Wednesday, February 8, 2012

Deploying a Kerberos KDC in Ubuntu 11.10 or Fedora 15

What is Kerberos?


Kerberos is an authentication and authorization protocol that allows authenticated (and sometimes encrypted) communication between two systems. Authentication is performed by a third system, known as a key distribution center (KDC), that stores the passwords for all of the principals (typically users and systems) known within its realm. A unique feature of Kerberos is that the password is never sent over any type of connection (encrypted or plain text) during authentication or authorization. Instead the KDC generates a token (called a ticket granting ticket) that is encrypted using a key derived from the password and sends it to the requesting client. If the client has the correct password and can decrypt the ticket granting ticket, it can then use this token to request access to different services (anything from logon capability, file transfer, or shell access to authenticating web applications, services, and clients across domains).

Kerberos is a protocol that can be implemented by anyone, but the two main implementations known in the IT industry are MIT Kerberos V (currently in a 1.10 release) and Microsoft Active Directory (stable with Windows Server 2008 R2, unstable in the Windows 8 Server Developer Preview). MIT Kerberos is often used in IT environments dominated by UNIX and Linux systems while Active Directory is predominantly used in Microsoft environments. Mechanisms exist to allow MIT Kerberos and Active Directory to communicate successfully in certain mixed environments. A key thing to note is that in addition to a Kerberos infrastructure, Active Directory also provides an integrated LDAP V3 compliant directory. MIT Kerberos V would need to be integrated with another LDAP implementation (such as OpenLDAP) to provide similar functionality. Kerberos is simply a piece that fits into a larger identity management (IdM) or authentication, authorization, and accounting (AAA) strategy.

To demonstrate the functionality of the protocol and the mechanics of setting up a realm that can be used as an authentication source I will show how to set up a KDC in a RedHat based distribution (RH) and a Debian based distribution (D). Although I am demonstrating with Fedora Core 15 (RH) and Ubuntu 11.10 (D), a similar application of these steps could easily be carried out in RedHat Enterprise Linux (RH), CentOS (RH), Mandriva (RH), Yellow Dog Linux (RH), Knoppix (D), etc.

Security in a Kerberos Environment


Security is a paramount concern when deploying a KDC in a Kerberos environment. The passwords for every user and system in the realm are stored on the KDC, so an intruder who compromises it can reasonably decrypt passwords and gain dozens to thousands of points of potential entry to the network. Security for a KDC is a large topic and I will cover some of the practices that I have seen/considered in a separate post.

For simplicity, I demonstrate a setup that might be reasonable for a development/testing non-production Kerberos environment (this involves a less strict system setup with regard to allowing a build environment on a KDC in addition to allowing remote logon capability utilizing SSH). For a production environment, the potential attack footprint should be minimized to a level that is considered suitable based on the available legal/regulatory/business requirements and policies.

Options For Setting Up The Servers


It is possible to obtain pre-built packages for Kerberos 5, but depending on the needs of the organization or security requirements, it is probably more desirable to build from source.

For die-hard package users, the Fedora command to install a KDC is:

yum install krb5-server

For Ubuntu users,

apt-get install krb5-kdc

Since I want to have direct control over patching and the options that are compiled in, I will compile krb5-1.10 from source.

Prerequisite Setup


The initial installation process for Fedora 15 and Ubuntu Server is well documented all over the Internet (so I'm not going to cover it here). Since I am using Hyper-V on Windows Server 2008 R2 as a virtualization host, I had to make a couple of minor changes to get networking to function properly. This involved using Legacy Network Adapters for the VMs and uninstalling the irqbalance package (yum erase irqbalance in Fedora and dpkg -r irqbalance in Ubuntu). Fedora Core ran fine after the change, but networking was still shaky with Ubuntu.

Next I ensured that the GNU C compiler (gcc) was installed and working. 

Configuring and Building


Configuring and building is relatively straightforward. I used a prefix of /usr/local/krb5 and I did not use OpenLDAP for the backend database storage. First, download the latest release:

burrm@ubuntu-kdc:~$ wget http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
--2012-02-06 23:10:30--  http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10-signed.tar
Resolving web.mit.edu... 18.9.22.69
Connecting to web.mit.edu|18.9.22.69|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10649600 (10M) [application/x-tar]
Saving to: `krb5-1.10-signed.tar'

100%[======================================>] 10,649,600  21.7K/s   in 8m 27s 

2012-02-06 23:19:05 (20.5 KB/s) - `krb5-1.10-signed.tar' saved [10649600/10649600]


Then extract the source code:

burrm@ubuntu-kdc:~$ tar -xvf krb5-1.10-signed.tar
krb5-1.10.tar.gz
krb5-1.10.tar.gz.asc
burrm@ubuntu-kdc:~$ tar -xzf krb5-1.10.tar.gz
burrm@ubuntu-kdc:~$ cd krb5-1.10/


You can use multiple build directories (if you are building on different platforms); this is what I do:

burrm@ubuntu-kdc:~/krb5-1.10$ mkdir Ubuntu-11.10-Server
burrm@ubuntu-kdc:~/krb5-1.10$ cd Ubuntu-11.10-Server/
burrm@ubuntu-kdc:~/krb5-1.10/Ubuntu-11.10-Server$ ../src/configure --help
burrm@ubuntu-kdc:~/krb5-1.10/Ubuntu-11.10-Server$ ../src/configure --prefix=/usr/local/krb5
burrm@ubuntu-kdc:~/krb5-1.10/Ubuntu-11.10-Server$ make


After everything configures and builds correctly, it needs to be installed:

burrm@ubuntu-kdc:~/krb5-1.10/Ubuntu-11.10-Server$ su -
Password:
root@ubuntu-kdc:~# cd /home/burrm/krb5-1.10/Ubuntu-11.10-Server/
root@ubuntu-kdc:/home/burrm/krb5-1.10/Ubuntu-11.10-Server# make install


Next I do a step that allows versions to be switched quickly (if needed):

root@ubuntu-kdc:/home/burrm/krb5-1.10/Ubuntu-11.10-Server# cd /usr/local/
root@ubuntu-kdc:/usr/local# mv krb5 krb5-1.10
root@ubuntu-kdc:/usr/local# ln -s krb5-1.10 /usr/local/krb5
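The versioned-directory-plus-symlink layout above is what makes switching builds quick, but a plain "ln -s" run a second time against an existing symlink creates the new link inside the target directory instead of replacing it. The following is an added example (not code from the original post) of a small pair of shell functions that switch the symlink safely and refuse to activate a tree that has no sbin/krb5kdc; PREFIX_ROOT, current_krb5_version and switch_krb5_version are assumed names, and the default root mirrors the post's /usr/local.

```shell
#!/bin/sh
# Added example, not from the original post: keep each MIT Kerberos build in
# its own versioned directory (krb5-1.10, krb5-1.10.1, ...) and point one
# symlink, $PREFIX_ROOT/krb5, at the active build.
# PREFIX_ROOT is an assumed variable; the post installs under /usr/local.

PREFIX_ROOT="${PREFIX_ROOT:-/usr/local}"

# Print the version the symlink currently selects, or "none" if unset.
current_krb5_version() {
    link="$PREFIX_ROOT/krb5"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")" | sed 's/^krb5-//'
    else
        echo none
    fi
}

# Point the symlink at krb5-<version>. Refuses when the target does not look
# like a finished install (no executable sbin/krb5kdc), so a half-built or
# partially installed tree is never activated. "ln -sfn" replaces the link
# itself; a bare "ln -s" against an existing directory symlink would instead
# create krb5/krb5-<version> inside the old target.
switch_krb5_version() {
    version="$1"
    target="$PREFIX_ROOT/krb5-$version"
    if [ ! -x "$target/sbin/krb5kdc" ]; then
        echo "refusing to activate $target: no sbin/krb5kdc" >&2
        return 1
    fi
    ln -sfn "krb5-$version" "$PREFIX_ROOT/krb5"
}

# Usage on a real host (run as root):
#   switch_krb5_version 1.10 && current_krb5_version
```

The krb5-1.10.tar.gz.asc file extracted alongside the tarball earlier is the detached signature for that tarball; checking it with gpg --verify krb5-1.10.tar.gz.asc krb5-1.10.tar.gz before the configure step is worth the few seconds it takes.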

Now, we are ready to configure the KDC with a basic configuration.

Configuring the KDC

These steps are somewhat platform independent because they involve configuring the application. The main difference between platforms/builds/packages is the default location of the kdc.conf and krb5.conf files. These can be determined on a platform by locating the man pages for the Kerberos installation and then looking at the man pages for krb5.conf and kdc.conf. Samples may even be available depending on the build (for me this path is /usr/local/krb5/share/examples/krb5/).

First the kdc.conf and krb5.conf files need to be built. For my build, the correct paths are /usr/local/krb5/var/krb5kdc/kdc.conf and /etc/krb5.conf.

My kdc.conf:

[kdcdefaults]
kdc_ports = 750,88

[realms]
MIKESBLOG.LAN = {
        database_name = /usr/local/krb5/var/krb5kdc/principal
        admin_keytab = FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/krb5/var/krb5kdc/kadm5.acl
        key_stash_file = /usr/local/krb5/var/krb5kdc/.k5.MIKESBLOG.LAN
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        }
 
 
My krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MIKESBLOG.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MIKESBLOG.LAN = {
  kdc = ubuntu-kdc.mikesblog.lan
  admin_server = ubuntu-kdc.mikesblog.lan
 }

[domain_realm]
 .mikesblog.lan = MIKESBLOG.LAN
 mikesblog.lan = MIKESBLOG.LAN
 
Then the database needs to be initialized, the ACL file needs to be built, and principals can be created. For my ACL file, I allow anyone defined in the database with a /admin instance to perform all Kerberos-related actions on the KDC. This file is moderately customizable (see MIT's installation guide site) based on permissions that need to be granted to other people/service accounts.

root@ubuntu-kdc:/usr/local# /usr/local/krb5/sbin/kdb5_util create -r MIKESBLOG.LAN -s
Loading random data
Initializing database '/usr/local/krb5/var/krb5kdc/principal' for realm 'MIKESBLOG.LAN',
master key name 'K/M@MIKESBLOG.LAN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

root@ubuntu-kdc:/usr/local# vi /usr/local/krb5/var/krb5kdc/kadm5.acl
root@ubuntu-kdc:/usr/local# cat /usr/local/krb5/var/krb5kdc/kadm5.acl
*/admin@MIKESBLOG.LAN x


From there, a couple of principals can be created with kadmin.local:

root@ubuntu-kdc:/usr/local# /usr/local/krb5/sbin/kadmin.local
Authenticating as principal root/admin@MIKESBLOG.LAN with password.
kadmin.local:  addprinc burrm/admin
WARNING: no policy specified for burrm/admin@MIKESBLOG.LAN; defaulting to no policy
Enter password for principal "burrm/admin@MIKESBLOG.LAN":
Re-enter password for principal "burrm/admin@MIKESBLOG.LAN":
Principal "burrm/admin@MIKESBLOG.LAN" created.
kadmin.local:  q


Finally the KDC and admin server can be started:

root@ubuntu-kdc:/usr/local# /usr/local/krb5/sbin/krb5kdc
root@ubuntu-kdc:/usr/local# /usr/local/krb5/sbin/kadmind


It may be desirable to create init scripts to start these on boot, but another option is to have an administrator manually start/stop them when needed. Additionally the firewall (typically iptables) needs to be adjusted to allow ports 750 and 88 (or others defined in the kdc.conf file).
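The realm name, KDC host name and listening ports each appear in more than one place across kdc.conf, krb5.conf and the firewall rules, and a mismatch between them is a common reason a freshly built KDC cannot be reached. The following is an added example (not code from the original post) that generates both files from a handful of variables, cross-checks that krb5.conf's default_realm is actually defined in kdc.conf, and derives the iptables rules from whatever kdc_ports says rather than from a hard-coded 750 and 88. REALM, KDC_HOST, KRB5_PREFIX and KDC_PORTS are assumed variable names; their defaults reproduce the MIKESBLOG.LAN values shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Renders kdc.conf and krb5.conf
# from one set of variables, checks the two files agree on the realm, and
# prints firewall rules derived from the kdc_ports setting in kdc.conf.
# REALM, KDC_HOST, KRB5_PREFIX and KDC_PORTS are assumed names; defaults
# mirror the post's configuration.

REALM="${REALM:-MIKESBLOG.LAN}"
KDC_HOST="${KDC_HOST:-ubuntu-kdc.mikesblog.lan}"
KRB5_PREFIX="${KRB5_PREFIX:-/usr/local/krb5}"
KDC_PORTS="${KDC_PORTS:-750,88}"

# Lower-case DNS domain derived from the realm name, for [domain_realm].
realm_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# kdc.conf, written to stdout; redirect to $KRB5_PREFIX/var/krb5kdc/kdc.conf.
render_kdc_conf() {
    cat <<EOF
[kdcdefaults]
kdc_ports = $KDC_PORTS

[realms]
$REALM = {
        database_name = $KRB5_PREFIX/var/krb5kdc/principal
        admin_keytab = FILE:$KRB5_PREFIX/var/krb5kdc/kadm5.keytab
        acl_file = $KRB5_PREFIX/var/krb5kdc/kadm5.acl
        key_stash_file = $KRB5_PREFIX/var/krb5kdc/.k5.$REALM
        kdc_ports = $KDC_PORTS
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        }
EOF
}

# krb5.conf, written to stdout; redirect to /etc/krb5.conf.
render_krb5_conf() {
    domain=$(realm_domain "$REALM")
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $REALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $REALM = {
  kdc = $KDC_HOST
  admin_server = $KDC_HOST
 }

[domain_realm]
 .$domain = $REALM
 $domain = $REALM
EOF
}

# Ports the KDC listens on, read from the first kdc_ports line of a kdc.conf,
# printed one per line.
kdc_ports_from_conf() {
    sed -n 's/^[[:space:]]*kdc_ports[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | tr ',' '\n'
}

# Succeeds only if krb5.conf's default_realm has a matching realm block in
# kdc.conf; a mismatch here is what produces "Cannot find KDC for realm".
check_realm_consistency() {
    kdc_conf="$1"; krb5_conf="$2"
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb5_conf" | head -n 1)
    [ -n "$realm" ] || return 1
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$kdc_conf"
}

# Print (do not apply) iptables rules opening every configured port for both
# UDP and TCP, since Kerberos clients use either transport.
iptables_rules_for_kdc() {
    kdc_ports_from_conf "$1" | while read -r port; do
        [ -n "$port" ] || continue
        echo "iptables -A INPUT -p udp --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
}

# Usage on the KDC host (as root):
#   render_kdc_conf  > "$KRB5_PREFIX/var/krb5kdc/kdc.conf"
#   render_krb5_conf > /etc/krb5.conf
#   check_realm_consistency "$KRB5_PREFIX/var/krb5kdc/kdc.conf" /etc/krb5.conf
#   iptables_rules_for_kdc "$KRB5_PREFIX/var/krb5kdc/kdc.conf"
```

The firewall function only prints the rules so they can be reviewed (and the UDP ones kept separate from TCP in a policy that restricts one of them) before anything is applied; piping its output to sh is a deliberate extra step.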

See Also:
Kerberos Password Policies Made Easy

