LFCS – Kerberos Authentication (Ubuntu)

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
372
Reaction score
432
Credits
13,798
Kerberos is an authentication method which helps improve security between systems. For systems that need to access another, such as Secure Shell (SSH), Kerberos is a great way to keep the connection secure.

If you have read the previous article on Kerberos Authentication with CentOS, this will not be too different.

Network Time Protocol (NTP)

In CentOS, setting up the systems to have their time synchronized is a must. Ubuntu 18.04 has its time synced with an Internet Time Server automatically. All Ubuntu systems should be synchronized and require no further modifications.

You can see the current date and time with the ‘timedatectl’ command. If the output should show the following line: ‘System clock synchronized: no’, then run the command ‘systemctl restart systemd-timesyncd’. Wait a few minutes and check if the system synced the time.

Fully Qualified Domain Name (FQDN)

To make this work, the systems need to be able to ‘see’ each other using a Domain Name. In previous articles of for the LFCS Certification, we covered setting up FQDN. I will give it a quick once-over here.

I have two systems, one will be ‘Server1’ and the other ‘Server2’. ‘Server1’ will be the Kerberos server, while ‘Server2’ will act as a Kerberos Client.

You’ll need to edit the ‘hosts’ file located at ‘/etc/hosts’. You’ll need to add a line for each system, before the loopback (127.0.0.1) lines. It should be the IP Address, tab, the FQDN, tab and the simple Host Name, or NetBIOS Name. In my case, the two lines would look like the following:

10.0.2.46server1.linux.orgserver1
10.0.2.47server2.linux.orgserver2


NOTE: Make system name changes as you need for your network. Be aware of the differences between my ‘Server1’ and ‘Server2’. ‘Server1’ is the Kerberos Server, while ‘Server2’ is merely a Kerberos Client.

The first line you add should be for the local system. For ‘server2,’ the ‘server2’ line would be first and the ‘server1’ line would be second. This will allow you to use the FQDN or the simple Host Name when connecting to a remote server.

To change the actual Host Name, use the command:

Code:
hostnamectl set-hostname <FQDN>

For example, on ‘Server1’ the command would be ‘hostnamectl set-hostname server1.linux.org’. Change the host name on all systems.

To test the host name change on a system, run the command ‘hostname’ and it should respond with the FQDN that you entered previously. You can also ping the FQDN of the second server from the first server and vice versa. Don’t forget to also ping the simple Host Name from the opposite server as well.

Now, we are ready for Kerberos.

Install and Configure Kerberos Server

Kerberos comprises three parts:

  1. TGS – Ticket Granting Server
  2. Kerberos Database – Stores all passwords and identification of all allowed users
  3. AS – Authentication Server that actually performs the authentication
Once a user signs in, they are granted a ‘ticket’ that grants them access for 24 hours.

To make the Kerberos Server that will perform the three functions, you need to execute the following command:

Code:
sudo apt install -y krb5-kdc krb5-admin-server krb5-config

During the installation of the files, you will be asked for three pieces of information:

Realm: linux.org
Server: Server1.linux.org
Administrative Server: Server1.linux.org


You will be prompted that the Kerberos Service will not automatically start and that you can finish the installation with the command ‘sudo krb5_newrealm’. Select ‘<OK>’ and at a prompt type in ‘sudo krb5_newrealm’ then press ‘Enter’. The Kerberos installation should be performed and completed. You will be asked for the Kerberos Administration Password. Verify it, but make sure you use a strong password.

Now that we have a password set, we need an administrative account for Kerberos. To create the account, execute the command:

Code:
sudo kadmin.local

You are now in a console for the ‘kadmin’ program. Issue the commands:

Code:
addprinc root/admin
addprinc -randkey host/server1.linux.org
ktadd host/server1.linux.org
quit

The first line will create a new user named ‘root’ that has admin rights. After the command is entered, you will be prompted for a password for the Kerberos ‘root’ admin account. The second and third lines will add the user to the Kerberos Database. The ‘quit’ command will exit the ‘kadmin’ console.

