Use the Kerberos service on Linux

One of the most difficult steps for data administrators is the whole process of maintaining the security and integrity of your systems. The critical process is taking responsibility for what each user does. It also includes a deep understanding and control of what is happening to every application, server and service in your network infrastructure.

Kerberos remains one of the most secure authentication protocols in Linux environments. You will learn later that Kerberos is also useful for encryption purposes.

This article explains how to implement the Kerberos service on the Linux operating system. The guide will walk you through the mandatory steps to ensure the Kerberos service is successful on a Linux system.

Using the Kerberos Service on Linux: An Overview

The essence of authentication is to provide a reliable process that ensures you identify all users on your workstation. It also helps control what users can access. This process is quite difficult in open network environments, unless you rely solely on every user logging into every program with passwords.

But in normal cases, users have to enter passwords to access any service or application. This process can be hectic. Again, constant use of passwords is a recipe for password leaks or cybercrime vulnerability. Kerberos comes in handy in these cases.

Aside from allowing users to register only once and access all applications, Kerberos also allows the administrator to continually review what each user can access. Ideally, successful use of Kerberos Linux aims to address the following;

  • Ensure that each user has their unique identity and that no user impersonates another.
  • Make sure each server has and proves its unique identity. This requirement prevents attackers from sneaking in and impersonating the server.

Step-by-step guide to using Kerberos on Linux

The following steps will help you successfully use Kerberos on Linux:

Step 1: Confirm if you have KBR5 installed on your computer

Verify that you have the latest Kerberos version installed with the following command. If you don’t have it, you can download and install KBR5. We have already discussed the installation process in another article.

Step 2: Create a search path

You need to create a search path by adding /usr/Kerberos/bin and /usr/Kerberos/sbin to the search path.

Step 3: Set up your space name

Your real name should be your DNS domain name. This command is:

You must adapt the results of this command to your space environment.

Step 4: Create and start your KDC database for the principal

Create a key distribution center for the principal database. Of course, this is also the point where you need to create your master password for the operations. This command is necessary:

Once created, you can start the KDC with the following command:

Step 5: Set up a personal Kerberos principal

It’s time to set up a KBR5 principal for you. It should have administrator rights as you need the rights to manage, control and run the system. You must also create a host principal for the host KDC. The prompt for this command is:

# cadmind [-m]

At this point you may need to configure your Kerberos. In the /etc/krb5.config file, go to the default domain and enter the following: default_realm = IST.UTL.PT. The realm should also match the domain name. In this case, KENHINT.COM is the domain configuration required for the domain service in the primary master.

After completing the above processes, a window will appear that captures the summary of the status of the network resources up to this point, as shown below:

It is recommended to validate users on the network. In this case, KenHint should have a UID in a higher range than local users.

Step 6: Use the Kerberos Kinit Linux command to test the new principal

The Kinit utility is used to test the new principal created as captured below:

Step 7: Create contact

Making contact is an incredibly important step. Run both the ticket-granting server and the authentication server. The ticket-granting server resides on a dedicated computer that only the administrator has network and physical access to. Reduce all network services to as few as possible. You shouldn’t even be running the sshd service.

As with any sign-up process, your first interaction with KBR5 involves entering certain details. Once you enter your username, the system sends the information to the Linux Kerberos authentication server. Once the authentication server has identified you, it generates a random session for continued correspondence between the ticket-granting server and your client.

The ticket usually contains the following information:

Names of both the ticket-granting server and the client

  • ticket lifetime
  • Current time
  • The key of the new generation
  • The IP address of the client

Step 8: Test using the Kinit Kerberos command to get user credentials

During the installation process, the default domain is set to IST.UTL. PT through the installation package. After that, you can use Kinit command to get a ticket as shown in the following image:

In the screenshot above, istKenHint refers to the user ID. This user ID also comes with a password to verify that a valid Kerberos ticket is present. The Kinit command is used to view or retrieve the tickets and credentials present on the network.

After installation, you can use this standard Kinit command to get a ticket if you don’t have a custom domain. You can also fully customize a domain.

In this case, the istKenHint is the corresponding network ID.

Step 9: Test the admin system with the password obtained earlier

The documentation results are shown below after a successful run of the above command:

Step 10: Restart the kadmin service

Restart the server with # kadmind [-m] Command gives you access to the control list of users in the list.

Step 11: Monitor your system’s performance

The following screenshot highlights the commands added in /etc/named/db.KenHint.com to help clients automatically determine the key distribution center for the realms using the DNS SRV elements.

Step 12: Use the Klist command to verify your ticket and credentials

After entering the correct password, the klist utility will display the following information about the status of the Kerberos service running in the Linux system as shown in the screenshot below:

The cache folder krb5cc_001 contains the label krb5cc_ and the userid as indicated in the previous screenshots. You can add an entry to the /etc/hosts file for the KDC client to establish identity with the server as below:

Conclusion

After completing the above steps, the Kerberos realm and the services initiated by the Kerberos server are ready and running on the Linux system. You can still use your Kerberos to authenticate other users and edit user rights.

Sources:

Vazquez, A. (2019). Integration of LDAP with Active Directory and Kerberos. In Practical LPIC-3 300 (pp. 123-155). Apress, Berkeley, CA.

https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-kerberos.html

https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch04s11.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_a_kerberos_5_client

Calegari, P., Levrier, M., & Balczyński, P. (2019). Web portals for high-performance computing: a survey. ACM Transactions on the Internet (TWEB), 13(1), 1-36.

Related Posts