A comprehensive guide to configuring Kerberos authentication in Linux. Follow these steps to set up Kerberos for secure, centralized authentication on your Linux systems. #centlinux #linux #freeipa
This Red Hat Certified Engineer (RHCE) exam objective requires you to know how to configure a Linux system to authenticate using Kerberos. The objective does not require you to know how to configure a Kerberos server; however, for practice you can configure your own Kerberos server using FreeIPA. (Please read our previous post, Configure Identity Management with FreeIPA Server.)
We have already written an article about authenticating a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos (more specifically, FreeIPA) server using the ipa-client package (Configure a Linux Machine as FreeIPA Client). Now we will see how to authenticate a RHEL 7 machine with a Kerberos server without using ipa-client.
A Kerberos server is a central component of the Kerberos authentication protocol, which provides secure, centralized authentication services for networks. It plays a crucial role in verifying user identities and facilitating secure communication between clients and servers in a networked environment. Here’s a detailed look at what a Kerberos server is, its components, and how it works.
```
+----------+             +---------+                       +---------+             +---------+
|  Client  | --- (1) --> |   AS    | --------- (2) ------> |   TGS   | --- (3) --> | Service |
|          |             |         |                       |         |             |         |
|          | <-(4)- TGT -|         |<-(5)- Service Ticket -|         |             |         |
+----------+             +---------+                       +---------+             +---------+
```
| Command | Description |
|---|---|
| kinit [user] | Authenticate as a user and obtain a TGT. |
| klist | List Kerberos tickets held by the client. |
| kdestroy | Destroy the Kerberos ticket cache, including the TGT. |
| kadmin | Kerberos administration tool for managing principals and policies. |
| kpasswd | Change a user's Kerberos password. |
A Kerberos server is essential for secure and centralized authentication in networked environments. By managing authentication tickets and maintaining user credentials, it ensures that communication between clients and servers is secure and efficient. Whether you’re using MIT Kerberos, Heimdal Kerberos, or Active Directory, understanding the Kerberos server’s role and functionality can help you set up and manage secure authentication systems effectively.
We have a RHEL 7.6 client and a FreeIPA server with the following specifications.
FreeIPA Server
Kerberos Client
Although the Kerberos server-side configuration is not part of the RHCE objectives, you are practicing in your own test environment, so it is good to know the server-side steps for adding a Kerberos client.
Add client2.example.com machine to Kerberos Server.
Connect to ipaserver.example.com and execute the following commands.
```
# kinit admin
Password for admin@EXAMPLE.COM:

# ipa host-add --ip-address 192.168.116.202 client2.example.com
--------------------------------
Added host "client2.example.com"
--------------------------------
  Host name: client2.example.com
  Principal name: host/client2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: client2.example.com

# ipa dnsrecord-add example.com client2 --ttl=3600 --a-ip-address=192.168.116.202
  Record name: client2
  Time to live: 3600
  A record: 192.168.116.202
```
Generate the Kerberos keytab for client2.example.com.
```
# ipa-getkeytab -s ipaserver.example.com -p host/client2.example.com -k /var/ftp/pub/client2.keytab
Keytab successfully retrieved and stored in: /var/ftp/pub/client2.keytab

# chmod 644 /var/ftp/pub/client2.keytab
```
Connect to client2.example.com and configure Kerberos authentication.
Configure DNS resolution.
```
# nmcli connection modify eno16777728 ipv4.dns 192.168.116.200

# nmcli connection down eno16777728 ; nmcli connection up eno16777728
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
```
Install the required packages using the yum command.
```
# yum install -y krb5-workstation sssd pam_krb5
```
I have already installed the required packages, so yum performs no action on my machine.
Download the keytab file from ipaserver.example.com.
```
# wget ftp://ipaserver/pub/client2.keytab -O /etc/krb5.keytab
--2018-07-29 02:20:07--  ftp://ipaserver/pub/client2.keytab
           => '/etc/krb5.keytab'
Resolving ipaserver (ipaserver)... 192.168.116.200
Connecting to ipaserver (ipaserver)|192.168.116.200|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub ... done.
==> SIZE client2.keytab ... 492
==> PASV ... done.    ==> RETR client2.keytab ... done.
Length: 492 (unauthoritative)

100%[======================================>] 492         --.-K/s   in 0s

2018-07-29 02:20:07 (53.8 MB/s) - '/etc/krb5.keytab' saved [492]

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
```
Our keytab is now in place (the six entries are the same host principal with one key per encryption type). Let's configure Kerberos authentication now.
```
# authconfig --update --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=ipaserver.example.com --krb5adminserver=ipaserver.example.com
```
We have successfully configured our Red Hat Enterprise Linux (RHEL) 7 machine to authenticate with the Kerberos server.
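As an added example (not code from the original post), here is a small POSIX shell script that verifies the client side after the steps above: it reads the realm that authconfig wrote into /etc/krb5.conf, confirms the keytab carries the host principal for this machine, confirms the keytab is not readable by group or others (it was deliberately world-readable in /var/ftp/pub for the download, but /etc/krb5.keytab holds the host's long-term key and must not be), and finally obtains a TGT from the keytab to prove the key is valid. The realm EXAMPLE.COM, host client2.example.com and paths are assumed from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: post-setup checks for a
# client configured with authconfig as above. Assumed values from the post:
# realm EXAMPLE.COM, host client2.example.com, keytab /etc/krb5.keytab.

# Print the default_realm from a krb5.conf-style file (empty if not set).
krb5_default_realm() {
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed when an octal mode string ("600", "0400") grants group and others
# nothing. Anyone who can read the keytab holds the host's long-term key.
keytab_mode_ok() {
  mode=$1
  [ "${mode#"${mode%??}"}" = "00" ]
}

# Succeed when `klist -k` output ($1) lists principal $2. Entry lines start
# with a numeric KVNO, so the header lines are skipped automatically.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Run all checks against the live system; stops at the first failure.
check_client() {
  keytab=${1:-/etc/krb5.keytab}
  conf=${2:-/etc/krb5.conf}
  fqdn=$(hostname -f)
  realm=$(krb5_default_realm "$conf")
  [ -n "$realm" ] || { echo "no default_realm in $conf"; return 1; }
  keytab_mode_ok "$(stat -c '%a' "$keytab")" \
    || { echo "$keytab is readable by group/others; chmod 600 it"; return 1; }
  keytab_has_principal "$(klist -k "$keytab")" "host/$fqdn@$realm" \
    || { echo "host/$fqdn@$realm missing from $keytab"; return 1; }
  # Prove the key works: get a TGT for the host principal straight from the keytab.
  kinit -kt "$keytab" "host/$fqdn@$realm" && klist
}

# Only touch the live system when explicitly asked:  sh check-krb5-client.sh run
if [ "${1:-}" = "run" ]; then check_client; fi
```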
Congratulations on setting up Kerberos authentication in Linux! With this guide, you now have the knowledge to configure secure, centralized authentication for your Linux systems, enhancing both security and efficiency in your network environment.