Configure A System To Authenticate Using Kerberos

General Information

Setting up a client system to authenticate using Kerberos.


Prerequisites

Some items are required before being able to practice this objective.

  • Lab Setup: Ensure you have already set up your FreeIPA server. (ipa.example.com)
    • Alternatively, you can set up a KDC server.
    • Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
  • Lab Setup: An additional system to act as a client. (server1.example.com)

Package Install

Install the required packages

yum install krb5-workstation pam_krb5

Configure the Kerberos Client

Set up the krb5.conf file

  • Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  • OR copy the /etc/krb5.conf file from the KDC server to the client


Create the user

useradd user1


Open the Kerberos admin tool on the client system

kadmin


Add a host principal for the client hostname (-randkey generates a random key instead of prompting for a password)

addprinc -randkey host/server1.example.com


Create the local keytab file for the client hostname

ktadd host/server1.example.com


Exit the admin tool

exit

Configure the Client OS Components

Uncomment the required GSSAPI lines

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Reload the SSHD config

systemctl reload sshd
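
A quick check that the two GSSAPI lines are really active after the edit, as an added example (not part of the original wiki page). The function names sshd_effective and check_gssapi and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the value sshd would use for a global keyword.
# sshd_config rules applied here: keywords are case-insensitive, lines
# starting with '#' are comments, the first value found for a keyword wins,
# and everything after the first "Match" line is conditional, not global.
sshd_effective() {   # usage: sshd_effective <config-file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Require an explicit "yes" for both keywords, matching the two lines the
# step above has you uncomment. Returns 0 only when both are set.
check_gssapi() {     # usage: check_gssapi <config-file>
    cg_rc=0
    for cg_key in GSSAPIAuthentication GSSAPICleanupCredentials; do
        cg_val=$(sshd_effective "$1" "$cg_key")
        if [ "$cg_val" = "yes" ]; then
            echo "OK    $cg_key yes"
        else
            echo "FAIL  $cg_key is '${cg_val:-unset or commented out}'"
            cg_rc=1
        fi
    done
    return $cg_rc
}

# Constructed sample: a file where the first line was left commented and the
# only active GSSAPIAuthentication sits inside a Match block.
sample=$(mktemp)
printf '%s\n' \
    '#GSSAPIAuthentication yes' \
    'GSSAPICleanupCredentials yes' \
    'Match User backup' \
    '    GSSAPIAuthentication yes' > "$sample"
check_gssapi "$sample" || echo "sample config still needs editing"
rm -f "$sample"
```

On the client itself, call check_gssapi /etc/ssh/sshd_config; running sshd -T as root prints the effective configuration the daemon computes and is the authoritative cross-check.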

Configure PAM to enable krb5

authconfig --enablekrb5 --update

Test The Client

Change to the user

su - user1


Initialize Kerberos

kinit


SSH to the KDC server

ssh ipa.example.com
  • You should not be prompted for a password, because kinit already obtained a Kerberos ticket

  • Last modified: 2019/05/25 23:50