
Tuesday, 25 February 2014

Install a MIT Kerberos 5 Server on Debian Wheezy

INSTALLATION AND SETUP

Install these Kerberos packages:
apt-get install krb5-{admin-server,kdc} -y
These are the answers I put when I was prompted:
Default Kerberos version 5 realm: EXAMPLE.COM

Add locations of default Kerberos servers to /etc/krb5.conf: YES

Kerberos servers for your realm: kerberos.example.com

Administrative server for your Kerberos realm: kerberos.example.com

Create the Kerberos KDC configure automatically: Yes

Run the Kerberos V5 administration daemon (kadmind): Yes

Should man mandb be installed 'setuid man'?: No
Now create your Kerberos realm. Be patient, as it takes a while to gather the random data. Once it has finished, enter your Kerberos admin password (keep it secret, keep it safe):
krb5_newrealm
Now to edit the /etc/krb5.conf file:
[libdefaults]
        default_realm = EXAMPLE.COM

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                admin_server = kerberos.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
Create the log files and set their permissions:
mkdir /var/log/kerberos
touch /var/log/kerberos/{krb5kdc,kadmin,krb5lib}.log
chmod -R 750 /var/log/kerberos
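As an added example that is not part of the original post, the following Python script reads lines in the format krb5kdc writes to the KDC log configured above, summarises the AS_REQ outcomes and flags a source address that keeps failing pre-authentication, which is the first thing worth watching once the KDC is running. The sample log lines are constructed for the example.

```python
"""Scan krb5kdc.log (the FILE: target configured above) for AS_REQ outcomes
and flag a source that keeps failing pre-authentication."""
import re
from collections import Counter

# Shape of the AS_REQ lines MIT krb5kdc writes: "<addr>: <STATUS>: ... <client> for <server>".
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)

# Constructed sample lines in krb5kdc.log format (not real log data):
# a wrong-password burst from 192.168.1.50 followed by a successful AS_REQ,
# then a request for a principal that does not exist.
SAMPLE_LOG = """\
Jul 11 11:41:02 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.50: NEEDED_PREAUTH: tux@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 11 11:41:05 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.50: PREAUTH_FAILED: tux@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 11 11:41:09 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.50: PREAUTH_FAILED: tux@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 11 11:41:13 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.50: PREAUTH_FAILED: tux@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 11 11:41:20 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.50: ISSUE: authtime 1373539280, etypes {rep=18 tkt=18 ses=18}, tux@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 11 11:42:01 kerberos krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.77: CLIENT_NOT_FOUND: nobody@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""


def parse_as_req(log_text):
    """Yield (addr, status, client) for every AS_REQ line; other lines are skipped."""
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            yield m.group("addr"), m.group("status"), m.group("client")


def status_summary(log_text):
    """Count AS_REQ outcomes by status code."""
    return Counter(status for _, status, _ in parse_as_req(log_text))


def preauth_failures(log_text, threshold=3):
    """Return {(addr, client): count} for pairs that reach the threshold of
    PREAUTH_FAILED entries, i.e. one source repeatedly presenting a wrong password."""
    counts = Counter((addr, client) for addr, status, client in parse_as_req(log_text)
                     if status == "PREAUTH_FAILED")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(dict(status_summary(SAMPLE_LOG)))
    for (addr, client), n in preauth_failures(SAMPLE_LOG).items():
        print("%s: %d pre-auth failures for %s" % (addr, n, client))
```

Point it at the real file with open('/var/log/kerberos/krb5kdc.log').read() in place of SAMPLE_LOG; the threshold is a starting value to tune for your realm.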
Set the access rights in the '/etc/krb5kdc/kadm5.acl' file by uncommenting this line:
*/admin *
Restart the Kerberos services to put these changes into effect:
service krb5-admin-server restart
service krb5-kdc restart

We are going to do a few things at once: list the principals that we already have on our Kerberos server, add some password policies, and create an admin principal that can be used from any machine in the Kerberos realm (kadmin.local can only be used on the Kerberos server itself):
kadmin.local
listprincs

add_policy -minlength 8 -minclasses 3 admin
add_policy -minlength 8 -minclasses 3 host
add_policy -minlength 8 -minclasses 3 service
add_policy -minlength 8 -minclasses 2 user

addprinc -policy admin admin/admin

quit
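To make the -minlength and -minclasses settings concrete, here is an added Python example (not from the original post) that applies the same two checks kadmin performs when a password is set under one of the policies above, using the five character classes MIT kadmin counts: lower case, upper case, digits, punctuation, and everything else (whitespace, control and non-ASCII characters). The POLICIES table mirrors the add_policy lines above; kadmin's dictionary and history checks are left out.

```python
"""Apply the kadmin policies defined above to a candidate password.

MIT kadmin enforces -minlength and -minclasses; the five character classes it
counts are lower case, upper case, digits, punctuation and "everything else"
(whitespace, control and non-ASCII characters).
"""
import string

# name -> (minlength, minclasses), mirroring the add_policy lines above
POLICIES = {
    "admin": (8, 3),
    "host": (8, 3),
    "service": (8, 3),
    "user": (8, 2),
}


def char_classes(password):
    """Return the set of kadmin character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def check_password(policy, password):
    """Return the list of violations; an empty list means kadmin would accept it."""
    minlength, minclasses = POLICIES[policy]
    problems = []
    if len(password) < minlength:
        problems.append("too short: %d < minlength %d" % (len(password), minlength))
    nclasses = len(char_classes(password))
    if nclasses < minclasses:
        problems.append("too few character classes: %d < minclasses %d"
                        % (nclasses, minclasses))
    return problems


if __name__ == "__main__":
    for pol, pw in [("user", "penguin1"), ("admin", "penguin1"), ("admin", "Penguin1!")]:
        print(pol, repr(pw), check_password(pol, pw) or "OK")
```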

* NOTE *
The user you create here will need to exist as a local account on BOTH the Kerberos server and the client servers in order to test with it (this can be avoided by implementing something like an LDAP backend).

Also, you need to be able to ping your client. If you do not have a DNS server, add the client's IP address to the '/etc/hosts' file on your KERBEROS server:
192.168.1.xxx     client.example.com                        client
Now sign in as our new admin and let's create our first user:
kadmin -p admin/admin
addprinc -policy user tux
quit

TESTING

kinit
After providing your password, you should now hold a ticket-granting ticket from Kerberos.
klist
You should receive results similar to this:
Valid starting       Expires              Service principal
11/07/2013 11:41     11/07/2013 21:41     krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/07/2013 11:41
End the test by destroying your ticket:
kdestroy

CLIENT SETUP

Add a host principal for your test server on the Kerberos server so you can connect to it:
kadmin -p admin/admin
addprinc -policy service -randkey host/client.example.com
ktadd -k /etc/krb5.keytab -norandkey host/client.example.com
You should see results similar to these if it worked correctly:
Entry for principal host/client.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/client.example.com with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
Now, move over to your client server.

Four steps:

- Install the krb5-clients package on your test server:
apt-get install krb5-clients -y
These are the answers I put when I was prompted:
Default Kerberos version 5 realm: EXAMPLE.COM

Kerberos servers for your realm: kerberos.example.com

Administrative server for your Kerberos realm: kerberos.example.com
- Copy krb5.conf and the keytab from the Kerberos server onto the client (run this on the client; 192.168.1.xxx is the Kerberos server's address):
scp root@192.168.1.xxx:"/etc/krb5.conf /etc/krb5.keytab" /etc
- Add these lines to '/etc/ssh/sshd_config':
KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
- Restart the SSH service for these changes to come into effect:
service ssh restart

MOMENT OF TRUTH

Hop back onto your Kerberos server and run these commands to see whether you can SSH into your test server:
kinit
ssh client.example.com
If everything worked correctly, you should be able to SSH into that server using Kerberos.

Good Luck

Source: midactstech
