11.3. Configuring a Kerberos Client
All that is required to set up a Kerberos 5 client is to install the client packages and provide each client with a valid
krb5.conf
configuration file. While ssh
and slogin
are the preferred methods of remotely logging in to client systems, Kerberos-aware versions of rsh
and rlogin
are still available, with additional configuration changes.
- Install the
krb5-libs
andkrb5-workstation
packages on all of the client machines.[root@server ~]# yum install krb5-workstation krb5-libs
- Supply a valid
/etc/krb5.conf
file for each client. Usually this can be the samekrb5.conf
file used by the Kerberos Distribution Center (KDC). For example:[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true allow_weak_crypto = true [realms] EXAMPLE.COM = { kdc = kdc.example.com.:88 admin_server = kdc.example.com default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
In some environments, the KDC is only accessible using an HTTPS Kerberos Key Distribution Center Proxy (KKDCP). In this case, make the following changes:- Assign the URL of the KKDCP instead of the host name to the
kdc
andadmin_server
options in the[realms]
section:[realms] EXAMPLE.COM = { kdc = https://kdc.example.com/KdcProxy admin_server = https://kdc.example.com/KdcProxy kpasswd_server = https://kdc.example.com/KdcProxy default_domain = example.com }
For redundancy, the parameterskdc
,admin_server
, andkpasswd_server
can be added multiple times using different KKDCP servers. - On IdM clients, restart the
sssd
service to make the changes take effect:[root@server ~]# systemctl restart sssd
- To use Kerberos-aware
rsh
andrlogin
services, install thersh
package. - Before a workstation can use Kerberos to authenticate users who connect using
ssh
,rsh
, orrlogin
, it must have its own host principal in the Kerberos database. Thesshd
,kshd
, andklogind
server programs all need access to the keys for the host service's principal.- Using
kadmin
, add a host principal for the workstation on the KDC. The instance in this case is the host name of the workstation. Use the-randkey
option for thekadmin
'saddprinc
command to create the principal and assign it a random key:addprinc -randkey host/server.example.com
- The keys can be extracted for the workstation by running
kadmin
on the workstation itself and using thektadd
command.ktadd -k /etc/krb5.keytab host/server.example.com
- To use other Kerberos-aware network services, install the krb5-server package and start the services. The Kerberos-aware services are listed in Table 11.3, “Common Kerberos-aware Services”.
Service Name | Usage Information |
---|---|
ssh | OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system. OpenSSH also contains the sftp tool, which provides an FTP-like interface to SFTP servers and can use GSS-API. |
IMAP |
The
cyrus-imap package uses Kerberos 5 if it also has the cyrus-sasl-gssapi package installed. The cyrus-sasl-gssapi package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP functions properly with Kerberos as long as the cyrus user is able to find the proper key in /etc/krb5.keytab , and the root for the principal is set to imap (created with kadmin ).
An alternative to
cyrus-imap can be found in the dovecot package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos.
|