Friday, October 26, 2012

Kerberose authentication in rhel

Kerberose authentication

To use kerberose authentication we need to set up server with all the needed principle and their passwords.and we must configure the client to use the proper kerberpse server as needed.

Server Configuration

Packages needed are

yum install -y krb5-server
yum install -y krb5-libs
yum install -y readline-devel

vim /etc/krb5.conf

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = VIRTUAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

kdc =
admin_server =

[domain_realm] = VIRTUAL.COM = VIRTUAL.COM


vim /var/kerberos/krb5kdc/kdc.conf

kdc_ports = 88
kdc_tcp_ports = 88

master_key_type = aes256-cts
default_principle_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

kdb5_util create -r VIRTUAL.COM -s


kadmin:  listprincs
kadmin:  addprinc root/admin
kadmin:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin

kadmin:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

kadmin:  addprinc -randkey host/

kadmin:  ktadd -k /etc/krb5.keytab host/

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@VIRTUAL.COM     *

service krb5kdc restart
chkconfig krb5kdc on
service kadmin restart
chkconfig kadmin on

Client side configuration

copy the /etc/krb5.conf from server to client


select the kerberised password authentication then they will ask for kdc and krb5 server and releam name to which we need to enter the correct entry .When closing the utils the system will configure itself for connection to kerberose server

Now we need to add that machine to kerberose server database

kadmin:  addprinc -randkey host/
kadmin:  ktadd -k /etc/krb5.keytab host/

now the client machine is added to server and now the tickets will be issued as normal and to check that
klist to list the tickets got from server


Now adding nis user to kerberose

At server make a principle for the nis users and that is it


kadmin:  addprinc nisuser1

now will be prompted for kerberose password which at client will enable the user to login as user using kerberised security .

No comments:

Post a Comment