Exercise 3: Build a KDC
=======================

These exercises assume your host is pc1.ws.nsrc.org and you will be
building a realm REALM1.WS.NSRC.ORG; change `1` to the appropriate
value for your machine.

1. Install ntp
--------------

Because tickets are timestamped, it's important that your machine always
has an accurately synchronized clock. Double-check it's installed:

    # apt-get install ntp

This will run a daemon (ntpd) which keeps your clock synchronized.

Note: if you have a large network then it makes sense to have two local
timeservers and have all other machines sync to those. You would then change
/etc/ntpd.conf to point to your time server(s).

2. Install kdc packages
-----------------------

    # apt-get install krb5-kdc krb5-admin-server

If you get a dialog box about setting up a Kerberos realm, just accept [Ok].

3. Configure krb5 library
-------------------------

Now we are going to configure the krb5 client library, manually associating
your own machine with your own realm. (We could instead change the DNS,
but doing it here lets you control your own settings.)

    # editor /etc/krb5.conf
    [libdefaults]
        default_realm = REALM1.WS.NSRC.ORG
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        REALM1.WS.NSRC.ORG = {
            kdc = pc1.ws.nsrc.org
            admin_server = pc1.ws.nsrc.org
        }

    [domain_realm]
        pc1.ws.nsrc.org = REALM1.WS.NSRC.ORG
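
As an added illustration (not part of the exercise), here is how the krb5 library picks a realm for a host name from a file like the one above. The configuration is a constructed copy of step 3's with two extra [domain_realm] lines, and the parser handles only the syntax shown here:

```python
# Constructed krb5.conf: step 3's file plus two extra [domain_realm] lines,
# one of them a leading-dot (whole domain) entry, to show the lookup order.
KRB5_CONF = """\
[libdefaults]
    default_realm = REALM1.WS.NSRC.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    REALM1.WS.NSRC.ORG = {
        kdc = pc1.ws.nsrc.org
        admin_server = pc1.ws.nsrc.org
    }
[domain_realm]
    pc1.ws.nsrc.org = REALM1.WS.NSRC.ORG
    pc2.ws.nsrc.org = REALM2.WS.NSRC.ORG
    .ws.nsrc.org = REALM1.WS.NSRC.ORG
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [section], key = value, NAME = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif line.endswith("{"):              # start of a sub-block, e.g. a realm
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            (section if block is None else block)[key] = value
    return conf

def realm_for_host(conf, hostname):
    """[domain_realm] order: exact host name, then each parent domain with a leading
    dot, then default_realm. (DNS TXT lookup via dns_lookup_realm is left out.)"""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")       # host names compare case-insensitively
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf["libdefaults"]["default_realm"]
```

Note that the exact entry for pc2.ws.nsrc.org wins over the broader `.ws.nsrc.org` line, so a neighbour's host can be placed in its own realm while everything else in the domain stays in yours.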

4. Create and initialize your database
--------------------------------------

Create the Kerberos database:

    kdb5_util create -r REALM1.WS.NSRC.ORG -s
    # This can pause for several minutes. Eventually you will be asked to
    # choose a database master password. Use "abcd" for this exercise,
    # but normally you'd choose something much stronger.

Create the ACL file and grant admin rights to all */admin principals:

    # editor /etc/krb5kdc/kadm5.acl
    */admin@REALM1.WS.NSRC.ORG *

Now we use kadmin.local (running as root) to create the first few
principals: a host principal for the host itself (putting the
randomly-chosen key into its own keytab file), a regular principal "student",
and a KDC admin principal "student/admin".

    # kadmin.local
    addprinc -randkey host/pc1.ws.nsrc.org
    ktadd host/pc1.ws.nsrc.org
    addprinc student
    -- you'll be prompted to choose a password
    addprinc student/admin
    -- you'll be prompted to choose a password
    ^D

Now start the daemons:

    # /etc/init.d/krb5-kdc start
    # /etc/init.d/krb5-admin-server start

At this point, you should be able to get a ticket from your own realm:

    $ kinit student
    Password for student@REALM1.WS.NSRC.ORG: <enter chosen password>
    $ klist

(Note that you've obtained a ticket from your own realm, using the
username and password you created in your own KDC.)

If this doesn't work, then debug as follows:

* Check your clock is synchronized (type `date`)
* Check your krb5.conf
* Check the kdc is running: `ps auxwww | grep krb5kdc`
* Look at the KDC logs in /var/log/auth.log

5. Managing principals
----------------------

From now on, you don't need `kadmin.local` as root to administer the
Kerberos database; you can use `kadmin` instead, as a normal user. This
runs over a TCP socket (so it can be run from a remote workstation, not
necessarily the KDC). The traffic is authenticated and encrypted using
Kerberos.

    $ kadmin -p student/admin
    ... enter the password for 'student/admin' which you chose earlier

Type '?' for a list of commands. The important ones are:

    listprincs            -- list principals
    addprinc <principal>  -- add principal
    cpw <principal>       -- change password
    delprinc <principal>  -- delete principal

Use ^D (ctrl-D) to exit.

Try the following:

* Change the password for the `student` principal. In another screen,
  check that you can `kinit student` with the new password.
* Create a new user principal of your choice, and check you can get a ticket
  for it with kinit.

6. Kerberos ssh
---------------

Since we modified krb5.conf earlier, restart sshd:

    # service ssh restart

Create a local `student` user:

    # useradd -m -s /bin/bash student

Note that we have not set any password. However, you should be able to log in
using a Kerberos ticket:

    $ kinit student
    $ ssh student@localhost

7. Extra exercises
------------------

If you have spare time, you and your neighbour can add [realms] and
[domain_realm] entries for each other, and you can try to get a ticket
directly from the other realm and use it to log in to the other machine:

    kinit student@REALM2.WS.NSRC.ORG
    ssh student@pc2.ws.nsrc.org

You could also try setting up cross-realm authentication. Each KDC has to
share a secret with its neighbour. On both KDCs create the following
principals; for each principal enter the same (preferably long and complex)
passphrase on both KDCs.

    # kadmin -p student/admin
    addprinc krbtgt/REALM2.WS.NSRC.ORG@REALM1.WS.NSRC.ORG
    addprinc krbtgt/REALM1.WS.NSRC.ORG@REALM2.WS.NSRC.ORG

(The first sets up realm2 to trust realm1; the second sets up realm1 to
trust realm2.)

At this point, Kerberos authentication will work, but ssh on pc1 will reject
a user who has authenticated as someone@REALM2 because pc1 is part of
REALM1 (and likewise pc2 rejects someone@REALM1):

    -- on pc1, logging in to pc2
    $ kinit student
    $ ssh -v student@pc2.ws.nsrc.org
    -- should be rejected

To permit it, create the file `~/.k5login` in the target user's home
directory, containing the authorized principal(s), one per line.

    -- on pc2
    # editor ~student/.k5login
    student@REALM1.WS.NSRC.ORG
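
To see why pc2 rejects student@REALM1 until `.k5login` lists it, here is a model of the default MIT authorization rules that sshd applies after GSSAPI authentication (the krb5_kuserok check). This is an added example written for this page, not the library's own code; the principal and realm names are the exercise's own:

```python
# Added model of the default MIT krb5_kuserok rules that sshd applies after a
# successful GSSAPI (Kerberos) authentication; not the library's own code.

def split_principal(principal):
    """'student/admin@REALM1.WS.NSRC.ORG' -> (['student', 'admin'], 'REALM1.WS.NSRC.ORG')"""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a full principal name: %r" % principal)
    return name.split("/"), realm

def kuserok(principal, local_user, local_realm, k5login=None):
    """True if `principal` may log in as `local_user` on a host in `local_realm`.
    `k5login` is the text of ~local_user/.k5login, or None when the file does
    not exist.  Rules modelled:
      1. If .k5login exists it is authoritative (k5login_authoritative = true,
         the default): the principal must appear on a line of its own.
      2. Otherwise only the single-component principal local_user@local_realm
         maps to the account, which is why a foreign-realm user is rejected."""
    components, realm = split_principal(principal)
    if k5login is not None:
        allowed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal in allowed
    return len(components) == 1 and components[0] == local_user and realm == local_realm

def step7_outcomes():
    """The situations from step 7 as seen by sshd on pc2 (realm REALM2)."""
    pc2 = "REALM2.WS.NSRC.ORG"
    listed = "student@REALM1.WS.NSRC.ORG\n"   # contents of ~student/.k5login on pc2
    return {
        "student@REALM2, no .k5login":   kuserok("student@REALM2.WS.NSRC.ORG", "student", pc2),
        "student@REALM1, no .k5login":   kuserok("student@REALM1.WS.NSRC.ORG", "student", pc2),
        "student@REALM1, listed":        kuserok("student@REALM1.WS.NSRC.ORG", "student", pc2, listed),
        "student@REALM2, file lacks it": kuserok("student@REALM2.WS.NSRC.ORG", "student", pc2, listed),
        "student/admin@REALM2":          kuserok("student/admin@REALM2.WS.NSRC.ORG", "student", pc2),
    }
```

The fourth case is the trap to remember: once `.k5login` exists it replaces the default mapping, so the host's own student@REALM2 must be listed in it as well.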

Notes
-----

In a real environment, you would add at least one slave KDC for resilience.
There is information on how to do this at
http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs