First I created three VirtualBox VMs (Debian Linux) for the Kerberos server, the client and the SSH server.
Kerberos server - kerberos.com
Client - client.com
SSH server - ssh.com
Then I added the following lines to the /etc/hosts files of the VMs.
10.0.0.1 kerberos.com
10.0.0.2 client.com
10.0.0.3 ssh.com
Make sure you can ping kerberos.com, ssh.com and client.com from all VMs (this checks that the host names resolve).
Kerberos Server
Installing the Kerberos server (kerberos.com)
apt-get install krb5-admin-server krb5-kdc
During the installation it may ask the following questions (my answers are shown in brackets):
Default Kerberos version 5 realm? [KERBEROS.COM]
Kerberos servers for your realm? [kerberos.com]
Administrative server for your realm? [kerberos.com]
Configuring Kerberos server
Before going further, a new realm must be created:
krb5_newrealm
Edit the /etc/krb5.conf file (add the following lines if they are not already there; the kdc and admin_server entries must sit inside a block named after the realm):
[libdefaults]
    default_realm = KERBEROS.COM
    ...
[realms]
    KERBEROS.COM = {
        kdc = kerberos.com
        admin_server = kerberos.com
    }
    ...
[domain_realm]
    ...
    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM
Note (CDH): the KDC must also listen on TCP, so add the following to /etc/krb5kdc/kdc.conf:
kdc_tcp_ports = 88
then restart the KDC services:
service krb5-admin-server restart
service krb5-kdc restart
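Before restarting the KDC it is worth checking that /etc/krb5.conf is well-formed. The script below is an added example (not part of this guide): it flattens the INI-like file and verifies the default realm, the realm block with its kdc and admin_server, and the domain_realm mappings. The two sample configs it writes are constructed; one is the corrected layout above and the other shows the common mistake of putting kdc and admin_server directly under [realms] without the KERBEROS.COM = { ... } wrapper, which the Kerberos libraries silently ignore.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a krb5.conf before
# restarting the KDC. Realm and KDC host are parameters; the demo uses the
# guide's KERBEROS.COM / kerberos.com.

# _has LINE: true if the flattened config (global $flat) contains exactly LINE
_has() { printf '%s\n' "$flat" | grep -qxF "$1"; }

# check_krb5_conf FILE REALM KDC_HOST
# Returns 0 when FILE has default_realm = REALM under [libdefaults], a
# "REALM = { kdc = KDC_HOST, admin_server = KDC_HOST }" block under [realms],
# and [domain_realm] entries for the lower-case domain and ".domain".
# Otherwise prints one line per failed check and returns 1.
check_krb5_conf() {
    file=$1; realm=$2; kdc=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    rc=0
    # Flatten to "section.key=value"; inside a "NAME = {" block the name is
    # inserted as "section.NAME.key=value". Comments and blank lines skipped.
    flat=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { gsub(/\[/, ""); gsub(/]/, ""); gsub(/[ \t]/, "")
                      sec = $0; blk = ""; next }
        /=[ \t]*\{[ \t]*$/ { sub(/^[ \t]*/, ""); sub(/[ \t]*=.*/, "")
                             blk = $0; next }
        /^[ \t]*\}/ { blk = ""; next }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (blk == "") name = sec "." key; else name = sec "." blk "." key
            print name "=" val
        }' "$file")
    _has "libdefaults.default_realm=$realm" ||
        { echo "default_realm is not $realm"; rc=1; }
    _has "realms.$realm.kdc=$kdc" ||
        { echo "[realms] has no '$realm = { kdc = $kdc ... }' block"; rc=1; }
    _has "realms.$realm.admin_server=$kdc" ||
        { echo "[realms] $realm block lacks admin_server = $kdc"; rc=1; }
    _has "domain_realm.$domain=$realm" ||
        { echo "[domain_realm] lacks $domain = $realm"; rc=1; }
    _has "domain_realm..$domain=$realm" ||
        { echo "[domain_realm] lacks .$domain = $realm"; rc=1; }
    return $rc
}

# write_sample_conf good|bad FILE: constructed samples. "bad" lists
# kdc/admin_server directly under [realms] without the realm wrapper.
write_sample_conf() {
    if [ "$1" = good ]; then
        cat >"$2" <<'EOF'
[libdefaults]
    default_realm = KERBEROS.COM

[realms]
    KERBEROS.COM = {
        kdc = kerberos.com
        admin_server = kerberos.com
    }

[domain_realm]
    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM
EOF
    else
        cat >"$2" <<'EOF'
[libdefaults]
    default_realm = KERBEROS.COM

[realms]
    kdc = kerberos.com
    admin_server = kerberos.com

[domain_realm]
    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM
EOF
    fi
}

# Stand-alone demo on the two constructed samples.
demo_dir=$(mktemp -d)
for kind in good bad; do
    write_sample_conf "$kind" "$demo_dir/$kind.conf"
    if check_krb5_conf "$demo_dir/$kind.conf" KERBEROS.COM kerberos.com; then
        echo "$kind.conf: OK"
    else
        echo "$kind.conf: FAILED (see above)"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real file with check_krb5_conf /etc/krb5.conf KERBEROS.COM kerberos.com on each VM; the same check applies to the copies on client.com and ssh.com, which must agree with the KDC's file.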
Adding users (principals)
Use the kadmin.local tool to add, delete or modify users (principals).
Type kadmin.local to start the tool.
listprincs lists the existing principals.
To add the root user, type
addprinc root
If you want to assign an admin role to a user, use the following command:
addprinc root/admin
Then uncomment the /admin line in the /etc/krb5kdc/kadm5.acl file.
To check that the principal was created correctly, type the following command:
kinit
kinit is used to get tickets from the Kerberos server.
It will prompt for a password (enter the password you gave to the addprinc command).
Now type the following command to see the ticket.
klist
Client
Installing and configuring client for Kerberos (client.com)
apt-get install krb5-user
It will ask the same questions as during the server installation.
[Make sure you can ping kerberos.com from your client.com machine]
Testing
To get a ticket for your client machine type the following command.
kinit root
or (depending on the principals defined on kerberos.com)
kinit root/admin
If you get a ticket from kerberos.com, it's working!
Services
Using SSH service with Kerberos (ssh.com)
Install the OpenSSH server and krb5-config:
apt-get install openssh-server krb5-config
Configure /etc/krb5.conf the same way as on the previous machines.
Configuring SSH to use with Kerberos
Edit /etc/ssh/sshd_config and enable the following lines:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart the SSH server [/etc/init.d/ssh restart].
Configuring Kerberos server (kerberos.com) to work with ssh.com
Type the following commands on kerberos.com to add the ssh.com host principal and export its key to a keytab:
kadmin.local
addprinc -randkey host/ssh.com
ktadd -k /tmp/ssh.com.keytab host/ssh.com
Now copy /tmp/ssh.com.keytab to the SSH server (ssh.com) with the command below:
scp /tmp/ssh.com.keytab root@ssh.com:/etc/krb5.keytab
Configuring a client machine for Kerberos authentication
Edit /etc/ssh/ssh_config and enable the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Testing SSH service with Kerberos
Log in to the client machine and get a ticket:
kinit root
(or kinit root/admin)
Then type the command below. It should log you in to ssh.com without asking for a password.
ssh root@ssh.com
Now type the following commands and note the difference (with the ticket destroyed, ssh falls back to asking for a password):
kdestroy
ssh root@ssh.com
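To confirm the three pieces of the ssh.com setup rather than guessing from a password prompt, the script below (an added example, not part of this guide) reads the effective GSSAPI settings from an sshd_config the way sshd itself does (first uncommented match wins, keywords are case-insensitive, anything after a Match line is conditional), checks a saved klist -k listing for the host principal, and reports which method an ssh -v run actually authenticated with. The sample files it writes are constructed; the host and realm names are the guide's, and the klist and ssh -v line formats are the real MIT Kerberos and OpenSSH ones.

```shell
#!/bin/sh
# Added example, not part of the original guide: offline checks for the
# ssh.com side of the setup. Sample inputs below are constructed.

# ssh_option FILE KEYWORD
# Prints the value sshd/ssh will use for KEYWORD: the first uncommented
# match, case-insensitive, ignoring anything after a Match line. Handles
# the "Keyword value" form the guide uses (not "Keyword=value").
ssh_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == kw        { print $2; exit }
    ' "$1"
}

# keytab_kvno LISTING PRINCIPAL
# LISTING is the saved output of "klist -k" run as root on ssh.com. Prints
# the key version number of PRINCIPAL and returns 0, or returns 1 when the
# keytab has no key for it (the usual cause of a silent fallback to
# password authentication: host name or realm in the keytab does not match).
keytab_kvno() {
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1; found = 1; exit }
                   END { exit found ? 0 : 1 }' "$1"
}

# ssh_auth_method LOG
# LOG is the saved stderr of "ssh -v root@ssh.com". Prints the method that
# succeeded: gssapi-with-mic with a valid ticket, password after kdestroy.
ssh_auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' "$1"
}

# write_samples DIR: constructed inputs mirroring the guide's setup.
write_samples() {
    cat >"$1/sshd_config" <<'EOF'
# commented-out defaults must not count
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User backup
    GSSAPIAuthentication no
EOF
    cat >"$1/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ssh.com@KERBEROS.COM
   2 host/ssh.com@KERBEROS.COM
EOF
    cat >"$1/ssh-with-ticket.log" <<'EOF'
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF
    cat >"$1/ssh-after-kdestroy.log" <<'EOF'
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

# Stand-alone demo on the constructed samples.
d=$(mktemp -d)
write_samples "$d"
echo "sshd GSSAPIAuthentication:     $(ssh_option "$d/sshd_config" GSSAPIAuthentication)"
echo "sshd GSSAPICleanupCredentials: $(ssh_option "$d/sshd_config" GSSAPICleanupCredentials)"
if kvno=$(keytab_kvno "$d/klist.txt" host/ssh.com@KERBEROS.COM); then
    echo "keytab has host/ssh.com@KERBEROS.COM (kvno $kvno)"
else
    echo "keytab is missing the host principal"
fi
echo "with ticket:    $(ssh_auth_method "$d/ssh-with-ticket.log")"
echo "after kdestroy: $(ssh_auth_method "$d/ssh-after-kdestroy.log")"
rm -rf "$d"
```

On the client, capture the two runs from the test above with ssh -v root@ssh.com 2>ssh.log once with a ticket and once after kdestroy, and feed each log to ssh_auth_method; if the second run still reports gssapi-with-mic, a ticket cache is still present. Two points worth keeping in mind on the defensive side: /etc/krb5.keytab on ssh.com lets its holder decrypt service tickets for the host, so it should be owned by root with mode 0600, and GSSAPIDelegateCredentials in ssh_config forwards the user's own ticket to ssh.com, so it belongs only in stanzas for hosts you trust with those credentials.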