Kerberos Server

Server Installation

DNS autodiscovery

http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php

_kerberos._udp.DEV.RU.IS.         IN  SRV  10  0   88  gryla.dev.ru.is.
_kerberos._udp.DEV.RU.IS.         IN  SRV  20  0   88  stekkjarstaur.dev.ru.is.
_kerberos-master._udp.DEV.RU.IS.  IN  SRV   0  0   88  gryla.dev.ru.is.
_kerberos-adm._tcp.DEV.RU.IS.     IN  SRV   0  0  749  stekkjarstaur.dev.ru.is.
_kpasswd._udp.DEV.RU.IS.          IN  SRV   0  0  464  gryla.dev.ru.is.

Don't forget to set autodiscovery up for AFS_Server also!
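As an added check (example code written for this page, not from the linked guide), the following Python parses the SRV records above, reports the order in which a client with dns_lookup_kdc enabled would try them, and lists the consistency problems a defender would look for. The expected ports and the rule that kadmind and kpasswd are served by the master KDC are assumptions taken from MIT's documentation.

```python
import re

# The records from this page, embedded as constructed zone-file input.
ZONE = """\
_kerberos._udp.DEV.RU.IS.         IN  SRV  10  0   88  gryla.dev.ru.is.
_kerberos._udp.DEV.RU.IS.         IN  SRV  20  0   88  stekkjarstaur.dev.ru.is.
_kerberos-master._udp.DEV.RU.IS.  IN  SRV   0  0   88  gryla.dev.ru.is.
_kerberos-adm._tcp.DEV.RU.IS.     IN  SRV   0  0  749  stekkjarstaur.dev.ru.is.
_kpasswd._udp.DEV.RU.IS.          IN  SRV   0  0  464  gryla.dev.ru.is.
"""
# Service labels MIT clients look up under the realm name, with the IANA port.
EXPECTED_PORT = {"_kerberos._udp": 88, "_kerberos-master._udp": 88,
                 "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464}
MASTER_ONLY = ("_kerberos-adm._tcp", "_kpasswd._udp")  # kadmind runs on the master
SRV_RE = re.compile(r"^(_[\w-]+\._(?:udp|tcp))\.(\S+?)\.?\s+IN\s+SRV\s+"
                    r"(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_zone(text):
    """{REALM: {service: [(priority, weight, port, target), ...]}}"""
    records = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            svc, realm, prio, weight, port, target = m.groups()
            records.setdefault(realm.upper(), {}).setdefault(svc, []).append(
                (int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def hosts_for(records, realm, service):
    """Targets in the order a client tries them (lowest priority first); RFC 2782
    breaks ties by weighted random choice, but every weight here is 0."""
    recs = sorted(records.get(realm.upper(), {}).get(service, []), key=lambda r: r[0])
    return [target for _, _, _, target in recs]

def check_zone(records, realm):
    """Consistency findings for the realm's SRV set."""
    problems = []
    svcs = records.get(realm.upper(), {})
    master = set(hosts_for(records, realm, "_kerberos-master._udp"))
    for svc, port in EXPECTED_PORT.items():
        if svc not in svcs:
            problems.append(f"missing {svc}")
        for _, _, p, target in svcs.get(svc, []):
            if p != port:
                problems.append(f"{svc} -> {target} on port {p}, expected {port}")
            if svc in MASTER_ONLY and target not in master:
                problems.append(f"{svc} -> {target} is not the master KDC")
    return problems
```

Run against the records above it flags that _kerberos-adm._tcp points at a host other than the one named in _kerberos-master._udp, which is worth reconciling with the slave setup further down.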

Getting started

  1. Install the packages and set up the cache
    apt-get install krb5-kdc krb5-admin-server
    
    • Our realm is DEV.RU.IS
    • Kerberos server: kerberos.dev.ru.is
    • Kerberos authoritative server: kerberos.dev.ru.is
    • If you need to fix this later, run dpkg-reconfigure krb5-config
  2. Set up the realm, including keys
    krb5_newrealm
    • Temp master password: DrWhoNemesis
  3. Edit the /etc/krb5.conf
    1. Search for [domain_realm] and add these lines after it
      .dev.ru.is = DEV.RU.IS
      dev.ru.is = DEV.RU.IS
      
      [logging]
          kdc = FILE:/var/log/kerberos/krb5kdc.log
          admin_server = FILE:/var/log/kerberos/kadmin.log
          default = FILE:/var/log/kerberos/krb5lib.log
      
    2. Near the top, under [libdefaults]
          dns_lookup_realm = true
          dns_lookup_kdc = true
          # need this for AFS
          allow_weak_crypto = true
      
  4. Make the empty log files
    sudo mkdir /var/log/kerberos
    sudo touch /var/log/kerberos/{krb5kdc,kadmin,krb5lib}.log
    sudo chmod -R 750 /var/log/kerberos
    

Time

  1. Kerberos only works if the clocks on clients and servers differ by no more than a few minutes. Set up an NTP server, preferably a local one.
    sudo apt-get install ntp ntpdate

Administrative user and KDC config

  1. Create an administrative user through kadmin.local
    kadmin.local
    addprinc -policy admin administrator
    addprinc -policy admin root/admin
    quit
    
    • Our temp admin password is: MadameMing!
  2. Edit /etc/krb5kdc/kadm5.acl and add
    */admin *
    administrator *
    * il
    */root admc host/*
    
  3. Then restart the servers
    service krb5-admin-server restart
    service krb5-kdc restart
    
  4. Set some requirements for principals
    sudo kadmin.local
    Authenticating as principal root/admin@SPINLOCK.HR with password.
    
    kadmin.local:  add_policy -minlength 8 -minclasses 3 admin
    kadmin.local:  add_policy -minlength 16 -minclasses 4 host
    kadmin.local:  add_policy -minlength 8 -minclasses 4 service
    kadmin.local:  add_policy -minlength 8 -minclasses 2 user
    
    kadmin.local:  quit
    
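As an added example (written for this page, not part of kadmind), here is a small Python evaluator for the kadm5.acl above. It follows MIT's matching rules as I understand them: entries are tried in order, `*` matches one whole name component or the realm, component counts must agree, a bare name gets the default realm, and the first entry whose principal (and target, if it has one) matches decides. Back-references such as *1 and the restrictions field are not modelled, and an entry that names a target is treated as not applying to operations that have none (a simplification).

```python
# The kadm5.acl from this page, embedded as constructed input.
KADM5_ACL = """\
*/admin *
administrator *
* il
*/root admc host/*
"""
DEFAULT_REALM = "DEV.RU.IS"   # appended to ACL names written without @REALM

def split_princ(name, realm=DEFAULT_REALM):
    """'host/gryla.dev.ru.is@DEV.RU.IS' -> (['host', 'gryla.dev.ru.is'], 'DEV.RU.IS')"""
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    return name.split("/"), realm

def match_princ(pattern, princ):
    """'*' matches one whole component (or the realm); component counts must agree."""
    pcomps, prealm = split_princ(pattern)
    comps, realm = split_princ(princ)
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps))

def parse_acl(text):
    """[(principal_pattern, permissions, target_pattern or None), ...]"""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries

def permitted(entries, who, op, target=None):
    """op: a add, d delete, m modify, c changepw, i inquire, l list, s setkey,
    e extract, x or * = everything; an upper-case letter in an entry denies that op.
    The first entry whose principal (and target, when it has one) matches decides."""
    for princ, perms, tgt in entries:
        if not match_princ(princ, who):
            continue
        if tgt is not None and (target is None or not match_princ(tgt, target)):
            continue
        if op.upper() in perms:
            return False
        return "*" in perms or "x" in perms or op in perms
    return False
```

Note what the third line buys: every single-component principal in the realm can inquire and list, because "* il" matches before any later, narrower entry could.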

Configuration

  1. /etc/krb5kdc/krb5prop.sh is run every hour on kerberos.dev.ru.is; it propagates the full database to kerberos-1 and kerberos-2
  2. crontab entry for root
    23 * * * * /etc/krb5kdc/krb5prop.sh # sync from master

Server Keys

  • Make a principal and a keytab
    sudo kadmin -p root/admin
    [sudo] password for foley: 
    Authenticating as principal root/admin with password.
    Password for root/admin@DEV.RU.IS: 
    kadmin:  addprinc -policy service -randkey host/gryla.dev.ru.is
    Principal "host/gryla.dev.ru.is@DEV.RU.IS" created.
    kadmin:  ktadd -k /etc/krb5.keytab -norandkey host/gryla.dev.ru.is
    kadmin: Principal -norandkey does not exist.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    

Kerberos slave server

Install for the Kerberos master

  1. Set up the dump location
    mkdir -p /var/lib/krb5dc/
    /var/lib/krb5dc/from_master
  2. Now put the dump and sync script into /etc/krb5kdc/krb5prop.sh
    #!/bin/bash
    /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans
    /usr/sbin/kprop kerberos-1.dev.ru.is
    /usr/sbin/kprop kerberos-2.dev.ru.is
    
    chmod o+x krb5prop.sh
  3. Now set up the crontab
    sudo crontab -e
    30 * * * * /etc/krb5kdc/krb5prop.sh # sync from master

Install for slave

This example is for stekkjarstaur.dev.ru.is. Change the hostname as necessary.

  1. Install the servers and xinetd
    sudo apt-get install krb5-kdc xinetd
  2. Get the Kerberos principals set up
    addprinc -randkey host/stekkjarstaur.dev.ru.is
    ktadd host/stekkjarstaur.dev.ru.is
    Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    
  3. Log in to the slaves and make sure that kpropd is set up in xinetd
    sudo emacs /etc/xinetd.d/krb_prop
    1. Put this inside the file
      # default: on
      service krb_prop
      {
              disable         = no
              socket_type     = stream
              id              = krb_prop
              protocol        = tcp
              user            = root
              wait            = no
              server          = /usr/sbin/kpropd
      }
    2. Restart xinetd
      sudo service xinetd restart
    3. Note that this will not show up as an open port in nmap; I do not know why.
  4. Initialize an empty kerberos database
    kdb5_util create
    Loading random data
    Initializing database '/etc/krb5kdc/principal' for realm 'DEV.RU.IS',
    master key name 'K/M@DEV.RU.IS'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: 
    Re-enter KDC database master key to verify: 
    
    1. Make sure this password is the same as the main master password to avoid a possible problem
  5. Set up the ACL file
    vi /etc/krb5kdc/kpropd.acl
    1. Add the principals of the master server
      host/gryla.dev.ru.is@DEV.RU.IS

Kerberized Clients

Install

  1. Install the packages
    sudo apt-get install krb5-clients
  2. Install OpenBSD's inetd server and configure it
    sudo apt-get install openbsd-inetd
    sudo apt-get install krb5-rsh-server
    
    sudo update-rc.d -f openbsd-inetd remove
    sudo update-rc.d openbsd-inetd defaults
    
    sudo update-inetd --enable kshell
    sudo update-inetd --enable eklogin
    
    sudo invoke-rc.d openbsd-inetd restart
    
  3. Set up the keytab on the host
    sudo kadmin
    [sudo] password for foley: 
    Authenticating as principal foley/admin@DEV.RU.IS with password.
    Password for foley/admin@DEV.RU.IS: 
    kadmin:  addprinc -policy service -randkey host/stekkjarstaur.dev.ru.is
    Principal "host/stekkjarstaur.dev.ru.is@DEV.RU.IS" created.
    kadmin:  ktadd -k /etc/krb5.keytab -norandkey host/gryla.dev.ru.is
    kadmin: Principal -norandkey does not exist.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    
    
  4. Test with encryption (-x) and the new protocol (-PN)
    krb5-rsh -x -PN gryla.dev.ru.is /bin/bash
    1. You should now be able to run commands on the host!

Changing Max Ticket Lifetime

From http://serverfault.com/questions/132123/how-to-change-the-kerberos-default-ticket-lifetime

Do this on each of the kerberos servers: kerberos, kerberos-1, kerberos-2

  1. Become root
    ksu
  2. Edit /etc/krb5kdc/kdc.conf
  3. Change these values to the ones you want
    max_life = 168h 0m 0s
    max_renewable_life = 30d 0h 0m 0s
    
  4. Restart the kdc
    service krb5-kdc restart
  5. Fire up kadmin
    kadmin
    1. Change the max lifetime of the main tgt
      modprinc -maxlife 168hours krbtgt/DEV.RU.IS
    2. Change the max lifetime of the principal you want to be longer
      modprinc -maxlife 168hours host/syslab.hir.is
  6. Test the modification
    1. As a host
      kinit -k -l 168h
    2. or for a normal principal
      kinit -l 168h foley
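Why kdc.conf, the krbtgt principal and the client principal all have to change: the KDC grants the smallest of the requested lifetime and those three limits, so changing only one of them leaves the ticket clamped by the others. The Python below is an added illustration, not part of the page's procedure; the 10h starting values are constructed, and the duration parser covers only the number+unit forms used above.

```python
import re

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_deltat(text):
    """'168h 0m 0s', '30d 0h 0m 0s', '168hours' -> seconds.
    A subset of krb5's duration syntax: each number+unit pair is added up and
    the unit is identified by its first letter."""
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", text):
        total += int(num) * UNIT_SECONDS[unit[0].lower()]
    return total

def effective_lifetime(requested, kdc_max_life, krbtgt_maxlife, client_maxlife):
    """(seconds granted, name of the limit that won). The KDC clamps the
    request by the realm's max_life in kdc.conf, the krbtgt principal's
    maxlife and the client principal's maxlife, so the smallest of the four wins."""
    limits = {"requested": requested, "kdc.conf max_life": kdc_max_life,
              "krbtgt maxlife": krbtgt_maxlife, "client maxlife": client_maxlife}
    secs = {name: parse_deltat(value) for name, value in limits.items()}
    winner = min(secs, key=secs.get)
    return secs[winner], winner

def lifetime_after_steps(steps_done):
    """Walk the procedure above: start from 10h everywhere (constructed values),
    apply the steps completed so far and report what `kinit -l 168h` would get
    and which limit still clamps it."""
    state = {"kdc.conf max_life": "10h", "krbtgt maxlife": "10h",
             "client maxlife": "10h"}
    for step in steps_done:
        state[step] = "168h"
    return effective_lifetime("168h", state["kdc.conf max_life"],
                              state["krbtgt maxlife"], state["client maxlife"])
```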

AFS token lifetime

This is controlled partly by the afs principal's entry in the Kerberos database. From http://docs.openafs.org/AdminGuide/ch02s10.html

  1. Fire up kadmin
    kadmin
  2. Set the lifetimes on the AFS principal
    modprinc -maxlife 168hours afs/dev.ru.is
    
Issues

  • You may get a connection refused. It usually means that the port is not correct. Add this line to the server's /etc/inetd.conf
    klogin          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/klogind -5ec
    
  • If Kerberos has issues, check the PTR records and other DNS config. It is one of the things that gets checked by Kerberos
    • Look into /etc/hosts and make sure that it matches the hostname in the ke

LDAP install

  1. Install packages
    apt-get install slapd ldap-utils libsasl2-modules-gssapi-mit
  2. Configure the administrator password for slapd (https://help.ubuntu.com/community/OpenLDAPServer)
    slappasswd
    1. Set password to: waynegretzky
    2. Take the output: {SSHA}7UP8FDS0CZ8H8Hj8XPEtYkoeg0Cgy9bh
    
  3. Create organizational units in the initial file tree.ldif
    dn: ou=users,dc=dev,dc=ru,dc=is
    objectClass: organizationalUnit
    ou: users
    
    dn: ou=groups,dc=dev,dc=ru,dc=is
    objectClass: organizationalUnit
    ou: groups
    
  4. Then add it to the LDAP database
    ldapadd -x -D "cn=admin,dc=dev,dc=ru,dc=is" -W -f tree.ldif
  5. These directions are unfinished due to inconsistencies in the config files and Ubuntu 10.04. LDAP is not critical to AFS, so installation and instructions will be delayed for now --foley

Updated by Joseph Foley over 9 years ago · 1 revision