
ssh authentication with kerberos

This documentation has been tested on CentOS 7.

Install KDC

# yum install -y krb5-server krb5-workstation pam_krb5  

Hostname and resolving

Set your hostname:

# hostnamectl set-hostname hanthana.ucsc.com

Verify your hostname:

# hostname

Your domain should resolve. If you do not use a DNS service, add the host to /etc/hosts:

[danishka@kdc ~]$ cat /etc/hosts
192.168.1.101 hanthana.ucsc.com
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6


Server Configuration

# ls /var/kerberos/krb5kdc/
kadm5.acl kdc.conf
 
The ACL grants all privileges to any principal with the admin instance.
Replace EXAMPLE.COM in the shipped file with your realm; it must match the realm named in kdc.conf.
 
# cd /var/kerberos/krb5kdc/
# cat kadm5.acl
*/admin@UCSC.COM *
 
# cat kdc.conf 
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
UCSC.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

The supported_enctypes line is the stock CentOS 7 default; the DES and arcfour-hmac entries are deprecated and can be dropped when no legacy client needs them.

Client Configuration

# cat /etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = UCSC.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
UCSC.COM = {
kdc = hanthana.ucsc.com
admin_server = hanthana.ucsc.com
}

[domain_realm]
.ucsc.com = UCSC.COM
ucsc.com = UCSC.COM

KDC Database

# kdb5_util create -s -r UCSC.COM
 
Start and enable the kadmin and krb5kdc services

# systemctl start kadmin.service 
# systemctl start krb5kdc.service 
# systemctl enable kadmin.service 
# systemctl enable krb5kdc.service 

Principals

Objects in the KDC database are known as principals; they can be users or hosts.
So we need to add one principal for each user and each host.

# kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: addprinc danishka
kadmin.local: addprinc host/hanthana.ucsc.com
kadmin.local: quit


Copy encrypted Kerberos keytab files

Extract the host principal's key into the default keytab, /etc/krb5.keytab, which sshd uses to accept Kerberos logins. If host/hanthana.ucsc.com was already created in the previous step, addprinc reports that the principal exists and only ktadd is needed.

# kadmin.local
kadmin.local: addprinc -randkey host/hanthana.ucsc.com
kadmin.local: ktadd host/hanthana.ucsc.com
kadmin.local: quit

 

Configure the ssh client to use Kerberos (GSSAPI) authentication. Edit /etc/ssh/ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

GSSAPIDelegateCredentials forwards your TGT to the remote host, which can then act with your identity; enable it only towards hosts you trust. On the server side, the CentOS 7 default /etc/ssh/sshd_config already has GSSAPIAuthentication yes.

Now update the PAM configuration:

# authconfig --enablekrb5 --update

Reload the ssh configuration:

# systemctl reload sshd.service
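The realm string has to be written identically in kdc.conf, krb5.conf and kadm5.acl (an ACL entry such as */admin@UCSC grants nothing to root/admin@UCSC.COM), and the ssh client must have GSSAPI switched on. The script below is an added consistency check, not part of the original post; the functions realm_from_conf, check_realms and gssapi_enabled and the sample files it writes are my own constructions that mirror the files shown above.

```shell
#!/bin/sh
# Added sanity check, not part of the original post. It verifies that the realm in
# kdc.conf, default_realm in krb5.conf and the realm in kadm5.acl agree, and that
# ssh_config enables GSSAPI. Paths are arguments; sample files are constructed below.

# Realm declared in the [realms] section ("UCSC.COM = {" -> UCSC.COM).
realm_from_conf() {
    sed -n '/^\[realms\]/,/^\[/s/^[[:space:]]*\([A-Za-z0-9.-]*\)[[:space:]]*=[[:space:]]*{.*/\1/p' "$1" | head -n 1
}

# default_realm from [libdefaults].
default_realm_from() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Realm part of the first non-comment principal pattern in kadm5.acl.
realm_from_acl() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { split($1, p, "@"); print p[2]; exit }'
}

# Prints "ok" when all three files name the same realm, otherwise the three values.
check_realms() {
    kdc=$(realm_from_conf "$1"); lib=$(default_realm_from "$2"); acl=$(realm_from_acl "$3")
    if [ -n "$kdc" ] && [ "$kdc" = "$lib" ] && [ "$kdc" = "$acl" ]; then
        echo "ok"
    else
        echo "mismatch: kdc.conf=$kdc krb5.conf=$lib kadm5.acl=$acl"
    fi
}

# Succeeds when an uncommented "GSSAPIAuthentication yes" is present.
gssapi_enabled() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1"
}

# Constructed samples mirroring the post's files; prints the directory they live in.
make_samples() {
    d=$(mktemp -d)
    printf '[kdcdefaults]\nkdc_ports = 88\n\n[realms]\nUCSC.COM = {\n acl_file = /var/kerberos/krb5kdc/kadm5.acl\n}\n' > "$d/kdc.conf"
    printf '[libdefaults]\ndefault_realm = UCSC.COM\n\n[realms]\nUCSC.COM = {\n kdc = hanthana.ucsc.com\n}\n' > "$d/krb5.conf"
    printf '*/admin@UCSC.COM *\n' > "$d/good.acl"
    printf '# realm written without its .COM suffix\n*/admin@UCSC *\n' > "$d/bad.acl"
    printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$d/ssh_config"
    echo "$d"
}
samples=$(make_samples)
check_realms "$samples/kdc.conf" "$samples/krb5.conf" "$samples/good.acl"  # ok
check_realms "$samples/kdc.conf" "$samples/krb5.conf" "$samples/bad.acl"   # mismatch: ... kadm5.acl=UCSC
gssapi_enabled "$samples/ssh_config" && echo "ssh_config: GSSAPIAuthentication yes"
```

Point the functions at the real /var/kerberos/krb5kdc/kdc.conf, /etc/krb5.conf and kadm5.acl on the KDC to check a live installation.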
 
 
As a local user you should already be able to see your ticket:
[danishka@kdc ~]$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: danishka@UCSC.COM

Valid starting Expires Service principal
08/28/2018 11:19:21 08/29/2018 10:56:50 krbtgt/UCSC.COM@UCSC.COM
 
If you get the following result instead, run kinit to obtain a ticket:
 
$ klist 
klist: Credentials cache keyring 'persistent:1000:1000' not found
[madura@localhost ~]$ kinit
Password for danishka@UCSC.COM:
[madura@localhost ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: danishka@UCSC.COM

Valid starting Expires Service principal
08/28/2018 11:19:21 08/29/2018 10:56:50 krbtgt/UCSC.COM@UCSC.COM 
 
 

Now SSH without a password, using your Kerberos ticket:

[danishka@kdc ~]$ ssh hanthana.ucsc.com
Last login: Tue Aug 28 13:49:19 2018 from 192.168.1.99

Create a .pcap file if you want to inspect the exchange on the wire:
 
tcpdump -i any -w /tmp/tcpdump.pcap 