LFCS – Kerberos Authentication (CentOS7)

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
364
Reaction score
403
Credits
13,257
Kerberos is an authentication method that can assign a user a ‘ticket’ after the first sign-on. Once a user has entered a correct password, then they are granted a ‘ticket’ to allow connection again without a password. The key thing to remember is that the ‘ticket’ expires after a certain amount of time.

Kerberos Authentication is a security measure that adds a level of security between two network systems. Once granted, the two systems ‘trust’ each other.

Kerberos is made up of three important parts:
  1. TGS – Ticket Granting Server
  2. Kerberos Database – Stores all passwords and identification of all allowed users
  3. AS – Authentication Server that actually performs the authentication
Because the tickets are granted on a timed basis, all systems need to be synchronized to the same time. For this reason, all systems need to use the Network Time Protocol (NTP).

Network Time Protocol (NTP)

For this to work, each system needs NTP. If you are using your VirtualBox servers to use as testing, make sure you do this on all servers. In a real environment, all systems, even the clients, need to sync the time.

One system will be set up as the ‘Time Server’ and all other systems will sync to that server. A backup time server can be set in the case that the ‘Time Server’ should be down. Having a backup can help if a server is taken down, even for routine maintenance.

On Server1, perform the following command:

sudo yum install -y ntp

Once the package is installed, the configuration file will need to be edited. The file to edit is ‘/etc/ntp.conf’. The changes to make are the following:

#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Remove the comment hash mark and change the IP Address to match your network. My line would look like:

restrict 192.168.56.0 mask 255.255.255.0 nomodify notrap

The line will allow systems on the local network to query the Time Server to sync clocks, but not alter the time on the NTP Server.

Just below the modified line, there is a list of four servers that will be contacted by the NTP Server. You can modify these, but the default should be fine. For Server2, these lines will be modified.

Now that the changes have been made, we need to restart the service and enable it to auto-start when the system starts. Perform the following two commands to make this happen:

sudo systemctl restart ntpd
sudo systemctl enable ntpd


We can check the NTP Daemon to see what servers it is querying for time synchronization with the command ‘sudo ntpq -p’. A list will be produced and the default time server is the one with the asterisk at the beginning.

Next, we need to open the firewall for the NTP Server. The following two commands are used. The first will open the specific port, the second reloads the firewall daemon for the changes to take effect:

sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload


If you went over the article ‘LFCS – Creating OpenLDAP Server on CentOS 7’ then you have already set up Server1 and server2 in the Hosts file. If not, you need to edit the ‘/etc/hosts’ and add Server1 and Server2. For an NTP Server, we really need the other systems that will be querying for time sync.

Other than setting the Hosts file, we need to actually change the hostname. To do this on Server1, use the command:

sudo hostnamectl set-hostname server1.linux.org

If you run the command ‘hostname’ the full FQDN should be shown. Change the hostnames to match what you are using on your network. Perform the hostname change on Server2 as well. This step is VERY important.

We now need to set up Server2. For Server2, go ahead and update the Hosts file and add Server1. It must be able to contact the NTP Server by using it’s Domain Name or IP Address.

Install the NTP Daemon as we did on Server1:

sudo yum install -y ntp

Edit the file ‘/etc/ntp.conf’ and remove the following three lines:

server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst


Move the line ‘server 0.centos.pool.ntp.org iburst’ down and insert a line for server1:

server server1.linux.org iburst prefer

Make sure to add ‘prefer’ at the end so that server1 is the preferred NTP Server. If Server1 is offline for any reason, then server2 will contact the NTP Server that was left in the list. You need to restart and enable the service to start every time the system boots with the commands:

sudo systemctl restart ntpd
sudo systemctl enable ntpd


If you issue the command ‘ntpq -p’ you should see server1 with an asterisk next to it to show it is the NTP Server being used. For more information, use the command ‘ntpq -c as’. For extreme troubleshooting, see the log at ‘/var/log/messages’. Use a command such as ‘cat varlog/messages | grep ntp’ for specific lines only dealing with NTP.

