm5.acl, which controls which administrative privileges are available to which principals (fields: principal, permissions, target principal)

 # vi /var/kerberos/krb5kdc/kadm5.acl
 */admin@CHUL.COM *    // allow any principal with an instance of admin full access to the database
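To check what a kadm5.acl line actually grants before relying on it, here is a small matcher, added as an example and not taken from the slides or from MIT Kerberos; it implements a simplified version of the file's semantics (per-component wildcard matching, lowercase permission letters, first matching rule decides), and the two rule lines it parses are constructed, the first being the rule shown above.

```python
import fnmatch

# Simplified kadm5.acl semantics (assumption: enough for the rule in these slides;
# the real kadmind also knows uppercase "deny" letters and restriction fields).
ALL_PERMS = set("admcilps")   # add, delete, modify, changepw, inquire, list, setkey, setstring

def split_principal(name):
    # "root/admin@CHUL.COM" -> ("root", "admin", "CHUL.COM"); the instance may be empty
    primary, _, realm = name.partition("@")
    primary, _, instance = primary.partition("/")
    return primary, instance, realm

def match(pattern, principal):
    # Each component is matched on its own, so */admin@CHUL.COM matches
    # root/admin@CHUL.COM but neither root@CHUL.COM nor linux/admin@OTHER.COM
    return all(fnmatch.fnmatchcase(have, want)
               for have, want in zip(split_principal(principal), split_principal(pattern)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()               # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        who, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None    # no target field: applies to any target
        rules.append((who, ALL_PERMS if perms in ("*", "x") else set(perms), target))
    return rules

def allowed(rules, admin, perm, target=None):
    """First matching rule decides (simplification); perm is one letter, e.g. 'a' for addprinc."""
    for who, perms, tgt in rules:
        if match(who, admin) and (tgt is None or target is None or match(tgt, target)):
            return perm in perms
    return False

# Constructed ACL: the slides' full-access rule plus a read-only helpdesk rule
ACL_TEXT = """\
*/admin@CHUL.COM *        # any admin instance gets full access to the database
helpdesk@CHUL.COM il      # may only inquire and list
"""
RULES = parse_acl(ACL_TEXT)
```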

Step 8 KDC Configuration (3)

5. Add some user and admin principals to the database

 # kadmin.local
 kadmin.local: addprinc root/admin    // adding admin principal
 kadmin.local: addprinc linux         // adding user
 kadmin.local: listprincs             // list principals
 kadmin.local: getprinc linux         // show information about the principal

6. Create the kadmind keytab file

 kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
 kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

7. Create a host principal for the KDC

 kadmin.local: addprinc -randkey host/server.chul.com
 kadmin.local: ktadd -k /etc/krb5.keytab host/server.chul.com

 /etc/krb5.keytab contains the host principal and its password (key) for the system

Step 8 KDC Configuration (4)

8. Start the KDC daemons

 # service krb5kdc start; chkconfig krb5kdc on
 # service kadmin start; chkconfig kadmin on
 # ps -ef | grep krb
 # ps -ef | grep kadmin
 # netstat -nat | grep :88     // kdc
 # netstat -nat | grep :749    // kadmin

9. Viewing a keytab file

 # ktutil
 ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab
 ktutil: list

10. Kerberos log files (the [logging] section of /etc/krb5.conf)

 default = /var/log/krb5libs.log
 kdc = /var/log/krb5kdc.log
 admin_server = /var/log/kadmind.log

Step 9 Application Server Configuration

1. Default configuration

 # rpm -qa | grep krb5-workstation
 # scp [email protected]:/etc/krb5.conf /etc/krb5.conf

2. Run kadmin and create a host principal for client.chul.com

 # kadmin -p root/admin
 kadmin: addprinc -randkey host/client.chul.com
 kadmin: ktadd -k /etc/krb5.keytab host/client.chul.com

3. On both computers

 # system-config-authentication
 On the Authentication tab:
  • select the Enable Kerberos Support check box
  • keep the current Kerberos configuration

Step 10 Kerberos Testing - SSH Server

1. Edit /etc/ssh/ssh_config on both hosts and add the following lines to the bottom of the Host * section:

 # vi /etc/ssh/ssh_config
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
 # service sshd restart

2. Access the SSH server using Kerberos, on Server:

 $ klist; kinit
 $ ssh linux@client

Step 10 Kerberos Testing - Telnet Server

1. Activate the Kerberos telnet server on Client:

 # chkconfig krb5-telnet on
 # cat /etc/xinetd.d/krb5-telnet
 service telnet
 {
   disable = no
   flags = REUSE
   socket_type = stream
 }
 [root@client]# service xinetd restart

2. Access the telnet server, on Server:

 $ klist; kinit
 $ telnet -Fxl linux client.chul.com

Step 11 Packet Capture using WireShark

1.On KDC

2. On Application server

3. Kerberos Packet analysis

Kerberos Setup on CentOS 5.8

Thank you & God bless you!!

