How to configure Kerberos Authentication in Linux

Share on Social Media

A comprehensive guide to configuring Kerberos authentication in Linux. Follow these steps to set up Kerberos for secure, centralized authentication on your Linux systems. #centlinux #linux #freeipa

Problem Statement

This Red Hat Certified Engineer (RHCE) exam objective, requires you to know, how to configure a Linux system to authenticate using Kerberos. This objective didn’t require you to know how to configure a Kerberos Server. However, for the sake of practice you can configure your own Kerberos Server using FreeIPA. (Please read our previous post Configure Identity Management with FreeIPA Server)

We have already wrote an article about authenticating a Red Hat Enterprise Linux (RHEL) 7 machine with Kerberos (or more specifically FreeIPA) server by using ipa-client package (Configure a Linux Machine as FreeIPA Client). Now, we will see how to authenticate a Red Hat Enterprise Linux (RHEL) 7 machine with Kerberos server without using ipa-client.

What is a Kerberos Server?

A Kerberos server is a central component of the Kerberos authentication protocol, which provides secure, centralized authentication services for networks. It plays a crucial role in verifying user identities and facilitating secure communication between clients and servers in a networked environment. Here’s a detailed look at what a Kerberos server is, its components, and how it works.

Key Components of Kerberos

  1. Key Distribution Center (KDC):
    • Role: The KDC is the primary server in a Kerberos authentication system. It is responsible for issuing and managing authentication tokens called tickets.
    • Components:
      • Authentication Server (AS): Authenticates users and issues Ticket-Granting Tickets (TGTs).
      • Ticket-Granting Server (TGS): Issues service tickets for access to specific services based on the TGT.
  2. Kerberos Database:
    • Role: Stores user credentials and secret keys for users and services. This database is used by the KDC to verify identities and issue tickets.
    • Contents:
      • User Principals: Entries for each user, including usernames and secret keys.
      • Service Principals: Entries for each service, including service names and keys.
  3. Kerberos Tickets:
    • Ticket-Granting Ticket (TGT): A ticket obtained after initial authentication with the AS, used to request access to other services.
    • Service Ticket: A ticket obtained from the TGS for accessing specific services.
  4. Kerberos Protocol:
    • Authentication Process:
      1. Login Request: The user logs in and provides their credentials.
      2. AS Authentication: The AS verifies the user and issues a TGT.
      3. Service Request: The user presents the TGT to the TGS to request access to a service.
      4. Service Ticket Issuance: The TGS issues a service ticket for the requested service.
      5. Service Access: The user presents the service ticket to the service server for access.

How Kerberos Works

  1. User Authentication:
    • When a user attempts to log in, they provide their username and password.
    • The client sends an authentication request to the AS component of the KDC.
    • The AS verifies the credentials and, if valid, issues a Ticket-Granting Ticket (TGT).
  2. Ticket-Granting Ticket (TGT):
    • The TGT is encrypted with the user’s secret key and contains a session key for communication between the client and the TGS.
    • The client uses the TGT to request service tickets for specific services from the TGS.
  3. Service Ticket Request:
    • The client presents the TGT to the TGS to obtain a service ticket for a desired service.
    • The TGS verifies the TGT and issues a service ticket encrypted with the service’s secret key.
  4. Service Access:
    • The client presents the service ticket to the service server.
    • The service server decrypts the ticket and verifies its validity. If valid, the client gains access to the service.

Benefits of Using a Kerberos Server

  1. Secure Authentication:
    • Kerberos provides strong, mutual authentication between clients and servers using encrypted tickets.
  2. Single Sign-On (SSO):
    • Users can access multiple services with a single login session, improving convenience and security.
  3. Centralized Authentication:
    • Kerberos centralizes the authentication process, which simplifies management and improves security.
  4. Mutual Authentication:
    • Both clients and servers authenticate each other, preventing man-in-the-middle attacks.
  5. Ticket-Based System:
    • Reduces the need for repeatedly sending passwords over the network, as authentication is done through tickets.

Common Kerberos Implementations

  • MIT Kerberos: An open-source implementation of the Kerberos protocol developed by MIT.
  • Heimdal Kerberos: An open-source Kerberos implementation that is compatible with the MIT Kerberos protocol.
  • Microsoft Active Directory: A Kerberos-based authentication service used in Windows environments.

Example of a Kerberos Authentication Flow

  1. Client Request:
    • User requests access to a service.
  2. AS Response:
    • Kerberos Authentication Server issues a TGT.
  3. TGT Presentation:
    • Client presents TGT to the Ticket-Granting Server.
  4. TGS Response:
    • Ticket-Granting Server issues a service ticket.
  5. Service Access:
    • Client uses the service ticket to access the service.

