Configure SSO (Single Sign-on) with Kerberos on CentOS 7 - CentLinux

Friday, 15 June 2018

Configure SSO (Single Sign-on) with Kerberos on CentOS 7

Kerberos is the most widely used authentication protocol. It provides an authentication service for users and for other network services. The distinguishing feature of Kerberos is that it never transmits users’ passwords over the network, neither in plain text nor in encrypted form. Instead, it uses tickets to authenticate users and services. These tickets are encrypted with keys unique to each user and service, which protects the system against eavesdropping and replay attacks.

The ticket-based design also provides Single Sign-On (SSO) to users. Kerberos is used by several well-known authentication systems, such as Microsoft Active Directory and FreeIPA.

In this post, we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7. Later on, we will configure a client to use the Single Sign-On feature of the server.

 


    System Specification:

    We have two virtual machines: one is the KDC and the other is the client used to demonstrate SSO. Both machines have identical configurations.

    • CPU - 2.4 Ghz (1 core)
    • Memory - 800 MB
    • Storage - 8 GB
    • Operating System - CentOS 7.0

    I have already configured the prerequisites, i.e. networking, DNS and NTP synchronization, on both machines. The hostnames and IP addresses are:

    S#  IP Address      Hostname            Description
    1   192.168.56.101  kerberos.itlab.com  KDC Server
    2   192.168.56.102  client.itlab.com    Client Machine

    Our Kerberos realm is ITLAB.COM.

     

    Configure Kerberos on CentOS 7:

    Install the Kerberos 5 packages. krb5-server is the Kerberos server, whereas krb5-workstation, pam_krb5 and sssd are required to configure the same machine as a Kerberos client as well.

    [root@kerberos ~]# yum -y install krb5-server krb5-workstation pam_krb5 sssd

    Now, edit the main Kerberos configuration file.

    [root@kerberos ~]# vi /etc/krb5.conf

    Uncomment all lines, and replace the default realm EXAMPLE.COM with ITLAB.COM (in both upper and lower case). Also update the kdc and admin_server hostnames (in our case, the same host serves both roles). The final configuration should look like this.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = ITLAB.COM
    default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    ITLAB.COM = {
      kdc = kerberos.itlab.com
      admin_server = kerberos.itlab.com
    }

    [domain_realm]
    .itlab.com = ITLAB.COM
    itlab.com = ITLAB.COM

    Now, configure the KDC server.

    [root@kerberos ~]# vi /var/kerberos/krb5kdc/kdc.conf

    Uncomment all lines and replace the default realm EXAMPLE.COM with ITLAB.COM. The final configuration should look like this.

    [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

    [realms]
    ITLAB.COM = {
      master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }
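    The supported_enctypes line above is the stock CentOS 7 default and still offers single-DES, 3DES and RC4 types. The following shell script is an added example, not part of the original post, that reads the supported_enctypes line of a kdc.conf and lists the legacy types it offers; the list of types it treats as legacy (WEAK_ENCTYPES) is this example's own policy choice, and the sample kdc.conf it writes is a constructed copy of the settings above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the supported_enctypes
# line of a kdc.conf and report the legacy types that a hardened KDC should
# not offer. WEAK_ENCTYPES is this example's assumption; adjust it to policy.
WEAK_ENCTYPES="des-cbc-crc des-cbc-md5 des-hmac-sha1 des3-hmac-sha1 arcfour-hmac"

# Print every enctype named in supported_enctypes, one per line, without
# the ":normal" salt suffix. Usage: list_enctypes /var/kerberos/krb5kdc/kdc.conf
list_enctypes() {
    awk '
        /^[ \t]*supported_enctypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # drop "supported_enctypes ="
            n = split($0, t)                    # split on whitespace
            for (i = 1; i <= n; i++) {
                sub(/:.*/, "", t[i])            # strip the salt type suffix
                if (t[i] != "") print t[i]
            }
        }' "$1"
}

# Print the configured enctypes that appear in WEAK_ENCTYPES, in config order.
# Returns 0 when none are present, 1 otherwise, so it can gate a CI check.
weak_enctypes() {
    count=0
    for e in $(list_enctypes "$1"); do
        for w in $WEAK_ENCTYPES; do
            if [ "$e" = "$w" ]; then
                echo "$e"
                count=$((count + 1))
            fi
        done
    done
    [ "$count" -eq 0 ]
}

# Write a constructed kdc.conf mirroring the settings shown above and print
# its path (sample data for the demonstration, not a file from the post).
make_sample_kdc_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/kdc.conf.XXXXXX")
    cat >"$f" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ITLAB.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
    echo "$f"
}

# Demonstration on the constructed sample.
sample=$(make_sample_kdc_conf)
if legacy=$(weak_enctypes "$sample"); then
    echo "kdc.conf offers no legacy enctypes"
else
    printf 'legacy enctypes offered by the KDC:\n%s\n' "$legacy"
fi
rm -f "$sample"
```

    Run it against the real file with `weak_enctypes /var/kerberos/krb5kdc/kdc.conf`; a non-zero exit means the KDC will still issue keys of the listed types, so principals created afterwards (including the host keytabs generated later in this post) get those keys too.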

    Configure the kadmin ACLs.

    [root@kerberos ~]# vi /var/kerberos/krb5kdc/kadm5.acl

    Replace the realm here. The final configuration looks like this (it grants every principal with an /admin instance full rights over the database):

    */admin@ITLAB.COM       *

    Create the Kerberos database and set a strong master password.

    [root@kerberos ~]# kdb5_util create -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ITLAB.COM',
    master key name 'K/M@ITLAB.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

    Enable and start Kerberos services.

    [root@kerberos ~]# systemctl enable krb5kdc && systemctl start krb5kdc
    Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
    [root@kerberos ~]# systemctl enable kadmin && systemctl start kadmin
    Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

    Allow the Kerberos services through the Linux firewall.

    [root@kerberos ~]# firewall-cmd --permanent --add-service=kerberos
    success
    [root@kerberos ~]# firewall-cmd --reload
    success

    Let’s add entries to our Kerberos database.

    [root@kerberos ~]# kadmin.local
    Authenticating as principal root/admin@ITLAB.COM with password.
    kadmin.local: listprincs
    K/M@ITLAB.COM
    kadmin/admin@ITLAB.COM
    kadmin/changepw@ITLAB.COM
    kadmin/kerberos.itlab.com@ITLAB.COM
    kiprop/kerberos.itlab.com@ITLAB.COM
    krbtgt/ITLAB.COM@ITLAB.COM

    Add the Kerberized hosts to our Kerberos database and generate the relevant keytabs.

    kadmin.local:  addprinc -randkey host/kerberos.itlab.com
    WARNING: no policy specified for host/kerberos.itlab.com@ITLAB.COM; defaulting to no policy
    Principal "host/kerberos.itlab.com@ITLAB.COM" created.
    kadmin.local:  ktadd host/kerberos.itlab.com
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

    Add the client host to the Kerberos database and generate its keytab, which will be placed in the /etc directory of the client machine.

    kadmin.local:  addprinc -randkey host/client.itlab.com
    WARNING: no policy specified for host/client.itlab.com@ITLAB.COM; defaulting to no policy
    Principal "host/client.itlab.com@ITLAB.COM" created.
    kadmin.local:  ktadd -k /tmp/client1.keytab host/client.itlab.com
    Entry for principal host/client.itlab.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
    Entry for principal host/client.itlab.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.

    Add a user to the Kerberos database to be used for logging in to the Kerberized hosts.

    kadmin.local:  addprinc kuser1
    WARNING: no policy specified for kuser1@ITLAB.COM; defaulting to no policy
    Enter password for principal "kuser1@ITLAB.COM":
    Re-enter password for principal "kuser1@ITLAB.COM":
    Principal "kuser1@ITLAB.COM" created.

    Create an OS user for authorization purposes. This step is not required if you use an LDAP directory; in that case, the user should be added to the LDAP directory instead.

    [root@kerberos ~]# useradd kuser1

    Configure Kerberos authentication.

    [root@kerberos ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

    Now log in to the Kerberos server as kuser1 using ssh.

    [kuser1@kerberos ~]$ ssh kuser1@kerberos
    The authenticity of host 'kerberos (192.168.56.101)' can't be established.
    ECDSA key fingerprint is 22:fa:59:75:3e:fa:24:73:a2:c3:cc:8f:24:bd:11:db.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'kerberos,192.168.56.101' (ECDSA) to the list of known hosts.
    Last login: Fri Jun 15 14:50:54 2018

    Check the tickets that were issued to kuser1.

    [kuser1@kerberos ~]$ klist
    Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
    Default principal: kuser1@ITLAB.COM

    Valid starting       Expires              Service principal
    06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
    06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM

     

    Configure CentOS 7 as Kerberos Client:

    Now, log in to the client.itlab.com machine and configure it for Kerberos authentication. Install the necessary packages.

    [root@client ~]# yum -y install krb5-workstation sssd pam_krb5

    Copy the client's keytab from the Kerberos machine to the client machine. Copy krb5.conf as well, to avoid editing it again.

    [root@client ~]# scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab
    root@kerberos's password:
    client1.keytab                                                                          100%  586     0.6KB/s   00:00
    [root@client ~]# scp root@kerberos:/etc/krb5.conf /etc/krb5.conf
    root@kerberos's password:
    krb5.conf                                                                               100%  472     0.5KB/s   00:00
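    The keytab copied above holds the client's long-term host key, so it should end up readable by root only and the staging copy left in /tmp on the KDC should not linger. The following shell functions are an added example, not part of the original post: they install a keytab with mode 0600, remove the source copy, and report the resulting permission string so the check can be scripted. The placeholder keytab they create for the demonstration is constructed; real keytabs come only from kadmin's ktadd.

```shell
#!/bin/sh
# Added example (not from the original post): install a keytab with the
# permissions a host keytab needs and drop the staging copy.
# The post's own paths would be /tmp/client1.keytab -> /etc/krb5.keytab;
# the demonstration below uses a scratch directory instead.

# Usage: install_keytab SRC DST
# Copies SRC to DST with mode 0600 (owned by root when run as root) and
# removes SRC afterwards. Fails, leaving DST untouched, if SRC is missing
# or empty.
install_keytab() {
    src=$1
    dst=$2
    [ -s "$src" ] || { echo "keytab $src missing or empty" >&2; return 1; }
    (umask 077 && cp "$src" "$dst") || return 1    # new file is private from the start
    chmod 600 "$dst" || return 1                    # also fixes a pre-existing DST
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dst" || return 1
    fi
    rm -f "$src"
}

# Print the permission string of a file, e.g. "-rw-------".
# Usage: keytab_mode /etc/krb5.keytab
keytab_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only when the keytab is a regular file readable and writable by
# its owner alone.
keytab_is_private() {
    [ "$(keytab_mode "$1")" = "-rw-------" ]
}

# Demonstration with a constructed placeholder keytab in a scratch directory.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/ktdemo.XXXXXX")
printf 'placeholder-keytab-bytes' >"$demo_dir/client1.keytab"
if install_keytab "$demo_dir/client1.keytab" "$demo_dir/krb5.keytab" \
    && keytab_is_private "$demo_dir/krb5.keytab"; then
    echo "keytab installed as $(keytab_mode "$demo_dir/krb5.keytab"); staging copy removed"
fi
rm -rf "$demo_dir"
```

    On the client, `keytab_is_private /etc/krb5.keytab || echo "fix keytab permissions"` gives a one-line check after the scp step; the same function applies to /etc/krb5.keytab on the KDC, which ktadd wrote above.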

    Add the local user kuser1 for authorization purposes.

    [root@client ~]# useradd kuser1

    Configure Kerberos authentication.

    [root@client ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.itlab.com --krb5adminserver=kerberos.itlab.com --krb5realm=ITLAB.COM

     

    Test Kerberos Configurations:

    Now test Single Sign-On with ssh.

    [root@client ~]# ssh kuser1@client.itlab.com
    kuser1@client.itlab.com's password:
    [kuser1@client ~]$ klist
    Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
    Default principal: kuser1@ITLAB.COM

    Valid starting       Expires              Service principal
    06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM
    [kuser1@client ~]$ ssh kuser1@kerberos.itlab.com
    Last login: Fri Jun 15 15:02:53 2018 from kerberos.itlab.com
    [kuser1@kerberos ~]$ klist
    Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
    Default principal: kuser1@ITLAB.COM

    Valid starting       Expires              Service principal
    06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.itlab.com@ITLAB.COM
    06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/ITLAB.COM@ITLAB.COM
    [kuser1@client ~]$ ssh kuser1@client.itlab.com
    Last login: Fri Jun 15 15:23:45 2018 from kerberos.itlab.com
    [kuser1@client ~]$ klist
    Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
    Default principal: kuser1@ITLAB.COM

    Valid starting       Expires              Service principal
    06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.itlab.com@ITLAB.COM
    06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.itlab.com@ITLAB.COM
    06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM

    Look at the output of the last klist command. The session obtained a TGT (Ticket Granting Ticket) and two service tickets (issued by the TGS, the Ticket Granting Service), and it was never asked for the password again; instead, it authenticated to the different servers using these tickets, which is what provides the Single Sign-On facility.
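    The distinction between the TGT and the service tickets in that klist output can be checked in a script rather than by eye. The following shell functions are an added example, not part of the original post: they read klist output from standard input, separate the krbtgt entry from the host/ service tickets, and list the hosts the session has already authenticated to via SSO. The sample output they run on is constructed from the last klist session shown above.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of klist
# (read from stdin) and separate the TGT from the service tickets.

# Print the service principal of every ticket line. Ticket lines begin with
# a date such as 06/15/2018; the fifth field is the principal.
ticket_principals() {
    awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/ { print $5 }'
}

# Succeed when the cache holds a TGT for the given realm.
# Usage: klist | has_tgt ITLAB.COM
has_tgt() {
    ticket_principals | grep -qxF "krbtgt/$1@$1"
}

# Print only the service (non-TGT) tickets, e.g. host/client.itlab.com@ITLAB.COM
service_tickets() {
    ticket_principals | grep -v '^krbtgt/'
}

# Number of service tickets in the cache, usable in a check script.
service_ticket_count() {
    service_tickets | wc -l | tr -d ' '
}

# Hostnames for which a host/ service ticket is present, i.e. the machines
# reached over ssh without a password prompt.
sso_hosts() {
    service_tickets | sed -n 's|^host/\([^@]*\)@.*|\1|p'
}

# Constructed sample: the last klist output of the test session above.
sample_klist() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@ITLAB.COM

Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.itlab.com@ITLAB.COM
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.itlab.com@ITLAB.COM
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/ITLAB.COM@ITLAB.COM
EOF
}

# Demonstration on the constructed sample.
if sample_klist | has_tgt ITLAB.COM; then
    echo "TGT present; $(sample_klist | service_ticket_count) service tickets"
    echo "hosts reached by SSO: $(sample_klist | sso_hosts | tr '\n' ' ')"
else
    echo "no TGT for ITLAB.COM: the user would be prompted for a password"
fi
```

    Replace `sample_klist` with a real `klist` call on the client: a missing TGT means the login did not go through Kerberos at all, and a missing host/ ticket for a server you just reached means that connection used a password rather than SSO.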

    Our Kerberos 5 server is working and providing Single Sign-On to its users.
