Exercise 3: Build a KDC
=======================

These exercises assume your host is pc1.ws.nsrc.org and you will be
building a realm REALM1.WS.NSRC.ORG - change `1` to the appropriate
value for your machine.

1. Install ntp
--------------

Kerberos tickets and authenticators carry timestamps, and the KDC and
servers reject anything whose timestamp falls outside a small clock-skew
window (5 minutes by default), so it's important that your machine always
has an accurately synchronized clock. Double-check ntp is installed:

    # apt-get install ntp

This will run a daemon (ntpd) which keeps your clock synchronized.

Note: if you have a large network then it makes sense to have two local
timeservers and all other machines sync to those. You would then change
/etc/ntp.conf to point to your time server(s).

2. Install kdc packages
-----------------------

    # apt-get install krb5-kdc krb5-admin-server

If you get a dialog box about setting up a kerberos realm, just accept [Ok]

3. Configure krb5 library
-------------------------

Now we are going to configure the krb5 client library, manually associating
your own machine with your own realm. (We could instead publish the realm
and KDC in DNS, but doing it here lets you control your own settings.)

    # editor /etc/krb5.conf
    [libdefaults]
        default_realm = REALM1.WS.NSRC.ORG
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        REALM1.WS.NSRC.ORG = {
            kdc = pc1.ws.nsrc.org
            admin_server = pc1.ws.nsrc.org
        }

    [domain_realm]
        pc1.ws.nsrc.org = REALM1.WS.NSRC.ORG

4. Create and initialize your database
--------------------------------------

Create the Kerberos database:

    # kdb5_util create -r REALM1.WS.NSRC.ORG -s

This can pause for several minutes while it reads random data from the
kernel. Eventually you will be asked to choose a database master password.
Use "abcd" for this exercise, but normally you'd choose something much
stronger.

The `-s` flag stashes the master key in /etc/krb5kdc/stash so the KDC can
start unattended. That file, and the database under /var/lib/krb5kdc, must
be readable by root only: anyone who can read them can recover every key in
the realm, including the krbtgt key, and forge tickets at will.

Create the ACL file and grant admin rights to all */admin principals:

    # editor /etc/krb5kdc/kadm5.acl
    */admin@REALM1.WS.NSRC.ORG      *

The `*` in the second column grants every kadmin privilege. In production
you would give most operators a narrower set of permission letters (see
kadm5.acl(5)); this exercise keeps it simple.

Now we use kadmin.local (running as root, and talking to the database file
directly rather than over the network) to create the first few principals:
a host principal for the host itself (putting the randomly-chosen key into
its own keytab file, /etc/krb5.keytab); a regular principal "student" and a
KDC admin principal "student/admin"

    # kadmin.local
    addprinc -randkey host/pc1.ws.nsrc.org
    ktadd host/pc1.ws.nsrc.org
    addprinc student
    -- you'll be prompted to choose a password
    addprinc student/admin
    -- you'll be prompted to choose a password
    ^D

The keytab holds the host's long-term key, so /etc/krb5.keytab must stay
readable by root only (mode 0600).

Now start the daemons:

    # /etc/init.d/krb5-kdc start
    # /etc/init.d/krb5-admin-server start

At this point, you should be able to get a ticket from your own realm:

    $ kinit student
    Password for student@REALM1.WS.NSRC.ORG: <enter chosen password>
    $ klist

(Note that you've obtained a ticket from your own realm, using the
username and password you created in your own KDC)

If this doesn't work, then debug as follows:

* Check your clock is synchronized (type `date`; `ntpq -p` shows which
  servers ntpd is actually using)
* Check your krb5.conf
* Check the KDC is running: `ps auxwww | grep krb5kdc`
* Look at the KDC logs in /var/log/auth.log (the KDC logs via syslog by
  default)

5. Managing principals
----------------------

From now on, you don't need `kadmin.local` as root to administer the
Kerberos database; you can use `kadmin` instead, as a normal user. This
talks to kadmind over TCP (port 749), so it can be run from a remote
workstation, not necessarily the KDC. The traffic is authenticated and
encrypted using Kerberos, and what each admin principal is allowed to do
is decided by /etc/krb5kdc/kadm5.acl.

    $ kadmin -p student/admin
    ... enter password for 'student/admin' which you chose earlier

Type '?' for a list of commands. The important ones are:

    listprincs              -- list principals
    addprinc <principal>    -- add principal
    cpw <principal>         -- change password
    delprinc <principal>    -- delete principal

Use ^D (ctrl-D) to exit.

Try the following:

* Change the password for the `student` principal. In another screen,
  check that you can `kinit student` with the new password.
* Create a new user principal of your choice, and check you can get a ticket
  for it with kinit.

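The reason `kadmin -p student/admin` is accepted at all is the single line
in /etc/krb5kdc/kadm5.acl from step 4. kadmind reads that file top to
bottom and the first line whose pattern matches the client (and, where the
line names one, the target principal) decides; later lines are never
consulted. The Python below is an added example, not code from this
exercise or from MIT krb5: it models the matching rules documented in
kadm5.acl(5) (`*` matches one component or the realm, `*N` in a target
pattern refers back to component N of the client, lower-case letters grant
and upper-case letters deny, `*`/`x` grant everything except key
extraction) so you can check what an ACL grants before putting it on a
KDC. The narrower ACL text and the principals other than student/admin are
constructed for the example.

```python
"""kadm5.acl matching as documented in kadm5.acl(5), modelled in Python.
Added example, not code from the exercise or from MIT krb5; the ACL texts
and the principals other than student/admin are constructed."""
import re
from typing import List, Optional, Sequence, Set, Tuple

# Privilege letters from kadm5.acl(5). 'x' and '*' expand to this set; key
# extraction ('e', newer MIT releases) has to be granted explicitly.
ALL_PRIVS: Set[str] = set("admcilps")

# The line from step 4 of the exercise.
WORKSHOP_ACL = "*/admin@REALM1.WS.NSRC.ORG      *\n"

# Constructed, narrower policy: an admin may reset only the password of the
# user principal sharing its first component, and is otherwise read-only.
# The first matching line wins, so the specific rule goes first.
NARROWER_ACL = """\
# most specific rule first
*/admin@REALM1.WS.NSRC.ORG   c    *1@REALM1.WS.NSRC.ORG
*/admin@REALM1.WS.NSRC.ORG   il
"""
# Same rules in the wrong order: the read-only line now shadows the other.
SWAPPED_ACL = "\n".join(reversed(NARROWER_ACL.strip().splitlines())) + "\n"


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm); realm may be ''."""
    local, realm = name.rsplit("@", 1) if "@" in name else (name, "")
    return local.split("/"), realm


def match_principal(pattern: str, principal: str,
                    backrefs: Sequence[str] = ()) -> bool:
    """Component-wise match: '*' matches any one component or any realm;
    '*N' (used in target patterns) must equal component N of the client,
    supplied as backrefs. Component counts must agree."""
    if pattern == "*":
        return True
    pcomps, prealm = parse_principal(pattern)
    ccomps, crealm = parse_principal(principal)
    if len(pcomps) != len(ccomps) or (prealm != "*" and prealm != crealm):
        return False
    for pat, comp in zip(pcomps, ccomps):
        if pat == "*":
            continue
        ref = re.fullmatch(r"\*([1-9])", pat)
        if ref:
            idx = int(ref.group(1)) - 1
            if idx >= len(backrefs) or backrefs[idx] != comp:
                return False
        elif pat != comp:
            return False
    return True


def parse_privs(letters: str) -> Set[str]:
    """Lower-case letters grant, upper-case letters deny, 'x'/'*' grant all."""
    granted: Set[str] = set()
    for ch in letters:
        if ch in "x*":
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


def acl_allows(acl_text: str, client: str, priv: str,
               target: Optional[str] = None) -> bool:
    """Does `client` hold privilege `priv` (one letter) for an operation on
    `target` (None for target-less operations such as listprincs)? The first
    line whose client pattern matches, and whose target pattern (if any)
    matches the target, decides. A line with a target pattern is skipped for
    target-less operations. Restriction fields after the target are ignored."""
    client_comps, _ = parse_principal(client)
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        who, letters = fields[0], fields[1]
        target_pat = fields[2] if len(fields) > 2 else None
        if not match_principal(who, client):
            continue
        if target_pat is not None:
            if target is None or not match_principal(target_pat, target, client_comps):
                continue
        return priv in parse_privs(letters)
    return False  # no matching line: kadmind denies


if __name__ == "__main__":
    me = "student/admin@REALM1.WS.NSRC.ORG"
    for label, acl in (("workshop", WORKSHOP_ACL), ("narrower", NARROWER_ACL),
                       ("swapped", SWAPPED_ACL)):
        print(label, "cpw own user:", acl_allows(acl, me, "c", "student@REALM1.WS.NSRC.ORG"),
              "cpw alice:", acl_allows(acl, me, "c", "alice@REALM1.WS.NSRC.ORG"),
              "addprinc:", acl_allows(acl, me, "a", "bob@REALM1.WS.NSRC.ORG"))
```

Run it directly to print the decisions for the three policies. The swapped
policy shows the classic mistake: a broad read-only line placed first
silently shadows the rule beneath it, because kadmind never falls through
to a later line once one has matched.
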
6. Kerberos ssh
---------------

Since we have modified krb5.conf earlier, restart sshd so that it picks up
the new realm configuration:

    # service ssh restart

For this to work sshd must accept GSSAPI (Kerberos) authentication, which
OpenSSH's built-in default turns off. Check the effective setting with
`sshd -T | grep -i gssapiauthentication` and set
`GSSAPIAuthentication yes` in /etc/ssh/sshd_config if needed.

Create a local `student` user:

    # useradd -m -s /bin/bash student

Note that we have not set any password. However you should be able to login
using a kerberos ticket:

    $ kinit student
    $ ssh student@pc1.ws.nsrc.org

Use the fully-qualified hostname rather than `localhost`: the client asks
the KDC for a service ticket for host/<name you typed>, and only
host/pc1.ws.nsrc.org exists in the KDC and the keytab. `ssh -v` shows the
GSSAPI exchange if a login unexpectedly falls back to a password prompt.

7. Extra exercises
------------------

If you have spare time, you and your neighbour can add [realms] and
[domain_realm] entries for each other's realm to krb5.conf, and you can
try to get a ticket directly from the other realm and use it to login to
the other machine (this needs the password of the `student` principal in
the other realm):

    kinit student@REALM2.WS.NSRC.ORG
    ssh student@pc2.ws.nsrc.org

You could also try setting up cross-realm authentication. Each KDC has to
share a secret with its neighbour. On both KDCs create the following
principals; for each principal enter the same (preferably long and complex)
passphrase on both KDCs, so that both databases derive the same key.

    # kadmin -p student/admin
    addprinc krbtgt/REALM2.WS.NSRC.ORG@REALM1.WS.NSRC.ORG
    addprinc krbtgt/REALM1.WS.NSRC.ORG@REALM2.WS.NSRC.ORG

(The first lets REALM1's KDC issue cross-realm tickets that REALM2 will
accept, i.e. REALM2 trusts REALM1; the second is the reverse. A one-way
trust needs only one of them.)

At this point, Kerberos authentication will work, but sshd on pc2 will
reject a user who has authenticated as student@REALM1.WS.NSRC.ORG: pc2 is
part of REALM2, and by default a principal is only mapped to the local
account of the same name when it is in the machine's own realm.

    -- on pc1, logging in to pc2
    $ kinit student
    $ ssh -v student@pc2.ws.nsrc.org
    -- should be rejected

To permit it, create file `~/.k5login` containing the authorized
principal(s), one per line.

    -- on pc2
    # editor ~student/.k5login
    student@REALM1.WS.NSRC.ORG

Once ~/.k5login exists it is the only thing consulted, so the local
principal is no longer accepted automatically: if student@REALM2.WS.NSRC.ORG
should still be able to log in as `student` on pc2, list it in the file as
well. Lines are compared exactly, and the file must be owned by the user
(or root).

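What sshd is applying here is MIT's krb5_kuserok check: with no ~/.k5login,
only a single-component principal in the host's own realm whose name equals
the local account gets in; once the file exists, its contents are the whole
decision. The Python below is an added example that models that rule; it is
not code from this exercise or from MIT krb5, and the realm names, local
user and .k5login contents are constructed for the example.

```python
"""Login decision sshd makes for a Kerberos principal (MIT krb5_kuserok),
modelled in Python. Added example, not code from the exercise or from MIT
krb5; the principals and .k5login contents below are constructed."""
from typing import Optional


def default_mapping_ok(principal: str, local_user: str, local_realm: str) -> bool:
    """Built-in rule when no auth_to_local rules are configured: a
    single-component principal in the machine's own realm maps to the local
    account of the same name. Anything else (another realm, or an instance
    such as student/admin) is rejected."""
    if "@" not in principal:
        return False
    name, realm = principal.rsplit("@", 1)
    return realm == local_realm and "/" not in name and name == local_user


def k5login_ok(k5login_text: str, principal: str) -> bool:
    """~/.k5login: one principal per line, compared exactly after removing
    the line terminator (no comments, no wildcards; a stray trailing space
    makes the line not match). MIT also requires the file to be owned by
    the user or root, which a text-only model cannot check."""
    return any(line == principal for line in k5login_text.splitlines())


def kuserok(principal: str, local_user: str, local_realm: str,
            k5login_text: Optional[str]) -> bool:
    """k5login_text is the file's contents, or None if ~/.k5login does not
    exist. With MIT's default k5login_authoritative = true an existing file
    is the only thing consulted, so the default mapping no longer applies."""
    if k5login_text is not None:
        return k5login_ok(k5login_text, principal)
    return default_mapping_ok(principal, local_user, local_realm)


if __name__ == "__main__":
    # pc2 is in REALM2; the local account is "student".
    pc2_realm = "REALM2.WS.NSRC.ORG"
    from_realm1 = "student@REALM1.WS.NSRC.ORG"
    from_realm2 = "student@REALM2.WS.NSRC.ORG"
    only_realm1 = "student@REALM1.WS.NSRC.ORG\n"
    both = only_realm1 + "student@REALM2.WS.NSRC.ORG\n"
    for label, k5 in (("no .k5login", None), ("lists REALM1 only", only_realm1),
                      ("lists both", both)):
        print(label, "REALM1 user:", kuserok(from_realm1, "student", pc2_realm, k5),
              "REALM2 user:", kuserok(from_realm2, "student", pc2_realm, k5))
```

The middle line of the output is the trap: once ~student/.k5login on pc2
lists only student@REALM1.WS.NSRC.ORG, the local
student@REALM2.WS.NSRC.ORG can no longer ssh in as `student` until it is
listed as well.
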
Notes
-----

In a real environment, you would add at least one slave KDC for resilience,
so that clients can still get tickets while the master is down or being
maintained. There is information on how to do this at
http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs