Post

Walkthough Guide: How to Setup Kerberos Authentication on Linux

The objective of this guide is to setup Kerberos on Linux, and authenticate on a server via SSH using Kerberos.

This can be useful to:

  • Understand the basics of Kerberos installation, setup, administration on Linux.
  • Setting up test environments for developing Kerberized applications.

Pre-Requisites

  • A basic understanding on Linux & bash.
  • Familiarity with the Kerberos Protocol.
  • Three Linux hosts.
    • One will be hosting the KDC, we’ll call it kdc.example.com
    • One will act as a SSH server, we’ll call it server.example.com
    • One will act as the SSH client, well call it client.example.com

An easy way is to get the Linux hosts is to create virtual machines on a cloud provider. In this guide, we will be using Ubuntu, but this should work for some other distributions (you’ll just need to find the correct packages for Kerberos).

Setting up the KDC

In this guide, we will choose EXAMPLE.COM as the Kerberos realm.

SSH to the host on which you want to install the KDC.

First of all, let’s change the hostname to kdc.example.com.

1
$ sudo hostnamectl set-hostname kdc.example.com  

Then we’ll install the KDC and admin-server packages:

1
$ sudo apt install -y krb5-kdc krb5-admin-server

You’ll be propmted for a few things:

  • Default realm: set it to EXAMPLE.COM (in caps)
  • Kerberos Servers: kdc.example.com
  • Administrative Server: kdc.example.com

Now let’s create the Kerberos realm, database, and restart the services:

1
2
3
$ sudo krb5_newrealm
$ sudo systemctl restart krb5-kdc
$ sudo systemctl restart krb5-admin-server

We can now create a user (let’s call it john) and Service Principal for the SSH Server:

1
2
3
4
5
$ sudo kadmin.local
addprinc john
addprinc -randkey host/server.example.com
ktadd -k /tmp/server.keytab host/server.example.com
quit

We’ll then need to copy the keytab in /tmp/server.keytab to the server host at /etc/krb5.keytab (using scp for example).

Setting up the SSH Server

Let’s change the hostname and setup a few local DNS records:

1
$ sudo hostnamectl set-hostname server.example.com

Edit /etc/hosts and add these two lines (replace with the real IP addresses):

1
2
1.2.3.4 kdc.example.com
2.3.4.5 server.example.com

Install the kerberos client package:

1
$ sudo apt install -y krb5-user

You’ll be propmted for a few things:

  • Default realm: set it to EXAMPLE.COM (in caps)
  • Kerberos Servers: kdc.example.com
  • Administrative Server: kdc.example.com

Edit /etc/krb5.conf, and under the [domain_realm] section, add these two lines:

1
2
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Check that the keytab is valid and that we can authenticate with it:

1
$ sudo kinit -kt /etc/krb5.keytab

Then destroy the credential cache:

1
$ sudo kdestroy

Edit the /etc/ssh/sshd_config file, and enable these two options if they are not already:

1
2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Restart the SSH daemon:

1
$ sudo systemctl restart sshd

Finally, add the user account:

1
$ sudo useradd -m -s /bin/bash john

Setting up the SSH Client

Let’s change the hostname and setup a few local DNS records:

1
$ sudo hostnamectl set-hostname client.example.com

Edit /etc/hosts and add these two lines (replace with the real IP addresses):

1
2
1.2.3.4 kdc.example.com
2.3.4.5 server.example.com

Install the kerberos client package:

1
$ sudo apt install -y krb5-user

You’ll be propmted for a few things:

  • Default realm: set it to EXAMPLE.COM (in caps)
  • Kerberos Servers: kdc.example.com
  • Administrative Server: kdc.example.com

Then kinit:

1
$ kinit john

Finally, ssh to the server host, and voila!

Debugging Tips

Run the SSH client with more verbosity:

1
$ KRB5_TRACE=/dev/stdout ssh -vvv [email protected]

On the SSH server, consider running a SSH daemon on a different port to see the logging output more easily:

1
$ sudo /usr/sbin/sshd -p 2222 -d -d -d
This post is licensed under CC BY 4.0 by the author.