Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2016/08/14 23:39] billdozor [Prerequisites] |
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2019/05/25 23:50] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Configure A System To Authenticate Using Kerberos ====== | ||
- | |||
- | **General Information** | ||
- | |||
- | Setting up a client to authenticate using kerberos. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Prerequisites ====== | ||
- | |||
- | Some items are required before being able to practice this objective. | ||
- | |||
- | * [[linux_wiki: | ||
- | * Alternatively, | ||
- | * Creating a KDC server/ | ||
- | * Lab Setup: An additional system to act as a client. (**server1.example.com**) | ||
- | |||
- | ---- | ||
- | |||
- | ====== Package Install ====== | ||
- | |||
- | Install the required packages | ||
- | <code bash> | ||
- | yum install krb5-workstation pam_krb5 | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the Kerberos Client ====== | ||
- | |||
- | Setup the krb5.conf file | ||
- | * Edit / | ||
- | * OR copy the / | ||
- | |||
- | \\ | ||
- | Create the user | ||
- | <code bash> | ||
- | useradd user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Open the Kerberos admin tool on the client system | ||
- | <code bash> | ||
- | kadmin | ||
- | </ | ||
- | |||
- | \\ | ||
- | Add the client hostname | ||
- | <code bash> | ||
- | addprinc --randkey host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Create the local keytab file for the client hostname | ||
- | <code bash> | ||
- | ktadd host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Exit the admin tool | ||
- | <code bash> | ||
- | quit | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the Client OS Components ====== | ||
- | |||
- | ===== SSH ===== | ||
- | |||
- | Uncomment the required GSSAPI lines | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | GSSAPIAuthentication yes | ||
- | GSSAPIDelegateCredentials yes | ||
- | </ | ||
- | |||
- | \\ | ||
- | Reload the SSHD config | ||
- | <code bash> | ||
- | systemctl reload sshd | ||
- | </ | ||
- | |||
- | ===== PAM ===== | ||
- | |||
- | Configure PAM to enable krb5 | ||
- | <code bash> | ||
- | authconfig --enablekrb5 --update | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Test The Client ====== | ||
- | |||
- | Change to the user | ||
- | <code bash> | ||
- | su - user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize kerberos | ||
- | <code bash> | ||
- | kinit | ||
- | </ | ||
- | |||
- | \\ | ||
- | SSH to to the KDC server | ||
- | <code bash> | ||
- | ssh server3.mydomain.com | ||
- | </ | ||
- | |||
- | ---- | ||
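Review bot: Every line from the title through "Test The Client" is removed and the 2019/05/25 side is empty, so the page is deleted with no redirect or pointer to where the Kerberos client procedure now lives; if the content moved, leave a one-line link here, and if it was withdrawn, say why in the edit summary. If the text is carried over to another page, three things in the removed lines should be fixed on the way. First, `addprinc --randkey host/` uses a double dash, while kadmin's option is `-randkey`. Second, the lab client is named server1.example.com under Prerequisites, but the test step connects to server3.mydomain.com, so the domain is inconsistent across the procedure. Third, in the SSH step `GSSAPIDelegateCredentials yes` is an ssh client option, so the `systemctl reload sshd` that follows does not apply it if the edited file is the server config; since that option forwards the user's ticket to the remote host, the replacement page should state on which side it is set and whether delegation is actually needed.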