How to install Kerberos into a network environment with Fedora Linux 7 as the Kerberos Server.
Server Setup: Install the packages - krb5-server - krb5-libs by typing in "yum install krb5-server krb5-libs"
3.5. Kerberos Software Configuration Now, you'll need to configure Kerberos, create an administrator, determine a policy, and initialize the Kerberos principal database.
The first step is to edit the /etc/krb5.conf configuration file. In this file you'll need to set your realm, expand on the realm definition by specifying the Kerberos servers, and finally setting the domain realm. For our example, this is done as follows:
default_realm = BLUHM-DE.COM
[realms]
BLUHM-DE.COM = {
kdc = kerberos1.bluhm-de.com:88
kdc = kerberos2.bluhm-de.com:88
admin_server = kerberos1.bluhm-de.com:749
default_domain = bluhm-de.com
}
[domain_realm]
.bluhm-de.com = BLUHM-DE.COM
bluhm-de.com = BLUHM-DE.COM
To initialize and create the Kerberos database, you must run the follow command:
{Kerberos1}bash# /usr/kerberos/sbin/kdb5_util create -s
The -s flag tell the KDC to create a stash file to authenticate itself. You may also use a -r flag to specify a realm. Specifying a realm for the new database is only necessary if you have more than one realm defined in your krb5.conf file.
Kerberos will then ask you to set the master password for your Kerberos database. It is very important that you do not forget this password. You will not be able to administrate your server if you do not remember the master password.
Next on the KDC you must edit the acl file to grant administrative access. Typically, this file is located at /var/kerberos/krb5kdc/kadm5.acl. If necessary, specify the acl file location in your kdc.conf file. The location of your kdc.conf file is specified in your /etc/krb5.conf file and defaults to /var/Kerberos/krb5kdc/kdc.conf. For our bluhm-de.com example, we'll modify the acl file to include the following contents:
The meaning of those acl contents are that any account which ends with a /admin in the GNUD.IE realm is granted full access privileges.
Now that we've set up access for our administrative user, we need to create that administrative user. You can do this with the kadmin.local command from a root shell on the KDC, using the addprinc sub command. The standard is to name the administrative account admin. For the bluhm-de.com Kerberos Administrator, the following command would accomplish this:
{Kerberos1}bash# /usr/kerberos/sbin/kadmin.local -q "addprinc admin/admin" => I tried this with root instead and it worked ok.
The daemons that must run on the server are krb5kdc and kadmin. If necessary, krb524 may also be run to provide backward compatibility to Kerberos 4 clients. However, before starting krb524 remember our security warning about Kerberos V4 and be sure that you really need to provide that functionality. On the KDCs krb5kdc and kadmin should be configured to start automatically by turning them on with the chkconfig command.
{Kerberos1}bash# /sbin/chkconfig krb5kdc on {Kerberos1}bash# /sbin/chkconfig kadmin on
Finally, we can start them up manually, with the following command:
{Kerberos1}bash# /etc/rc.d/init.d/krb5kdc start {Kerberos1}bash# /etc/rc.d/init.d/kadmin start
and we have a working KDC.
3.6. Principal Creation You can create the first user principal in Kerberos with the following command:
{Kerberos1}bash# kadmin.local {Kerberos1}kadmin.local: addprinc <username>
A script could be written to create principals in bulk if you have a large number of account which you will be supporting with Kerberos.
Client Setup Fedora 7 SSH install the package krb5-workstation by using yum install krb5-workstation
6. Client Configuration 6.1. General GNU/Linux Client Configuration GNU/Linux distributions of Kerberos include a client package which contains all of the software and configuration files needed for setting up a GNU/Linux machine to be able to perform Kerberos authentications against a KDC. In Fedora derived GNU/Linux, this package is krb5-workstation. In order for your system to be capable of Kerberos authentication, including by authentication by kerberized applications, you must configure Kerberos on the system.
Configuration involves editing the /etc/krb5.conf file. In this file, you must specify your realm, KDC's, administrative server, logging, default domain, and KDC information. You must also modify the kdc.conf file, which you are allowed to specify a location for in the krb5.conf file. The default location is /var/Kerberos/krb5kdc/kdc.conf. The kdc.conf file contains information about the encryption algorithm policy of the realm.
The configuration information for the system on which you wish to perform Kerberos authentications is the same information which was placed in the /etc/krb5.conf filename on the KDC.
Now, you can test Kerberos authentication using the kinit command:
bash$ kinit <username>
If your authentication fails, the best place to look for a description of the cause are the system log files on the client and the KDC log file on the KDC which authentication was performed against. When trouble shooting authentication issues, it can be very helpful to have a terminal windows open to the KDC running a tail -f on the KDC log. In our example krb5.conf, the location of the KDC log was /var/log/Kerberos/krb5kdc.log.
To enable kerberos authentication for the ssh shell, enter SETUP into the command prompt and add the Kerberos into the login authentication options. Thats it.
Lots more information can be found here: http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#install