Kerberos

Last updated: 2021-10-27

 


Services Kerberos Depends On

 

 * NTP

Kerberos is a time-sensitive protocol:

the clocks of client and server may differ by at most 5 minutes.

 * DNS (/etc/hosts)

Used to locate the KDC.

 


Terminology

 

Realms

The domain or group your hosts and users belong to; realm names should be in uppercase.
By default the realm is created from the KDC's domain name.

Key Distribution Center (KDC)

Consists of three parts:
a database of all principals,
the authentication server,
and the ticket granting server.

Ticket Granting Ticket (TGT)

Issued by the Authentication Server (AS) once the client has authenticated; the client presents it to the TGS to request service tickets.

Ticket Granting Server (TGS)

Issues service tickets to clients upon request.

Tickets

Confirm the identity of the two principals.

Keytab Files

Files extracted from the KDC principal database; they contain the encryption key for a service or host.

It is strongly recommended that your network-authenticated users have their uid in a different range from that of your local users.

 


Installation on Rocky8

 

Install

dnf install krb5-server

Service Management

systemctl start krb5kdc

systemctl enable krb5kdc

Remark

systemctl start kadmin

Firewall Setting

firewall-cmd --add-service=kerberos     # 88/tcp&udp

Required.

firewall-cmd --add-service=kadmin       # 749/tcp

Kerberos administration protocol (remote access to kadmin); opening it is not recommended.

firewall-cmd --add-service=kpasswd      # 464/tcp&udp

The kpasswd command is used to change a Kerberos principal’s password.

 


Configure

 

/etc/krb5.conf

includedir /etc/krb5.conf.d/

...

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 dns_lookup_kdc = false
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = DATAHUNTER.LOCAL
 
[realms]
 DATAHUNTER.LOCAL = {
  kdc = DATAHUNTER.LOCAL
  admin_server = DATAHUNTER.LOCAL
 }

[realms]

Realm-specific contact information and settings.

[domain_realm]

Maps server hostnames to Kerberos realms.
If no translation entry applies to a hostname used for a service principal in a service ticket request,
the library will try to get a referral to the appropriate realm from the client realm's KDC.

dns_lookup_kdc

Indicates whether DNS SRV records should be used to locate the KDCs and other servers for a realm
if they are not listed in the krb5.conf information for the realm.

dns_uri_lookup

Indicates whether DNS URI records should be used to locate the KDCs and other servers for a realm
if they are not listed in the krb5.conf information for the realm.

The kdc.conf file supplements krb5.conf(5) for programs that are typically only used on a KDC
(krb5kdc(8), kadmind(8), kdb5_util(8));
for these KDC programs, krb5.conf and kdc.conf are merged into a single configuration profile.

/var/kerberos/krb5kdc/kdc.conf

[realms]
 DATAHUNTER.LOCAL = {
  ...
 }
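To make the profile structure above concrete, here is an added example (not part of the original page, and not MIT krb5's own profile parser) that parses the krb5.conf format into nested dictionaries and runs a few sanity checks on the result: realm names uppercase, the default realm defined under [realms] with both kdc and admin_server, and the two DNS-dependent settings (dns_lookup_kdc and rdns, which MIT krb5 defaults to true) explicitly set to false as in the configuration shown above. The [libdefaults] and [realms] parts of the sample are taken from that configuration; the [domain_realm] mappings are assumptions added for illustration.

```python
import re

# Sample krb5.conf: [libdefaults] and [realms] follow the configuration shown above;
# the [domain_realm] mappings are assumed for illustration.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 dns_lookup_kdc = false
 rdns = false
 default_realm = DATAHUNTER.LOCAL

[realms]
 DATAHUNTER.LOCAL = {
  kdc = DATAHUNTER.LOCAL
  admin_server = DATAHUNTER.LOCAL
 }

[domain_realm]
 .datahunter.local = DATAHUNTER.LOCAL
 datahunter.local = DATAHUNTER.LOCAL
"""

SECTION_RE = re.compile(r"\[(\w+)\]")


def parse_profile(text):
    """Parse the krb5.conf profile format: [sections], 'key = value' lines and
    nested 'key = { ... }' groups.  Returns {section: {key: value-or-dict}} plus
    an 'includedir' list with the directories named by includedir/include lines."""
    cfg = {"includedir": []}
    stack = []                                   # innermost open dict is stack[-1]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith(("includedir ", "include ")):
            cfg["includedir"].append(line.split(None, 1)[1])
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            stack = [cfg.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # open a nested group
        else:
            stack[-1][key] = value
    return cfg


def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] default_realm is not set")
    else:
        if default_realm != default_realm.upper():
            findings.append(f"realm name {default_realm!r} should be uppercase")
        if default_realm not in realms:
            findings.append(f"default_realm {default_realm!r} has no [realms] entry")
    for name, settings in realms.items():
        for required in ("kdc", "admin_server"):
            if not isinstance(settings, dict) or required not in settings:
                findings.append(f"[realms] {name}: missing {required}")
    # MIT krb5 defaults both settings to true; the configuration above pins them to false
    # so that KDC discovery and service-name canonicalisation do not depend on DNS answers.
    if libdefaults.get("dns_lookup_kdc", "true").lower() != "false":
        findings.append("dns_lookup_kdc is enabled: KDC location is taken from DNS SRV records")
    if libdefaults.get("rdns", "true").lower() != "false":
        findings.append("rdns is enabled: service principal names depend on reverse DNS")
    return findings


if __name__ == "__main__":
    parsed = parse_profile(SAMPLE_KRB5_CONF)
    print(parsed["realms"])
    for finding in check_config(parsed) or ["no findings"]:
        print(finding)
```

Run it against a real file with `parse_profile(open("/etc/krb5.conf").read())`; note that it records includedir lines but does not descend into them, so drop-in files under /etc/krb5.conf.d/ have to be parsed separately.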

 


kdb5_util

 

Kerberos database maintenance utility

# Create a Kerberos Database

# prompted to enter a password which will act as the master key

kdb5_util create -s

Remark

The -s flag is specified so that a stash file is created,
allowing the Kerberos service to start automatically without the master key having to be entered manually.

# The -f argument can be used to override the key_stash_file specified in kdc.conf(5)

# The default is /var/kerberos/krb5kdc/.k5.REALM

kdb5_util stash [-f key_stash_file]

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DATAHUNTER.LOCAL',
master key name 'K/M@DATAHUNTER.LOCAL'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:

ls -al /var/kerberos/krb5kdc/

total 28
drwxr-xr-x. 2 root root  155 Oct 19 12:23 .
drwxr-xr-x. 4 root root   33 Oct 19 11:56 ..
-rw-------. 1 root root   81 Oct 19 12:23 .k5.DATAHUNTER.LOCAL
-rw-------. 1 root root   22 Sep 22 02:31 kadm5.acl
-rw-------. 1 root root  441 Oct 19 12:17 kdc.conf
-rw-------. 1 root root 8192 Oct 19 12:23 principal
-rw-------. 1 root root 8192 Oct 19 12:23 principal.kadm5
-rw-------. 1 root root    0 Oct 19 12:23 principal.kadm5.lock
-rw-------. 1 root root    0 Oct 19  2021 principal.ok

File: principal

principal: Berkeley DB 1.85/1.86 (Btree, version 3, native byte-order)

 


Administration Tools

  • kadmin.local: must be run on the KDC server itself
  • kadmin: can be run from any system in the KDC's realm

kadmin.local

kadmin.local

Authenticating as principal root/admin@DATAHUNTER.LOCAL with password.

Help: "?"        # List available requests

Principal

  • addprinc
  • listprincs
  • getprinc
  • delprinc
  • modprinc
  • renprinc
  • cpw, change_password      # Change password

Policy

  • list_policies, listpols
  • add_policy, addpol
  • modify_policy, modpol
  • delete_policy, delpol
  • get_policy, getpol

Privileges

  • getprivs      # Get privileges

e.g.

kadmin.local:  addprinc datahunter

No policy specified for datahunter@DATAHUNTER.LOCAL; defaulting to no policy
Enter password for principal "datahunter@DATAHUNTER.LOCAL":
Re-enter password for principal "datahunter@DATAHUNTER.LOCAL":
Principal "datahunter@DATAHUNTER.LOCAL" created.

kadmin.local: listprincs

K/M@DATAHUNTER.LOCAL
datahunter@DATAHUNTER.LOCAL
kadmin/admin@DATAHUNTER.LOCAL
kadmin/changepw@DATAHUNTER.LOCAL
kadmin/r8.local@DATAHUNTER.LOCAL
kiprop/r8.local@DATAHUNTER.LOCAL
krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL

kadmin.local:  delprinc tim

Are you sure you want to delete the principal "tim@DATAHUNTER.LOCAL"? (yes/no): yes
Principal "tim@DATAHUNTER.LOCAL" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

Configure which clients may administer the database (remotely)

For regular users with no special privileges, no action is required.

/var/kerberos/krb5kdc/kadm5.acl

 


Requesting Tickets

kinit - request a ticket

klist - list the tickets in the credential cache

 


Integrating Kerberos with Software

There are two approaches:

  • native Kerberos support
  • delegating the authentication work to the PAM subsystem

native Kerberos support

OpenSSH

ssh Server

Kerberos 5 support exists only for SSH-1.

SSH-2 has no standard support for Kerberos yet.

However, there is a proposal to add it via GSSAPI (Generic Security Services Application Programming Interface, RFC 1964).

/etc/ssh/sshd_config

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# default sshd_config file has GSSAPIAuthentication=yes

Configure your host so that it knows where to get Kerberos tickets.

ssh Client

~/.ssh/config (per user; system-wide: /etc/ssh/ssh_config)

GSSAPIAuthentication yes

Run kadmin on the client machine to connect to the Kerberos server,

then call ktadd, which exports the key to the local filesystem (the keytab file).
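The keytab that ktadd writes here (the "Keytab Files" of the terminology section) is a small binary format, so as an added example (not the page's own code, and not MIT krb5's ktutil or klist) here is a Python reader for the MIT keytab file format version 0x0502, together with a builder that produces a constructed sample keytab to run it on. The principal names, timestamps and all-zero key bytes in the sample are placeholders, not real keys. The reader reports principal, kvno, enctype and key length but never the key material, which is all an audit for retired DES or RC4 keys needs.

```python
import struct

# Selected enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
RETIRED_ENCTYPES = {1, 3, 23}   # DES retired by RFC 6649, RC4 deprecated by RFC 8429
KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1


def _octets(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Write a version-0x0502 keytab from (principal, kvno, enctype, key, timestamp) tuples."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for princ, kvno, enctype, key, ts in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _octets(key)                 # keyblock
        body += struct.pack(">I", kvno)                                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body                        # size excludes itself
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry; a negative entry size marks a deleted entry (hole)."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    pos = 2
    entries = []

    def read_octets():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = read_octets().decode()
        comps = [read_octets().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = read_octets()
        kvno = vno8
        if end - pos >= 4:              # 32-bit kvno is present only when bytes remain
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "key_len": len(key)})
    return entries


def audit_keytab(data):
    """List entries whose enctype is retired; key bytes are never exposed."""
    return [f"{e['principal']} kvno {e['kvno']} uses retired enctype "
            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}"
            for e in parse_keytab(data) if e["enctype"] in RETIRED_ENCTYPES]


# Constructed sample: principals, timestamps and the all-zero keys are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("host/r8.local@DATAHUNTER.LOCAL", 2, 18, bytes(32), 1634628000),
    ("host/r8.local@DATAHUNTER.LOCAL", 2, 17, bytes(16), 1634628000),
    ("legacy/app.datahunter.local@DATAHUNTER.LOCAL", 5, 23, bytes(16), 1634628000),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(audit_keytab(SAMPLE_KEYTAB))
```

On a real host, `audit_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same information as `klist -kte` filtered to retired enctypes; reading the file needs the same root access the keytab's 0600 permissions already require.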

PAM subsystem

authconfig -> configures /etc/sssd/sssd.conf automatically

 


Log

 

/var/log/krb5kdc.log         # Rocky8

Oct 19 16:30:05 r8.local krb5kdc[68565](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.70: CLIENT_NOT_FOUND: tim@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL, Client not found in Kerberos database

Oct 19 16:21:04 r8.local krb5kdc[68565](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.70: ISSUE: authtime 1634631664, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, datahunter@DATAHUNTER.LOCAL for krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL
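As an added example (not part of the original page) of turning krb5kdc.log lines like the two above into something a SOC can act on, the following Python parses AS_REQ/TGS_REQ records, counts failed requests per source address and flags tickets that were issued with a retired enctype. The first two sample lines are the ones shown above; the remaining lines, the second address and the alert threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Request lines as krb5kdc writes them to /var/log/krb5kdc.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<result>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")
ISSUED_RE = re.compile(r"(rep|tkt|ses)=([^,}]+)")
WEAK_PREFIXES = ("des", "arcfour", "rc4")   # DES (RFC 6649) and RC4 (RFC 8429) are retired


def parse_kdc_line(line):
    """Parse one krb5kdc request line into a dict; return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    princ = PRINC_RE.search(rec["rest"])
    rec["client"] = princ.group("client") if princ else None
    rec["server"] = princ.group("server") if princ else None
    # For ISSUE records keep the enctypes chosen for the reply, the ticket and the session key.
    rec["issued"] = dict(ISSUED_RE.findall(rec["rest"])) if rec["result"] == "ISSUE" else {}
    return rec


def weak_enctypes(rec):
    """Roles (rep/tkt/ses) of an ISSUE record that were granted with a retired enctype."""
    return [role for role, et in rec["issued"].items() if et.lower().startswith(WEAK_PREFIXES)]


def summarize(lines, failure_threshold=3):
    """Per-source failure counts plus alerts for failure bursts and weak issued enctypes."""
    failures = Counter()
    unknown = defaultdict(set)       # unknown principals tried, per source address
    alerts = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["result"] == "ISSUE":
            for role in weak_enctypes(rec):
                alerts.append(f"weak enctype {rec['issued'][role]} ({role}) issued to "
                              f"{rec['client']} from {rec['ip']}")
        else:
            failures[rec["ip"]] += 1
            if rec["result"] == "CLIENT_NOT_FOUND":
                unknown[rec["ip"]].add(rec["client"])
    for ip, n in failures.items():
        if n >= failure_threshold:
            alerts.append(f"{ip}: {n} failed requests ({len(unknown[ip])} unknown principals)")
    return {"failures": dict(failures), "alerts": alerts}


ETYPES = ("aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), "
          "aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)")
KRBTGT = "krbtgt/DATAHUNTER.LOCAL@DATAHUNTER.LOCAL"
NOT_FOUND = ", Client not found in Kerberos database"


def _line(ts, ip, tail, offered=ETYPES):
    """Assemble a log line in the format shown above (only used to build the samples)."""
    n = offered.count(",") + 1
    return f"Oct 19 {ts} r8.local krb5kdc[68565](info): AS_REQ ({n} etypes {{{offered}}}) {ip}: {tail}"


SAMPLE_LOG = [
    # The two lines shown above.
    _line("16:30:05", "192.168.88.70", f"CLIENT_NOT_FOUND: tim@DATAHUNTER.LOCAL for {KRBTGT}{NOT_FOUND}"),
    _line("16:21:04", "192.168.88.70", "ISSUE: authtime 1634631664, etypes {rep=aes256-cts-hmac-sha1-96(18), "
          "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, datahunter@DATAHUNTER.LOCAL for "
          + KRBTGT),
    # Constructed: three more unknown principals from the same address, then a ticket whose
    # session key was negotiated with RC4 by a client that offered nothing else.
    _line("16:30:07", "192.168.88.70", f"CLIENT_NOT_FOUND: alice@DATAHUNTER.LOCAL for {KRBTGT}{NOT_FOUND}"),
    _line("16:30:08", "192.168.88.70", f"CLIENT_NOT_FOUND: bob@DATAHUNTER.LOCAL for {KRBTGT}{NOT_FOUND}"),
    _line("16:30:09", "192.168.88.70", f"CLIENT_NOT_FOUND: carol@DATAHUNTER.LOCAL for {KRBTGT}{NOT_FOUND}"),
    _line("16:35:10", "192.168.88.71", "ISSUE: authtime 1634632510, etypes {rep=aes256-cts-hmac-sha1-96(18), "
          "tkt=aes256-cts-hmac-sha1-96(18), ses=arcfour-hmac(23)}, legacy@DATAHUNTER.LOCAL for " + KRBTGT,
          offered="arcfour-hmac(23)"),
]

if __name__ == "__main__":
    for alert in summarize(SAMPLE_LOG)["alerts"]:
        print(alert)
```

For a live file, feed `summarize(open("/var/log/krb5kdc.log"))` and tune failure_threshold to the realm's normal failure rate; a burst of CLIENT_NOT_FOUND results from one address is the pattern to watch, and a non-empty "weak enctype" alert points at a client or service principal that still needs its keys migrated.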