Kerberos

My Kerberos documentation is largely based on: http://techpubs.spinlocksolutions.com/dklar/kerberos.html

Installation and base configuration

apt install krb5-kdc krb5-admin-server

During package configuration, set the default realm to MY_REALM (realm names are case-sensitive and conventionally upper case) and give the KDC host as both the Kerberos server and the administrative server for the realm.

Create a new realm:

krb5_newrealm

krb5_newrealm prompts for a master password. It protects the KDC database: the master key derived from it encrypts every principal key, and a copy is stashed on disk (on Debian in /etc/krb5kdc/stash) so the KDC can start unattended. Store the password offline or in a password manager, since it is the only way to regenerate the stash if that file is lost, and anyone who obtains it can decrypt the whole database.

Set up krb5.conf

Listing 1: /etc/krb5.conf
[libdefaults]
    default_realm = MY_REALM
    # let the client library compensate for small clock skew against the KDC
    kdc_timesync = 1
    # credential cache format and ticket-flag encoding in the file cache
    ccache_type = 4
    fcc-mit-ticketflags = true
    # forwardable: the TGT may be delegated to a service (e.g. ssh with
    # GSSAPIDelegateCredentials); proxiable: the TGT may be used to obtain
    # service tickets bound to other network addresses. Both widen what a
    # compromised service can do with a user's credentials, so enable them
    # only where delegation is actually needed.
    forwardable = true
    proxiable = true
    # lifetime requested for initial tickets; the KDC caps it at its own
    # max_life and at the principals' maxlife (see "Setup longer ticket life")
    ticket_lifetime = 2d

[realms]
    MY_REALM = {
        kdc = kdc_host.name
        admin_server = kdc_host.name
        default_domain = my_domain
    }

# map DNS names onto the realm: every host under my_domain belongs to MY_REALM
[domain_realm]
    .my_domain = MY_REALM
    my_domain = MY_REALM

# Kerberos 4 options for the old login.krb5 program; harmless but ignored by
# current MIT Kerberos releases, which no longer support krb4
[login]
    krb4_convert = true
    krb4_get_tickets = false

Grant administrative rights by editing /etc/krb5kdc/kadm5.acl. The rule below gives every principal whose instance is admin (for example username/admin@MY_REALM) all permissions (*) on the whole database, which is fine for a small realm; with more administrators, grant narrower permission sets or restrict the target principals instead. kadmind reads the ACL only at start-up, and at least one matching principal still has to be created (addprinc with the admin policy defined below) before kadmin can be used remotely.

Listing 2: /etc/krb5kdc/kadm5.acl
*/admin *

Restart the KDC and kadmind so the new ACL is loaded:

systemctl restart krb5-kdc krb5-admin-server

Creating policies and principals

Policies bundle password rules and lockout behaviour. Create one each for admin, host, service and user principals:

kadmin.local
At the kadmin.local: prompt:
addpol -maxlife "1 year" -minlength 40 -minclasses 4 -history 3 -maxfailure 0 admin
addpol -maxlife "1 year" -minlength 40 -minclasses 4 -history 2 -failurecountinterval "1 hour" -lockoutduration 0 -maxfailure 4 host
addpol -maxlife "1 year" -minlength 40 -minclasses 4 -history 2 -failurecountinterval "1 hour" -lockoutduration 0 -maxfailure 4 service
addpol -maxlife "1 year" -minlength 10 -minclasses 3 -history 2 -failurecountinterval "1 hour" -lockoutduration "3 hours" -maxfailure 5 user

What the options do: -maxlife is the password lifetime; -minlength and -minclasses set the minimum length and the number of character classes (lower case, upper case, digits, punctuation, other); -history is how many previous keys are remembered and refused on change. -maxfailure N together with -failurecountinterval T locks a principal after N failed authentications within T. -lockoutduration 0 means it stays locked until an administrator runs modprinc -unlock, while "3 hours" releases it automatically. -maxfailure 0 disables lockout altogether: the admin policy uses that so an attacker cannot lock administrators out by guessing, and compensates with the 40-character minimum. The host and service password rules rarely apply because those principals get random keys (-randkey below), but their permanent lockout after four failures is a useful tripwire. Failures are only counted for principals that require preauthentication (the requires_preauth attribute); without it the KDC cannot tell a wrong password from a right one during the AS exchange.

Add a regular user principal (kadmin prompts for the password, which must satisfy the user policy):

At the kadmin.local: prompt:
addprinc -policy user <username>

Add a service principal and export its key to a keytab for the host that runs the service. The instance part is that host's fully qualified DNS name (the KDC host is only used as the example here); -randkey gives the principal a random key instead of a password, and -norandkey on ktadd writes the existing key out without generating a new one, so the key version number (kvno) is unchanged and any other copy of the key stays valid:

At the kadmin.local: prompt:
addprinc -policy service -randkey nfs/kdc_host.name@MY_REALM
ktadd -k /path/to/file.keytab -norandkey nfs/kdc_host.name@MY_REALM

Copy the exported file to the client over an authenticated, encrypted channel (scp, or your configuration management's secret store) and install it as /etc/krb5.keytab, owned by root with mode 0600: anyone who can read it can impersonate the service. Services that use Kerberos for authentication must be restarted to pick up the new keytab. Confirm the installed copy with klist -k /etc/krb5.keytab, and that its kvno is current with kinit -k -t /etc/krb5.keytab nfs/kdc_host.name.
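To check an exported keytab before trusting it on the client, here is an added example (not code from the page or from the MIT Kerberos project) that parses the keytab format ktadd writes and flags a missing principal or a deprecated encryption type. The keytab bytes, key material and kvno are constructed inside the script; the principal name is the page's nfs/kdc_host.name@MY_REALM. To audit a real file, pass open(path, "rb").read() to audit_keytab after confirming the file is root-owned and mode 0600.

```python
"""Reader and audit for MIT Kerberos keytab files (format version 0x0502).
Added example, not code from the page: decodes the keytab that ktadd writes,
checks that the expected principal is present and flags deprecated
encryption types. The sample keytab is built here from dummy key bytes."""
import struct
from collections import namedtuple
from typing import List

# Encryption type numbers (RFC 3961/3962/8009, RFC 4757).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "arcfour-hmac", 16: "des3-cbc-sha1", 3: "des-cbc-md5"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # single DES, 3DES and RC4 are deprecated

# principal is "service/host@REALM"; key holds the raw key bytes
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype timestamp key")

def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, etype, ts, key))
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries in the same layout (used here to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # 1 = NT-PRINCIPAL
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def audit_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Return a list of problems; an empty list means the keytab looks sane."""
    entries = parse_keytab(data)
    problems = []
    if not any(e.principal == expected_principal for e in entries):
        problems.append("missing key for %s" % expected_principal)
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            problems.append("%s kvno %d uses weak enctype %s" % (
                e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, str(e.enctype))))
    return problems

# Constructed sample: the page's nfs principal at kvno 2 with two AES keys,
# plus an RC4 key that the audit should flag.
SAMPLE_PRINCIPAL = "nfs/kdc_host.name@MY_REALM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_PRINCIPAL, 2, 18, 1700000000, bytes(range(32))),
    KeytabEntry(SAMPLE_PRINCIPAL, 2, 17, 1700000000, bytes(range(16))),
    KeytabEntry(SAMPLE_PRINCIPAL, 2, 23, 1700000000, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %d %-28s %s" % (e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype), e.principal))
    for problem in audit_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL):
        print("WARNING:", problem)
```

The RC4 entry is included on purpose: a KDC whose supported_enctypes still lists arcfour-hmac exports it into every keytab, and a service that accepts it lets a client downgrade to a 1990s cipher. The audit only reads the keytab; whether the kvno matches the KDC is what the kinit -k -t test above establishes.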

Setup longer ticket life. A ticket's lifetime is the smallest of four limits: what the client asks for (ticket_lifetime in krb5.conf, or kinit -l), the realm's max_life in kdc.conf, the maxlife of the krbtgt principal and the maxlife of the requesting principal. Renewable lifetime is capped the same way by renew_lifetime, max_renewable_life and maxrenewlife. All of them therefore have to be raised before 2-day tickets appear; restart krb5-kdc after editing kdc.conf. Longer tickets also extend the window in which a stolen credential cache stays usable, so 2d is a convenience trade-off rather than a recommended default.

Listing 3: /etc/krb5kdc/kdc.conf (excerpt)
[realms]
    MY_REALM = {
        max_life = 2d
        max_renewable_life = 2d
    }
Listing 4: /etc/krb5.conf (excerpt)
[libdefaults]
    ticket_lifetime = 2d

Raise the per-principal limits. Each principal stores its own maxlife and maxrenewlife, copied from kdc.conf at creation time, so principals created before the change (including the realm's own krbtgt/MY_REALM) keep the old cap and must be modified individually:

At the kadmin.local: prompt:
modprinc -maxlife "2 days" -maxrenewlife "2 days" krbtgt/MY_REALM
modprinc -maxlife "2 days" -maxrenewlife "2 days" username
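As an added example (not from the page), the script below makes the "smallest of all limits" rule concrete: it parses krb5.conf and kdc.conf text plus kadmin getprinc output and reports which of the four settings is the binding limit for the ticket and the renewable lifetime. The configuration and getprinc samples are constructed to mirror Listings 3 and 4, with the user principal shown before and after the modprinc above.

```python
"""Effective ticket lifetime is the smallest of four independent limits:
the client's request (ticket_lifetime in krb5.conf, or kinit -l), the realm's
max_life in kdc.conf, the krbtgt principal's maxlife and the requesting
principal's maxlife; renewable lifetime is capped the same way. Added example,
not code from the page; all inputs below are constructed samples in the real
formats."""
import re
from typing import Dict, Tuple

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text: str) -> int:
    """krb5 duration strings: '2d', '36h', '1h30m', '3600', '2 days', '1 hour'."""
    s = text.strip().lower()
    if s.isdigit():
        return int(s)
    m = re.fullmatch(r"(\d+)\s*(day|hour|minute|second)s?", s)
    if m:
        return int(m.group(1)) * _UNITS[m.group(2)[0]]
    if not re.fullmatch(r"(\d+[dhms])+", s):
        raise ValueError("unrecognised duration %r" % text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", s))

def parse_profile(text: str) -> Dict:
    """Minimal reader for the profile format: [section], key = value, key = { ... }."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def parse_getprinc(text: str) -> Dict[str, int]:
    """Read the 'Maximum ... life' lines of kadmin getprinc output, whose
    durations look like '2 days 00:00:00' or '10:00:00'."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)", value.strip())
        if key.startswith("Maximum") and m:
            d, h, mi, s = (int(x or 0) for x in m.groups())
            out[key.strip()] = d * 86400 + h * 3600 + mi * 60 + s
    return out

# (krb5.conf option, its default, kdc.conf option, its default, getprinc field)
_LIMITS = {
    "ticket": ("ticket_lifetime", "1d", "max_life", "1d", "Maximum ticket life"),
    "renewable": ("renew_lifetime", "0", "max_renewable_life", "0",
                  "Maximum renewable life"),
}

def effective_limit(kind: str, krb5_conf: str, kdc_conf: str, realm: str,
                    krbtgt_princ: str, user_princ: str) -> Tuple[int, str]:
    """Return (seconds, name of the setting that is the binding constraint)."""
    c_opt, c_def, k_opt, k_def, field = _LIMITS[kind]
    libdefaults = parse_profile(krb5_conf).get("libdefaults", {})
    realm_cfg = parse_profile(kdc_conf).get("realms", {}).get(realm, {})
    limits = {
        "krb5.conf " + c_opt: parse_duration(libdefaults.get(c_opt, c_def)),
        "kdc.conf " + k_opt: parse_duration(realm_cfg.get(k_opt, k_def)),
        "krbtgt " + field: parse_getprinc(krbtgt_princ)[field],
        "user " + field: parse_getprinc(user_princ)[field],
    }
    binding = min(limits, key=limits.get)   # first minimum wins on ties
    return limits[binding], binding

# Constructed samples in the page's layout (note: no renew_lifetime in krb5.conf).
KRB5_CONF = """[libdefaults]
    default_realm = MY_REALM
    ticket_lifetime = 2d
"""
KDC_CONF = """[realms]
    MY_REALM = {
        max_life = 2d
        max_renewable_life = 2d
    }
"""
KRBTGT = """Principal: krbtgt/MY_REALM@MY_REALM
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 2 days 00:00:00
"""
# A user created before max_life was raised, then the same user after modprinc.
USER_BEFORE = """Principal: username@MY_REALM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 00:00:00
"""
USER_AFTER = USER_BEFORE.replace("1 day 00:00:00", "2 days 00:00:00").replace(
    "life: 00:00:00", "life: 2 days 00:00:00")

if __name__ == "__main__":
    for label, user in (("before modprinc", USER_BEFORE), ("after modprinc", USER_AFTER)):
        for kind in ("ticket", "renewable"):
            secs, why = effective_limit(kind, KRB5_CONF, KDC_CONF, "MY_REALM", KRBTGT, user)
            print("%-16s %-10s %3dh  limited by %s" % (label, kind, secs // 3600, why))
```

Run as-is, the user principal's 1-day maxlife is reported as the binding limit until the modprinc is applied, which is the situation the two modprinc commands above fix. The script also shows a gap in Listing 4: with no renew_lifetime in [libdefaults] (and no kinit -r), the requested renewable lifetime is 0, so raising max_renewable_life and maxrenewlife alone does not make tickets renewable.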