Prerequisites
Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working: the KDC rejects requests whose timestamp is off by more than the allowed clock skew (5 minutes by default), and a service principal such as host/kbclient.example.com only matches if the client's name resolves consistently, forward and reverse.
If DNS is not configured, add the following lines to the /etc/hosts file (replace the IP addresses with yours):
192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com
Client Configuration
Install the Kerberos client packages:
# yum install -y krb5-workstation pam_krb5
Edit the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).
Create a user for test:
# useradd user01
Create a host principal for the client machine (here kbclient.example.com) and extract its key into the client's keytab, /etc/krb5.keytab (the file must stay readable by root only, since it is equivalent to the host's password):
# kadmin -q "addprinc -randkey host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.
# kadmin -q "ktadd -k /etc/krb5.keytab host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
(The admin password, kerberos, is shown after the prompt for clarity; a real terminal does not echo it.) Note that ktadd writes one key per encryption type the KDC supports, including the deprecated DES and RC4 types listed above; if your KDC still offers them, restrict the keytab to AES with ktadd -e, for example "ktadd -k /etc/krb5.keytab -e aes256-cts:normal,aes128-cts:normal host/kbclient.example.com".
Edit the /etc/ssh/ssh_config file (the ssh client configuration) and add/uncomment the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIDelegateCredentials forwards your TGT to the host you log into, which is what lets you hop on to other hosts from there without a password; anyone controlling that host can then act as you until the ticket expires, so enable it only for trusted hosts (for instance inside a Host stanza) rather than globally.
The server side must also accept Kerberos logins: check that /etc/ssh/sshd_config contains GSSAPIAuthentication yes (the RHEL default), then reload the sshd service configuration:
# service sshd reload
Configure the PAM component with a text interface:
# authconfig-tui
Select “[*] Use Kerberos” in the Authentication column, then Next and OK.
Alternatively, configure the PAM component at the command line:
# authconfig --enablekrb5 --update
Test your configuration (here kbserver.example.com is the KDC server name):
# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_TGWbLJ1810
Default principal: user01@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 17:51:58  02/13/14 17:50:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/12/14 17:50:46
Now, you should be able to quit and reconnect without giving any password.
More generally, the first time you log in to a Kerberos client you provide a login and password. You then hold a ticket that lets you log in to all the other Kerberos clients in the same realm, and you do not need to provide a password again as long as your ticket is valid.
Note: To delete a ticket, use the kdestroy command.
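The whole client procedure above gathered into one script, as an added example that is not part of the original tutorial or of the RHEL guide. It assumes the tutorial's names (realm EXAMPLE.COM, domain example.com, KDC kbserver.example.com, client kbclient.example.com) and adds two things a practitioner would want: encryption types limited to AES (the ktadd output above shows DES and RC4 keys being written) and credential delegation restricted to hosts in the realm's own domain. Run without arguments it only renders the files and checks a constructed klist -kte listing modelled on that ktadd output; run as root on the client with --apply it performs the enrolment.

```shell
#!/bin/sh
# Added example, not from the original tutorial: renders the client-side
# Kerberos configuration, checks a keytab for non-AES keys, and with --apply
# (as root on the client) performs the tutorial's steps. The names below are
# the tutorial's values and are assumptions; override them via the environment.

REALM="${REALM:-EXAMPLE.COM}"
DOMAIN="${DOMAIN:-example.com}"
KDC="${KDC:-kbserver.example.com}"
CLIENT="${CLIENT:-kbclient.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# /etc/krb5.conf for the realm. forwardable is needed for GSSAPIDelegateCredentials;
# permitted_enctypes keeps the weak DES/RC4 keys from ever being negotiated.
render_krb5_conf() {
  cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# ssh client settings: Kerberos sign-on everywhere, but the TGT is forwarded
# only to hosts in our own domain (whoever controls a host that receives the
# forwarded ticket can act as you until it expires).
render_ssh_config() {
  cat <<EOF
Host *.$DOMAIN
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Reads "klist -kte" output on stdin; prints "kvno principal enctype" for each
# key that is not AES. Exit status 1 if any such key was found, 0 otherwise.
weak_keytab_enctypes() {
  awk '/^ *[0-9]+ / {
         enc = $NF; gsub(/[()]/, "", enc)
         if (enc !~ /^aes/) { print $1, $(NF - 1), enc; found = 1 }
       }
       END { if (found) exit 1 }'
}

# Constructed sample (not real output), modelled on the tutorial's ktadd run:
# the host principal stored with every enctype the KDC offered.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (des-hmac-sha1)
   2 02/12/14 17:40:01 host/kbclient.example.com@EXAMPLE.COM (des-cbc-md5)'

# The tutorial's steps; ktadd -e takes enctype:salttype pairs so only AES keys
# land in the keytab. Needs root, a reachable kadmin server and the admin password.
apply_client() {
  yum install -y krb5-workstation pam_krb5
  render_krb5_conf >/etc/krb5.conf
  cp -p /etc/ssh/ssh_config /etc/ssh/ssh_config.orig
  { render_ssh_config; cat /etc/ssh/ssh_config.orig; } >/etc/ssh/ssh_config  # ssh keeps the first match
  kadmin -q "addprinc -randkey host/$CLIENT"
  kadmin -q "ktadd -k $KEYTAB -e aes256-cts:normal,aes128-cts:normal host/$CLIENT"
  chmod 600 "$KEYTAB"
  authconfig --enablekrb5 --krb5realm="$REALM" --krb5kdc="$KDC" --krb5adminserver="$KDC" --update
  service sshd reload
  if klist -kte "$KEYTAB" | weak_keytab_enctypes; then
    echo "keytab $KEYTAB holds only AES keys"
  else
    echo "WARNING: the non-AES keys listed above remain in $KEYTAB" >&2
  fi
}

case "${1:-}" in
  --apply) apply_client ;;
  *) render_krb5_conf; render_ssh_config
     printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_enctypes || echo "(sample keytab has weak keys, as expected)" ;;
esac
```

The keytab check is the piece worth keeping around: run "klist -kte /etc/krb5.keytab | weak_keytab_enctypes" on any enrolled host to list the keys an attacker could still target with RC4 or DES attacks; a non-zero exit status means the keytab should be regenerated with ktadd -e.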
Source: RHEL 5 Deployment Guide.
You should first edit the sshd_config file and add/uncomment the two GSSAPI* lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
because otherwise you will receive an error:
[root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
[root@r2 ~]# vim /etc/ssh/ssh_config
[root@r2 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
WARNING: no policy specified for host/r2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/r2.example.com@EXAMPLE.COM" created.
Interesting. Thanks.
For me the client and server always ask for a password… There must be some other setting, no?!