Learn how to configure Single Sig On Kerberos on CentOS 7 in this comprehensive guide. Step-by-step instructions and tips to set up Kerberos for seamless authentication across your network. #centlinux #linux #cybersecurity
Table of Contents
What is Kerberos?
Kerberos is the most widely used authentication protocol. It provides authentication service for users and other Network Services. The unique feature of Kerberos is that, it never transmits the users’ passwords over network neither in plain text nor in encrypted form. Rather, it uses tickets to authenticate users and services. These tickets are encrypted with unique user and service keys. This arrangement protects the system against eavesdropping and replay attacks.
What is Single Sign on?
The Ticket based system also provides the SSO (Single Sign-On) facility to users. Kerberos is used by various famous remote authentication Software, such as Microsoft Active Directory, FreeIPA, etc.
In this post, we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7. Later on, we will configure a client to use the Single Sign-On feature of the Server.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
System Specification
We have two Virtual machines, one is for the KDC and the other is the client to demonstrate SSO. Both machines have identical configurations.
- CPU – 2.4 Ghz (1 core)
- Memory – 800 MB
- Storage – 8 GB
- Operating System – CentOS 7.0
I have already configured the prerequisites i.e. Network, DNS and NTP synchronization on both machines. The Hostname and IP addresses are:
S# | IP Address | Hostname | Description |
1 | 192.168.56.101 | kerberos.itlab.com | KDC Server |
2 | 192.168.56.102 | client.itlab.com | Client Machine |
Our Kerberos Realm is ITLAB.COM
Read Also: How to configure Kerberos Authentication in Linux
Configure Single Sign on Kerberos on CentOS 7
Install following software packages to configure Single Sign on Kerberos. Here krb5-server is the Kerberos Server. whereas, krb5-workstation, pam_krb5 and sssd packages are required to configure same machine as Kerberos client as well.
# yum -y install krb5-server krb5-workstation pam_krb5 sssd
Now, edit kerberos main configuration file.
# vi /etc/krb5.conf
Uncomment all lines, and replace the default realm EXAMPLE.COM with ITLAB.COM (both upper and lower cases). Also update the kdc and admin-server hostnames (in our case, use the same name for both servers). The final configuration should look like this.
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_realm = ITLAB.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] ITLAB.COM = { kdc = kerberos.itlab.com admin_server = kerberos.itlab.com } [domain_realm] .itlab.com = ITLAB.COM itlab.com = ITLAB.COM
Now, Configure the KDC Server.
# vi /var/kerberos/krb5kdc/kdc.conf
Uncomment all lines and replace the default realm EXAMPLE.COM with ITLAB.COM. The final configuration should look like this.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88[realms]
ITLAB.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
Configure kadmin ACLs.
# vi /var/kerberos/krb5kdc/kadm5.acl
Update realm here. The final configuration looks like:
*/admin@ITLAB.COM *
Create the Kerberos database and set a strong password.
# kdb5_util create -s Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ITLAB.COM',
master key name 'K/M@ITLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Enable and start Kerberos services.
# systemctl enable krb5kdc && systemctl start krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
# systemctl enable kadmin && systemctl start kadmin Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
Allow Kerberos services through Linux Firewall.
# firewall-cmd --permanent --add-service=kerberos success
# firewall-cmd --reload
success
Let’s add entries in our Kerberos database.
# kadmin.local
Authenticating as principal root/admin@ITLAB.COM with password.
kadmin.local: listprincs K/M@ITLAB.COM
kadmin/admin@ITLAB.COM
kadmin/changepw@ITLAB.COM
kadmin/kerberos.itlab.com@ITLAB.COM
kiprop/kerberos.itlab.com@ITLAB.COM
krbtgt/ITLAB.COM@ITLAB.COM
Add Kerberized hosts in our Kerberos database and generate relevant keytabs.
kadmin.local: addprinc -randkey host/kerberos.itlab.com WARNING: no policy specified for host/kerberos.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/kerberos.itlab.com@ITLAB.COM" created.
kadmin.local: ktadd host/kerberos.itlab.com
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
Add the client host to Kerberos database, and generate the keytab file, to be placed at the /etc directory of client machine.
kadmin.local: addprinc -randkey host/client.itlab.com
WARNING: no policy specified for host/client.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/client.itlab.com@ITLAB.COM" created.
kadmin.local: ktadd -k /tmp/client1.keytab host/client.itlab.com Entry for principal host/client.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.
