Configuring Kerberos Network Application Servers

Network application servers are hosts that provide access using one or more of the following network applications: ftp, rcp, rlogin, rsh, ssh, and telnet. Only a few steps are required to enable the Kerberos version of these commands on a server.

How to Configure a Kerberos Network Application Server

This procedure uses the following configuration parameters:

• Application server = boston

• admin principal = kws/admin

• DNS domain name = example.com

• Realm name = EXAMPLE.COM

Before You Begin

This procedure requires that the master KDC has been configured. To fully test the process, several Kerberos clients must be configured.

1. (Optional) Install the NTP client or another clock synchronization mechanism.

   See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.

2. Add principals for the new server and update the server's keytab.

   The following command reports the existence of the host principal:

   boston # klist -k |grep host 4 host/boston.example.com@EXAMPLE.COM 4 host/boston.example.com@EXAMPLE.COM 4 host/boston.example.com@EXAMPLE.COM 4 host/boston.example.com@EXAMPLE.COM

   If the command does not return a principal, then create new principals using the following steps.

   How to use the Graphical Kerberos Administration Tool to add a principal is explained in How to Create a New Kerberos Principal. The example in the following steps shows how to add the required principals using the command line. You must log in with one of the admin principal names that you created when configuring the master KDC.

   boston # /usr/sbin/kadmin -p kws/admin Enter password: <Type kws/admin password> kadmin:

   1. Create the server's host principal.

      The host principal is used:

      • To authenticate traffic when using the remote commands, such as rsh and ssh.

      • By pam_krb5 to prevent KDC spoofing attacks by using the host principal to verify that a user's Kerberos credential was obtained from a trusted KDC.

      • To allow the root user to automatically acquire a Kerberos credential without requiring that a root principal exist. This can be useful when doing a manual NFS mount where the share requires a Kerberos credential.

      This principal is required if traffic using the remote application is to be authenticated using the Kerberos service. If the server has multiple hostnames associated with it, then create a principal for each hostname using the FQDN form of the hostname.

      kadmin: addprinc -randkey host/boston.example.com Principal "host/boston.example.com" created. kadmin:

   2. Add the server's host principal to the server's keytab.

      If the kadmin command is not running, restart it with a command similar to the following: /usr/sbin/kadmin -p kws/admin

      If the server has multiple hostnames associated with it, then add a principal to the keytab for each hostname.

      kadmin: ktadd host/boston.example.com Entry for principal host/boston.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/boston.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/boston.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/boston.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/boston.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab. kadmin:

   3. Quit kadmin.

      kadmin: quit