File ex3-kerberos-kdc.txt, 5.7 KB (added by admin, 8 years ago)

Exercise 3: Build a KDC
=======================

These exercises assume your host is pc1.ws.nsrc.org and you will be
building a realm REALM1.WS.NSRC.ORG - change `1` to the appropriate
value for your machine.

1. Install ntp
--------------

Because tickets are timestamped, it's important that your machine always
has an accurately synchronized clock. Double-check it's installed:

    # apt-get install ntp

This will run a daemon (ntpd) which keeps your clock synchronized.

Note: if you have a large network then it makes sense to have two local
timeservers and all other machines sync to those. You would then change
/etc/ntpd.conf to point to your time server(s).

2. Install kdc packages
-----------------------

    # apt-get install krb5-kdc krb5-admin-server

If you get a dialog box about setting up a kerberos realm, just accept [Ok]

3. Configure krb5 library
-------------------------

Now we are going to configure the krb5 client library, manually associating
your own machine with your own realm. (We could instead change the DNS,
but doing it here lets you control your own settings)

    # editor /etc/krb5.conf
    [libdefaults]
    default_realm = REALM1.WS.NSRC.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [realms]
    REALM1.WS.NSRC.ORG = {
            kdc = pc1.ws.nsrc.org
            admin_server = pc1.ws.nsrc.org
    }

    [domain_realm]
    pc1.ws.nsrc.org = REALM1.WS.NSRC.ORG
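
The [domain_realm] section is what the library consults to decide which realm
a hostname belongs to before it asks a KDC for a service ticket, and it is the
same section you and a neighbour extend in the extra exercises. The script
below is an added example, not part of the NSRC exercise: it models the
precedence as assumed here (an exact hostname entry wins, then the longest
entry beginning with a dot that is a suffix of the hostname, then
default_realm) over a constructed krb5.conf covering pc1 and pc2. The
hostnames pc3.ws.nsrc.org and other.example.com and the function names are
hypothetical, and DNS-based realm lookup (dns_lookup_realm) is not modelled.

```shell
#!/bin/sh
# Added example, not part of the exercise: model the [domain_realm] lookup.
# SAMPLE_KRB5_CONF is a constructed config for pc1 and pc2, not /etc/krb5.conf.
# Precedence modelled (an assumption/simplification of the library's behaviour):
#   1. an entry whose key is exactly the hostname
#   2. the longest entry whose key starts with '.' and is a suffix of the host
#   3. default_realm from [libdefaults]
# DNS-based lookups (dns_lookup_realm) are not modelled.

SAMPLE_KRB5_CONF='[libdefaults]
default_realm = REALM1.WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
REALM1.WS.NSRC.ORG = {
        kdc = pc1.ws.nsrc.org
        admin_server = pc1.ws.nsrc.org
}
REALM2.WS.NSRC.ORG = {
        kdc = pc2.ws.nsrc.org
        admin_server = pc2.ws.nsrc.org
}

[domain_realm]
pc1.ws.nsrc.org = REALM1.WS.NSRC.ORG
pc2.ws.nsrc.org = REALM2.WS.NSRC.ORG
.ws.nsrc.org = REALM1.WS.NSRC.ORG'

# libdefault KEY: print KEY's value from the [libdefaults] section.
libdefault() {
    printf '%s\n' "$SAMPLE_KRB5_CONF" | awk -v key="$1" '
        /^\[/ { insect = ($0 == "[libdefaults]"); next }
        insect && $1 == key && $2 == "=" { print $3; exit }'
}

# host_realm HOSTNAME: print the realm the lookup selects for HOSTNAME.
host_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # hostnames compare case-insensitively
    realm=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | awk -v host="$host" '
        /^\[/ { insect = ($0 == "[domain_realm]"); next }
        insect && NF == 3 && $2 == "=" {
            key = tolower($1)
            if (key == host) { best = $3; bestlen = 1000; next }        # rule 1
            if (substr(key, 1, 1) == "." && length(host) > length(key) &&
                substr(host, length(host) - length(key) + 1) == key &&
                length(key) > bestlen) { best = $3; bestlen = length(key) }  # rule 2
        }
        END { if (best != "") print best }')
    if [ -n "$realm" ]; then
        printf '%s\n' "$realm"
    else
        libdefault default_realm                                         # rule 3
    fi
}

# service_principal HOSTNAME: the host principal an ssh client asks a ticket for.
service_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$(host_realm "$1")"
}

# Demo: show what a login to each (constructed) host would resolve to.
for h in pc1.ws.nsrc.org pc2.ws.nsrc.org pc3.ws.nsrc.org other.example.com; do
    printf '%-22s -> %s\n' "$h" "$(service_principal "$h")"
done
```

The useful thing to notice is the third host: pc3.ws.nsrc.org has no entry
of its own, so the `.ws.nsrc.org` wildcard sends the client to REALM1 even if
pc3 actually belongs to another realm; a host that is in a different realm
from its domain neighbours needs its own explicit entry (as pc2 has above),
otherwise the client asks the wrong KDC and the login fails.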

4. Create and initialize your database
--------------------------------------

Create the Kerberos database (as root):

    # kdb5_util create -r REALM1.WS.NSRC.ORG -s
    -- This can pause for several minutes. Eventually you will be asked to
    -- choose a database master password. Use "abcd" for this exercise,
    -- but normally you'd choose something much stronger.

Create the ACL file and grant admin rights to all */admin principals:

    # editor /etc/krb5kdc/kadm5.acl
    */admin@REALM1.WS.NSRC.ORG    *

Now we use kadmin.local (running as root) to create the first few
principals: a host principal for the host itself (putting the
randomly-chosen key into its own keytab file); a regular principal "student"
and a KDC admin principal "student/admin"

    # kadmin.local
    addprinc -randkey host/pc1.ws.nsrc.org
    ktadd host/pc1.ws.nsrc.org
    addprinc student
    -- you'll be prompted to choose a password
    addprinc student/admin
    -- you'll be prompted to choose a password
    ^D

Now start the daemons:

    # /etc/init.d/krb5-kdc start
    # /etc/init.d/krb5-admin-server start

At this point, you should be able to get a ticket from your own realm:

    $ kinit student
    Password for student@REALM1.WS.NSRC.ORG: <enter chosen password>
    $ klist

(Note that you've obtained a ticket from your own realm, using the
username and password you created in your own KDC)

If this doesn't work, then debug as follows:

* Check your clock is synchronized (type `date`)
* Check your krb5.conf
* Check kdc is running: `ps auxwww | grep krb5kdc`
* Look at KDC logs in /var/log/auth.log

5. Managing principals
----------------------

From now on, you don't need `kadmin.local` as root to administer the
Kerberos database; you can use `kadmin` instead, as a normal user.  This
runs over a TCP socket (so it can be run from a remote workstation, not
necessarily the KDC).  The traffic is authenticated and encrypted using
Kerberos.

    $ kadmin -p student/admin
    ... enter password for 'student/admin' which you chose earlier

Type '?' for a list of commands. The important ones are:

    listprincs              -- list principals
    addprinc <principal>    -- add principal
    cpw <principal>         -- change password
    delprinc <principal>    -- delete principal

Use ^D (ctrl-D) to exit.

Try the following:

* Change the password for the `student` principal. In another screen,
  check that you can `kinit student` with the new password.
* Create a new user principal of your choice, and check you can get a ticket
  for it with kinit.

6. Kerberos ssh
---------------

Since we have modified krb5.conf earlier, restart sshd:

    # service ssh restart

Create a local `student` user:

    # useradd -m -s /bin/bash student

Note that we have not set any password. However, you should be able to log in
using a kerberos ticket:

    $ kinit student
    $ ssh student@localhost

7. Extra exercises
------------------

If you have spare time, you and your neighbour can add [realms] and
[domain_realm] sections for each other, and you can try to get a ticket
directly from the other realm and use it to login to the other machine:

    $ kinit student@REALM2.WS.NSRC.ORG
    $ ssh student@pc2.ws.nsrc.org

You could also try setting up cross-realm authentication. Each KDC has to
share a secret with its neighbour.  On both KDCs create the following
principals; for each principal enter the same (preferably long and complex)
passphrase on both KDCs.

    # kadmin -p student/admin
    addprinc krbtgt/REALM2.WS.NSRC.ORG@REALM1.WS.NSRC.ORG
    addprinc krbtgt/REALM1.WS.NSRC.ORG@REALM2.WS.NSRC.ORG

(The first sets up realm2 to trust realm1; the second sets up realm1 to
trust realm2)

At this point, Kerberos authentication will work, but ssh on pc1 will reject
a user who has authenticated as someone@REALM2 because pc1 is part of
REALM1.

    -- on pc1, logging in to pc2
    $ kinit student
    $ ssh -v student@pc2.ws.nsrc.org
    -- should be rejected

To permit it, create file `~/.k5login` containing the authorized
principal(s), one per line.

    -- on pc2
    # editor ~student/.k5login
    student@REALM1.WS.NSRC.ORG
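
What sshd accepts or rejects here is the Kerberos library's "kuserok"
decision: with no ~/.k5login, a principal may log in to a local account only
if it is <user>@<the host's default realm>; once a ~/.k5login exists, it is
authoritative and only the principals listed in it pass, so on pc2 the
student's own student@REALM2.WS.NSRC.ORG must also be listed if they still
want to log in that way. The script below is an added example, not part of
the NSRC exercise, that models that decision over a constructed .k5login for
the `student` account on pc2; `login_permitted` is a hypothetical name, and
the ownership check the real library also performs on the file (it must be
owned by the user or root) is noted but not modelled.

```shell
#!/bin/sh
# Added example, not part of the exercise: model the decision that lets a
# Kerberos-authenticated principal log in as a local account (the check sshd
# delegates to the Kerberos library). Simplifications/assumptions:
#   - without a .k5login the principal must be exactly <user>@<default realm>
#   - with a .k5login the file is authoritative: only listed principals pass
#   - the real library also refuses a .k5login not owned by the user or root;
#     that ownership check is not modelled here
# DEFAULT_REALM is pc2's realm, since the .k5login in the exercise lives on pc2.
DEFAULT_REALM=REALM2.WS.NSRC.ORG

# login_permitted LOCALUSER PRINCIPAL K5LOGIN_PATH
# Exit status 0 = permitted, 1 = rejected. K5LOGIN_PATH need not exist.
login_permitted() {
    user=$1 princ=$2 k5login=$3
    if [ -f "$k5login" ]; then
        # One principal per line, exact (fixed-string, whole-line) match.
        grep -Fxq -- "$princ" "$k5login"
    else
        [ "$princ" = "$user@$DEFAULT_REALM" ]
    fi
}

# Constructed sample: the ~student/.k5login from the exercise, written to a
# scratch directory so the demo never touches a real home directory.
SAMPLE_DIR=${TMPDIR:-/tmp}/k5login-demo.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'student@REALM1.WS.NSRC.ORG' > "$SAMPLE_DIR/with-k5login"

# Demo: for each authenticated principal, show the outcome of logging in as
# 'student' on pc2 both before and after the .k5login is created.
for princ in student@REALM1.WS.NSRC.ORG student@REALM2.WS.NSRC.ORG bob@REALM1.WS.NSRC.ORG; do
    if login_permitted student "$princ" "$SAMPLE_DIR/missing"; then r1=permit; else r1=reject; fi
    if login_permitted student "$princ" "$SAMPLE_DIR/with-k5login"; then r2=permit; else r2=reject; fi
    printf '%-28s no .k5login: %-6s  with .k5login: %s\n' "$princ" "$r1" "$r2"
done
```

Run it and the second line of output shows the caveat: after the .k5login
from the exercise is created, student@REALM2.WS.NSRC.ORG is rejected on its
own machine until it is added to the file as well, and bob@REALM1 is rejected
in both cases because a cross-realm trust only authenticates the neighbour's
users, it never authorizes them.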

Notes
-----

In a real environment, you would add at least one slave KDC for resilience.
There is information on how to do this at
http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs