Friday, 27 June 2014

Deployment of Kerberos #Redhat

Objective: Installation and configuration of Kerberos

Environment: Redhat 5.1 32-bit

Package version: 

Kerberos - 1.6
OpenLDAP - 2.3.27

I had already explained the mechanism behind kerberos in my previous article, in this article I would be kerberosing SSH/TELNET as a service.

Pre-requsites:

I had configured NTP, DNS, OpenLDAP as an authentication, I would leave it to reader to configure and would not be explaining in this article, instead would focus on kerberos.

Make sure your NTP synchronized to all the servers, as it must generate the kerberos tickets TTL,

Hostname && Services:

1. Server - OpenLDAP and KDC center [ Authentication Server (AS) && Ticket Granting Server (TGS) ]

2. Client1 - an application server generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication.

3. Client2 - This would be an user (i.e typically would be an LDAP user)which is used for testing the kerberos.

Testing results would be the below:

Once the Client2 user logs to the application server(Client1), it should NOT prompt for the password as it would have already generated an ticket for the user from the  KDC ( AS+TGS) to authenticate SSH service to application server.

Installation:

Install the below packages, 

· krb5-libs
· pam_krb5
· krb5-workstation
· krb5-auth-dialog
. Xinetd

Config files: 
/etc/krb5.conf - file used by kerberos libraries
/var/kerberos/krb5kdc/kdc.conf - config file for KDC.
/var/kerberos/krb5kdc/kdc.conf - file defined for ACL.

Explanation of config file:


· [logging] – sets the way Kerberos component will perform there logging, the components that use the logging parameters are the KDC and Kerberos Admin Server both are used when you will use Linux as the Kerberos server, our Kerberos server is the Active Directory so we can leave the default for the logging section.

· [libdefaults] - Contains various default values used by the Kerberos V5 library. Values like default encryption type and if to use dns lookups or not.

· [realms] – list of realms and where to find there Kerberos server and some other realm related information.

· [domain_realm] – this file the mapping file from domain names to Kerberos realms.

· [appdefaults] – Contains default values that can be used by Kerberos V5 applications.

KDC SERVER

[root@server ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
 }

[domain_realm]

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root@server ~]# 



[root@server ~]#  cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
[root@server ~]# 




[root@server krb5kdc]# cat kadm5.acl 

*/admin@EXAMPLE.COM *
[root@server krb5kdc]# 

[root@server ~]# ls /var/kerberos/krb5kdc/

kadm5.acl  kdc.conf
[root@server krb5kdc]#

We need to create the database containing all the principles and their passwords. An utility called kdb5_util is mainly used for low level maintenance( creation, dumping, saving, destruction of KDC DB and etc )

During creation, you will be prompted for the master password. It is the main key that is used by Kerberos to encrypt all the principals' keys in its database. Without it, Kerberos won't be able to parse it. For later convenience, this master password can be stored in a stash file, in order to avoid to retype it each time you restart Kerberos

[root@server krb5kdc]# kdb5_util create 
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

[root@server krb5kdc]# ls
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@server krb5kdc]# 


Connection to administration server is done through kadmin. Since we did not create any principal yet, connecting to administration server is impossible, as KDC can not authenticate us. So, we use the "local" counterpart of kadmin, kadmin.local, to connect. It will access directly the Kerberos administration interface without password, but can only be run as root on the KDC's host.

[root@server krb5kdc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: 

First, we will list the content of the database, through the listprincs command. You will notice that the database contains already some principals. They are needed for Kerberos to work,during ticket negotiations.


I would go on to add an user 'user1' and admin principles to a DB.

kadmin.local:  addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": 
Re-enter password for principal "user1@EXAMPLE.COM": 
Principal "user1@EXAMPLE.COM" created.
kadmin.local:  
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": 
Re-enter password for principal "root/admin@EXAMPLE.COM": 
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:

kadmin.local:  addprinc -randkey host/client1.EXAMPLE.com
WARNING: no policy specified for host/client1.EXAMPLE.com@EXAMPLE.COM; defaulting to no policy
Principal "host/client1.EXAMPLE.com@EXAMPLE.COM" created.
kadmin.local:  listprincs

kadmin.local:  

Start the kerberos and admin services  

[root@server ~]# service krb5kdc start
[root@server ~]# service kadmin start

APPLICATION SERVER

Install the package krb5-workstation.
Sync the time.
Make sure your GSSAPI authentication is enabled in /etc/ssh/sshd_config
 74 GSSAPIAuthentication yes
 75 GSSAPICleanupCredentials yes

[root@client1 ~]# service sshd restart

Execute authconfig-tui in the client to add the required PAM modules.

[root@client1 ~]# authconfig-tui


On application server, run kadmin authenticating as root/admin after making the machine as a client of kerberos server.

[root@client1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@EXAMPLE.COM
kadmin:  
kadmin:  listprincs
kadmin:  

Extract KDC host principal in local key tab file using kadmin service.

kadmin:  ktadd -k /etc/krb5.keytab host/client1.EXAMPLE.com
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  
kadmin:  quit
[root@client1 ~]# 


CLIENT SERVER

- client authenticate to the application server without password as the ticket was granted for the server for communication.

-bash-3.1$ kinit
-bash-3.1$ klist
Ticket cache: FILE:/tmp/krb5cc_505
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/14 09:11:26  06/28/14 09:11:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/27/14 09:11:47  06/28/14 09:11:26  host/client1.EXAMPLE.com@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt505
klist: You have no tickets cached
-bash-3.1$ 

-bash-3.1$ ssh user1@client1
Could not create directory '/home/user1/.ssh'.
The authenticity of host 'client1 (192.168.10.101)' can't be established.
RSA key fingerprint is 19:6b:9c:62:02:be:07:a9:0b:d9:72:86:f1:73:14:59.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/user1/.ssh/known_hosts).
Last login: Fri Jun 27 09:15:19 2014 from client1.EXAMPLE.com
Could not chdir to home directory /home/user1: No such file or directory
-bash-3.1$ 

-bash-3.1$ id
uid=505(user1) gid=505(user1) groups=505(user1)
-bash-3.1$ hostname
client1
-bash-3.1$ 

TELNET was also made as a service for authentication

I was able to telnet to the user 'user1' without password.

-bash-3.1$ hostname
client2
-bash-3.1$ 
-bash-3.1$ telnet -Fxl user1 client1
Trying 192.168.10.101...
Connected to client1.EXAMPLE.com (192.168.10.101).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``user1@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Fri Jun 27 09:40:52 from client2
No directory /home/user1!
Logging in with home = "/".
-bash-3.1$ hostname
client1
-bash-3.1$ klist
Ticket cache: FILE:/tmp/krb5cc_p5086
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/14 09:41:12  06/28/14 09:09:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Installed and configured successfully.