How to configure Kerberos Authentication in Linux


Problem Statement

This Red Hat Certified Engineer (RHCE) exam objective requires you to know how to configure a Linux system to authenticate using Kerberos. The objective does not require you to know how to configure a Kerberos server; however, for the sake of practice you can configure your own Kerberos server using FreeIPA. (Please read our previous post Configure Identity Management with FreeIPA Server.)

We have already written an article about authenticating a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos (or more specifically FreeIPA) server by using the ipa-client package (Configure a Linux Machine as FreeIPA Client). Now we will see how to authenticate a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos server without using ipa-client.


What is a Kerberos Server?

A Kerberos server is a central component of the Kerberos authentication protocol, which provides secure, centralized authentication services for networks. It plays a crucial role in verifying user identities and facilitating secure communication between clients and servers in a networked environment. Here’s a detailed look at what a Kerberos server is, its components, and how it works.

Key Components of Kerberos

  1. Key Distribution Center (KDC):
    • Role: The KDC is the primary server in a Kerberos authentication system. It is responsible for issuing and managing authentication tokens called tickets.
    • Components:
      • Authentication Server (AS): Authenticates users and issues Ticket-Granting Tickets (TGTs).
      • Ticket-Granting Server (TGS): Issues service tickets for access to specific services based on the TGT.
  2. Kerberos Database:
    • Role: Stores user credentials and secret keys for users and services. This database is used by the KDC to verify identities and issue tickets.
    • Contents:
      • User Principals: Entries for each user, including usernames and secret keys.
      • Service Principals: Entries for each service, including service names and keys.
  3. Kerberos Tickets:
    • Ticket-Granting Ticket (TGT): A ticket obtained after initial authentication with the AS, used to request access to other services.
    • Service Ticket: A ticket obtained from the TGS for accessing specific services.
  4. Kerberos Protocol:
    • Authentication Process:
      1. Login Request: The user logs in and provides their credentials.
      2. AS Authentication: The AS verifies the user and issues a TGT.
      3. Service Request: The user presents the TGT to the TGS to request access to a service.
      4. Service Ticket Issuance: The TGS issues a service ticket for the requested service.
      5. Service Access: The user presents the service ticket to the service server for access.


How Kerberos Works

  1. User Authentication:
    • When a user attempts to log in, they provide their username and password.
    • The client sends an authentication request to the AS component of the KDC.
    • The AS verifies the credentials and, if valid, issues a Ticket-Granting Ticket (TGT).
  2. Ticket-Granting Ticket (TGT):
    • The TGT is encrypted with the user’s secret key and contains a session key for communication between the client and the TGS.
    • The client uses the TGT to request service tickets for specific services from the TGS.
  3. Service Ticket Request:
    • The client presents the TGT to the TGS to obtain a service ticket for a desired service.
    • The TGS verifies the TGT and issues a service ticket encrypted with the service’s secret key.
  4. Service Access:
    • The client presents the service ticket to the service server.
    • The service server decrypts the ticket and verifies its validity. If valid, the client gains access to the service.

Benefits of Using a Kerberos Server

  1. Secure Authentication:
    • Kerberos provides strong, mutual authentication between clients and servers using encrypted tickets.
  2. Single Sign-On (SSO):
    • Users can access multiple services with a single login session, improving convenience and security.
  3. Centralized Authentication:
    • Kerberos centralizes the authentication process, which simplifies management and improves security.
  4. Mutual Authentication:
    • Both clients and servers authenticate each other, preventing man-in-the-middle attacks.
  5. Ticket-Based System:
    • Reduces the need for repeatedly sending passwords over the network, as authentication is done through tickets.

Common Kerberos Implementations

  • MIT Kerberos: An open-source implementation of the Kerberos protocol developed by MIT.
  • Heimdal Kerberos: An open-source Kerberos implementation that is compatible with the MIT Kerberos protocol.
  • Microsoft Active Directory: A Kerberos-based authentication service used in Windows environments.

Example of a Kerberos Authentication Flow

  1. Client Request:
    • User requests access to a service.
  2. AS Response:
    • Kerberos Authentication Server issues a TGT.
  3. TGT Presentation:
    • Client presents TGT to the Ticket-Granting Server.
  4. TGS Response:
    • Ticket-Granting Server issues a service ticket.
  5. Service Access:
    • Client uses the service ticket to access the service.

Kerberos Authentication Diagram

+----------+                            +---------+
|          | --(1) request------------> |   AS    |
|          | <-(4) TGT----------------- |         |
|          |                            +---------+
|  Client  | --(2) TGT----------------> |   TGS   |
|          | <-(5) Service Ticket------ |         |
|          |                            +---------+
|          | --(3) Service Ticket-----> | Service |
+----------+                            +---------+

Common Kerberos Commands

Command        Description
kinit [user]   Authenticate as a user and obtain a TGT.
klist          List Kerberos tickets held by the client.
kdestroy       Destroy the cached Kerberos tickets, including the TGT.
kadmin         Kerberos administration tool for managing principals and policies.
kpasswd        Change a user’s Kerberos password.

Summary

A Kerberos server is essential for secure and centralized authentication in networked environments. By managing authentication tickets and maintaining user credentials, it ensures that communication between clients and servers is secure and efficient. Whether you’re using MIT Kerberos, Heimdal Kerberos, or Active Directory, understanding the Kerberos server’s role and functionality can help you set up and manage secure authentication systems effectively.

Linux Server Specification

We have a RHEL 7.6 client and a FreeIPA server with following specifications.

FreeIPA Server

  • Hostname – ipaserver.example.com
  • IP Address – 192.168.116.200/24

Kerberos Client

  • Hostname – client2.example.com
  • IP Address – 192.168.116.202/24

Configure Kerberos Server

Although the Kerberos server-side configuration is not part of the RHCE objectives, you are practicing in your own test environment, so it is good to know the server-side steps for adding a Kerberos client.

Add the client2.example.com machine to the Kerberos server.

Connect to ipaserver.example.com and execute the following command.

kinit admin

Add a Host to FreeIPA server.

ipa host-add --ip-address 192.168.116.202 client2.example.com

Output:

--------------------------------
Added host "client2.example.com"
--------------------------------
Host name: client2.example.com
Principal name: host/client2.example.com@EXAMPLE.COM
Password: False
Keytab: False
Managed by: client2.example.com

Add DNS record of the host.

ipa dnsrecord-add example.com client2 --ttl=3600 --a-ip-address=192.168.116.202

Output:

Record name: client2
Time to live: 3600
A record: 192.168.116.202

Generate the Kerberos keytab for client2.example.com.

ipa-getkeytab -s ipaserver.example.com -p host/client2.example.com -k /var/ftp/pub/client2.keytab

Output:

Keytab successfully retrieved and stored in: /var/ftp/pub/client2.keytab

Adjust the permissions of the keytab file so that the anonymous FTP user can read it. Note that the keytab holds the host principal’s secret key, so a world-readable copy on an anonymous FTP share is only acceptable in a throwaway lab like this one.

chmod 644 /var/ftp/pub/client2.keytab

Configure Kerberos Authentication on Linux Clients

Connect to client2.example.com and configure Kerberos authentication.

Configure DNS resolution.

nmcli connection modify eno16777728 ipv4.dns 192.168.116.200
nmcli connection down eno16777728 ; nmcli connection up eno16777728

Install the required packages using the yum command.

yum install -y krb5-workstation sssd pam_krb5

I have already installed the required packages. Therefore yum performs no action on my machine.

Download keytab file from ipaserver.example.com.

wget ftp://ipaserver/pub/client2.keytab -O /etc/krb5.keytab

Output:

--2018-07-29 02:20:07--  ftp://ipaserver/pub/client2.keytab
=> ‘/etc/krb5.keytab’
Resolving ipaserver (ipaserver)... 192.168.116.200
Connecting to ipaserver (ipaserver)|192.168.116.200|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub ... done.
==> SIZE client2.keytab ... 492
==> PASV ... done. ==> RETR client2.keytab ... done.
Length: 492 (unauthoritative)

100%[======================================>] 492 --.-K/s in 0s

2018-07-29 02:20:07 (53.8 MB/s) - ‘/etc/krb5.keytab’ saved [492]

Execute the following command to list the principals stored in the keytab (klist -k reads the keytab rather than the ticket cache, so this verifies the download).

klist -k

Output:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/client2.example.com@EXAMPLE.COM
1 host/client2.example.com@EXAMPLE.COM
1 host/client2.example.com@EXAMPLE.COM
1 host/client2.example.com@EXAMPLE.COM
1 host/client2.example.com@EXAMPLE.COM
1 host/client2.example.com@EXAMPLE.COM

Our keytab is now in place. Let’s configure Kerberos authentication now.

authconfig --update --enablekrb5 \
--krb5realm=EXAMPLE.COM \
--krb5kdc=ipaserver.example.com \
--krb5adminserver=ipaserver.example.com

We have successfully configured our Red Hat Enterprise Linux (RHEL) 7 machine to authenticate with the Kerberos server.
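A post-setup check script for the client configured above. This is an added example, not part of the original post; it assumes the lab values used here (realm EXAMPLE.COM, KDC ipaserver.example.com, host principal host/client2.example.com@EXAMPLE.COM, keytab /etc/krb5.keytab) and the helper function names are its own. It tests for the usual causes of a failing kinit: wrong realm or KDC in /etc/krb5.conf, a keytab that lacks the host principal, a KDC unreachable on port 88, and no running time synchronization.

```shell
#!/bin/bash
# Post-setup checks for a Kerberos client (added example, not from the original post).
# Defaults are the lab values from the post; override them via the environment.
REALM="${REALM:-EXAMPLE.COM}"
KDC="${KDC:-ipaserver.example.com}"
HOST_PRINC="${HOST_PRINC:-host/client2.example.com@$REALM}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Print the first "key = value" for key $2 from the krb5.conf-style file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Read `klist -k` output on stdin; succeed if principal $1 appears with a numeric KVNO.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# TCP connect to host $1 port $2 with a 3-second timeout (bash /dev/tcp, no extra tools).
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Report one check: $1 = description, $2 = exit status of the check (0 = pass).
check() {
    if [ "$2" -eq 0 ]; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

run_checks() {
    fails=0
    realm=$(conf_value "$KRB5_CONF" default_realm)
    [ "$realm" = "$REALM" ]; check "default_realm is $REALM (found '$realm')" $?
    [ "$(conf_value "$KRB5_CONF" kdc)" = "$KDC" ]; check "kdc is $KDC in $KRB5_CONF" $?
    [ -r "$KEYTAB" ] && klist -k "$KEYTAB" | keytab_has_principal "$HOST_PRINC"
    check "$HOST_PRINC present in $KEYTAB" $?
    port_open "$KDC" 88; check "KDC $KDC reachable on tcp/88" $?
    systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd
    check "time sync daemon running (tickets are rejected on clock skew)" $?
    echo "$fails check(s) failed"
    return "$fails"
}

# Live checks run only when invoked as: ./krb-client-check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A non-zero exit status means at least one check failed; the FAIL lines name the setting to fix before retrying kinit.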

Frequently Asked Questions (FAQs)

1. What is Kerberos Authentication?

Kerberos is a network authentication protocol that provides secure identity verification for users and services over a non-secure network, using encrypted tickets instead of plaintext passwords.

2. What are the main components needed for Kerberos setup?

You need:

  • A Key Distribution Center (KDC) (includes Authentication Server and Ticket Granting Server).
  • A Kerberos client on Linux machines.
  • Properly configured DNS and realm settings.

3. Do I need administrative privileges to configure Kerberos?

Yes, you need root or sudo access to install packages, modify configuration files, and manage Kerberos principals (user/service accounts).

4. How do I test if Kerberos authentication is working?

After setup, use the kinit command to request a ticket-granting ticket (TGT). If successful, you can check active tickets with klist.

5. What are common issues when setting up Kerberos?

  • Incorrect realm or DNS configurations.
  • Time synchronization issues (Kerberos requires NTP for proper ticket validation).
  • Firewall blocking Kerberos ports (typically UDP 88).
  • Missing or misconfigured client/server principals.

Final Thoughts

Now that you’ve walked through configuring Kerberos authentication in Linux, you’re not just keeping up—you’re staying ahead. By setting up centralized, secure authentication, you’ve taken a critical step toward hardened system access and smoother network logins. Many admins skip this setup and leave their systems exposed—don’t be one of them.

Ready to elevate your security even further? Take action now—implement what you’ve learned, test your configuration, and integrate Kerberos with other services like SSH or LDAP. The pros are already doing it—are you?


Thank you for following along with this guide, and best of luck with your Kerberos authentication setup!
