23.6.2 Configuring a Kerberos Client

Setting up a Kerberos client on a system allows it to use Kerberos to authenticate users who are defined in NIS or LDAP, and to provide secure remote access by using commands such as ssh with GSS-API enabled or the Kerberos implementation of telnet.

To set up a system as a Kerberos client:

  1. Configure the client system to use DNS, and verify that both forward and reverse name lookups of the domain name and IP address work for both the client and the Kerberos server.

    For more information about configuring DNS, see Chapter 13, Name Service Configuration.

  2. Configure the system to use a network time synchronization protocol such as the Network Time Protocol (NTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible. If the system times of the server and a client differ by more than 300 seconds (by default), authentication fails.

    To configure the client system as an NTP client:

    1. Install the ntp package:

      # yum install ntp

    2. Edit /etc/ntp.conf and configure the settings as required. See the ntp.conf(5) manual page and http://www.ntp.org.

    3. Start the ntpd service and configure it to start following system reboots.

      # service ntpd start
      # chkconfig ntpd on

  3. Install the krb5-libs and krb5-workstation packages:

    # yum install krb5-libs krb5-workstation

  4. Copy the /etc/krb5.conf file to the system from the Kerberos server.

  5. Use the Authentication Configuration GUI or authconfig to set up the system to use Kerberos with either NIS or LDAP, for example:

    # authconfig --enablenis --enablekrb5 --krb5realm=MYDOM.COM \
      --krb5adminserver=krbsvr.mydom.com --krb5kdc=krbsvr.mydom.com \
      --update

    See Section 23.6.3, “Enabling Kerberos Authentication”.

  6. On the Kerberos KDC, use either kadmin or kadmin.local to add a host principal for the client, for example:

    # kadmin.local -q "addprinc -randkey host/client.mydom.com"

  7. On the client system, use kadmin to cache the key for its host principal in /etc/kadm5.keytab, for example:

    # kadmin -q "ktadd -k /etc/kadm5.keytab host/client.mydom.com"

  8. To use ssh and related OpenSSH commands to connect from one Kerberos client system to another Kerberos client system:

    1. On the remote Kerberos client system, verify that GSSAPIAuthentication is enabled in /etc/ssh/sshd_config:

      GSSAPIAuthentication yes

    2. On the local Kerberos client system, enable GSSAPIAuthentication and GSSAPIDelegateCredentials in the user's .ssh/config file:

      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

      Alternatively, the user can specify the -K option to ssh.

    3. Test that the principal can obtain a ticket and connect to the remote system, for example:

      $ kinit principal_name@MYDOM.COM
      $ ssh username@remote.mydom.com

    To allow use of the Kerberos versions of rlogin, rsh, and telnet, which are provided in the krb5-appl-clients package, you must enable the corresponding services on the remote client.

For more information, see the kadmin(1) manual page.
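The following preflight script is an added example (not a script from the Oracle documentation) that checks three of the conditions the procedure above depends on: clock skew against the 300-second default, the effective GSSAPIAuthentication setting in sshd_config, and the presence of the host principal in the keytab. The sample files and timestamps it uses are constructed so that it runs offline.

```shell
#!/bin/bash
# Preflight checks for the Kerberos client setup. Added example, not Oracle's
# own code; the sample inputs below are constructed. On a live client,
# substitute "$(date +%s)" and the KDC's time, /etc/ssh/sshd_config, and the
# output of "klist -k /etc/kadm5.keytab".
set -u

MAX_SKEW=300   # default clock-skew tolerance in seconds (see step 2)

# check_clock_skew KDC_EPOCH CLIENT_EPOCH -> 0 if |difference| <= MAX_SKEW
check_clock_skew() {
    local diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# sshd_gssapi_enabled SSHD_CONFIG -> 0 if GSSAPIAuthentication is effectively
# "yes". sshd uses the FIRST uncommented occurrence of a keyword, so a later
# "yes" does not override an earlier "no" (Match blocks are not handled here).
sshd_gssapi_enabled() {
    local val
    val=$(awk '$1 !~ /^#/ &&
               tolower($1) == "gssapiauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> 0 if the "klist -k" listing
# contains the principal (data rows start with a numeric KVNO; headers skipped).
keytab_has_principal() {
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit !found }' "$1"
}

# --- constructed sample inputs ---------------------------------------------
SSHD_OK=$(mktemp); SSHD_BAD=$(mktemp); KLIST_OUT=$(mktemp)
trap 'rm -f "$SSHD_OK" "$SSHD_BAD" "$KLIST_OUT"' EXIT
printf '# GSSAPIAuthentication no\nGSSAPIAuthentication yes\n' > "$SSHD_OK"
printf 'GSSAPIAuthentication no\nGSSAPIAuthentication yes\n'   > "$SSHD_BAD"
cat > "$KLIST_OUT" <<'EOF'
Keytab name: FILE:/etc/kadm5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/client.mydom.com@MYDOM.COM
EOF
check_clock_skew 1700000000 1700000120 && echo "clock skew within ${MAX_SKEW}s"
sshd_gssapi_enabled "$SSHD_OK"  && echo "sshd_config: GSSAPIAuthentication yes"
sshd_gssapi_enabled "$SSHD_BAD" || echo "sshd_config: first match is 'no'"
keytab_has_principal "$KLIST_OUT" host/client.mydom.com@MYDOM.COM && echo "keytab OK"
```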