Friday, 27 June 2014

Deployment of Kerberos #Redhat

Objective: Installation and configuration of Kerberos

Environment: Redhat 5.1 32-bit

Package version: 

Kerberos - 1.6
OpenLDAP - 2.3.27

I had already explained the mechanism behind kerberos in my previous article, in this article I would be kerberosing SSH/TELNET as a service.

Pre-requsites:

I had configured NTP, DNS, OpenLDAP as an authentication, I would leave it to reader to configure and would not be explaining in this article, instead would focus on kerberos.

Make sure your NTP synchronized to all the servers, as it must generate the kerberos tickets TTL,

Hostname && Services:

1. Server - OpenLDAP and KDC center [ Authentication Server (AS) && Ticket Granting Server (TGS) ]

2. Client1 - an application server generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication.

3. Client2 - This would be an user (i.e typically would be an LDAP user)which is used for testing the kerberos.

Testing results would be the below:

Once the Client2 user logs to the application server(Client1), it should NOT prompt for the password as it would have already generated an ticket for the user from the  KDC ( AS+TGS) to authenticate SSH service to application server.

Installation:

Install the below packages, 

· krb5-libs
· pam_krb5
· krb5-workstation
· krb5-auth-dialog
. Xinetd

Config files: 
/etc/krb5.conf - file used by kerberos libraries
/var/kerberos/krb5kdc/kdc.conf - config file for KDC.
/var/kerberos/krb5kdc/kdc.conf - file defined for ACL.

Explanation of config file:


· [logging] – sets the way Kerberos component will perform there logging, the components that use the logging parameters are the KDC and Kerberos Admin Server both are used when you will use Linux as the Kerberos server, our Kerberos server is the Active Directory so we can leave the default for the logging section.

· [libdefaults] - Contains various default values used by the Kerberos V5 library. Values like default encryption type and if to use dns lookups or not.

· [realms] – list of realms and where to find there Kerberos server and some other realm related information.

· [domain_realm] – this file the mapping file from domain names to Kerberos realms.

· [appdefaults] – Contains default values that can be used by Kerberos V5 applications.

KDC SERVER

[root@server ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
 }

[domain_realm]

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root@server ~]# 



[root@server ~]#  cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
[root@server ~]# 




[root@server krb5kdc]# cat kadm5.acl 

*/admin@EXAMPLE.COM *
[root@server krb5kdc]# 

[root@server ~]# ls /var/kerberos/krb5kdc/

kadm5.acl  kdc.conf
[root@server krb5kdc]#

We need to create the database containing all the principles and their passwords. An utility called kdb5_util is mainly used for low level maintenance( creation, dumping, saving, destruction of KDC DB and etc )

During creation, you will be prompted for the master password. It is the main key that is used by Kerberos to encrypt all the principals' keys in its database. Without it, Kerberos won't be able to parse it. For later convenience, this master password can be stored in a stash file, in order to avoid to retype it each time you restart Kerberos

[root@server krb5kdc]# kdb5_util create 
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

[root@server krb5kdc]# ls
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@server krb5kdc]# 


Connection to administration server is done through kadmin. Since we did not create any principal yet, connecting to administration server is impossible, as KDC can not authenticate us. So, we use the "local" counterpart of kadmin, kadmin.local, to connect. It will access directly the Kerberos administration interface without password, but can only be run as root on the KDC's host.

[root@server krb5kdc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: 

First, we will list the content of the database, through the listprincs command. You will notice that the database contains already some principals. They are needed for Kerberos to work,during ticket negotiations.


I would go on to add an user 'user1' and admin principles to a DB.

kadmin.local:  addprinc user1
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM": 
Re-enter password for principal "user1@EXAMPLE.COM": 
Principal "user1@EXAMPLE.COM" created.
kadmin.local:  
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": 
Re-enter password for principal "root/admin@EXAMPLE.COM": 
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:

kadmin.local:  addprinc -randkey host/client1.EXAMPLE.com
WARNING: no policy specified for host/client1.EXAMPLE.com@EXAMPLE.COM; defaulting to no policy
Principal "host/client1.EXAMPLE.com@EXAMPLE.COM" created.
kadmin.local:  listprincs

kadmin.local:  

Start the kerberos and admin services  

[root@server ~]# service krb5kdc start
[root@server ~]# service kadmin start

APPLICATION SERVER

Install the package krb5-workstation.
Sync the time.
Make sure your GSSAPI authentication is enabled in /etc/ssh/sshd_config
 74 GSSAPIAuthentication yes
 75 GSSAPICleanupCredentials yes

[root@client1 ~]# service sshd restart

Execute authconfig-tui in the client to add the required PAM modules.

[root@client1 ~]# authconfig-tui


On application server, run kadmin authenticating as root/admin after making the machine as a client of kerberos server.

