And if you look for it as for silver and search for it as for hidden treasure, then you will understand the fear of the LORD and find the knowledge of God. (Proverbs 2:4-5)
Jeong Chul
tland12.wordpress.com
- Kerberos system
- Kerberos Version 4, 5 overview
- Kerberos Authentication
- Using Kadmin & Ticket control
- Kerberos Server Testing Environment Configuration
- Prerequisite
Part 2 Practice
- Step 7 Packages Installation
- Step 8 KDC Configuration
- Step 9 Application Server Configuration
- Step 10 Kerberos Testing: SSH and Telnet server
- Step 11 Packet Capture using Wireshark
2. Principals
a. A principal identifies each participant in a Kerberos authentication:
   - Users and network services
   - Identified by primary, instance, and realm, e.g. root/admin@CHUL.COM
b. Each principal has a password:
   - Passwords are used as encryption keys
   - Users memorize passwords
   - Services store passwords in a keytab file
   - The KDC knows all passwords
- User enters username and password
- The login program sends a request for a TGT for that principal to the KDC
- The KDC sends the login program a TGT encrypted using the user's password
- If the login program can decrypt the TGT with the password provided by the user, the user is authenticated
2. Ticket Authentication
- The client sends a request for a service ticket to the KDC's ticket granting service
- The KDC sends the client two identical copies: one encrypted with the TGT, one encrypted with the service password
- The client sends the network service the ticket encrypted with the service's password, plus a timestamp encrypted with the ticket
2. Kerberos Clients
a. Set up /etc/krb5.conf for the realm
b. Get an initial TGT:
   - kinit gets a new TGT
   - klist lists available credentials
   - kdestroy deletes all credentials
   - ktutil can be used to view keytab files
c. Tickets are stored in /tmp/krb5cc_UID
2. client.chul.com: 192.168.80.10 on CentOS 5.8
   - Application server: Telnet and SSH server
   - Client for packet capture (Linux)
3. Kerberos Realm: CHUL.COM
# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.80.25   server.chul.com         server
192.168.80.10   client.chul.com         client
Network Time Protocol -> enable time protocol
Time Zone -> Phnom_Penh
[root@server]# kdb5_util create -r CHUL.COM -s
[root@server]# ls /var/kerberos/krb5kdc/principal
3. Edit the [realms] block in /var/kerberos/krb5kdc/kdc.conf
# vi /var/kerberos/krb5kdc/kdc.conf
[realms]
 CHUL.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
 }
4. Edit /var/kerberos/krb5kdc/kadm5.acl, which controls which administrative privileges are available to which principals. Each line has the form: principal, permissions, target principal.
# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@CHUL.COM *
// allows any principal with an instance of admin full access to the database
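To see what a kadm5.acl entry actually grants, here is an added example (not from the slides or from MIT Kerberos) that evaluates an ACL the way kadmind does, under these assumed MIT rules: '*' wildcards within one name component, lower-case letters allow and upper-case deny, 'x' or '*' means all of "admcilsp", '*N' in the target copies component N of the requester, a missing or bare '*' target matches any principal, and the first matching line decides (restriction fields ignored). The constructed SAMPLE_ACL keeps the slides' */admin@CHUL.COM * entry, and full_wildcard_grants() flags it, since it gives every admin-instance principal every right over every principal in the realm.

```python
# Added example, not from the slides: who may do what under an MIT kadm5.acl.
import re
ALL_PERMS = "admcilsp"  # add delete modify changepw inquire list setkey propagate

def split_principal(name):  # 'root/admin@CHUL.COM' -> ['root','admin','CHUL.COM']
    primary, _, realm = name.rpartition("@")
    return primary.split("/") + [realm]

def match_principal(pattern, principal, requester=None):
    """Component-wise match; only '*' is a wildcard, '*N' a backreference."""
    pat, comp = split_principal(pattern), split_principal(principal)
    if len(pat) != len(comp):
        return False
    for p, c in zip(pat, comp):
        if requester is not None and p.startswith("*") and p[1:].isdigit():
            n = int(p[1:]) - 1  # '*1' copies the requester's first component
            p = requester[n] if n < len(requester) else ""
        if re.fullmatch(".*".join(map(re.escape, p.split("*"))), c) is None:
            return False
    return True

def parse_acl(text):
    """Yield (principal_pattern, allowed_ops, target_pattern_or_None) per entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        allow, deny = set(), set()
        for ch in fields[1]:  # lower-case grants, upper-case denies, x/* = all
            letters = ALL_PERMS if ch in "x*X" else ch.lower()
            (deny if ch.isupper() else allow).update(letters)
        target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        yield fields[0], allow - deny, target

def allowed(acl_text, requester, op, target):  # may requester do op (a letter) on target?
    req = split_principal(requester)
    for who, ops, tgt in parse_acl(acl_text):
        if match_principal(who, requester) and (tgt is None or match_principal(tgt, target, req)):
            return op in ops  # first matching entry decides
    return False  # no matching entry: kadmind denies

def full_wildcard_grants(acl_text):  # wildcard principals with every right on every target
    return [who for who, ops, tgt in parse_acl(acl_text)
            if "*" in who and ops == set(ALL_PERMS) and tgt is None]

SAMPLE_ACL = """# constructed ACL for the CHUL.COM realm, not the slides' file
*/admin@CHUL.COM *
jeong@CHUL.COM Ail
*/helpdesk@CHUL.COM ci *1@CHUL.COM
"""
```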
// adding admin principal
// adding user
// list principals
// show information about principal
The krb5.keytab file contains the host principal and password for the system.