Kerberos Authentication Diagram

plaintextCopy code+----------+            +---------+            +---------+
|  Client  | -- (1) --> |   AS    | -- (2) --> |   TGS   | -- (3) --> |  Service  |
|          |            |         |            |         |            |           |
|          | <-(4)- TGT -|         | <-(5)- Service Ticket -|         |
+----------+            +---------+            +---------+

Common Kerberos Commands

CommandDescription
kinit [user]Authenticate as a user and obtain a TGT.
klistList Kerberos tickets held by the client.
kdestroyDestroy Kerberos tickets and destroy the TGT.
kadminKerberos administration tool for managing principals and policies.
kpasswdChange a user’s Kerberos password.
Common Kerberos Commands

Summary

A Kerberos server is essential for secure and centralized authentication in networked environments. By managing authentication tickets and maintaining user credentials, it ensures that communication between clients and servers is secure and efficient. Whether you’re using MIT Kerberos, Heimdal Kerberos, or Active Directory, understanding the Kerberos server’s role and functionality can help you set up and manage secure authentication systems effectively.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

745772 0021

Linux Server Specification

We have a RHEL 7.6 client and a FreeIPA server with following specifications.

FreeIPA Server

  • Hostname – ipaserver.example.com
  • IP Address – 192.168.116.200/24

Kerberos Client

  • Hostname – client2.example.com
  • IP Address – 192.168.116.202/24

Configure Kerberos Server

Although the Kerberos server-side configuration are not the requirement of RHCE objectives, but since you are practicing in your own test environment. Therefore, it is good to know about the server-side configuration of adding a Kerberos Client.

Add client2.example.com machine to Kerberos Server.

Connect to ipaserver.example.com and execute following commands.

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa host-add --ip-address 192.168.116.202 client2.example.com
--------------------------------
Added host "client2.example.com"
--------------------------------
  Host name: client2.example.com
  Principal name: host/client2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: client2.example.com

# ipa dnsrecord-add example.com client2 --ttl=3600 --a-ip-address=192.168.116.202
  Record name: client2
  Time to live: 3600
  A record: 192.168.116.202

Generate the Kerberos keytab for client2.example.com.

# ipa-getkeytab -s ipaserver.example.com -p host/client2.example.com -k /var/ftp/pub/client2.keytab
Keytab successfully retrieved and stored in: /var/ftp/pub/client2.keytab
# chmod 644 /var/ftp/pub/client2.keytab

Configure Kerberos Authentication on Linux Clients

Connect to client2.example.com and configure Kerberos authentication.

Configure DNS resolution.

# nmcli connection modify eno16777728 ipv4.dns 192.168.116.200
# nmcli connection down eno16777728 ; nmcli connection up eno16777728
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)

Install required Packages using yum command.

# yum install -y krb5-workstation sssd pam_krb5

I have already installed the required packages. Therefore yum perform no action for my machine.

Download keytab file from ipaserver.example.com.

# wget ftp://ipaserver/pub/client2.keytab -O /etc/krb5.keytab
   --2018-07-29 02:20:07--  ftp://ipaserver/pub/client2.keytab
           => â/etc/krb5.keytabâ
Resolving ipaserver (ipaserver)... 192.168.116.200
Connecting to ipaserver (ipaserver)|192.168.116.200|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub ... done.
==> SIZE client2.keytab ... 492
==> PASV ... done.    ==> RETR client2.keytab ... done.
Length: 492 (unauthoritative)

100%[======================================>] 492         --.-K/s   in 0s

2018-07-29 02:20:07 (53.8 MB/s) - â/etc/krb5.keytabâ saved [492]

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM

Our keytab is now in place. Let’s configure Kerberos authentication now.

# authconfig --update --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=ipaserver.example.com --krb5adminserver=ipaserver.example.com

We have successfully configure our Red Hat Enterprise Linux (RHEL) 7 machine to authenticate with Kerberos server.

If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Final Thoughts

Congratulations on setting up Kerberos authentication in Linux! With this guide, you now have the knowledge to configure secure, centralized authentication for your Linux systems, enhancing both security and efficiency in your network environment.

If you found this guide helpful and need additional support for Kerberos configuration, Linux administration, or other IT tasks, I’m here to help! Visit my Fiverr profile to explore my range of professional services, including:

  • Kerberos Authentication Setup: Expert configuration of Kerberos for secure authentication in your Linux environment.
  • Linux System Administration: Comprehensive support for Linux server management, maintenance, and troubleshooting.
  • Network Security Solutions: Implement and manage security measures to protect your network and systems.
  • Custom Scripting and Automation: Develop scripts and automation solutions for efficient system administration.

Check out my Fiverr profile to find the perfect solution for your IT needs. I look forward to assisting you with your next project!

Thank you for following along with this guide, and best of luck with your Kerberos authentication setup!

Leave a Comment