[root@client1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@EXAMPLE.COM
kadmin:  
kadmin:  listprincs
kadmin:  

Extract KDC host principal in local key tab file using kadmin service.

kadmin:  ktadd -k /etc/krb5.keytab host/client1.EXAMPLE.com
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client1.EXAMPLE.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  
kadmin:  quit
[root@client1 ~]# 


CLIENT SERVER

- client authenticate to the application server without password as the ticket was granted for the server for communication.

-bash-3.1$ kinit
-bash-3.1$ klist
Ticket cache: FILE:/tmp/krb5cc_505
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/14 09:11:26  06/28/14 09:11:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/27/14 09:11:47  06/28/14 09:11:26  host/client1.EXAMPLE.com@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt505
klist: You have no tickets cached
-bash-3.1$ 

-bash-3.1$ ssh user1@client1
Could not create directory '/home/user1/.ssh'.
The authenticity of host 'client1 (192.168.10.101)' can't be established.
RSA key fingerprint is 19:6b:9c:62:02:be:07:a9:0b:d9:72:86:f1:73:14:59.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/user1/.ssh/known_hosts).
Last login: Fri Jun 27 09:15:19 2014 from client1.EXAMPLE.com
Could not chdir to home directory /home/user1: No such file or directory
-bash-3.1$ 

-bash-3.1$ id
uid=505(user1) gid=505(user1) groups=505(user1)
-bash-3.1$ hostname
client1
-bash-3.1$ 

TELNET was also made as a service for authentication

I was able to telnet to the user 'user1' without password.

-bash-3.1$ hostname
client2
-bash-3.1$ 
-bash-3.1$ telnet -Fxl user1 client1
Trying 192.168.10.101...
Connected to client1.EXAMPLE.com (192.168.10.101).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``user1@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Fri Jun 27 09:40:52 from client2
No directory /home/user1!
Logging in with home = "/".
-bash-3.1$ hostname
client1
-bash-3.1$ klist
Ticket cache: FILE:/tmp/krb5cc_p5086
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
06/27/14 09:41:12  06/28/14 09:09:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Installed and configured successfully.

Wednesday, 25 June 2014

Kerberos mechanism explained

Objective: 
Understanding the mechanism behind kerberos.

How does kerberos work ?

This part of the article will explain the mechanisms behind Kerberos: 
Ticket exchange principles
Key Distribution Center(KDC)
Authentication mechanisms.

A commonly found description for Kerberos is "a secure, single sign on, trusted third party
mutual authentication service". It doesn't store any information about UIDs, GIDs, or home's
path. In order to propagate this information to hosts, you will eventually need yellow page
services: NIS, LDAP, or Samba

As Kerberos is only dealing with Authentication, it does neither Authorization, nor Accounting. it delegates those to the services requesting Kerberos' help for user's identification. Anyway, Kerberos being a "service" by itself, it can partially provide such functionalities, but in a very limited range.

Ticket Exchange Service

Kerberos' communication is designed to provide a distributed secure authentication service, through secret key cryptography.

For a user, the secret key is his "hashed password" (the password is reworked through a one-
way hash function and the resulted string is used as a key), usually stored in the Key
Distribution Center. For a service, the key is a random generated sequence, acting like a
password; it is also stored in Key Distribution Center, and in a file called a keytab on the
machine's service side.

The Kerberos communication is based around tickets. Tickets are a kind of encrypted data
scheme that is transmitted over the network, and stored on the client's side. The type of storage
depends on the client's operating system and configuration. Traditionally, it's stored as a small
file in /tmp, for compatibility reasons

The main central part of a Kerberos network is the the Key Distribution Center (KDC). It
consists of three parts:

• an Authentication Server, which answers requests for Authentication issued by clients.
Here, we're in the AS_REQUEST and AS_REPLY challenging part (see below for details),
where the client gets a Ticket Granting Ticket (TGT).

• a Ticket Granting Server, which issues Ticket Granting Service (TGS) to a client. This is
the TGS_REQUEST and TGS_REPLY part, where a client gets a TGS that allows him to
authenticate to a service accessible on the network.

• a database, that stores all the secret keys (clients' and services' ones), as well as some
information relating to Kerberos accounts (creation date, policies, ...).

Authentication mechanism—Ticket Granting Tickets  

AS_REQUEST & AS_REPLY, in conclusion Authentication mechanism can be represented as below which is self explanatory.

Service's use mechanism—Ticket Granting Service

TGS_REQUEST & TGS_REPLY in conclusion service's use mechanism can be represented as below which is self explanatory.



Conclusion

We can divide the Kerberos protocol into three main steps:

1. Authentication process, where the user (and host) obtain a Ticket Granting Ticket (TGT)
as authentication token,

2. Service request process, where the user obtain a Ticket Granting Service (TGS) to access
a service,

3. Service access, where the user (and host) use TGS to authenticate and access a specific
service

The service access step is not really Kerberos related, but merely depends on the service we are
authenticating to.


The below tutorial will explain the same in simplicity. 

I would further write an article to demonstrate deploying kerberos on Linux.