Difference between revisions of "Kerberos"

From ProgClub

Revision as of 23:30, 9 August 2011

This page details the Kerberos configuration at ProgClub. Check out Network administration for other network-admin-related material. See Single sign-on for other SSO-related material.

Project status

Complete! Charity is now configured as the KDC. SSH integration is still pending, and there are a few more things to do for Single sign-on, but Kerberos is functional.

DNS configuration

See Hostnames for the Master and Slave KDCs for information about configuring DNS for Kerberos. ProgClub's DNS configuration for Kerberos is as follows:

progclub.org

    $ORIGIN progclub.org.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.com

    $ORIGIN progclub.com.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.info

    $ORIGIN progclub.info.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.net

    $ORIGIN progclub.net.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.co

    $ORIGIN progclub.co.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.mobi

    $ORIGIN progclub.mobi.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

KDC configuration

The KDC (Key Distribution Centre) for ProgClub is charity.progclub.org, aliased as kerberos.progclub.*.

Configuration

root@charity:/etc# ll kr*
-rw-r--r-- 1 root root 1755 2011-08-05 02:36 krb5.conf

krb5kdc:
total 20
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 78 root root 4096 2011-08-05 02:37 ../
-rw-r--r--  1 root root  353 2011-08-04 11:53 kadm5.acl
-rw-r--r--  1 root root  640 2011-08-04 11:49 kdc.conf
-rw-------  1 root root   65 2011-08-04 11:57 stash
root@charity:/etc# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true 

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java). 

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1 

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }

[domain_realm]
        .progclub.org = PROGCLUB.ORG
        progclub.org = PROGCLUB.ORG
        .progclub.com = PROGCLUB.ORG
        progclub.com = PROGCLUB.ORG
        .progclub.info = PROGCLUB.ORG
        progclub.info = PROGCLUB.ORG
        .progclub.net = PROGCLUB.ORG
        progclub.net = PROGCLUB.ORG
        .progclub.co = PROGCLUB.ORG
        progclub.co = PROGCLUB.ORG
        .progclub.mobi = PROGCLUB.ORG
        progclub.mobi = PROGCLUB.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false
root@charity:/etc# cat krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG    *
root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
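The kdc.conf above advertises single-DES, RC4 (arcfour) and 3DES enctypes alongside AES, and stashes a 3DES master key. The script below is an added example, not part of ProgClub's configuration: it parses the MIT profile format shared by krb5.conf and kdc.conf (sections, key = value lines, nested brace blocks) and lists the supported_enctypes and master_key_type entries that rely on ciphers deprecated for Kerberos (single DES by RFC 6649; RC4 and 3DES by RFC 8429). The sample text is constructed from the values shown on this page.

```python
import re

# kdc.conf excerpt constructed from the values shown on this page.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""

# Enctype families deprecated for Kerberos: single DES (RFC 6649),
# RC4/arcfour and triple DES (RFC 8429).
WEAK_PREFIXES = ("des-", "des:", "des3-", "arcfour-", "rc4-")

def parse_profile(text):
    """Parse the MIT krb5 profile format: [section] headers, 'key = value'
    lines and nested 'key = { ... }' blocks. Returns nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:                              # new top-level section
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":                       # close nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # open nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def weak_enctypes(realm):
    """Return a realm's supported_enctypes entries (enctype:salt) and its
    master_key_type when they use a deprecated cipher."""
    found = [e for e in realm.get("supported_enctypes", "").split()
             if e.lower().startswith(WEAK_PREFIXES)]
    mk = realm.get("master_key_type", "")
    if mk.lower().startswith(WEAK_PREFIXES):
        found.append("master_key_type=" + mk)
    return found
```

Run against the sample it reports eight weak supported_enctypes entries plus the 3DES master key; only aes256-cts:normal passes.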

Database

root@charity:/etc# cd /var/lib/krb5kdc/
root@charity:/var/lib/krb5kdc# ll
total 24
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 30 root root 4096 2011-08-04 11:37 ../
-rw-------  1 root root 8192 2011-08-05 02:55 principal
-rw-------  1 root root 8192 2011-08-04 11:57 principal.kadm5
-rw-------  1 root root    0 2011-08-04 11:57 principal.kadm5.lock
-rw-------  1 root root    0 2011-08-05 02:55 principal.ok

Keytab files

root@charity:/var/lib/krb5kdc# cd /etc
root@charity:/etc# find -name "*.keytab"
./apache2/apache2.keytab