    How to Setup Kerberos Server and Client on Ubuntu 18.04 LTS

    Kerberos is a network authentication protocol that uses symmetric key cryptography and requires authorization from a trusted third party to authenticate client-server applications. It was originally developed by the Massachusetts Institute of Technology (MIT) to protect the network services provided by the Athena project.

    In the modern world, Kerberos is often used as a third-party authentication service. This means that all clients trust Kerberos’ judgment about another client’s identity.

    In this tutorial, we will show you how to set up Kerberos authentication between two Ubuntu 18.04 servers. We will install and configure the Kerberos server on the Ubuntu server and then install the Kerberos client on the other. Finally, we will test the authentication of the SSH service with the Kerberos server.

    Prerequisites

    • Ubuntu server 18.04
      • 10.10.10.15     krb5.ahmad.io   krb5
      • 10.10.10.16     client1.ahmad.io    client1
    • Root privileges

    What we will do:

    1. Setup FQDN File
    2. Install KDC Kerberos Server
    3. Configure KDC Kerberos Server
    4. Install and Configure Kerberos Client
    5. Testing

    Step 1 – Setup FQDN

    First of all, we must configure the FQDN on the Kerberos server and then edit the ‘/etc/hosts’ file of the server.

     

    Change the FQDN of the Kerberos server using the following command.

    hostnamectl set-hostname krb5.ahmad.io

    After that, edit the ‘/etc/hosts’ file using the vim editor.

    vim /etc/hosts

    Paste the following line into it, replacing the IP address and FQDN with your own.

    10.10.10.15     krb5.ahmad.io   krb5

    Save and close.

    Now test using the ‘ping’ command below and make sure the FQDN is resolved to the right IP address.

    ping -c 3 $(hostname -f)

    Step 2 – Install KDC Kerberos Server

    Now we’re going to install the Kerberos server on the ‘krb5’ server, which has the IP address ‘10.10.10.15’ and the FQDN ‘krb5.ahmad.io’.

    Install the Kerberos server packages using the following apt command.

    sudo apt install krb5-kdc krb5-admin-server krb5-config -y

    During the installation, you will be asked about the Kerberos Realm, the Kerberos server of the Realm, and the Admin server.

    By default, Kerberos uses the Kerberos server domain name as the REALM, ‘AHMAD.IO’.

    The Kerberos server is ‘krb5.ahmad.io’.

    The Admin server is the same as the Kerberos server, ‘krb5.ahmad.io’.

    Once the installation is finished, you will see that the Kerberos service failed to start. That is fine, because we will configure it in the next step.

    Step 3 – Configure KDC Kerberos Server

    Now create the realm and set a strong master password for the Kerberos REALM using the following command.

    sudo krb5_newrealm

    Type your strong password; the REALM master key will be stored in the ‘/etc/krb5kdc/stash’ file.

    After that, we need to create the admin user (admin principal) for the KDC Kerberos server, add the Kerberos server hostname to the database, and then create the keytab for the Kerberos server.

    Start the ‘kadmin.local’ command-line interface for Kerberos administration using the command below.

    sudo kadmin.local

    Create a new admin user principal called ‘root’.

    addprinc root/admin

    Type the strong password for the ‘root’ admin principal.

    Add the KDC Kerberos server to the database and create the keytab file for the KDC host.

    addprinc -randkey host/krb5.ahmad.io
    ktadd host/krb5.ahmad.io

    Then close the ‘kadmin.local’ utility.

    quit

    Next, we need to add the ‘root’ admin principal to the access control list by editing the ‘/etc/krb5kdc/kadm5.acl’ file.

    vim /etc/krb5kdc/kadm5.acl

    Add the following configuration.

    root/admin * 

    Save and close the configuration, then restart the Kerberos service.

    sudo systemctl restart krb5-admin-server.service

    And the configuration of KDC Kerberos server has been completed.
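
    The ‘*’ in the ACL line above grants ‘root/admin’ every kadmin privilege. The following added example (not part of the original tutorial) lists every entry of a kadm5.acl file that does so. The sample ACL is constructed, and every principal in it except ‘root/admin’ is hypothetical.

```shell
# Added example: list kadm5.acl entries that grant every kadmin privilege.
# Reads ACL text on stdin, prints "principal<TAB>permissions" per hit.
# In MIT krb5, "*" and "x" are shorthand for the full set "admcilsp".
# Uppercase (deny) letters are not evaluated; hits are for manual review.
full_admin_entries() {
    awk '
        function grants_all(p,    i, need) {
            if (p ~ /[*x]/) return 1
            need = "admcilsp"
            for (i = 1; i <= length(need); i++)
                if (index(p, substr(need, i, 1)) == 0) return 0
            return 1
        }
        /^[ \t]*#/ || NF < 2 { next }     # comments, blank or short lines
        grants_all($2) { print $1 "\t" $2 }
    '
}

# Constructed sample ACL. Only the first entry is the tutorial's own line;
# the other principals are hypothetical.
sample_acl() {
    printf '%s\n' \
        '# principal        permissions  [target]' \
        'root/admin         *' \
        'helpdesk/admin     cil' \
        'ops/admin          admcilsp' \
        '*/admin            x'
}

# Demo: prints the three entries with full privileges; helpdesk/admin
# (change password, inquire, list only) is not reported.
sample_acl | full_admin_entries
```

    On the KDC, feed it the real file: full_admin_entries < /etc/krb5kdc/kadm5.acl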

    Step 4 – Install and Configure Kerberos Client

    In this step, we’re going to install the Kerberos client on the Ubuntu server with the IP address ‘10.10.10.16’ and the hostname ‘client1’.

    – Configure FQDN

    Configure the FQDN on the client machine using the following command.

    hostnamectl set-hostname client1.ahmad.io

    After that, edit the ‘/etc/hosts’ file using the vim editor.

    vim /etc/hosts

    Paste the entries for both the KDC Kerberos server and the client, as below.

    10.10.10.15     krb5.ahmad.io   krb5
    10.10.10.16     client1.ahmad.io    client1

    Save and close.

    – Install Kerberos Client

    Install Kerberos client packages by running the following apt command.

    sudo apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config

    During the installation, you will be asked about the Kerberos Realm, the Kerberos server of the Realm, and the Admin server.

    By default, Kerberos uses the Kerberos server domain name as the REALM, ‘AHMAD.IO’.

    The Kerberos server is ‘krb5.ahmad.io’.

    The Admin server is the same as the Kerberos server, ‘krb5.ahmad.io’.

    And the installation for Kerberos client is finished.

    – Configure Kerberos Client

    From the client machine, connect to the KDC Kerberos server using the ‘kadmin’ command.

    kadmin

    You will be asked for the password of the ‘root/admin’ principal. Type the password and you will be logged in to the KDC Kerberos administration system.

    Now add the client FQDN ‘client1.ahmad.io’ to the Kerberos database and add the keytab file for the client.

    addprinc -randkey host/client1.ahmad.io
    ktadd host/client1.ahmad.io

    Then close the kadmin Kerberos Administration interface.

    quit

    And the configuration of Kerberos client is completed.

    Step 5 – Testing

    For testing purposes, we’re going to configure SSH authentication using Kerberos. The client machine ‘client1.ahmad.io’ will connect to the server ‘krb5.ahmad.io’ through SSH with Kerberos authentication.

    – Setup ‘krb5.ahmad.io’ Server

    Create a new system user called ‘ammar’.

    useradd -m -s /bin/bash ammar

    Log in to the KDC Kerberos administration interface and add a new user principal called ‘ammar’.

    kadmin.local
    addprinc ammar

    Close the Kerberos Administration interface and edit the ssh configuration ‘/etc/ssh/sshd_config’.

    vim /etc/ssh/sshd_config

    Uncomment the ‘GSSAPIAuthentication’ option and enable it by changing the value to ‘yes’.

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

    Save and close the configuration, then restart the ssh service.

    systemctl restart sshd
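
    The edit above only takes effect if sshd actually applies the new value: sshd keeps the first value it reads for a keyword, and lines under a ‘Match’ block apply conditionally. The following added example (not part of the original tutorial) evaluates this for sshd_config text. The sample configurations and function names are constructed for illustration.

```shell
# Added example: print the value sshd would apply for a global keyword.
# Reads sshd_config text on stdin. Rules modelled: keywords are
# case-insensitive, the first value read wins, "key=value" is accepted,
# and lines after the first "Match" are conditional, not global.
effective_sshd_option() {   # usage: effective_sshd_option KEYWORD DEFAULT
    awk -v want="$1" -v val="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }                # drop leading indentation
        /^#/ || /^$/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)   # normalise "key=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit          # global section ends here
            if (key == want && n >= 2) { val = f[2]; exit }
        }
        END { print val }
    '
}

# Constructed sample: the tutorial's lines were appended, but an earlier
# active "no" is still in the file, so GSSAPI stays off.
config_shadowed() {
    printf '%s\n' 'PermitRootLogin prohibit-password' \
        'GSSAPIAuthentication no' \
        'GSSAPIAuthentication yes' 'GSSAPICleanupCredentials yes'
}

# Constructed sample: the keyword is still commented out globally and is
# only set inside a Match block.
config_match_only() {
    printf '%s\n' '#GSSAPIAuthentication no' \
        'Match Address 10.10.10.16' '    GSSAPIAuthentication yes'
}

# Constructed sample: the commented line was edited in place, as in the tutorial.
config_edited() {
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPICleanupCredentials yes'
}

# Demo: the second argument is the default used when the keyword is unset.
for cfg in config_shadowed config_match_only config_edited; do
    printf '%-18s GSSAPIAuthentication=%s\n' "$cfg" \
        "$("$cfg" | effective_sshd_option GSSAPIAuthentication no)"
done
```

    On the live server, ‘sshd -T’ run as root prints the effective configuration that sshd itself computes.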

    – Setup ‘client1.ahmad.io’ Machine

    Add a new system user ‘ammar’ on the client machine and log in as that user.

    useradd -m -s /bin/bash ammar
    su - ammar

    After that, initialize the Kerberos user principal ‘ammar’.

    kinit ammar

    Type the password of the user, and after that check the available tickets using the following command.

    klist

    You will be shown the tickets currently held by the ‘ammar’ principal.

    Now you can connect to the ‘krb5.ahmad.io’ server using SSH Kerberos authentication.

    ssh krb5.ahmad.io

    And you will be connected to the ‘krb5.ahmad.io’ server through SSH with Kerberos authentication.

    The SSH log on the server records the login.

    Finally, the installation and configuration of Kerberos server and client on Ubuntu 18.04 has been completed successfully.
