TITLE: Kerberos V
LFS VERSION: any
AUTHOR: Succendo Fornacalis <[email protected]>
SYNOPSIS:
Installing Kerberos V on clients and the KDC
HINT:
So, you want to run Kerberos, eh? Or are you just curious what Kerberos is? In
either case I will give you my explanation of Kerberos. Kerberos is an
authentication method developed by MIT that is based on tickets. Tickets, as you
may know, are used in place of the user's password, and they also give very
strong encryption to services like telnet. The tickets are given out by a Key
Distribution Center (KDC) and then used for authenticating to any other server
within its realm. So, in short, users send their password to the KDC; the KDC
then gives them a Ticket Granting Ticket (TGT) encrypted using their password as
the key. If their password is wrong, the TGT will be bogus. The TGT, which
expires at a given time, permits the client to obtain additional tickets, each
of which gives permission to a specific service. If this hint is awkward or just
plain bad, let me know, or if I just suck at explaining something let me know
that too, and I'll make a revision. I am, by no means, a writer so I'm sure this
could be better. And with that, good luck.
CONTENTS
========
1. Introduction
2. Installing Kerberos
3. Creating Configs
4. Adding Support
5. Creating Bootscripts
Software used/mentioned/etc in this hint
========================================
Kerberos V: http://web.MIT.edu/network/Kerberos-form.html
Samba 2.2.2: ftp://ftp.samba.org/pub/samba/samba-2.2.2.tar.gz
OpenSSL: http://www.openssl.org/source/openssl-0.9.6b.tar.gz
SSH: ftp://ftp.ssh.com/pub/ssh/ssh-3.0.1.tar.gz
Installing Kerberos V
=====================
cd src &&
./configure --prefix=/usr &&
make distclean &&
make &&
make check &&
make install
If you want to keep everything after the LFS install separate, you can give it
the prefix /usr/local. Just make sure you change the ./configure lines to
/usr/local.
This will compile the Kerberos tools, and a telnetd with kerberos support.
Setting up KDC
==============
See man krb5.conf and man kdc.conf.
The config files are built much like a Windows .ini file. The realm is usually
the domain in caps. Below are the commands that I used for my configs; only a
few changes are needed (the realm, KDC hostname and domain are mine, substitute
your own).
KDC Configuration:
cat > /etc/krb5.conf << "EOF"
[libdefaults]
ticket_lifetime = 600
default_realm = NOVASTAR.WOX.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
NOVASTAR.WOX.ORG = {
kdc = SockPuppet.novastar.wox.org:88
admin_server = SockPuppet.novastar.wox.org:749
default_domain = novastar.wox.org
}
[domain_realm]
.novastar.wox.org = NOVASTAR.WOX.ORG
novastar.wox.org = NOVASTAR.WOX.ORG
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
EOF
cat > /etc/kdc.conf << "EOF"
[kdcdefaults]
kdc_ports = 88,750
[realms]
NOVASTAR.WOX.ORG = {
database_name = /usr/var/krb5kdc/principal
admin_keytab = /usr/var/krb5kdc/kadm5.keytab
acl_file = /usr/var/krb5kdc/kadm5.acl
dict_file = /usr/var/krb5kdc/kadm5.dict
key_stash_file = /usr/var/krb5kdc/.k5.NOVASTAR.WOX.ORG
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
}
EOF
To add Kerberos V4 support, add des-cbc-crc:v4 to the supported_enctypes line.
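Before copying a krb5.conf onto the KDC and every client, it is worth checking it mechanically. The script below is an added example, not part of the original hint: it parses the ini-style file with awk, confirms that [libdefaults] names a default_realm and that [realms] gives that realm a kdc, and flags any single-DES enctype (des-cbc-crc and friends, which have been broken for a long time). The sample file is a constructed, trimmed copy of the hint's client config; the krb5_harden_enctypes helper swaps the enctype lists for AES names, which assumes an MIT krb5 release new enough to know them (the 1.2 release the hint uses does not).

```shell
#!/bin/sh
# Added example, not part of the original hint: sanity-check a krb5.conf before
# rolling it out. Confirms default_realm and a kdc for it, flags single-DES.

# krb5_section FILE SECTION: print the lines belonging to [SECTION]
krb5_section() {
    awk -v want="$2" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                      insec = (sec == want); next }
        insec { print }
    ' "$1"
}

# krb5_value FILE SECTION KEY: print the value of "KEY = value" inside [SECTION]
krb5_value() {
    krb5_section "$1" "$2" | awk -F'=' -v key="$3" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    '
}

# krb5_realm_kdc FILE REALM: print the kdc entry of REALM's block in [realms]
krb5_realm_kdc() {
    krb5_section "$1" realms | awk -F'=' -v realm="$2" '
        { k = $1; gsub(/[ \t]/, "", k); v = $2; gsub(/[ \t]/, "", v) }
        k == realm && v == "{" { inrealm = 1; next }
        inrealm && k == "}"    { inrealm = 0 }
        inrealm && k == "kdc"  { print v; exit }
    '
}

# krb5_weak_enctypes FILE: list the single-DES enctypes enabled in [libdefaults]
krb5_weak_enctypes() {
    for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
        krb5_value "$1" libdefaults "$key"
    done | tr ' ' '\n' | grep -E '^des-cbc-(crc|md4|md5)$' | sort -u
}

# krb5_harden_enctypes FILE: print FILE with both enctype lists replaced by AES
# (assumes an MIT krb5 that knows these enctypes; the hint's 1.2 release does not)
krb5_harden_enctypes() {
    sed -E 's/^([[:space:]]*default_(tkt|tgs)_enctypes[[:space:]]*=).*/\1 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96/' "$1"
}

# krb5_check_conf FILE: report problems, return 0 only if the file passes
krb5_check_conf() {
    conf=$1; rc=0
    realm=$(krb5_value "$conf" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "$conf: no default_realm in [libdefaults]"; rc=1
    elif [ -z "$(krb5_realm_kdc "$conf" "$realm")" ]; then
        echo "$conf: no kdc entry for $realm in [realms]"; rc=1
    fi
    weak=$(krb5_weak_enctypes "$conf" | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "$conf: single-DES enctypes enabled: $weak"; rc=1
    fi
    return $rc
}

# Constructed sample: the hint's client krb5.conf, trimmed, still enabling des-cbc-crc
KRB5_SAMPLE=$(mktemp)
cat > "$KRB5_SAMPLE" << "EOF"
[libdefaults]
ticket_lifetime = 600
default_realm = NOVASTAR.WOX.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
NOVASTAR.WOX.ORG = {
kdc = SockPuppet.novastar.wox.org:88
admin_server = SockPuppet.novastar.wox.org:749
}
EOF
KRB5_HARDENED=$(mktemp)
krb5_harden_enctypes "$KRB5_SAMPLE" > "$KRB5_HARDENED"
krb5_check_conf "$KRB5_SAMPLE" || echo "sample as written in the hint: rejected"
krb5_check_conf "$KRB5_HARDENED" && echo "hardened copy: accepted"
```

Run it against the real /etc/krb5.conf by calling krb5_check_conf on that path; the same kdc.conf supported_enctypes line can be inspected with krb5_section, since both files share the ini layout.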
Add Kerberos to /etc/services with these commands (note that these daemons can
be run on any server within the realm):
echo "kerberos 88/udp kdc # Kerberos V5 KDC" >>/etc/services
echo "kerberos 88/tcp kdc # Kerberos V5 KDC" >>/etc/services
echo "klogin 543/tcp # Kerberos authenticated rlogin" >>/etc/services
echo "kshell 544/tcp cmd # and remote shell" >>/etc/services
echo "kerberos-adm 749/tcp # Kerberos 5 admin/changepw" >>/etc/services
echo "kerberos-adm 749/udp # Kerberos 5 admin/changepw" >>/etc/services
echo "krb5_prop 754/tcp # Kerberos slave propagation" >>/etc/services
echo "eklogin 2105/tcp # Kerberos auth. & encrypted rlogin" >>/etc/services
echo "krb524 4444/tcp # Kerberos 5 to 4 ticket translator" >>/etc/services
Add the Kerberos servers to inetd.conf with these commands. This only allows
authentication through Kerberos; if you want to allow non-Kerberos access to
telnet (why?), ftp, sh, etc., have a look at the man pages. Make sure you find
and remove the existing ftp, telnet, shell, login and exec entries from your
config.
echo "klogin stream tcp nowait root /usr/sbin/klogind klogind -k -c" >>/etc/inetd.conf
echo "eklogin stream tcp nowait root /usr/sbin/klogind klogind -k -c -e" >>/etc/inetd.conf
echo "kshell stream tcp nowait root /usr/sbin/kshd kshd -k -c -A" >>/etc/inetd.conf
echo "ftp stream tcp nowait root /usr/sbin/ftpd ftpd -a" >>/etc/inetd.conf
echo "telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a valid" >>/etc/inetd.conf
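The bare "echo >>" lines above append a duplicate entry every time they are re-run, and they never notice when a port is already assigned to some other name or when an old plain telnet/ftp line is still active. The script below is an added example, not part of the original hint: it adds /etc/services entries only when the name does not already own that port/protocol (refusing if a different name does), comments out the old inetd.conf entries the hint says to remove, and appends inetd.conf lines only when no active entry for that service exists. The same functions cover the identical service lines in "Setting Up Clients". Both files used here are constructed temporaries, not the real /etc files.

```shell
#!/bin/sh
# Added example, not part of the original hint: idempotent /etc/services and
# inetd.conf edits, with a port clash check. Files below are constructed temporaries.

# ensure_service FILE "NAME PORT/PROTO ...": append unless NAME already owns
# PORT/PROTO; refuse (return 1) if a different name owns it
ensure_service() {
    file=$1; line=$2
    name=${line%% *}
    port=$(printf '%s\n' "$line" | awk '{ print $2 }')
    owner=$(awk -v p="$port" '$1 !~ /^#/ && $2 == p { print $1; exit }' "$file")
    if [ "$owner" = "$name" ]; then
        echo "present: $name $port"
    elif [ -n "$owner" ]; then
        echo "conflict: $port is already assigned to $owner"
        return 1
    else
        printf '%s\n' "$line" >> "$file"
        echo "added: $name $port"
    fi
}

# disable_inetd FILE NAME: comment out every active NAME entry (the hint says to
# remove the plain ftp/telnet/shell/login/exec lines before adding Kerberos ones)
disable_inetd() {
    tmp=$(mktemp)
    awk -v n="$2" '$1 == n { print "#" $0; next } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# ensure_inetd FILE "NAME stream tcp ...": append unless an active NAME entry exists
ensure_inetd() {
    file=$1; line=$2
    name=${line%% *}
    if awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"; then
        echo "present: $name"
    else
        printf '%s\n' "$line" >> "$file"
        echo "added: $name"
    fi
}

# Constructed fragments of the two files, in the state a fresh LFS box might have
SERVICES=$(mktemp); INETD=$(mktemp)
cat > "$SERVICES" << "EOF"
ftp 21/tcp
telnet 23/tcp
kerberos 88/udp kdc # Kerberos V5 KDC
EOF
cat > "$INETD" << "EOF"
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
ftp stream tcp nowait root /usr/sbin/ftpd ftpd
EOF

ensure_service "$SERVICES" "kerberos 88/udp kdc # Kerberos V5 KDC"   # present, not duplicated
ensure_service "$SERVICES" "kerberos 88/tcp kdc # Kerberos V5 KDC"   # added
ensure_service "$SERVICES" "kerberos-adm 749/tcp # Kerberos 5 admin/changepw"
ensure_service "$SERVICES" "kadmin 749/tcp" || echo "refused: would shadow an existing entry"
disable_inetd "$INETD" telnet          # retire the plain telnetd line first
ensure_inetd "$INETD" "telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a valid"
ensure_inetd "$INETD" "ftp stream tcp nowait root /usr/sbin/ftpd ftpd -a"   # present: old ftp line still active
```

The last call is the point of disable_inetd: because the plain ftpd entry was never disabled, the Kerberos-only "ftpd -a" line is not added, so the old unauthenticated service would keep running after a reboot.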
Creating the database:
The creation of the password database is more complex than I would like to
cover in this hint; MIT has a great howto on the entire process at
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.2/doc/install.html#SEC42
Setting Up Clients
==================
cat > /etc/krb5.conf << "EOF"
[libdefaults]
ticket_lifetime = 600
default_realm = NOVASTAR.WOX.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
NOVASTAR.WOX.ORG = {
kdc = SockPuppet.novastar.wox.org:88
admin_server = SockPuppet.novastar.wox.org:749
default_domain = novastar.wox.org
}
[domain_realm]
.novastar.wox.org = NOVASTAR.WOX.ORG
novastar.wox.org = NOVASTAR.WOX.ORG
EOF
Add Kerberos to /etc/services with these commands:
echo "kerberos 88/udp kdc # Kerberos V5 KDC" >>/etc/services
echo "kerberos 88/tcp kdc # Kerberos V5 KDC" >>/etc/services
echo "klogin 543/tcp # Kerberos authenticated rlogin" >>/etc/services
echo "kshell 544/tcp cmd # and remote shell" >>/etc/services
echo "kerberos-adm 749/tcp # Kerberos 5 admin/changepw" >>/etc/services
echo "kerberos-adm 749/udp # Kerberos 5 admin/changepw" >>/etc/services
echo "krb5_prop 754/tcp # Kerberos slave propagation" >>/etc/services
echo "eklogin 2105/tcp # Kerberos auth. & encrypted rlogin" >>/etc/services
echo "krb524 4444/tcp # Kerberos 5 to 4 ticket translator" >>/etc/services
Adding Support
==============
In this section I assume you have OpenSSL installed; if not, go for it. Samba is
the only daemon that I have come across in my search that has Kerberos V
support; if you know of any others, let me know.
Samba:
./configure --with-krb5=/usr --with-ssl &&
make &&
make install
SSH: Unfortunately OpenSSH (as of now) does not support Kerberos V. NOTE: SSH's
support of Kerberos V is EXPERIMENTAL. I take no responsibility if it goes ape
and eats your dog. You have been warned.
./configure --with-kerberos5=/usr --prefix=/usr &&
make &&
make install
Creating Bootscripts
====================
This is the final step in our great adventure together: creating the boot
scripts for all of the daemons.
cat > /etc/init.d/kdc << "EOF"
#!/bin/sh
# Begin /etc/init.d/kdc
#
# Include the functions declared in the /etc/init.d/functions file
#
source /etc/init.d/functions
case "$1" in
start)
echo -n "Starting Kerberos KDC ..."
loadproc krb5kdc
;;
stop)
echo -n "Stopping Kerberos KDC ..."
killproc krb5kdc
;;
restart)
$0 stop
/usr/bin/sleep 1
$0 start
;;
status)
statusproc krb5kdc
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
# End /etc/init.d/kdc
EOF
cat > /etc/init.d/samba << "EOF"
#!/bin/sh
# Begin /etc/init.d/samba
#
# Include the functions declared in the /etc/init.d/functions file
#
source /etc/init.d/functions
case "$1" in
start)
echo -n "Starting Samba ..."
loadproc /usr/local/samba/bin/smbd
;;
stop)
echo -n "Stopping Samba ..."
killproc smbd
;;
restart)
$0 stop
/usr/bin/sleep 1
$0 start
;;
status)
statusproc smbd
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
# End /etc/init.d/samba
EOF
cat > /etc/init.d/ssh << "EOF"
#!/bin/sh
# Begin /etc/init.d/ssh
#
# Include the functions declared in the /etc/init.d/functions file
#
source /etc/init.d/functions
case "$1" in
start)
echo -n "Starting SSH ..."
loadproc sshd
;;
stop)
echo -n "Stopping SSH ..."
killproc sshd
;;
restart)
$0 stop
/usr/bin/sleep 1
$0 start
;;
status)
statusproc sshd
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
# End /etc/init.d/ssh
EOF
chmod 754 /etc/init.d/kdc &&
chmod 754 /etc/init.d/samba &&
chmod 754 /etc/init.d/ssh &&
ln -sf ../init.d/kdc /etc/rc0.d/K400kdc &&
ln -sf ../init.d/kdc /etc/rc1.d/K400kdc &&
ln -sf ../init.d/kdc /etc/rc2.d/K400kdc &&
ln -sf ../init.d/kdc /etc/rc3.d/S600kdc &&
ln -sf ../init.d/kdc /etc/rc4.d/S600kdc &&
ln -sf ../init.d/kdc /etc/rc5.d/S600kdc &&
ln -sf ../init.d/kdc /etc/rc6.d/K400kdc &&
ln -sf ../init.d/samba /etc/rc0.d/K401samba &&
ln -sf ../init.d/samba /etc/rc1.d/K401samba &&
ln -sf ../init.d/samba /etc/rc2.d/K401samba &&
ln -sf ../init.d/samba /etc/rc3.d/S601samba &&
ln -sf ../init.d/samba /etc/rc4.d/S601samba &&
ln -sf ../init.d/samba /etc/rc5.d/S601samba &&
ln -sf ../init.d/samba /etc/rc6.d/K401samba &&
ln -sf ../init.d/ssh /etc/rc0.d/K402ssh &&
ln -sf ../init.d/ssh /etc/rc1.d/K402ssh &&
ln -sf ../init.d/ssh /etc/rc2.d/K402ssh &&
ln -sf ../init.d/ssh /etc/rc3.d/S602ssh &&
ln -sf ../init.d/ssh /etc/rc4.d/S602ssh &&
ln -sf ../init.d/ssh /etc/rc5.d/S602ssh &&
ln -sf ../init.d/ssh /etc/rc6.d/K402ssh
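A long list of ln commands is easy to get subtly wrong (a script saved under one name while its links point at another, an S link in a halt runlevel, a missing link in one rc directory), and nothing complains until the next reboot, when the KDC simply is not running. The script below is an added example, not part of the original hint: check_rc_links walks rc0.d through rc6.d for one service, expects exactly one link per runlevel, a K prefix in 0, 1, 2 and 6 and an S prefix in 3, 4 and 5, every link pointing at ../init.d/NAME, and the script itself executable. The directory tree it inspects is a constructed temporary copy of the /etc layout, wired up the way the hint shows for kdc and deliberately mismatched for ssh.

```shell
#!/bin/sh
# Added example, not part of the original hint: verify the runlevel links of a
# bootscript. The tree used below is a constructed temporary, not the real /etc.

# check_rc_links ETC NAME: print one line per problem, return 0 if there are none
check_rc_links() {
    etc=$1; name=$2; rc=0
    [ -x "$etc/init.d/$name" ] || { echo "$name: $etc/init.d/$name is missing or not executable"; rc=1; }
    for lvl in 0 1 2 3 4 5 6; do
        case $lvl in 3|4|5) want=S ;; *) want=K ;; esac
        found=0
        for link in "$etc/rc$lvl.d"/K*"$name" "$etc/rc$lvl.d"/S*"$name"; do
            [ -L "$link" ] || continue          # unmatched glob pattern, skip it
            found=$((found + 1))
            base=${link##*/}
            target=$(readlink "$link")
            case $base in
                "$want"*) ;;
                *) echo "$name: rc$lvl.d/$base should be a $want link"; rc=1 ;;
            esac
            [ "$target" = "../init.d/$name" ] ||
                { echo "$name: rc$lvl.d/$base points at $target"; rc=1; }
        done
        [ "$found" -eq 1 ] || { echo "$name: rc$lvl.d has $found links for $name, expected 1"; rc=1; }
    done
    return $rc
}

# Constructed tree: kdc is wired up as the hint shows; the ssh script is saved
# as init.d/sshd while its links point at ../init.d/ssh, so they all dangle
ETC=$(mktemp -d)
mkdir -p "$ETC/init.d" "$ETC/rc0.d" "$ETC/rc1.d" "$ETC/rc2.d" "$ETC/rc3.d" "$ETC/rc4.d" "$ETC/rc5.d" "$ETC/rc6.d"
printf '#!/bin/sh\n' > "$ETC/init.d/kdc"  && chmod 754 "$ETC/init.d/kdc"
printf '#!/bin/sh\n' > "$ETC/init.d/sshd" && chmod 754 "$ETC/init.d/sshd"
for lvl in 0 1 2 6; do
    ln -sf ../init.d/kdc "$ETC/rc$lvl.d/K400kdc"
    ln -sf ../init.d/ssh "$ETC/rc$lvl.d/K402ssh"
done
for lvl in 3 4 5; do
    ln -sf ../init.d/kdc "$ETC/rc$lvl.d/S600kdc"
    ln -sf ../init.d/ssh "$ETC/rc$lvl.d/S602ssh"
done
check_rc_links "$ETC" kdc && echo "kdc: runlevel links look right"
check_rc_links "$ETC" ssh || echo "ssh: fix the script name or the links before rebooting"
```

To check a live system, call check_rc_links /etc NAME for each of kdc, samba and ssh after running the ln commands above.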
Further Reading
===============
Apache hint: http://hints.linuxfromscratch.org/hints/apache+php4+sql.hint.txt
Samba hint: http://hints.linuxfromscratch.org/hints/samba.txt
MIT's Docs on Kerberos:
http://web.mit.edu/kerberos/www/krb5-1.2/index.html#documentation