@kumar-de
Last active August 21, 2019 17:44

Setup Kerberos client on your machine

Install the Kerberos client packages:

apt-get install krb5-user

Paste the following into /etc/krb5.conf and adjust it to match your server setup:

[libdefaults]
 default_realm = ABC.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 1
 default_tgs_enctypes = aes256-cts
 default_tkt_enctypes = aes256-cts
 permitted_enctypes = aes256-cts
# rdns = false
# pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# the realm name below must match default_realm in [libdefaults]
 ABC.TEST = {
  kdc = cluster-01.abc.test
  admin_server = cluster-01.abc.test
 }

[domain_realm]
 .example.com = ABC.TEST
 example.com = ABC.TEST

Check if the ssh client program will try Kerberos authentication

vim /etc/ssh/ssh_config      # (on Mac OS X it's /etc/ssh_config)

Enable the following lines

...
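# check that this line is present (near the end)
GSSAPIAuthentication yes
# add this line too (only OpenSSH builds that carry the GSSAPI key-exchange
# patch, such as the Debian and Ubuntu packages, accept this option)
GSSAPIKeyExchange yes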
...

Try to acquire a Kerberos ticket using your principal:

kinit achintya.kumar
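
Added example, not part of the original gist: an offline check of a krb5.conf to run before kinit. With dns_lookup_kdc = false, default_realm needs a [realms] block of the same name that lists a kdc, and the enctype lines should not name legacy ciphers. The function name check_krb5_conf and the three sample files (including the mismatched realm YEL.TEST and the added rc4-hmac) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): offline sanity check for a krb5.conf.
check_krb5_conf() {   # $1 = path; prints findings, returns 1 if there are any
    awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = substr($0, 2, length($0) - 2); next }
    { n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val) }
    section == "libdefaults" && key == "default_realm" { dflt = val }
    section == "libdefaults" && key ~ /enctypes$/ && val ~ /des|rc4|arcfour/ {
        print "legacy enctype in " key ": " val; bad = 1 }
    section == "realms" && val == "{" { realm = key; defined[realm] = 1 }
    section == "realms" && key == "kdc" { has_kdc[realm] = 1 }
    section == "domain_realm" && n > 0 { mapped[val] = 1 }
    END {
        if (dflt == "") { print "default_realm is not set"; bad = 1 }
        else if (!(dflt in defined)) {
            print "default_realm " dflt " has no [realms] block"; bad = 1 }
        else if (!(dflt in has_kdc)) { print "realm " dflt " lists no kdc"; bad = 1 }
        for (r in mapped) if (!(r in defined)) {
            print "[domain_realm] maps to undefined realm " r; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed samples: a realm mismatch, a consistent file, and a weak enctype.
tmp=$(mktemp -d)
cat > "$tmp/mismatch.conf" <<'EOF'
[libdefaults]
 default_realm = ABC.TEST
 dns_lookup_kdc = false
 permitted_enctypes = aes256-cts
[realms]
 YEL.TEST = {
  kdc = cluster-01.abc.test
 }
[domain_realm]
 .example.com = ABC.TEST
EOF
sed 's/YEL\.TEST/ABC.TEST/' "$tmp/mismatch.conf" > "$tmp/ok.conf"
sed 's/aes256-cts$/aes256-cts rc4-hmac/' "$tmp/ok.conf" > "$tmp/weak.conf"

for f in mismatch ok weak; do
    echo "== $f.conf"; check_krb5_conf "$tmp/$f.conf" || true
done
```

Run it against the real file with check_krb5_conf /etc/krb5.conf; after a successful kinit, klist -e shows which encryption type the ticket actually uses.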