Friday, 15 June 2018

Configure SSO (Single Sign-on) with Kerberos 5

configure-sso-with-kerberos-5 Kerberos is the most widely used authentication protocol. It provides authentication service for users and other Network Services. The unique feature of Kerberos is that, it never transmits the users’ Passwords over network neither in plain text nor in encrypted form. Rather, it uses tickets to authenticate users and services. These tickets are encrypted with unique user and service keys. This arrangement protects the system against eavesdropping and replay attacks.

The Ticket based system also provides the SSO (Single Sign-On) facility to users. Kerberos is used by various famous Remote authentication Software, such as Microsoft Active Directory, FreeIPA, etc.

In this post, we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7. Later on, we will configure a client to use the Single Sign-On feature of the Server.

 

System Specification:

We have two Virtual machines, one is for the KDC and the other is the client to demonstrate SSO. Both machines have identical configurations.

CPU 2.4 Ghz (1 core)
Memory 800 MB
Storage 8 GB
Operating System CentOS 7.0

I have already configured the preqrequisites i.e Network, DNS and NTP synchronization on both machines. The Hostname and IP addresses are:

S# IP Address Hostname Description
1 192.168.56.101 kerberos.itlab.com KDC Server
2 192.168.56.102 client.itlab.com Client Machine

Our Kerberos Realm is ITLAB.COM

 

Configure Kerberos:

Install Kerberos 5 packages. Here krb5-server is the Kerberos Server. whereas, krb5-workstation, pam_krb5 and sssd packages are required to configure same machine as Kerberos client as well.

[root@kerberos ~]# yum -y install krb5-server krb5-workstation pam_krb5 sssd

Now, edit kerberos main configuration file.

[root@kerberos ~]# vi /etc/krb5.conf

Uncomment all lines, and replace the default realm EXAMPLE.COM with ITLAB.COM (both upper and lower cases). Also update the kdc and admin-server hostnames (in our case, use the same name for both servers). The final configuration should look like this.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = ITLAB.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
ITLAB.COM = {
  kdc = kerberos.itlab.com
  admin_server = kerberos.itlab.com
}

[domain_realm]
.itlab.com = ITLAB.COM
itlab.com = ITLAB.COM

Now, Configure the KDC Server.

[root@kerberos ~]# vi /var/kerberos/krb5kdc/kdc.conf

Uncomment all lines and replace the default realm EXAMPLE.COM with ITLAB.COM. The final configuration should look like this.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
ITLAB.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

Configure kadmin ACLs.

[root@kerberos ~]# vi /var/kerberos/krb5kdc/kadm5.acl

Update realm here. The final configuration are:

*/admin@ITLAB.COM       *

Create the Kerberos database and set a strong Password.

[root@kerberos ~]# kdb5_util create -s Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ITLAB.COM',
master key name 'K/M@ITLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Enable and Start Kerberos services.

[root@kerberos ~]# systemctl enable krb5kdc && systemctl start krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@kerberos ~]# systemctl enable kadmin && systemctl start kadmin Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

Allow Kerberos services through Firewall.

[root@kerberos ~]# firewall-cmd --permanent --add-service=kerberos success
[root@kerberos ~]# firewall-cmd --reload
success

Let’s add entries in our Kerberos Database.

[root@kerberos ~]# kadmin.local
Authenticating as principal root/admin@ITLAB.COM with password.
kadmin.local: listprincs K/M@ITLAB.COM
kadmin/admin@ITLAB.COM
kadmin/changepw@ITLAB.COM
kadmin/kerberos.itlab.com@ITLAB.COM
kiprop/kerberos.itlab.com@ITLAB.COM
krbtgt/ITLAB.COM@ITLAB.COM

Add Kerberized hosts in our Kerberos Database and Generate relevant keytabs.

kadmin.local:  addprinc -randkey host/kerberos.itlab.com WARNING: no policy specified for host/kerberos.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/kerberos.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd host/kerberos.itlab.com
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

Add the client host to Kerberos Database, and generate the keytab file, to be placed at the /etc directory of client machine.

kadmin.local:  addprinc -randkey host/client.itlab.com
WARNING: no policy specified for host/client.itlab.com@ITLAB.COM; defaulting to no policy
Principal "host/client.itlab.com@ITLAB.COM" created.
kadmin.local:  ktadd -k /tmp/client1.keytab host/client.itlab.com Entry for principal host/client.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.

Add a user in Kerberos database to used for login to kerberized hosts.

kadmin.local:  addprinc kuser1 WARNING: no policy specified for kuser1@ITLAB.COM; defaulting to no policy
Enter password for principal "kuser1@ITLAB.COM":
Re-enter password for principal "kuser1@ITLAB.COM":
Principal "kuser1@ITLAB.COM" created.

Create an OS user for authorization purpose. This step is not required, if you are using an LDAP Directory. In that case, user should be added to LDAP Directory.

[root@kerberos ~]# useradd kuser1

Configure the Kerberos Authentication.

[root@kerberos ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

Now login with kuser1 to kerberos server using ssh.

[kuser1@kerberos ~]$ ssh kuser1@kerberos
The authenticity of host 'kerberos (192.168.56.101)' can't be established.
ECDSA key fingerprint is 22:fa:59:75:3e:fa:24:73:a2:c3:cc:8f:24:bd:11:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos,192.168.56.101' (ECDSA) to the list of known hosts.
Last login: Fri Jun 15 14:50:54 2018

Check the tickets that was provided to the kuser1.

[kuser1@kerberos ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM

Now, login to client.itlab.com machine, configure it for Kerberos authentication.
Install necessary packages.

[root@client ~]# yum -y install krb5-workstation sssd pam_krb5

Copy the respective keytab from kerberos machine to client machine. Copy krb5.conf as well, to avoid edit it again.

[root@client ~]# scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab root@kerberos's password:
client1.keytab                                                                          100%  586     0.6KB/s   00:00
[root@client ~]# scp root@kerberos:/etc/krb5.conf /etc/krb5.conf
root@kerberos's password:
krb5.conf                                                                               100%  472     0.5KB/s   00:00

Add local user kuser1 for Authorization purpose.

[root@client ~]# useradd kuser1

Configure the Kerberos Authentication.

[root@client ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

 

Test Kerberos Configurations:

Now test Single Sign-On with ssh.

[root@client ~]# ssh kuser1@client.itlab.com kuser1@client.itlab.com's password:
[kuser1@client ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM
[kuser1@client ~]$ ssh kuser1@kerberos.itlab.com
Last login: Fri Jun 15 15:02:53 2018 from kerberos.itlab.com
[kuser1@kerberos ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM
[kuser1@client ~]$ ssh kuser1@client.itlab.com
Last login: Fri Jun 15 15:23:45 2018 from kerberos.itlab.com
[kuser1@client ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.itlab.com@ITLAB.COM
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM

Look at the output of the last klist command. The session obtain a TGT (Ticket Granting Ticket) and two TGS (Ticket Granting Service) tickets, and it is never asking for the password again. whereas, it is authenticating to different servers using these Tickets and providing Single Sign-On facility.

Our Kerberos 5 Server is working fine and providing Single Sign-on facility to users.

Configure SSO (Single Sign-on) with Kerberos 5


YOU MIGHT ALSO LIKE:

No comments:

Post a Comment