Configure Single Sign on Kerberos on CentOS 7

Share on Social Media

Learn how to configure Single Sig On Kerberos on CentOS 7 in this comprehensive guide. Step-by-step instructions and tips to set up Kerberos for seamless authentication across your network. #centlinux #linux #cybersecurity

What is Kerberos?

Kerberos is the most widely used authentication protocol. It provides authentication service for users and other Network Services. The unique feature of Kerberos is that, it never transmits the users’ passwords over network neither in plain text nor in encrypted form. Rather, it uses tickets to authenticate users and services. These tickets are encrypted with unique user and service keys. This arrangement protects the system against eavesdropping and replay attacks.

What is Single Sign on?

The Ticket based system also provides the SSO (Single Sign-On) facility to users. Kerberos is used by various famous remote authentication Software, such as Microsoft Active Directory, FreeIPA, etc.

In this post, we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7. Later on, we will configure a client to use the Single Sign-On feature of the Server.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

745772 0021

System Specification

We have two Virtual machines, one is for the KDC and the other is the client to demonstrate SSO. Both machines have identical configurations.

  • CPU – 2.4 Ghz (1 core)
  • Memory – 800 MB
  • Storage – 8 GB
  • Operating System – CentOS 7.0

I have already configured the prerequisites i.e. Network, DNS and NTP synchronization on both machines. The Hostname and IP addresses are:

S#IP AddressHostnameDescription
1192.168.56.101kerberos.itlab.comKDC Server
2192.168.56.102client.itlab.comClient Machine

Our Kerberos Realm is ITLAB.COM

Read Also: How to configure Kerberos Authentication in Linux

Configure Single Sign on Kerberos on CentOS 7

Install following software packages to configure Single Sign on Kerberos. Here krb5-server is the Kerberos Server. whereas, krb5-workstation, pam_krb5 and sssd packages are required to configure same machine as Kerberos client as well.

# yum -y install krb5-server krb5-workstation pam_krb5 sssd

Now, edit kerberos main configuration file.

# vi /etc/krb5.conf

Uncomment all lines, and replace the default realm EXAMPLE.COM with ITLAB.COM (both upper and lower cases). Also update the kdc and admin-server hostnames (in our case, use the same name for both servers). The final configuration should look like this.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h  
renew_lifetime = 7d  
forwardable = true  
rdns = false  
default_realm = ITLAB.COM  
default_ccache_name = KEYRING:persistent:%{uid} 

[realms]
ITLAB.COM = {   kdc = kerberos.itlab.com   admin_server = kerberos.itlab.com } 

[domain_realm]
.itlab.com = ITLAB.COM 
itlab.com = ITLAB.COM 

Now, Configure the KDC Server.

# vi /var/kerberos/krb5kdc/kdc.conf

Uncomment all lines and replace the default realm EXAMPLE.COM with ITLAB.COM. The final configuration should look like this.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88[realms]
ITLAB.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

Configure kadmin ACLs.

# vi /var/kerberos/krb5kdc/kadm5.acl

Update realm here. The final configuration looks like:

*/admin@ITLAB.COM       *

Create the Kerberos database and set a strong password.

# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ITLAB.COM',
master key name 'K/M@ITLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Enable and start Kerberos services.

# systemctl enable krb5kdc && systemctl start krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
# systemctl enable kadmin && systemctl start kadmin Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

Allow Kerberos services through Linux Firewall.

# firewall-cmd --permanent --add-service=kerberos
success
# firewall-cmd --reload
success

Let’s add entries in our Kerberos database.

# kadmin.local
Authenticating as principal root/admin@ITLAB.COM with password.
kadmin.local: listprincs K/M@ITLAB.COM
kadmin/admin@ITLAB.COM
kadmin/changepw@ITLAB.COM
kadmin/kerberos.itlab.com@ITLAB.COM
kiprop/kerberos.itlab.com@ITLAB.COM
krbtgt/ITLAB.COM@ITLAB.COM

Add Kerberized hosts in our Kerberos database and generate relevant keytabs.

kadmin.local:  addprinc -randkey host/kerberos.itlab.com
WARNING: no policy specified for host/kerberos.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/kerberos.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd host/kerberos.itlab.com
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

Add the client host to Kerberos database, and generate the keytab file, to be placed at the /etc directory of client machine.

kadmin.local:  addprinc -randkey host/client.itlab.com
WARNING: no policy specified for host/client.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/client.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd -k /tmp/client1.keytab host/client.itlab.com Entry for principal host/client.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.

Add a user in Kerberos database to used for login to kerberized hosts.

kadmin.local:  addprinc kuser1
WARNING: no policy specified for kuser1@ITLAB.COM; defaulting to no policy
Enter password for principal "kuser1@ITLAB.COM":
Re-enter password for principal "kuser1@ITLAB.COM":
Principal "kuser1@ITLAB.COM" created.

Create an OS user for authorization purpose. This step is not required, if you are using an LDAP Directory. In that case, user should be added to LDAP Directory.

# useradd kuser1

Configure the Kerberos authentication.

# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

Now login with kuser1 to kerberos server using ssh.

$ ssh kuser1@kerberos
The authenticity of host 'kerberos (192.168.56.101)' can't be established.
ECDSA key fingerprint is 22:fa:59:75:3e:fa:24:73:a2:c3:cc:8f:24:bd:11:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos,192.168.56.101' (ECDSA) to the list of known hosts.
Last login: Fri Jun 15 14:50:54 2018

Check the tickets that was provided to the kuser1.

$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM

Configure CentOS 7 as Kerberos Client

Now, login to client.itlab.com machine, configure it for Kerberos authentication.
Install necessary packages.

# yum -y install krb5-workstation sssd pam_krb5

Copy the respective keytab from kerberos machine to client machine. Copy krb5.conf as well, to avoid edit it again.

# scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab
root@kerberos's password:
client1.keytab                                                                          100%  586     0.6KB/s   00:00
# scp root@kerberos:/etc/krb5.conf /etc/krb5.conf
root@kerberos's password:
krb5.conf                                                                               100%  472     0.5KB/s   00:00

Add local user kuser1 for Authorization purpose.

# useradd kuser1

Configure the Kerberos authentication.

# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

Test Kerberos Configurations

Now test Single Sign-On with ssh.

# ssh kuser1@client.itlab.com
kuser1@client.itlab.com's password:
$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM

$ ssh kuser1@kerberos.itlab.com
Last login: Fri Jun 15 15:02:53 2018 from kerberos.itlab.com

$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM

$ ssh kuser1@client.itlab.com
Last login: Fri Jun 15 15:23:45 2018 from kerberos.itlab.com

$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.itlab.com@ITLAB.COM
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM

Look at the output of the last klist command. The session obtain a TGT (Ticket Granting Ticket) and two TGS (Ticket Granting Service) tickets, and it is never asking for the password again. whereas, it is authenticating to different servers using these Tickets and providing Single Sign-On facility.

Our Kerberos 5 Server is working fine and providing Single Sign-on facility to users.

If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Conclusion – Configure Single Sign on Kerberos

Configuring Single Sign on Kerberos on CentOS 7 enhances security and simplifies user authentication across your network. By following this guide, you should now have Kerberos set up for seamless authentication.

For further assistance or customized solutions to optimize your SSO setup, I offer professional services tailored to your needs. Explore my Fiverr services for more details: Linux Security Expert. Let’s ensure your authentication system is robust and efficient!

Streamline authentication with Kerberos SSO on CentOS 7 today!

Leave a Comment