Add a user in Kerberos database to used for login to kerberized hosts.
kadmin.local: addprinc kuser1 WARNING: no policy specified for kuser1@ITLAB.COM; defaulting to no policy
Enter password for principal "kuser1@ITLAB.COM":
Re-enter password for principal "kuser1@ITLAB.COM":
Principal "kuser1@ITLAB.COM" created.
Create an OS user for authorization purpose. This step is not required, if you are using an LDAP Directory. In that case, user should be added to LDAP Directory.
# useradd kuser1
Configure the Kerberos authentication.
# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM
Now login with kuser1 to kerberos server using ssh.
$ ssh kuser1@kerberos
The authenticity of host 'kerberos (192.168.56.101)' can't be established.
ECDSA key fingerprint is 22:fa:59:75:3e:fa:24:73:a2:c3:cc:8f:24:bd:11:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos,192.168.56.101' (ECDSA) to the list of known hosts.
Last login: Fri Jun 15 14:50:54 2018
Check the tickets that was provided to the kuser1.
$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM Valid starting Expires Service principal
06/15/2018 14:54:47 06/16/2018 14:50:54 host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54 06/16/2018 14:50:54 krbtgt/ITLAB.COM@ITLAB.COM
Configure CentOS 7 as Kerberos Client
Now, login to client.itlab.com machine, configure it for Kerberos authentication.
Install necessary packages.
# yum -y install krb5-workstation sssd pam_krb5
Copy the respective keytab from kerberos machine to client machine. Copy krb5.conf as well, to avoid edit it again.
# scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab root@kerberos's password:
client1.keytab 100% 586 0.6KB/s 00:00
# scp root@kerberos:/etc/krb5.conf /etc/krb5.conf
root@kerberos's password:
krb5.conf 100% 472 0.5KB/s 00:00
Add local user kuser1 for Authorization purpose.
# useradd kuser1
Configure the Kerberos authentication.
# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM
Test Kerberos Configurations
Now test Single Sign-On with ssh.
# ssh kuser1@client.itlab.com kuser1@client.itlab.com's password:
$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM
Valid starting Expires Service principal
06/15/2018 15:22:53 06/16/2018 15:22:52 krbtgt/ITLAB.COM@ITLAB.COM
$ ssh kuser1@kerberos.itlab.com
Last login: Fri Jun 15 15:02:53 2018 from kerberos.itlab.com
$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM
Valid starting Expires Service principal
06/15/2018 14:54:47 06/16/2018 14:50:54 host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54 06/16/2018 14:50:54 krbtgt/ITLAB.COM@ITLAB.COM
$ ssh kuser1@client.itlab.com
Last login: Fri Jun 15 15:23:45 2018 from kerberos.itlab.com
$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM
Valid starting Expires Service principal
06/15/2018 15:24:29 06/16/2018 15:22:52 host/client.itlab.com@ITLAB.COM
06/15/2018 15:23:15 06/16/2018 15:22:52 host/kerberos.itlab.com@ITLAB.COM
06/15/2018 15:22:53 06/16/2018 15:22:52 krbtgt/ITLAB.COM@ITLAB.COM
Look at the output of the last klist command. The session obtain a TGT (Ticket Granting Ticket) and two TGS (Ticket Granting Service) tickets, and it is never asking for the password again. whereas, it is authenticating to different servers using these Tickets and providing Single Sign-On facility.
Our Kerberos 5 Server is working fine and providing Single Sign-on facility to users.
If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.
Conclusion – Configure Single Sign on Kerberos
Configuring Single Sign on Kerberos on CentOS 7 enhances security and simplifies user authentication across your network. By following this guide, you should now have Kerberos set up for seamless authentication.
For further assistance or customized solutions to optimize your SSO setup, I offer professional services tailored to your needs. Explore my Fiverr services for more details: Linux Security Expert. Let’s ensure your authentication system is robust and efficient!
Streamline authentication with Kerberos SSO on CentOS 7 today!