Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2016/09/13 23:13] billdozor [Configure the Kerberos Client] |
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2019/05/25 23:50] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Configure A System To Authenticate Using Kerberos ====== | ||
- | |||
- | **General Information** | ||
- | |||
- | Setting up a client to authenticate using kerberos. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Prerequisites ====== | ||
- | |||
- | Some items are required before being able to practice this objective. | ||
- | |||
- | * [[linux_wiki: | ||
- | * Alternatively, | ||
- | * Creating a KDC server/ | ||
- | * Lab Setup: An additional system to act as a client. (**server1.example.com**) | ||
- | * If you are using the FreeIPA server, configure the client to [[linux_wiki: | ||
- | |||
- | ---- | ||
- | |||
- | ====== Package Install ====== | ||
- | |||
- | Install the required packages | ||
- | <code bash> | ||
- | yum install krb5-workstation pam_krb5 | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the Kerberos Client ====== | ||
- | |||
- | **Option 1**: Use authconfig to enable kerberos< | ||
- | |||
- | **Option 2**: Use authconfig-tui to enable kerberos | ||
- | * Open authconfig-tui< | ||
- | * Authentication Configuration | ||
- | * Under Authentication -> select "Use Kerberos", | ||
- | * LDAP Settings -> Do not change anything, Next | ||
- | * Kerberos Settings | ||
- | * Realm: EXAMPLE.COM | ||
- | * KDC: ipa.example.com | ||
- | * Admin Server: ipa.example.com | ||
- | * Ok | ||
- | |||
- | ---- | ||
- | |||
- | Test a kerberos ticket | ||
- | * Login as a LDAP user< | ||
- | * Get a kerberos ticket< | ||
- | * View ticket< | ||
- | * SSH to another system< | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the Client OS Components ====== | ||
- | |||
- | ===== SSH ===== | ||
- | |||
- | Uncomment the required GSSAPI lines | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | GSSAPIAuthentication yes | ||
- | GSSAPICleanupCredentials yes | ||
- | </ | ||
- | |||
- | \\ | ||
- | Reload the SSHD config | ||
- | <code bash> | ||
- | systemctl reload sshd | ||
- | </ | ||
- | |||
- | ===== PAM ===== | ||
- | |||
- | Configure PAM to enable krb5 | ||
- | <code bash> | ||
- | authconfig --enablekrb5 --update | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Test The Client ====== | ||
- | |||
- | Change to the user | ||
- | <code bash> | ||
- | su - user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize kerberos | ||
- | <code bash> | ||
- | kinit | ||
- | </ | ||
- | |||
- | \\ | ||
- | SSH to to the KDC server | ||
- | <code bash> | ||
- | ssh ipa.example.com | ||
- | </ | ||
- | * Should not be prompted for a password due to initializing a kerberos ticket | ||
- | |||
- | ---- | ||
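Review bot: the new revision (2019/05/25 23:50) is empty and carries no edit summary, so this hunk deletes the whole page, from the title through "Test The Client", without saying why or where the material went. If the page is being retired, leave a short stub that names its replacement. If only some steps are stale, remove those sections and keep the rest, such as the sshd settings "GSSAPIAuthentication yes" and "GSSAPICleanupCredentials yes" and the "kinit" then "ssh ipa.example.com" check. In both cases, add an edit summary so the reason is recorded in the page history.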