This documentation has been tested on CentOS 7.
Install KDC
# yum install -y krb5-server krb5-workstation pam_krb5
Hostname and resolving
Set your hostname
# hostnamectl set-hostname hanthana.ucsc.com
Verify your hostname
# hostname
Your hostname should resolve. If you do not use a DNS service, add it to /etc/hosts:
[danishka@kdc ~]$ cat /etc/hosts
192.168.1.101 hanthana.ucsc.com
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
Server Configuration
# ls /var/kerberos/krb5kdc/
kadm5.acl kdc.conf
The ACL grants all privileges to any principal with the /admin instance.
Replace EXAMPLE.COM with your realm.
# cd /var/kerberos/krb5kdc/
# cat kadm5.acl
*/admin@UCSC.COM *
# cat kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 UCSC.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
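The supported_enctypes line above still lists single DES, triple DES and RC4, which RFC 6649 and RFC 8429 deprecate for Kerberos. As an added example (not part of the original page), this small Python checker parses a kdc.conf in the syntax shown above and reports which of those enctypes a realm still offers; the embedded config is a constructed copy of the kdc.conf from this page.

```python
"""Flag deprecated enctypes in an MIT krb5 kdc.conf (added example)."""
import re

# Single DES (RFC 6649), triple DES and RC4 (RFC 8429) are deprecated in Kerberos.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-cbc-sha1",
                 "des3-hmac-sha1", "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}

# Constructed sample: a copy of the kdc.conf shown on this page.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 UCSC.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf syntax: [section], key = value, key = { ... }."""
    conf = {}
    stack = [conf]                             # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:                            # new top-level section
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}":                      # close a nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                   # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def weak_enctypes(conf, realm):
    """Return the deprecated enctypes a realm's supported_enctypes still lists."""
    listed = conf.get("realms", {}).get(realm, {}).get("supported_enctypes", "")
    names = [item.split(":")[0] for item in listed.split()]   # drop the :salttype
    return [name for name in names if name in WEAK_ENCTYPES]
```

Run it against your own /var/kerberos/krb5kdc/kdc.conf by reading the file into parse_krb5_conf instead of the sample; an empty result means the realm only offers AES and Camellia keys.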
Client Configuration
# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = UCSC.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 UCSC.COM = {
  kdc = hanthana.ucsc.com
  admin_server = hanthana.ucsc.com
 }

[domain_realm]
 .ucsc.com = UCSC.COM
 ucsc.com = UCSC.COM
KDC Database
# kdb5_util create -s -r UCSC.COM
Start and enable the kadmin and krb5kdc services
# systemctl start kadmin.service
# systemctl start krb5kdc.service
# systemctl enable kadmin.service
# systemctl enable krb5kdc.service
Principals
Objects in the KDC database are known as principals; they can be users or hosts, so we need to add a principal for each one.
# kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: addprinc danishka
kadmin.local: addprinc host/hanthana.ucsc.com
kadmin.local: quit
Copy encrypted Kerberos keytab files
# kadmin.local
kadmin.local: addprinc -randkey host/hanthana.ucsc.com
kadmin.local: ktadd host/hanthana.ucsc.com
kadmin.local: quit
Configure the SSH client to allow clients to use Kerberos (GSSAPI) authentication.
Edit /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Now update PAM configuration
# authconfig --enablekrb5 --update
Reload ssh configuration
# systemctl reload sshd.service
As a local user you should be able to see your Kerberos ticket
[danishka@kdc ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: danishka@UCSC.COM

Valid starting       Expires              Service principal
08/28/2018 11:19:21  08/29/2018 10:56:50  krbtgt/UCSC.COM@UCSC.COM
If you get the following result instead, run kinit to obtain a ticket
$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
[madura@localhost ~]$ kinit
Password for danishka@UCSC.COM:
[madura@localhost ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: danishka@UCSC.COM

Valid starting       Expires              Service principal
08/28/2018 11:19:21  08/29/2018 10:56:50  krbtgt/UCSC.COM@UCSC.COM
Now SSH without a password using your Kerberos ticket.
[danishka@kdc ~]$ ssh hanthana.ucsc.com
Last login: Tue Aug 28 13:49:19 2018 from 192.168.1.99
Create a .pcap file
tcpdump -i any -w /tmp/tcpdump.pcap