We need to add ‘root’ to an Access List Control (ACL). Edit the file ‘/etc/krb5kdc/kadm5.acl’. Add the following line before saving the file and exiting the editor:

root/admin *

Restart the Kerberos Service with:

Code:
sudo systemctl restart krb5-admin-server.service

The method to add users, systems or services to Kerberos is a ‘Principal’. The ‘Principal’ is a rule that gives out a ‘ticket’ to allow access. Once a ‘ticket’ is given, the user, system or service is ‘trusted’ until the ‘ticket’ expires.

Unlike CentOS, Ubuntu already has the Firewall open for Kerberos.

To see the Principals in the database, use the command ‘listprincs’. Of course, to use the command, you need to be logged in as an administrative user. Since we set up ‘root’, you must switch to the ‘root’ user account with ‘sudo su’.

Let’s set up an account named ‘sshc’, for ‘SSH Client’. Perform the following command:

Code:
useradd -m -s /bin/bash sshc

Now, we need to add the user to the Kerberos Database as ‘root’ (sudo su):

Code:
kadmin.local
addprinc sshc
quit

The second command will prompt you for a password for the password for the new user account.

Now, you need to enable SSH to use Kerberos. Edit the file ‘/etc/ssh/sshd_config’. Find the lines:

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes


Change the two lines to:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Save the changes and, at a prompt, run ‘systemctl restart sshd’ to restart the service for the changes to take effect.

At this point, ‘Server1’ should be completed. Now we can look at the client system.

Install and Configure Kerberos Client

These procedures will need to be performed on all Kerberos Client systems.

NOTE: Any system where a user will be accessing SSH using Kerberos needs to have the Kerberos Client installed on it.

Perform the FQDN Host Name changes and edit the ‘Hosts’ file.

Install the necessary files with the command:

Code:
sudo apt install -y krb5-user auth-client-config libpam-ccreds libpam-krb5

During the installation, you will be prompted for similar options as you were on the Kerberos Server (Server1).

Realm: linux.org
Kerberos Server: Server1.linux.org
Administrative Server: Server1.linux.org


Now that we configured the location of the Kerberos Server, when you run ‘kadmin’ from the client system, it will access the Kerberos Server (Server1). You need to be logged in as the ‘root’ user since it takes the current user as the user to log into the Kerberos Server. If you need, set up your username as an account on the Kerberos Server.

After issuing the command ‘kadmin’ you need to perform the following commands to add the client system:

Code:
addprinc -randkey host/server2.linux.org
ktadd host/server2.linux.org
quit

Now, the system ‘server2.linux.org’ is added to the Kerberos Database. This will allow the ‘Server2’ system to be used to connect to the Kerberos Server and to be allowed to use the Kerberos encryption.

To add the client ‘sshc’ we need to perform:

Code:
useradd -m -s /bin/bash sshc
su - sshc
kinit sshc

You should be prompted for a password for the ‘sshc’ user account. Once these steps are completed, you can issue the ‘klist’ command to see that a ‘ticket’ has been issued to the current user.

Make sure the current user is ‘sshc’ and you can connect to ‘Server1’ using SSH with Kerberos with the command:

Code:
ssh server1.linux.org

Exit from the SSH connection and then issue the ‘ssh’ command as above. You should connect without being asked for a password.

If you are not currently logged in as the ‘sshc’ user, or whatever user account you made, the password will not be accepted.

NOTE: The password not being accepted will not work even if you tried ‘ssh [email protected]’. Unless you are logged into the current console as ‘sshc’ then there is no Kerberos ‘ticket.

Conclusion

I hope you find this a fairly simple process. Once a ‘ticket is issued, you do not need to enter the password every time you connect to a Kerberos Authenticated System. Once your user has the ticket, you just simply connect.

Now that we’ve covered Kerberos, we can start looking at Linux Networking.
 

Members online


Top