Everything should be syncing now, so it is time to enable Kerberos.

Install and Configure KDC

The KDC is the Key Distribution Center. The KDC works as two parts: the Ticket Granting Server (TGS) and Authentication Server (AS). When a client needs to access a service that is protected by Kerberos, the AS authenticates a client and grants a ticket (TGS). The ticket is valid for 24 hours or until the client logs out.

For generating tickets, we need to have the ability to create random keys. To create random keys, we need random numbers. Install the following package:

sudo yum install -y rng-tools.x86_64

Edit the file ‘/usr/lib/systemd/system/rngd.service’ and change the line ‘ExecStart=sbin/rngd -f’ to ‘ExecStart=sbin/rngd -f -r /dev/urandom’. Save the file and then we need to reload the new information, start the service and enable it to auto-start:

sudo systemctl daemon-reload
sudo systemctl start rngd
sudo systemctl enable rngd


The first command reloads the systemd management configuration information, which include rngd.

Now, we need to install the Kerberos server and client packages. Use the command:

sudo yum install -y krb5-server krb5-workstation krb5-client pam_krb5.x86_64

After the installation is completed, switch to the folder ‘/var/kerberos/krb5kdc’. Within the folder are two files: kadm5.acl and kdc.conf. Edit both files and find an entry of ‘EXAMPLE.COM’. Change these to match your DNS naming convention. I changed mine to ‘LINUX.ORG’. Save and exit your editor.

We now need to edit our client configuration. Edit the file ‘/etc/krb5.conf’. You need to uncomment the following line and change the DNS name:

# default_realm = EXAMPLE.COM

Uncomment the four lines under ‘[realms]’. Change the DNS names for ‘kdc’ and ‘admin-server’ to your main server. Both lines for me became ‘server1.linux.org’. Don’t forget to change the DNS name on the line right under ‘[realms]’. Save and exit your editor.

Now, we need to create the database for the keys. The command is:

sudo kdb5_util create -s -r LINUX.ORG

You will be prompted to create the database password and then verify it. The database is located at ‘/var/kerberos/krb5kdc’ There should now be four new files in the folder which all start with ‘principal’ in the file name.

We now need to start and enable two services: ‘krb5kdc’ and ‘kadmin’.

sudo systemctl start kadmin krb5kdc
sudo systemctl enable kadmin krb5kdc


The Kerberos Server and Client is installed and configured on Server1. You can verify that Kerberos is running with the command ‘sudo netstat -ltnp’. You should see two lines that contain the program name of ‘krb5kdc’, one for IP4 and for IP6. Since Port 88 is being monitored b the server, we know Kerberos is running.

Now, we can configure the Kerberos Principals.

Kerberos Principals

A Kerberos Principal is a rule that allows a ticket to be given to a specific user, host or service. If a Principal is set to allow access to a specific user, then the user can authenticate themselves. Once authenticated, the user is given a ticket for access.

We need to make sure that the Kerberos Principal Password can be changed over the network. We need to enable the option to allow ‘kpasswd’ to work through the firewall. The following command should take care of it:

sudo firewall-cmd --add-service=kpasswd --permanent

Kerberos needs to be allowed on the Firewall, so perform the following:

sudo firewall-cmd --add-service=kerberos --permanent

The Kerberos Admin Server needs to allow port 749 for Kerberos using TCP. Use the following:

sudo firewall-cmd --add-port=749/tcp --permanent

Now that we have made changes, we need to reload all of the changes so they take affect:

sudo firewall-cmd --reload

Now that the basics are out of the way, we can start managing the principals. Use the command ‘sudo kadmin.local’ to start an interactive command interface.

