Configure Single Sign on Kerberos on CentOS 7

Share on Social Media

Learn how to configure Single Sig On Kerberos on CentOS 7 in this comprehensive guide. Step-by-step instructions and tips to set up Kerberos for seamless authentication across your network. #centlinux #linux #cybersecurity

What is Kerberos?

Kerberos is the most widely used authentication protocol. It provides authentication service for users and other Network Services. The unique feature of Kerberos is that, it never transmits the users’ passwords over network neither in plain text nor in encrypted form. Rather, it uses tickets to authenticate users and services. These tickets are encrypted with unique user and service keys. This arrangement protects the system against eavesdropping and replay attacks.

Configure Single Sign on Kerberos on CentOS 7
Configure Single Sign on Kerberos on CentOS 7

What is Single Sign on?

The Ticket based system also provides the SSO (Single Sign-On) facility to users. Kerberos is used by various famous remote authentication Software, such as Microsoft Active Directory, FreeIPA, etc.

In this post, we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7. Later on, we will configure a client to use the Single Sign-On feature of the Server.

Recommended Training: Linux Administration: The Complete Linux Bootcamp in 2025 from Andrei Dumitrescu, Crystal Mind Academy

3371848 9ea9 18

System Specification

We have two Virtual machines, one is for the KDC and the other is the client to demonstrate SSO. Both machines have identical configurations.

  • CPU – 2.4 Ghz (1 core)
  • Memory – 800 MB
  • Storage – 8 GB
  • Operating System – CentOS 7.0

I have already configured the prerequisites i.e. Network, DNS and NTP synchronization on both machines. The Hostname and IP addresses are:

S#IP AddressHostnameDescription
1192.168.56.101kerberos.itlab.comKDC Server
2192.168.56.102client.itlab.comClient Machine

Our Kerberos Realm is ITLAB.COM

Read Also: How to configure Kerberos Authentication in Linux

Configure Single Sign on Kerberos on CentOS 7

Install following software packages to configure Single Sign on Kerberos. Here krb5-server is the Kerberos Server. whereas, krb5-workstation, pam_krb5 and sssd packages are required to configure same machine as Kerberos client as well.

yum -y install krb5-server krb5-workstation pam_krb5 sssd

Now, edit kerberos main configuration file.

vi /etc/krb5.conf

Uncomment all lines, and replace the default realm EXAMPLE.COM with ITLAB.COM (both upper and lower cases). Also update the kdc and admin-server hostnames (in our case, use the same name for both servers). The final configuration should look like this.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h  
renew_lifetime = 7d  
forwardable = true  
rdns = false  
default_realm = ITLAB.COM  
default_ccache_name = KEYRING:persistent:%{uid} 

[realms]
ITLAB.COM = {   kdc = kerberos.itlab.com   admin_server = kerberos.itlab.com } 

[domain_realm]
.itlab.com = ITLAB.COM 
itlab.com = ITLAB.COM 

Now, Configure the KDC Server.

vi /var/kerberos/krb5kdc/kdc.conf

Uncomment all lines and replace the default realm EXAMPLE.COM with ITLAB.COM. The final configuration should look like this.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88[realms]
ITLAB.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

Configure kadmin ACLs.

vi /var/kerberos/krb5kdc/kadm5.acl

Update realm here. The final configuration looks like:

*/admin@ITLAB.COM       *

Create the Kerberos database and set a strong password.

kdb5_util create -s

Output:

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ITLAB.COM',
master key name 'K/M@ITLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Enable and start Kerberos services.

systemctl enable krb5kdc
systemctl start krb5kdc
systemctl enable kadmin
systemctl start kadmin

Allow Kerberos services through Linux Firewall.

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload

Let’s add entries in our Kerberos database.

kadmin.local

List principles in Kerberos server.

listprincs

Output:

K/M@ITLAB.COM
kadmin/admin@ITLAB.COM
kadmin/changepw@ITLAB.COM
kadmin/kerberos.itlab.com@ITLAB.COM
kiprop/kerberos.itlab.com@ITLAB.COM
krbtgt/ITLAB.COM@ITLAB.COM

Add Kerberized hosts in our Kerberos database and generate relevant keytabs.

addprinc -randkey host/kerberos.itlab.com

Output:

WARNING: no policy specified for host/kerberos.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/kerberos.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd host/kerberos.itlab.com
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

Add the client host to Kerberos database, and generate the keytab file, to be placed at the /etc directory of client machine.

addprinc -randkey host/client.itlab.com

Output:

WARNING: no policy specified for host/client.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/client.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd -k /tmp/client1.keytab host/client.itlab.com
Entry for principal host/client.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.

Add a user in Kerberos database to used for login to kerberized hosts.

addprinc kuser1

Output:

WARNING: no policy specified for kuser1@ITLAB.COM; defaulting to no policy
Enter password for principal "kuser1@ITLAB.COM":
Re-enter password for principal "kuser1@ITLAB.COM":
Principal "kuser1@ITLAB.COM" created.

Create an OS user for authorization purpose. This step is not required, if you are using an LDAP Directory. In that case, user should be added to LDAP Directory.

useradd kuser1

Configure the Kerberos authentication.

authconfig --update --enablekrb5 \
--krb5kdc=kerberos.itlab.com \
--krb5adminserver=kerberos.itlab.com \
--krb5realm=ITLAB.COM

Now login with kuser1 to kerberos server using ssh.

ssh kuser1@kerberos

Check the tickets that was provided to the kuser1.

klist

Output:

Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM
Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM

Configure CentOS 7 as Kerberos Client

Now, login to client.itlab.com machine, configure it for Kerberos authentication.
Install necessary packages.

yum -y install krb5-workstation sssd pam_krb5

Copy the respective keytab from kerberos machine to client machine. Copy krb5.conf as well, to avoid edit it again.

scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab
scp root@kerberos:/etc/krb5.conf /etc/krb5.conf

Add local user kuser1 for Authorization purpose.

useradd kuser1

Configure the Kerberos authentication.

authconfig --update --enablekrb5 \
--krb5kdc=kerberos.itlab.com \
--krb5adminserver=kerberos.itlab.com \
--krb5realm=ITLAB.COM

Test Kerberos Configurations

Now test Single Sign-On with ssh.

ssh kuser1@client.itlab.com
klist

Output:

Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM
Valid starting       Expires              Service principal
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM
ssh kuser1@kerberos.itlab.com
klist

Output:

Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM
Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM
ssh kuser1@client.itlab.com
klist

Output:

Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM
Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.itlab.com@ITLAB.COM
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM

Look at the output of the last klist command. The session obtain a TGT (Ticket Granting Ticket) and two TGS (Ticket Granting Service) tickets, and it is never asking for the password again. whereas, it is authenticating to different servers using these Tickets and providing Single Sign-On facility.

Our Kerberos 5 Server is working fine and providing Single Sign-on facility to users.

Conclusion – Configure Single Sign on Kerberos

Configuring Single Sign on Kerberos on CentOS 7 enhances security and simplifies user authentication across your network. By following this guide, you should now have Kerberos set up for seamless authentication.

Searching for a skilled Linux admin? From server management to security, I ensure seamless operations for your Linux systems. Find out more on my Fiverr profile!

Streamline authentication with Kerberos SSO on CentOS 7 today!

Looking for something?

Leave a Reply