paulgorman.org/technical

Kerberos

Kerberos allows clients to authenticate to a service without sending their secrets over the network. This works with symmetric-key cryptography: the client and the service each share a secret key with a trusted third party, the Kerberos server, and never need to share one with each other. (Kerberos = three heads. Har.)

Kerberos is useful for implementing single sign-on, and is required for things like NFSv4 with Kerberos security (sec=krb5).

Note that Kerberos is purely authentication. It doesn’t do authorization or accounting.

Pieces:

  KDC: the Key Distribution Center, the Kerberos server holding the database of principals and their keys.
  AS: the Authentication Server, which authenticates a principal and issues it a TGT.
  TGS: the Ticket Granting Server, which exchanges a TGT for tickets to individual services.
  TGT: the Ticket Granting Ticket, the client's proof to the TGS that the AS has already authenticated it.
  SS: the Service Server, the kerberized service the client ultimately wants to use.

(The AS and TGS are subordinate to the KDC, and typically run on the same box.)

Process Overview:

  1. A principal (the client) sends a request to the AS naming itself. With pre-authentication, which is the norm today, it also sends the current time encrypted with its own long-term key, which is derived from its password.
  2. The AS looks up the client's key in the KDC database and uses it to check the pre-authentication. The password itself never crosses the network.
  3. The AS replies with a TGT, encrypted with the TGS's own key so the client can neither read nor alter it, plus a session key for talking to the TGS, encrypted with the client's key. Only a client that knows the password can decrypt that session key.
  4. When the client needs to communicate with another principal/service, it sends its TGT to the TGS together with an authenticator (its name and the current time) encrypted under the TGS session key.
  5. The TGS decrypts the TGT with its own key to verify the client identity, checks the authenticator, and issues a service ticket (encrypted with the service's key) plus a new session key for the client to use with that service.
  6. The client presents the service ticket and a fresh authenticator to the SS.
  7. The SS decrypts the ticket with its own key (kept in its keytab). Because only the SS and the KDC hold that key, a ticket that decrypts correctly must have been issued by the KDC, so the SS trusts the client's identity and permits access.

When the lifetime of the TGT expires, the client must obtain a new one (kinit again, or renew it if it was issued renewable). Timekeeping is vital for Kerberos: tickets carry issue and expiry times, and every authenticator carries a timestamp that the KDC or service rejects if it falls outside the permitted clock skew (five minutes by default), which is what stops a captured authenticator from being replayed later. Keep every host, KDCs and clients alike, synchronized with NTP.
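The whole exchange, as an added runnable example (my code, not code from this page or from Heimdal): a toy KDC, service and client in Python using only the standard library. The cipher, key derivation and message formats are simplified stand-ins for the real ones, and the principal names (paul, nfs/fs.example.org), passwords, timestamps and the five-minute skew limit are assumptions made up for the example. What it preserves is the structure of the exchange: who holds which key, which key each ticket is sealed under, pre-authentication, timestamps in authenticators, ticket expiry, and a replay cache at the service. secrets_on_wire() confirms that neither the password nor the client's long-term key ever appears in any message.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300        # seconds of clock skew the KDC and services tolerate (5 minutes is the usual default)
LIFETIME = 10 * 3600  # ticket lifetime used here for both TGTs and service tickets
WIRE = []             # every message "sent", so we can inspect what an eavesdropper would see

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def encrypt(key, obj):
    """Toy encrypt-then-MAC (NOT a real Kerberos enctype): nonce || ciphertext || tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, principal):  # stand-in for Kerberos string2key (password + salt -> key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 20000)

def send(msg):  # the "network": record the message for secrets_on_wire(), then deliver it unchanged
    WIRE.append(msg)
    return msg

def check_authenticator(auth, now, expected_client):
    """An authenticator must name the ticket's client and carry a timestamp within MAX_SKEW of now."""
    if auth["client"] != expected_client or abs(now - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("authenticator rejected: wrong client or clock skew too great")

class KDC:  # AS and TGS on one box sharing one principal database, as with Heimdal's kdc
    def __init__(self, realm, clock):
        self.realm, self.clock = realm, clock
        self.db = {"krbtgt/" + realm: os.urandom(32)}  # the TGS's own key; nobody else holds it
    def add_principal(self, name, password):
        self.db[name] = string_to_key(password, self.realm, name)
    def as_exchange(self, client, preauth):
        """AS-REQ with encrypted-timestamp pre-authentication -> AS-REP (TGT + TGS session key)."""
        check_authenticator(decrypt(self.db[client], preauth), self.clock, client)  # a wrong password fails here
        sk, exp = os.urandom(32).hex(), self.clock + LIFETIME
        tgt = encrypt(self.db["krbtgt/" + self.realm], {"client": client, "key": sk, "expires": exp})
        return send((tgt, encrypt(self.db[client], {"key": sk, "expires": exp})))
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ (TGT + authenticator) -> TGS-REP (service ticket + service session key)."""
        t = decrypt(self.db["krbtgt/" + self.realm], tgt)  # the client can neither read nor forge this
        if self.clock > t["expires"]: raise ValueError("TGT expired: kinit again")
        check_authenticator(decrypt(bytes.fromhex(t["key"]), authenticator), self.clock, t["client"])
        sk, exp = os.urandom(32).hex(), self.clock + LIFETIME
        ticket = encrypt(self.db[service], {"client": t["client"], "key": sk, "expires": exp})
        return send((ticket, encrypt(bytes.fromhex(t["key"]), {"key": sk, "service": service})))

class Service:  # a kerberised service: holds only its own key (from its keytab) plus a replay cache
    def __init__(self, name, key, clock):
        self.name, self.key, self.clock, self.replay_cache = name, key, clock, set()
    def accept(self, ticket, authenticator):
        t = decrypt(self.key, ticket)  # a good MAC means the KDC, the only other holder of this key, issued it
        if self.clock > t["expires"]: raise ValueError("service ticket expired")
        if authenticator in self.replay_cache: raise ValueError("replayed authenticator")
        self.replay_cache.add(authenticator)
        check_authenticator(decrypt(bytes.fromhex(t["key"]), authenticator), self.clock, t["client"])
        return t["client"]

class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, string_to_key(password, realm, name)  # the password never leaves this host
    def kinit(self, kdc, now):
        preauth = send(encrypt(self.key, {"client": self.name, "timestamp": now}))
        self.tgt, rep = kdc.as_exchange(self.name, preauth)
        self.tgs_key = bytes.fromhex(decrypt(self.key, rep)["key"])
    def get_ticket(self, kdc, service, now):
        auth = send(encrypt(self.tgs_key, {"client": self.name, "timestamp": now}))
        ticket, rep = kdc.tgs_exchange(self.tgt, auth, service)
        return ticket, bytes.fromhex(decrypt(self.tgs_key, rep)["key"])
    def ap_req(self, ticket, svc_key, now):
        return send((ticket, encrypt(svc_key, {"client": self.name, "timestamp": now})))

def run(password="correct horse", client_clock_offset=0, replay=False, now=1_700_000_000):
    """paul@EXAMPLE.ORG authenticates to nfs/fs.example.org; returns the name the service accepted."""
    WIRE.clear()
    kdc = KDC("EXAMPLE.ORG", now)
    kdc.add_principal("paul", "correct horse")  # the password on record at the KDC
    kdc.add_principal("nfs/fs.example.org", "keytab-secret")
    nfs = Service("nfs/fs.example.org", kdc.db["nfs/fs.example.org"], now)  # its key, as exported to a keytab
    paul = Client("paul", password, "EXAMPLE.ORG")
    t = now + client_clock_offset  # the client's own, possibly skewed, clock
    paul.kinit(kdc, t)
    ticket, svc_key = paul.get_ticket(kdc, nfs.name, t)
    req = paul.ap_req(ticket, svc_key, t)
    who = nfs.accept(*req)
    if replay: nfs.accept(*req)  # presenting the same AP-REQ twice is caught by the replay cache
    return who

def secrets_on_wire(password="correct horse"):
    """True if the password or the client's long-term key appears in any message captured by send()."""
    key = string_to_key(password, "EXAMPLE.ORG", "paul")
    seen = b"".join(b"".join(m) if isinstance(m, tuple) else m for m in WIRE)
    return password.encode() in seen or key in seen
```

run() is the happy path and returns "paul". run(password="wrong") fails at the AS with a MAC error before any ticket is issued, run(client_clock_offset=900) is rejected for clock skew at the same point, and run(replay=True) shows the service's replay cache catching a re-presented AP-REQ. A real KDC also tracks renewable lifetimes, multiple encryption types, and the client's address list, none of which is modelled here.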

Principals (clients and services) are grouped into an administrative domain called a realm. A user in a realm is written as paul@EXAMPLE.COM. The realm name is upper case by convention and is case-sensitive; it need not match a DNS domain name, but the upper-cased domain name is the usual choice.

Redundant Kerberos servers (a master and one or more slaves) are a good idea so clients can still get tickets if the primary goes down; list each KDC under the realm in krb5.conf so clients know where to fall back to.

Example

Here we set up two KDCs (a master and a slave) on FreeBSD, create one user, and one service.

There are two popular implementations of Kerberos: MIT and Heimdal. We will use Heimdal because it is included in the FreeBSD base system and Samba uses it.

Edit /etc/rc.conf:

kdc_enable="YES"
kadmind_enable="YES"

Edit /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
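The following added example (my code, not the page's or Heimdal's) parses this file format and answers the two questions a client must answer before it can kinit or reach a service: which KDCs serve a realm, and which realm a given hostname belongs to. It also lints the usual causes of "Cannot find KDC for realm" style failures. The sample config is the one above with a second kdc line added (an assumption, to show the redundancy recommended earlier); the matching rules follow what the MIT and Heimdal libraries do with [domain_realm]: an exact host entry wins, then the longest parent domain with a leading dot, and when nothing matches the library guesses the upper-cased domain (it may also consult DNS).

```python
# Constructed sample: the krb5.conf above, plus a second KDC so clients have a fallback.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        kdc = kerberos2.example.org
        admin_server = kerberos.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf profile syntax: [section], key = value, key = { ... } groups, # comments.
    Repeated keys (several 'kdc =' lines) are kept in order, so every value is a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif not stack:
            raise ValueError(f"setting outside any [section]: {line}")
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].split("=")[0].strip(), {}))
        else:
            key, _, value = line.partition("=")
            stack[-1].setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_for_host(conf, host):
    """Host -> realm as a client resolves it. Returns (realm, mapped); mapped=False means no
    [domain_realm] entry applied and we fell back to the upper-cased domain, as the libraries guess."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:                      # an entry without a leading dot names one exact host
        return mapping[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):          # then the longest parent domain with a leading dot
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], True
    return ".".join(labels[1:]).upper(), False

def kdcs_for_realm(conf, realm):
    """Every KDC listed for the realm, in the order clients will try them."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])

def lint(conf):
    """Checks for the misconfigurations behind 'Cannot find KDC for realm' and similar errors."""
    problems, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for name, realm in realms.items():
        if name != name.upper():
            problems.append(f"realm {name} is not upper case; realm names are case-sensitive")
        if not realm.get("kdc"):
            problems.append(f"realm {name} lists no kdc")
        elif len(realm["kdc"]) == 1:
            problems.append(f"realm {name} has a single KDC: no redundancy if it goes down")
    for domain, target in conf.get("domain_realm", {}).items():
        if target[0] not in realms:
            problems.append(f"[domain_realm] maps {domain} to {target[0]}, which has no [realms] entry")
    return problems
```

With the sample above, realm_for_host(conf, "fs.example.org") resolves through the .example.org entry, while a host under an unmapped domain comes back with mapped=False, which is the case to watch for when a service principal is unexpectedly looked up in the wrong realm. Running lint() on the page's original single-KDC file reports only the missing redundancy.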

Create the master key, which Heimdal uses to encrypt the principal database, by running:

# kstash
Master key: xxxxxxxxxxxxxxxxxxxxxxx
Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx

Supply a long and strong password. Because kstash stores it in /var/heimdal/m-key, it is not necessary to remember it; protect that file, since anyone who can read it can decrypt every key in the database.

Initialize the realm's database, then add a principal (kadmin -l works on the local database directly, so this works before kadmind is running):

# kadmin -l
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin> add myprincipal
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxx

Accepting [unlimited] is fine for a lab; in production give the realm and its principals a finite maximum ticket life, so a stolen ticket stops working.

Start the daemons:

# service kdc start
# service kadmind start

Obtain a ticket on our client, and view it:

$ kinit myprincipal
$ klist

(On a Debian client, if not already installed: apt-get install heimdal-clients.)