Current Principals can be listed with the command ‘listprincs’. We can allow the root/admin to login with the command ‘addprinc root/admin’. You should be prompted and asked to verify a password for the root/admin user for Kerberos. We can add another, such as, ‘addprinc tech1’. Again, you’ll be prompted for a password and asked to verify it. We can allow the host to get a ticket from Kerberos with the command ‘addprinc host/server1.linux.org’. Enter and verify the password for each new Principal you add. To see the Principals, use the command ‘listprincs’.

NOTE: Make sure you add a Principal for the current user that usually use or any test users.

The Principals are created, but we need to add keys to the new Principals we added. The command ‘ktadd host/server1.linux.org’ will make the keys. The keys should all be created and you can now exit the interface with the command ‘quit’.

SSH with Kerberos

Now that we have set up Kerberos on Server1 and created some Principals, we can enable SSH to use Kerberos.

We need to enable some settings in the file ‘/etc/ssh/ssh_config’. Open the file in an editor and modify the following two lines:

# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no


Change the lines to:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes


Now SSH will authenticate using Kerberos as soon as the new settings are reloaded. To reload the SSH settings we changed, perform the following:

sudo systemctl reload sshd
sudo authconfig --enablekrb5 --update


If you list the tokens you have, there should be none listed. To see available tokens, use the command ‘klist’. The result should end with ‘not found’.

To be granted a token, we can use the command ‘kinit’ and you should be asked the Kerberos password for the current user that we set up in the previous section. After entering your password, you should be back at a terminal prompt. When you enter the command ‘klist’, you should see something similar to:

Ticket cache: KEYRING:persistent:1000:1000
Default principal: [email protected]

Valid starting Expires Service principal
02/06/2022 00:13:23 02/07/2022 00:13:23 krbtgt/[email protected]


The token has been granted for 24 hours or until I logout or reject the token.

If I use the command ‘ssh server1.linux.org’ I can connect using SSH and not be prompted for a password. The password is not needed since I have a valid token.

I did just specify that the token can be rejected, or specifically it is destroyed. To destroy a token, use the command ‘kdestroy’ to reject any tokens. If you destroy the token and use ‘klist’ you will see that the token no longer exists for your user.

Adding Kerberos to Clients

It is imperative that your Hosts file contains the addresses of Kerberos clients, or you have a DNS server. Client systems need to have the Kerberos Server in the Hosts file, or use a DNS Server.

You need to install the needed software for Kerberos on the client. In this case, if you are using the VirtualBox servers that we setup initially, use Server2 now. Perform the following command:

sudo yum install -y krb5-workstation pam_krb5.x86_64

You need to make the ‘/etc/krb5.conf’ file the same on Server2 as it is on Server1. The two files should be identical.

From Server2, we can issue the commands:

su -(switch to root user)
kadmin(prompts root password)
listprincs(shows server1)
addprinc -randkey hostserver2.linux.org
listprincs(shows server2)
ktadd host/server2.linux.org(creates keys)
quit


Server2 should now have a key in the Kerberos Database.

We now need to set SSH to use Kerberos as we did for Server1. Open the file ‘/etc/ssh/ssh_config’ in an editor and modify the following two lines:

# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no


Change the lines to:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Save the file and perform the following two commands:

sudo systemctl reload sshd
sudo authconfig --enablekrb5 –update


Instead of the last line, you can make the changes from a GUI with the command:

authconfig-tui

Tab to ‘Use Kerberos’ in the second column. Press the space bar to check the item. Tab to ‘Next’ and press Enter. Tab through the next two screens to ‘Next’ and press Enter until you exit the GUI. Perform a ‘sudo systemctl reload sshd’ again.

You can now perform the same steps as before to receive a token:

klist(no token)
kinit(enter password)
klist(shows a token)


If you SSH to server1 with the command ‘ssh [email protected]’ you should not be prompted for a password. The token should allow you into the server.

Conclusion

You have now installed and used Kerberos for authentication.

I hope you can see the ease of using Kerbero by not requiring passwords every time you log into a server.

The next article should cover performing these tasks with Ubuntu.
 

Members online


Latest posts

Top