Wednesday, June 20, 2012

Remove AES Encryption From MIT Kerberos V5

AES encryption is used by default in MIT Kerberos V5, but the Cloudera Distribution of Hadoop (CDH) does not support AES encryption. Here I describe how to remove AES encryption from Kerberos and change the password of the Ticket Granting Ticket principal.

Step 1: Removing AES encryption

Edit the /etc/krb5kdc/kdc.conf file and remove aes256-cts:normal from the 'supported_enctypes' list:

sudo vi /etc/krb5kdc/kdc.conf

Step 2: Change the password of the Ticket Granting Ticket principal

Use the following command in the 'kadmin' utility:

#kadmin -p root/admin
>change_password -randkey krbtgt/TEST.COM@TEST.COM
Replace TEST.COM with your realm name. Re-keying krbtgt with -randkey regenerates its keys using the enctypes now listed in supported_enctypes; any tickets already issued become invalid.

Step 3: Restart the KDC and admin server

sudo invoke-rc.d krb5-kdc restart
sudo invoke-rc.d krb5-admin-server restart
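The following shell script is an added example, not part of the original post: it applies the Step 1 edit to a constructed copy of kdc.conf and checks that no AES enctype remains in supported_enctypes. CONF is a hypothetical variable; on a real KDC point it at /etc/krb5kdc/kdc.conf after taking a backup.

```shell
#!/bin/sh
# Added example, not from the original post: apply the Step 1 edit to a copy of
# kdc.conf and verify that no AES enctype is left in 'supported_enctypes'.
# CONF is a hypothetical variable; point it at /etc/krb5kdc/kdc.conf on a real KDC.

# Constructed sample in the layout of the Ubuntu default kdc.conf.
# The comment line is there to show that only the supported_enctypes line is edited.
make_sample_conf() {
    cat > "$1" <<'EOF'
# stock default: aes256-cts:normal
[realms]
    TEST.COM = {
        max_life = 10h 0m 0s
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal
        default_principal_flags = +preauth
    }
EOF
}

# Delete every aes*-cts*:salt token, but only on the supported_enctypes line.
remove_aes_enctypes() {
    sed -E '/^[[:space:]]*supported_enctypes[[:space:]]*=/ s/aes[0-9]+-cts[a-z0-9-]*:[a-z0-9]+[[:space:]]*//g' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the enctype list that remains after the edit.
list_enctypes() {
    sed -n -E 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 when no aes enctype is configured any more, 1 otherwise.
check_no_aes() {
    ! list_enctypes "$1" | grep -qi 'aes'
}

CONF="${CONF:-$(mktemp)}"
make_sample_conf "$CONF"
remove_aes_enctypes "$CONF"
echo "remaining enctypes: $(list_enctypes "$CONF")"
check_no_aes "$CONF" && echo "OK: no AES enctypes left in supported_enctypes"
```

After the edit, Steps 2 and 3 still apply: the krbtgt principal must be re-keyed and both daemons restarted before the change takes effect.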
Reference: http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/admin.html

Monday, June 18, 2012

Installation and configuration of MIT Kerberos on Ubuntu

Kerberos is a central authentication protocol used to verify users, hosts and services against a Kerberos database. The Kerberos database contains entries called principals, which consist of principal names, secret keys, key aging information and Kerberos-specific data. Users can access these principals from anywhere in the realm. Each realm contains one master Key Distribution Center and may have many slaves. User input is authenticated against the Kerberos database; on successful authentication, the KDC ("Key Distribution Center") issues the user a "confirmation" called the TGT ("Ticket-Granting Ticket"). You can find more information about Kerberos at the following links:

[1] http://en.wikipedia.org/wiki/Kerberos_(protocol)
[2] http://web.mit.edu/kerberos/#what_is
[3] http://www.kerberos.info/

Environment:
Operating System: Ubuntu 10.04 Lucid Lynx 64 bit Edition
Kerberos: MIT Kerberos V5

MIT Kerberos, an implementation of Kerberos, will be used to authenticate users.

Installation

Step 1: Install the Key Distribution Center (KDC) and administration server

sudo apt-get install krb5-{admin-server,kdc}

This installs the master KDC and the admin server; multiple slave KDCs can be configured under a single master KDC. The KDC installation will ask the following questions:
1. Default Kerberos version 5 realm?
Any ASCII string can be given as the realm, but conventionally the upper-case version of the domain name is used.
2. Kerberos4 compatibility mode to use?
Give it as 'none'.
3. What are the Kerberos servers for your realm?
The fully qualified domain name of the Kerberos server.
4. What is the administrative server for your realm?
The fully qualified domain name of the Kerberos server.

Step 2: Create a new realm using 'krb5_newrealm'

Use the command krb5_newrealm in the terminal:

krb5_newrealm

The command will ask for the master password (do not forget it) and create the realm using the name given in the previous step.

Step 3: Restart the administrative server and key distribution center

sudo invoke-rc.d krb5-admin-server restart
sudo invoke-rc.d krb5-kdc restart

Step 4: Initial Test

To quickly test the installation, we will use the 'kadmin.local' database administration program. Start kadmin.local, then type 'listprincs'. That command should print the list of principals. For example:

sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.

kadmin.local:  listprincs

K/M@TEST.COM
kadmin/admin@TEST.COM
kadmin/changepw@TEST.COM
kadmin/history@TEST.COM
krbtgt/TEST.COM@TEST.COM
kadmin.local: quit
'kadmin.local' works only on the host running the Kerberos administration server.

Step 5: Access Rights

Edit the /etc/krb5kdc/kadm5.acl file and uncomment the '*/admin *' line. Then enter 'kadmin.local' and add the root/admin principal with 'addprinc root/admin'. For example:

sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.

kadmin.local:  addprinc root/admin

WARNING: no policy specified for root/admin@TEST.COM; defaulting to no policy
Enter password for principal "root/admin@TEST.COM": PASSWORD
Re-enter password for principal "root/admin@TEST.COM": PASSWORD
Principal "root/admin@TEST.COM" created.

kadmin.local:  quit
Restart the administrative server and key distribution center (refer to Step 3), then test the new principal using 'kadmin'. Run kadmin as root/admin with
kadmin -p root/admin
If the configuration is correct, it will ask for the password.

Step 6: Obtaining a Kerberos Ticket

Commands:
klist -5 - list the cached tickets
kinit - obtain a ticket for the current user

Step 7: Installing Kerberized Services

A Kerberized service is one that authenticates its clients with Kerberos; here the Kerberized rsh server is installed.
sudo apt-get install krb5-rsh-server
sudo update-rc.d openbsd-inetd defaults
sudo invoke-rc.d openbsd-inetd restart

Step 8: Connecting to a Kerberos Server

Install krb5-clients and krb5-user on each host where Kerberos authentication is wanted.
sudo apt-get install krb5-clients krb5-user
It will ask for the Kerberos administration server and key distribution center details.
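As an added example that is not from the original post, this script checks the results of Steps 4 and 5 offline: it verifies that the expected principals appear in a constructed copy of the 'listprincs' output and that a constructed kadm5.acl grants root/admin full rights. REALM and the sample data are assumptions; on a real KDC feed it the output of 'sudo kadmin.local -q listprincs' and the contents of /etc/krb5kdc/kadm5.acl.

```shell
#!/bin/sh
# Added example, not from the original post: check the outcome of Steps 4 and 5
# offline against constructed copies of the 'listprincs' output and kadm5.acl.

REALM="TEST.COM"   # the realm used throughout the post

# Constructed: the principal list from Step 4 plus the root/admin principal from Step 5.
PRINCS="K/M@TEST.COM
kadmin/admin@TEST.COM
kadmin/changepw@TEST.COM
kadmin/history@TEST.COM
krbtgt/TEST.COM@TEST.COM
root/admin@TEST.COM"

# Constructed: kadm5.acl in the Ubuntu default layout with '*/admin *' uncommented.
ACL="# Access control list for krb5 administration.
# Restart krb5-admin-server after editing this file.
*/admin *"

# Return 0 if the exact principal name $1 appears in the listprincs output on stdin.
has_principal() {
    grep -qxF -- "$1"
}

# Return 0 if an active (non-comment) kadm5.acl line on stdin grants full rights
# ('*') to principal $1. '*' in the principal field stands for a whole name
# component; a missing realm is taken to mean $REALM (this example's assumption).
acl_grants_all() {
    target="$1"
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r princ perms _rest; do
        case "$princ" in *@*) ;; *) princ="$princ@$REALM" ;; esac
        # Turn the ACL glob into an anchored ERE: escape dots, '*' -> one component.
        pattern=$(printf '%s' "$princ" | sed -e 's/\./\\./g' -e 's|\*|[^/@]*|g')
        if [ "$perms" = "*" ] && printf '%s\n' "$target" | grep -qxE -- "$pattern"; then
            echo match
        fi
    done | grep -q match
}

# Return 0 only if every expected principal exists and root/admin has full admin rights.
check_setup() {
    for p in K/M kadmin/admin kadmin/changepw kadmin/history "krbtgt/$REALM" root/admin; do
        printf '%s\n' "$PRINCS" | has_principal "$p@$REALM" || { echo "missing principal: $p@$REALM"; return 1; }
    done
    printf '%s\n' "$ACL" | acl_grants_all "root/admin@$REALM" || { echo "kadm5.acl grants root/admin no admin rights"; return 1; }
    echo "OK: default principals present, root/admin exists and kadm5.acl grants it full rights"
}
check_setup
```

Note that '*/admin *' grants full administrative rights to every principal with an /admin instance, not just root/admin; the acl_grants_all check reports the same result for alice/admin@TEST.COM.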

References
[1] http://www.debian-administration.org/articles/570
[2] http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.1/doc/krb5-install.html
[3] http://techpubs.spinlocksolutions.com/dklar/kerberos.html