How to Setup Kerberos Server and Client on Ubuntu 18.04 LTS

Kerberos is a network authentication protocol that uses symmetric key cryptography and requires authorization from a trusted third party to authenticate client-server applications. It was originally developed by the Massachusetts Institute of Technology (MIT) to protect the network services provided by the Athena project.

In the modern world, Kerberos is often used as a third-party authentication service. This means that all clients trust Kerberos' judgment about other clients' identities.

In this tutorial, we will show you how to set up Kerberos authentication between two Ubuntu 18.04 servers. We will install and configure the Kerberos server on the Ubuntu server and then install the Kerberos client on the other. Finally, we will test the authentication of the SSH service with the Kerberos server.

Prerequisites

  • Ubuntu server 18.04
    • 10.10.10.15     krb5.ahmad.io   krb5
    • 10.10.10.16     client1.ahmad.io    client1
  • Root privileges

What we will do:

  1. Setup FQDN File
  2. Install KDC Kerberos Server
  3. Configure KDC Kerberos Server
  4. Install and Configure Kerberos Client
  5. Testing

Step 1 - Setup FQDN

First of all, we must configure the FQDN on the Kerberos server and then edit the '/etc/hosts' file of the server.

Change the FQDN of the Kerberos server using the following command.

hostnamectl set-hostname krb5.ahmad.io

After that, edit the '/etc/hosts' file using vim editor.

vim /etc/hosts

Paste the following line into it, replacing the IP address and FQDN with your own.

10.10.10.15     krb5.ahmad.io   krb5

Save and close.

Now test using the 'ping' command below and make sure the FQDN resolves to the server's real IP address, not to a loopback address.

ping -c 3 $(hostname -f)
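A quick check of the hosts-file mapping, as an added example that is not part of the original tutorial. Ubuntu installers often put a '127.0.1.1 <fqdn> <host>' line in '/etc/hosts'; if that entry wins, the FQDN resolves to loopback and the host principal will not match the machine's real address. The sample files below are constructed for the demonstration; on a real server pass '/etc/hosts' as the first argument.

```shell
#!/bin/sh
# Print the first IP that maps to FQDN in a hosts-style file. Comment and
# blank lines are skipped; any name after the address may match.
fqdn_ip() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { print $1; exit } }
    ' "$1"
}

# Return 0 when FQDN maps to a non-loopback address, 1 otherwise.
check_fqdn() {
    ip=$(fqdn_ip "$1" "$2")
    case "$ip" in
        "")    echo "FAIL: $2 has no entry in $1"; return 1 ;;
        127.*) echo "FAIL: $2 maps to loopback $ip in $1"; return 1 ;;
        *)     echo "OK: $2 -> $ip"; return 0 ;;
    esac
}

# Constructed sample files (not the real /etc/hosts) for the demonstration.
GOOD_HOSTS=$(mktemp); BAD_HOSTS=$(mktemp)
trap 'rm -f "$GOOD_HOSTS" "$BAD_HOSTS"' EXIT
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost
10.10.10.15     krb5.ahmad.io   krb5
10.10.10.16     client1.ahmad.io    client1
EOF
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1       localhost
# the line Ubuntu's installer tends to add
127.0.1.1       krb5.ahmad.io   krb5
EOF

check_fqdn "$GOOD_HOSTS" krb5.ahmad.io
check_fqdn "$BAD_HOSTS" krb5.ahmad.io || true
```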

[Screenshot: Hostname configuration]

Step 2 - Install KDC Kerberos Server

Now we're going to install the Kerberos server on the 'krb5' server, which has the IP address '10.10.10.15' and the FQDN 'krb5.ahmad.io'.

Install Kerberos server using the following apt command.

sudo apt install krb5-kdc krb5-admin-server krb5-config -y

During the installation, you will be asked about the Kerberos Realm, the Kerberos server of the Realm, and the Admin server.

By default, Kerberos uses the server's DNS domain name, in upper case, as the REALM: 'AHMAD.IO'.

The Kerberos server is 'krb5.ahmad.io'.

[Screenshot: Set server name]

The Admin server is the same host as the Kerberos server, 'krb5.ahmad.io'.

[Screenshot: Admin server name]

Once the installation is finished, you will see that the Kerberos service failed to start. That is expected, because the realm database does not exist yet; we create it in the next step.

Step 3 - Configure KDC Kerberos Server

Now create the Kerberos REALM database and its master key using the following command.

sudo krb5_newrealm

Type a strong master password; the master key derived from it is stored in the '/etc/krb5kdc/stash' file so the KDC can start without prompting.

[Screenshot: Configure KDC Kerberos Server]

After that, we need to create the admin user (admin principal) for the KDC Kerberos server, add the Kerberos server hostname to the database, and then create the keytab for the Kerberos server.

Run the 'kadmin.local' command-line interface for Kerberos administration using the command below.

sudo kadmin.local

Create a new admin principal called 'root/admin'.

addprinc root/admin

Type a strong password for the 'root/admin' principal.

Add a host principal for the KDC server to the database with a random key, and export it to the local keytab file ('/etc/krb5.keytab') for the KDC host.

addprinc -randkey host/krb5.ahmad.io
ktadd host/krb5.ahmad.io

Then close the 'kadmin.local' utility.

quit

[Screenshot: Configure Kerberos server]

Next, we need to add the 'root/admin' principal to the access control list by editing the '/etc/krb5kdc/kadm5.acl' file.

vim /etc/krb5kdc/kadm5.acl

Add the following line, which grants 'root/admin' all administrative privileges.

root/admin *

Save and close the configuration, then restart the Kerberos service.

sudo systemctl restart krb5-admin-server.service

The configuration of the KDC Kerberos server is now complete.

[Screenshot: Restart Kerberos]

Step 4 - Install and Configure Kerberos Client

In this step, we're going to install the Kerberos client on the Ubuntu server with the IP address '10.10.10.16' and the hostname 'client1'.

- Configure FQDN

Configure the FQDN on the client machine using the following command.

hostnamectl set-hostname client1.ahmad.io

After that, edit the '/etc/hosts' file using vim editor.

vim /etc/hosts

Add entries for both the KDC Kerberos server and the client, as below.

10.10.10.15     krb5.ahmad.io   krb5
10.10.10.16     client1.ahmad.io    client1

Save and close.

[Screenshot: Install and Configure Kerberos Client]

- Install Kerberos Client

Install Kerberos client packages by running the following apt command.

sudo apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config

During the installation, you will be asked about the Kerberos Realm, the Kerberos server of the Realm, and the Admin server.

By default, Kerberos uses the server's DNS domain name, in upper case, as the REALM: 'AHMAD.IO'.

[Screenshot: Set server domain]

The Kerberos server is 'krb5.ahmad.io'.

[Screenshot: Set Kerberos server]

The Admin server is the same host as the Kerberos server, 'krb5.ahmad.io'.

[Screenshot: Set admin server]

The installation of the Kerberos client is finished.

- Configure Kerberos Client

From the client machine, connect to the KDC Kerberos server's admin service using the 'kadmin' command (run it as root, so that the keytab written below lands in '/etc/krb5.keytab').

kadmin

You will be asked for the password of the 'root/admin' principal. Type the password and you will be logged in to the KDC Kerberos administration system.

Now add a host principal for the client FQDN 'client1.ahmad.io' to the Kerberos database and export its key to the client's local keytab file.

addprinc -randkey host/client1.ahmad.io
ktadd host/client1.ahmad.io

Then close the kadmin Kerberos Administration interface.

quit

The configuration of the Kerberos client is now complete.

[Screenshot: Configure Kerberos Client]

Step 5 - Testing

For this test, we're going to configure SSH authentication using Kerberos. The client machine 'client1.ahmad.io' will connect to the server 'krb5.ahmad.io' through SSH using Kerberos (GSSAPI) authentication.

- Setup 'krb5.ahmad.io' Server

Create a new system user called 'ammar'.

useradd -m -s /bin/bash ammar

Log in to the KDC Kerberos administration interface and add a new user principal called 'ammar'.

kadmin.local
addprinc ammar

Type a password for the new principal, close the Kerberos Administration interface with 'quit', and then edit the SSH server configuration '/etc/ssh/sshd_config'.

vim /etc/ssh/sshd_config

Uncomment 'GSSAPIAuthentication' and enable it by changing its value to 'yes'; do the same for 'GSSAPICleanupCredentials' so the forwarded ticket cache is removed at logout.

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Save and close the configuration, then restart the SSH service.

systemctl restart sshd
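A check of what sshd will actually use for the GSSAPI keywords, as an added example that is not part of the original tutorial. sshd applies the first uncommented occurrence of each keyword, so appending 'GSSAPIAuthentication yes' below an earlier 'GSSAPIAuthentication no' changes nothing; this script resolves the effective value the way sshd does in the global section (it stops at the first 'Match' block). The sample configuration files are constructed for the demonstration; on the real server pass '/etc/ssh/sshd_config'.

```shell
#!/bin/sh
# Print the effective value of a keyword in an sshd_config file: the first
# uncommented occurrence wins, matched case-insensitively, global section only.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Return 0 when both GSSAPI keywords resolve to "yes". When a keyword is absent,
# apply the documented defaults: GSSAPIAuthentication no, GSSAPICleanupCredentials yes.
check_gssapi() {
    rc=0
    for k in GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(sshd_effective "$1" "$k")
        if [ -z "$v" ]; then
            case "$k" in GSSAPICleanupCredentials) v=yes ;; *) v=no ;; esac
        fi
        if [ "$v" = yes ]; then echo "OK: $k $v"; else echo "FAIL: $k is '$v'"; rc=1; fi
    done
    return $rc
}

# Constructed sample files (not the real sshd_config) for the demonstration.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$BAD_CFG" <<'EOF'
GSSAPIAuthentication no
# appended later, but sshd keeps the first value above
GSSAPIAuthentication yes
EOF

check_gssapi "$GOOD_CFG"
check_gssapi "$BAD_CFG" || true
```

The authoritative check on a live server is 'sshd -T | grep -i gssapi', which prints the configuration sshd has actually parsed.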

[Screenshot: Test Kerberos authentication]

- Setup 'client1.ahmad.io' Machine

Add a new system user 'ammar' on the client machine and log in as that user.

useradd -m -s /bin/bash ammar
su - ammar

After that, obtain a ticket-granting ticket for the Kerberos user principal 'ammar'.

kinit ammar

Type the password of the user, then list the tickets in the credential cache using the following command.

klist

You will be shown a result like the following.

[Screenshot: Setup client machine]

Now you can connect to the 'krb5.ahmad.io' server over SSH using Kerberos authentication, without being asked for a password.

ssh krb5.ahmad.io

You will be connected to the 'krb5.ahmad.io' server through SSH with Kerberos authentication.

[Screenshot: Test SSH login]

Below is the SSH log after logging in to the server.

[Screenshot: Test successful]

Finally, the installation and configuration of the Kerberos server and client on Ubuntu 18.04 have been completed successfully.

Reference

https://web.mit.edu/kerberos/


Comments

By: Nishit Shah at: 2019-07-01 06:53:40

Nicely explained ... Thanks


By: Felipe at: 2019-08-22 13:52:04

Hello Muhammad Arul,

I was able to do a SSH via Kerberos but without using a Kerberos Server, all we need is SSH -> PAM -> Kerberos and reach port 88 on the Domain Controller. Take a look here: http://felipeferreira.net/2019/08/21/configure-kerberos-for-ssh-activedirectory/

By: asif80 at: 2019-08-31 10:24:35

This is a very good explanation of the Kerberos. Full marks for nice article.

By: Tom Tobin at: 2019-09-07 16:20:34

Awesome, tried like 3 other getting started tutorials and had problems with each, this worked great, thank you.