Configure a Kerberos 5 Client

Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file. While ssh and slogin are the preferred method of remotely logging in to client systems, Kerberized versions of rsh and rlogin are still available, though deploying them requires that a few more configuration changes be made.

1. Be sure that time synchronization is in place between the Kerberos client and the KDC, and verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs. The server and client firewall ports must be configured to allow the kerberos and kpasswd services. If you suspect the firewall is interfering with your install, shut it off

# systemctl stop firewalld.service

only long enough to finish configuring, then retrace the steps so that Kerberos can communicate between the server and client with the firewall back on.
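As an added pre-flight script for step 1 (my own example, not part of the original write-up): it checks the clock offset against the 300-second skew that MIT Kerberos tolerates by default, checks that the workstation's name resolves forward and reverse consistently, and shows the firewalld commands that open the KDC side. It assumes chrony is the time source and firewalld the firewall; kdc.example.com is a placeholder name. One thing the firewall note above leaves out: running kadmin from the workstation in step 3 also needs 749/tcp open on the KDC.

```shell
#!/bin/sh
# Added pre-flight checks for a Kerberos client (example code, not from the post).
# Assumptions: chrony keeps the clock, firewalld is the firewall, and the KDC's
# name is passed as $1 (kdc.example.com is a placeholder).
MAX_SKEW=300   # seconds; the MIT Kerberos default clockskew

# skew_ok OFFSET -> exit 0 when |OFFSET| <= MAX_SKEW (sign and decimals allowed)
skew_ok() {
    awk -v s="$1" -v max="$MAX_SKEW" 'BEGIN { if (s < 0) s = -s; exit !(s <= max) }'
}

# current_offset -> this host's offset from NTP, from the "System time" line of chronyc
current_offset() {
    chronyc tracking | awk -F': *' '/^System time/ { split($2, f, " "); print f[1]; exit }'
}

# dns_consistent FQDN -> exit 0 when forward and reverse lookups agree; a host
# principal host/<fqdn> is only useful when <fqdn> is the name others resolve
dns_consistent() {
    ip=$(getent ahosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    [ "$(getent hosts "$ip" | awk '{ print $2 }')" = "$1" ]
}

# open_kdc_ports -> run on the KDC: 88 (kerberos), 464 (kpasswd) and 749/tcp,
# which the kadmin run from the workstation in step 3 also needs
open_kdc_ports() {
    firewall-cmd --permanent --add-service=kerberos &&
    firewall-cmd --permanent --add-service=kpasswd &&
    firewall-cmd --permanent --add-port=749/tcp &&
    firewall-cmd --reload
}

# preflight KDC -> the checks a client needs before kinit can be expected to work
preflight() {
    kdc=$1
    off=$(current_offset)
    if skew_ok "$off"; then
        echo "clock offset ${off}s within ${MAX_SKEW}s"
    else
        echo "clock offset ${off}s exceeds ${MAX_SKEW}s; fix time sync first" >&2
        return 1
    fi
    fqdn=$(hostname -f)
    dns_consistent "$fqdn" || { echo "forward/reverse DNS mismatch for $fqdn" >&2; return 1; }
    getent ahosts "$kdc" > /dev/null || { echo "cannot resolve KDC $kdc" >&2; return 1; }
    echo "DNS ok for $fqdn and $kdc"
}

if [ "$#" -eq 1 ]; then preflight "$1"; fi   # usage: sh preflight.sh kdc.example.com
```

Run it on the client as `sh preflight.sh kdc.example.com`; `open_kdc_ports` is meant to be run on the KDC, where it leaves the firewall on instead of stopping it.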

2. Install the krb5-libs and krb5-workstation packages on all of the client machines (krb5-libs is pulled in as a dependency of krb5-workstation). Supply a valid /etc/krb5.conf file for each client (usually this can be the same krb5.conf file used by the KDC).

# yum install krb5-workstation
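The write-up says to supply a valid krb5.conf without showing one, so here is an added example (mine, not from the original post) that generates the minimal client file: realm, where to find the KDC and admin server, and the DNS-domain-to-realm mapping. EXAMPLE.COM and kdc.example.com are placeholder names; the realm is conventionally the DNS domain in upper case and is case-sensitive. `forwardable = true` is what makes the ssh credential delegation described later possible.

```shell
#!/bin/sh
# Added example, not from the original post: generate the /etc/krb5.conf a client
# needs. EXAMPLE.COM / kdc.example.com are constructed placeholder names.

# realm_from_domain DOMAIN -> DOMAIN upper-cased (the usual realm naming convention)
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# render_krb5_conf REALM KDC_FQDN DNS_DOMAIN -> krb5.conf text on stdout.
# dns_lookup_* are off because the KDC is named explicitly below, so the client
# does not take KDC locations from DNS records. forwardable = true issues TGTs
# that GSSAPIDelegateCredentials can forward over ssh.
render_krb5_conf() {
    realm=$1; kdc=$2; domain=$3
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# install_krb5_conf REALM KDC_FQDN DNS_DOMAIN -> write the file root-owned, 0644
# (the client libraries must read it and it contains no secrets)
install_krb5_conf() {
    render_krb5_conf "$1" "$2" "$3" > /etc/krb5.conf.new &&
    install -m 0644 -o root -g root /etc/krb5.conf.new /etc/krb5.conf &&
    rm -f /etc/krb5.conf.new
}

if [ "$#" -eq 2 ]; then   # usage: sh krb5conf.sh example.com kdc.example.com
    render_krb5_conf "$(realm_from_domain "$1")" "$2" "$1"
fi
```

Running `sh krb5conf.sh example.com kdc.example.com` prints the file so it can be reviewed before `install_krb5_conf` puts it in place.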

3. Before a workstation in the realm can use Kerberos to authenticate users who connect using ssh or Kerberized rsh or rlogin, it must have its own host principal in the Kerberos database. The sshd, kshd, and klogind server programs all need access to the keys for the host service's principal. Additionally, in order to use the Kerberized rsh and rlogin services, the client workstation must have the xinetd package installed. Enter this command in a terminal on the client workstation:

# yum install xinetd

At this point I named my client computer to avoid confusing configuration settings.

# hostnamectl set-hostname <hostname>

# hostnamectl set-hostname mlfclient

Copy the same information from the /etc/krb5.conf file on the KDC server to the client's /etc/krb5.conf.

Do the following on the KDC server. The host principal for the workstation is added through kadmin, which first needs an admin principal to authenticate as. Start by making sure the kadmin service is running:

# service kadmin status

If it is not running (for example after a restart of the KDC server), start both the krb5kdc and kadmin services:

# /sbin/service krb5kdc start

# /sbin/service kadmin start

Then add an admin principal for the user who will run kadmin from the workstation:

# kadmin.local -q "addprinc <username>/admin"

You are then prompted to enter a password for this principal.

Now that the admin principal has been created, keys can be extracted for the workstation by running kadmin on the workstation itself and using the ktadd command within kadmin.

Go back to the workstation (the Kerberos client computer) and run kadmin as the admin principal created above. The instance in this case is the hostname of the workstation. Use the -randkey option of kadmin's addprinc command to create the host principal and assign it a random key, then write that key into the workstation's keytab with ktadd (the principal named in ktadd is the workstation's own, created a moment ago, not the KDC's):

# kadmin -p <username>/admin

kadmin: addprinc -randkey host/<client>.<domain>.com

kadmin: ktadd host/<client>.<domain>.com

Other Kerberized network services must be enabled before they can be used. ssh is one example, with the settings that enable it:

ssh: OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configurations both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
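An added example of those two ssh settings in practice (my own code, not from the original post or the OpenSSH project). It sets GSSAPIAuthentication in sshd_config in place rather than appending a duplicate, because sshd keeps the first value it reads, and it renders a client ssh_config where delegation is off globally and on only for one trusted host. ssh_config also keeps the first value obtained for each option, so the per-host stanza has to come before "Host *". trusted.example.com is a constructed name; the file paths are the stock /etc/ssh ones.

```shell
#!/bin/sh
# Added example, not part of the original post: enable Kerberos (GSSAPI) logins
# over OpenSSH. trusted.example.com is a constructed hostname standing in for a
# server that is allowed to receive a forwarded copy of the user's TGT.

# set_option KEY VALUE FILE -> replace an existing (even commented-out) KEY line,
# otherwise append. Replacing in place matters because sshd uses the first
# value it reads; a second copy appended at the end would be ignored.
set_option() {
    key=$1; value=$2; file=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_sshd -> server side: accept Kerberos tickets (the host needs the
# host/ principal keytab from the kadmin step), then validate and reload
configure_sshd() {
    set_option GSSAPIAuthentication yes /etc/ssh/sshd_config &&
    sshd -t && systemctl reload sshd
}

# render_ssh_client_config TRUSTED_HOST -> client-side ssh_config text.
# Delegation hands the remote host the user's TGT, so it is off for "Host *"
# and on only for the one host named; the specific stanza must come first.
render_ssh_client_config() {
    cat <<EOF
Host $1
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# effective_value KEY HOST FILE -> what ssh would use for KEY when connecting to
# HOST, under a simplified reading of ssh_config (exact names or "*" only) that
# applies the first-obtained-value rule
effective_value() {
    awk -v key="$1" -v host="$2" '
        BEGIN { active = 1 }
        $1 == "Host" { active = ($2 == host || $2 == "*"); next }
        active && $1 == key { print $2; exit }
    ' "$3"
}

if [ "$#" -eq 1 ]; then render_ssh_client_config "$1"; fi   # usage: sh gssapi.sh trusted.example.com
```

`ssh -G trusted.example.com | grep -i gssapi` shows the values the real client resolves from its configuration, which is the check to run after installing the rendered file.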

Kerberos client login

Validate your Kerberos client by entering:

$ klist

No credentials are found until the user is initialized.

$ kinit

Initialize the user by providing the user's password.

$ klist

Now the client is logged in with a valid ticket, as specified by the Kerberos key policy.
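To go one step past eyeballing klist, here is an added check script (mine, not from the original post) covering both the ktadd step and this login section. It confirms the workstation's keytab holds a key for its host principal and that the key actually matches the KDC by authenticating as host/<fqdn> from the keytab into a throwaway cache; then it obtains a TGT only when the cache has no unexpired one, confirms the TGT is for the expected realm, and asks for a service ticket for this host with kvno. It assumes the MIT Kerberos client tools and the host/<fqdn> naming used above.

```shell
#!/bin/sh
# Added example, not part of the original post: check the workstation's keytab
# from the ktadd step and the user's ticket cache from the kinit/klist step.
# Assumes MIT Kerberos client tools and a host principal host/<fqdn>.
KEYTAB=/etc/krb5.keytab

# keytab_has_host_key -> exit 0 when the keytab holds a key for host/<this host>
keytab_has_host_key() {
    klist -k "$KEYTAB" | grep -q "host/$(hostname -f)@"
}

# keytab_matches_kdc -> exit 0 when kinit can authenticate as the host principal
# using only the keytab; a wrong or stale key (for example a keytab written for
# some other host) fails here. A throwaway cache leaves the user's tickets alone.
keytab_matches_kdc() {
    cc=$(mktemp)
    KRB5CCNAME="FILE:$cc" kinit -k -t "$KEYTAB" "host/$(hostname -f)"
    rc=$?
    rm -f "$cc"
    return $rc
}

# default_principal < klist-output -> the principal the cache belongs to
default_principal() {
    awk -F': *' '/^Default principal:/ { print $2; exit }'
}

# tgt_present REALM < klist-output -> exit 0 when a ticket-granting ticket for REALM is listed
tgt_present() {
    grep -q "krbtgt/$1@$1"
}

# login_check REALM -> get a TGT only if the cache lacks an unexpired one
# (klist -s is silent and exits 0 only then), confirm it is for REALM, and
# fetch a service ticket for this host with kvno, which proves the KDC knows
# the host principal created in the kadmin step.
login_check() {
    realm=$1
    klist -s || kinit || return 1
    klist | tgt_present "$realm" || { echo "no TGT for $realm in the cache" >&2; return 1; }
    echo "logged in as $(klist | default_principal)"
    kvno "host/$(hostname -f)"
}

if [ "$#" -eq 1 ]; then   # usage: sh logincheck.sh EXAMPLE.COM
    keytab_has_host_key || echo "no host key in $KEYTAB; rerun ktadd on this workstation" >&2
    keytab_matches_kdc && login_check "$1"
fi
```

The keytab checks need root (the keytab is root-readable only); the login part runs as the ordinary user whose principal is being tested.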
