22.6 About Kerberos Authentication

22.6.1 Configuring a Kerberos Server
22.6.2 Configuring a Kerberos Client
22.6.3 Enabling Kerberos Authentication

Both LDAP and NIS authentication optionally support Kerberos authentication. In the case of IPA, Kerberos is fully integrated. Kerberos provides a secure connection over standard ports, and it also allows offline logins if you enable credential caching in SSSD.

Figure 22.5 illustrates how a Kerberos Key Distribution Center (KDC) authenticates a principal, which can be a user or a host, and grants a Ticket Granting Ticket (TGT) that the principal can use to gain access to a service.

Figure 22.5 Kerberos Authentication

The steps in the process are:

  1. A principal name and key are specified to the client.

  2. The client sends the principal name and a request for a TGT to the KDC.

    The KDC generates a session key and a TGT that contains a copy of the session key, and uses the Ticket Granting Service (TGS) key to encrypt the TGT. It then uses the principal's key to encrypt both the already encrypted TGT and another copy of the session key.

  3. The KDC sends the encrypted combination of the session key and the encrypted TGT to the client.

    The client uses the principal's key to extract the session key and the encrypted TGT.

  4. When the client wants to use a service, usually to obtain access to a local or remote host system, it uses the session key to encrypt a copy of the encrypted TGT, the client’s IP address, a time stamp, and a service ticket request, and it sends this item to the KDC.

    The KDC uses its copies of the session key and the TGS key to extract the TGT, IP address, and time stamp, which allow it to validate the client. Provided that both the client and its service request are valid, the KDC generates a service session key and a service ticket that contains the client’s IP address, a time stamp, and a copy of the service session key, and it uses the service key to encrypt the service ticket. It then uses the session key to encrypt both the service ticket and another copy of the service session key.

    The service key is usually the host principal's key for the system on which the service provider runs.

  5. The KDC sends the encrypted combination of the service session key and the encrypted service ticket to the client.

    The client uses its copy of the session key to extract the encrypted service ticket and the service session key.

  6. The client sends the encrypted service ticket to the service provider together with the principal name and a time stamp encrypted with the service session key.

    The service provider uses the service key to extract the data in the service ticket, including the service session key.

  7. The service provider enables the service for the client, which is usually to grant access to its host system.

    If the client and service provider are hosted on different systems, they can each use their own copy of the service session key to secure network communication for the service session.
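The seven steps above as a runnable walk-through (an added example, not from the guide). The cipher is a constructed XOR keystream for illustration only, and the KDC, client and service are plain Python functions with constructed names and addresses. Where the text's simplification differs from the wire protocol, the code follows RFC 4120: the TGT travels in the clear beside an authenticator sealed with the session key, and the KDC rejects authenticators outside the 300-second skew window mentioned in the server setup steps.

```python
import hashlib, json, os, time

SKEW = 300  # default clock-skew tolerance in seconds, as stated in the text

def _ks(key, n):  # toy keystream sha256(key || counter); NOT real encryption
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def enc(key, obj):  # seal a dict under key -> hex blob
    d = json.dumps(obj).encode()
    return bytes(a ^ b for a, b in zip(d, _ks(key, len(d)))).hex()

def dec(key, blob):  # wrong key -> garbage -> ValueError, i.e. the ticket is rejected
    d = bytes.fromhex(blob)
    return json.loads(bytes(a ^ b for a, b in zip(d, _ks(key, len(d)))))

class KDC:
    def __init__(self):
        self.db = {}               # principal name -> long-term key (the KDC database)
        self.tgs_key = os.urandom(16)
    def as_exchange(self, cname):  # steps 2-3: TGT under the TGS key, reply under the user's key
        sk = os.urandom(16).hex()
        tgt = enc(self.tgs_key, {"cname": cname, "session": sk})
        return enc(self.db[cname], {"session": sk, "tgt": tgt})
    def tgs_exchange(self, tgt, authenticator, sname):  # steps 4-5
        t = dec(self.tgs_key, tgt)                        # only the KDC can open the TGT
        a = dec(bytes.fromhex(t["session"]), authenticator)
        if abs(time.time() - a["ts"]) > SKEW:
            raise PermissionError("clock skew greater than %d s" % SKEW)
        ssk = os.urandom(16).hex()
        ticket = enc(self.db[sname], {"cname": t["cname"], "addr": a["addr"], "session": ssk})
        return enc(bytes.fromhex(t["session"]), {"session": ssk, "ticket": ticket})

def client_login(kdc, cname, key, sname, addr="192.0.2.10", now=None):
    """AS then TGS exchange; returns (service ticket, authenticator) for step 6."""
    rep = dec(key, kdc.as_exchange(cname))               # step 3 needs the user's key
    sk = bytes.fromhex(rep["session"])
    auth = enc(sk, {"ts": now or time.time(), "addr": addr})  # step 4 authenticator
    rep2 = dec(sk, kdc.tgs_exchange(rep["tgt"], auth, sname))
    ssk = bytes.fromhex(rep2["session"])
    return rep2["ticket"], enc(ssk, {"cname": cname, "ts": time.time()})

def service_accept(host_key, ticket, authenticator):  # steps 6-7 on the service host
    t = dec(host_key, ticket)                          # host keytab key opens the ticket
    a = dec(bytes.fromhex(t["session"]), authenticator)
    return a["cname"] == t["cname"] and abs(time.time() - a["ts"]) <= SKEW
```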

Note the following points about the authentication handshake:

22.6.1 Configuring a Kerberos Server

If you want to configure any client systems to use Kerberos authentication, it is recommended that you first configure a Kerberos server. You can then configure any clients that you require.

Note

Keep any system that you configure as a Kerberos server very secure, and do not configure it to perform any other service function.

To configure a Kerberos server that can act as a key distribution center (KDC) and a Kerberos administration server:

  1. Configure the server to use DNS and verify that both direct and reverse name lookups of the server's domain name and IP address work.

    For more information about configuring DNS, see Chapter 13, Name Service Configuration.

  2. Configure the server to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or Precision Time Protocol (PTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible. If the system times of the server and a client differ by more than 300 seconds (by default), authentication fails.

    For more information, see Chapter 14, Network Time Configuration.

  3. Install the krb5-libs, krb5-server, and krb5-workstation packages:

    # yum install krb5-libs krb5-server krb5-workstation
  4. Edit /etc/krb5.conf and configure settings for the Kerberos realm, for example:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = MYDOM.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     MYDOM.COM = {
      kdc = krbsvr.mydom.com
      admin_server = krbsvr.mydom.com
     }
    
    [domain_realm]
     .mydom.com = MYDOM.COM
     mydom.com = MYDOM.COM
    
    [appdefaults]
     pam = {
       debug = true
       validate = false
     }

    In this example, the Kerberos realm is MYDOM.COM in the DNS domain mydom.com and krbsvr.mydom.com (the local system) acts as both a KDC and an administration server. The [appdefaults] section configures options for the pam_krb5.so module.

    For more information, see the krb5.conf(5) and pam_krb5(5) manual pages.

  5. Edit /var/kerberos/krb5kdc/kdc.conf and configure settings for the key distribution center, for example:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
    
    [realms]
     MYDOM.COM = {
      #master_key_type = aes256-cts
      master_key_type = des-hmac-sha1
      default_principal_flags = +preauth
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /etc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \
      arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

    For more information, see the kdc.conf(5) manual page.

  6. Create the Kerberos database and store the database password in a stash file:

    # /usr/sbin/kdb5_util create -s
  7. Edit /var/kerberos/krb5kdc/kadm5.acl and define the principals who have administrative access to the Kerberos database, for example:

    */admin@MYDOM.COM     *

    In this example, any principal who has an instance of admin, such as alice/admin@MYDOM.COM, has full administrative control of the Kerberos database for the MYDOM.COM domain. Ordinary users in the database usually have an empty instance, for example bob@MYDOM.COM. These users have no administrative control other than being able to change their password, which is stored in the database.

  8. Create a principal for each user who should have the admin instance, for example:

    # kadmin.local -q "addprinc alice/admin"
  9. Cache the keys that kadmind uses to decrypt administration Kerberos tickets in /etc/kadm5.keytab:

    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/admin"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/changepw"
  10. Start the KDC and administration services and configure them to start following system reboots:

    # service krb5kdc start
    # service kadmin start
    # chkconfig krb5kdc on
    # chkconfig kadmin on 
  11. Add principals for users and the Kerberos server and cache the key for the server's host principal in /etc/kadm5.keytab by using either kadmin.local or kadmin, for example:

    # kadmin.local -q "addprinc bob"
    # kadmin.local -q "addprinc -randkey host/krbsvr.mydom.com"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab host/krbsvr.mydom.com"
  12. Allow incoming TCP connections to ports 88, 464, and 749 and UDP datagrams on ports 88, 464, and 749:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 749 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 749 -j ACCEPT
    # service iptables save

    where subnet_addr/prefix_length specifies the network address, for example 192.168.1.0/24.

    krb5kdc services requests on TCP port 88 and UDP port 88, and kadmind services requests on TCP ports 464 and 749 and UDP ports 464 and 749.

    In addition, you might need to allow TCP and UDP access on different ports for other applications.

For more information, see the kadmin(1) manual page.
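A small checker for the two profiles configured in steps 4 and 5, written for this section (not Oracle's or MIT krb5's code). It parses the profile syntax shared by krb5.conf and kdc.conf and flags the weak choices the example listings make: a DES master key, DES, 3DES and RC4 entries in supported_enctypes, a realm without +preauth, and pam validate = false, which leaves the TGT unverified against the host keytab. The KDC_CONF string is constructed to mirror the step 5 listing, including its backslash line wrap.

```python
import re

WEAK = re.compile(r"^(des-|des3-|arcfour|rc4)")  # DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated

def parse_profile(text):
    """Parse [section] headers, key = value lines, key = { ... } blocks and # comments.
    Backslash-wrapped lines, as in the guide's kdc.conf listing, are joined first."""
    text = re.sub(r"\\\n\s*", " ", text)
    root, stack = {}, [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return root

def audit_kdc_conf(text):
    """Per realm: deprecated master/supported enctypes and a missing +preauth flag."""
    out = []
    for realm, cfg in parse_profile(text).get("realms", {}).items():
        if WEAK.match(cfg.get("master_key_type", "")):
            out.append(f"{realm}: master_key_type {cfg['master_key_type']} is deprecated")
        out += [f"{realm}: supported_enctypes offers {e}"
                for e in cfg.get("supported_enctypes", "").split() if WEAK.match(e)]
        if "+preauth" not in cfg.get("default_principal_flags", ""):
            out.append(f"{realm}: default_principal_flags lacks +preauth")
    return out

def audit_krb5_conf(text):
    # pam_krb5 only verifies a TGT against the host keytab when validate = true
    pam = parse_profile(text).get("appdefaults", {}).get("pam", {})
    return [] if pam.get("validate", "false").lower() == "true" else [
        "appdefaults/pam: validate is not true, so TGTs are not checked against the host keytab"]

# Constructed sample mirroring the guide's kdc.conf listing (not a real file)
KDC_CONF = """[realms]
 MYDOM.COM = {
  #master_key_type = aes256-cts
  master_key_type = des-hmac-sha1
  default_principal_flags = +preauth
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \\
  arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
```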

22.6.2 Configuring a Kerberos Client

Setting up a Kerberos client on a system allows it to use Kerberos to authenticate users who are defined in NIS or LDAP, and to provide secure remote access by using commands such as ssh with GSS-API enabled or the Kerberos implementation of telnet.

To set up a system as a Kerberos client:

  1. Configure the client system to use DNS and verify that both direct and reverse name lookups of the domain name and IP address for both the client and the Kerberos server work.

    For more information about configuring DNS, see Chapter 13, Name Service Configuration.

  2. Configure the system to use a network time synchronization protocol such as the Network Time Protocol (NTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible. If the system times of the server and a client differ by more than 300 seconds (by default), authentication fails.

    To configure the client system as an NTP client:

    1. Install the ntp package:

      # yum install ntp
    2. Edit /etc/ntp.conf and configure the settings as required. See the ntp.conf(5) manual page and http://www.ntp.org.

    3. Start the ntpd service and configure it to start following system reboots.

      # service ntpd start
      # chkconfig ntpd on
  3. Install the krb5-libs and krb5-workstation packages:

    # yum install krb5-libs krb5-workstation
  4. Copy the /etc/krb5.conf file to the system from the Kerberos server.

  5. Use the Authentication Configuration GUI or authconfig to set up the system to use Kerberos with either NIS or LDAP, for example:

    # authconfig --enablenis --enablekrb5 --krb5realm=MYDOM.COM \
      --krb5adminserver=krbsvr.mydom.com --krb5kdc=krbsvr.mydom.com \
      --update

    See Section 22.6.3, “Enabling Kerberos Authentication”.

  6. On the Kerberos KDC, use either kadmin or kadmin.local to add a host principal for the client, for example:

    # kadmin.local -q "addprinc -randkey host/client.mydom.com"
  7. On the client system, use kadmin to cache the key for its host principal in /etc/kadm5.keytab, for example:

    # kadmin -q "ktadd -k /etc/kadm5.keytab host/client.mydom.com"
  8. To use ssh and related OpenSSH commands to connect from one Kerberos client system to another Kerberos client system:

    1. On the remote Kerberos client system, verify that GSSAPIAuthentication is enabled in /etc/ssh/sshd_config:

      GSSAPIAuthentication yes
    2. On the local Kerberos client system, enable GSSAPIAuthentication and GSSAPIDelegateCredentials in the user's .ssh/config file:

      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

      Alternatively, the user can specify the -K option to ssh.

    3. Test that the principal can obtain a ticket and connect to the remote system, for example:

      $ kinit principal_name@MYDOM.COM
      $ ssh username@remote.mydom.com

    To allow use of the Kerberos versions of rlogin, rsh, and telnet, which are provided in the krb5-appl-clients package, you must enable the corresponding services on the remote client.

For more information, see the kadmin(1) manual page.

22.6.3 Enabling Kerberos Authentication

To be able to use Kerberos authentication with an LDAP or NIS client, use yum to install the krb5-libs and krb5-workstation packages.

If you use the Authentication Configuration GUI (system-config-authentication) and select LDAP or NIS as the user account database, select Kerberos password as the authentication method and enter values for:

Realm

The name of the Kerberos realm.

KDCs

A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos ticket granting tickets and service tickets.

Admin Servers

A comma-separated list of Kerberos administration servers.

Alternatively, you can use DNS to configure these settings:

  • Select the Use DNS to resolve hosts to realms check box to look up the name of the realm defined as a TXT record in DNS, for example:

    _kerberos.mydom.com    IN TXT "MYDOM.COM"
  • Select the Use DNS to locate KDCs for realms check box to look up the KDCs and administration servers defined as SRV records in DNS, for example:

    _kerberos._tcp.mydom.com      IN SRV 1  0 88  krbsvr.mydom.com
    _kerberos._udp.mydom.com      IN SRV 1  0 88  krbsvr.mydom.com
    _kpasswd._udp.mydom.com       IN SRV 1  0 464 krbsvr.mydom.com
    _kerberos-adm._tcp.mydom.com  IN SRV 1  0 749 krbsvr.mydom.com

Figure 22.6 shows the Authentication Configuration GUI with LDAP selected as the user account database and Kerberos selected for authentication.

Figure 22.6 Authentication Configuration of LDAP with Kerberos Authentication

Alternatively, you can use the authconfig command to configure Kerberos authentication with LDAP, for example:

# authconfig --enableldap \
  --ldapbasedn="dc=mydom,dc=com" --ldapserver=ldap://ldap.mydom.com:389 \
  [--enableldaptls --ldaploadcacert=https://ca-server.mydom.com/CAcert.pem] \
  --enablekrb5  \
  --krb5realm=MYDOM.COM | --enablekrb5realmdns \
  --krb5kdc=krbsvr.mydom.com --krb5adminserver=krbsvr.mydom.com | --enablekrb5kdcdns \
  --update

or with NIS:

# authconfig --enablenis \
  --enablekrb5 \
  --krb5realm=MYDOM.COM | --enablekrb5realmdns \
  --krb5kdc=krbsvr.mydom.com --krb5adminserver=krbsvr.mydom.com | --enablekrb5kdcdns \
  --update

The --enablekrb5 option enables Kerberos authentication by modifying the PAM configuration files in /etc/pam.d to use the pam_krb5.so module. The --enableldap and --enablenis options configure /etc/nsswitch.conf to enable the system to use LDAP or NIS for information services.

For more information, see the authconfig(8), nsswitch.conf(5), and pam_krb5(5) manual pages.