NOTA BENE Gli esempi citati in questa guida si intendono per MIT Kerberos 5 versione 1.6 su Scientific Linux 5.1.
kdc.example.com: KDC del realm EXAMPLE.COM e DNS di example.com
client.example.com: client Kerberizzato appartenente al realm EXAMPLE.COM
server.example.com: server applicativo Kerberizzato appartenente al realm EXAMPLE.COM
lab1.d1.example.com: KDC del realm D1.EXAMPLE.COM e DNS di d1.example.com
lab2.d2.example.com: KDC del realm D2.EXAMPLE.COM e DNS di d2.example.com
….
….
….
labn.dn.example.com: KDC del realm Dn.EXAMPLE.COM e DNS di dn.example.com
[root@kdc ~]$ yum install krb5-server
[root@kdc ~]$ vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@kdc ~]# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
[root@kdc ~]$ kdb5_util create -s
[root@kdc ~]$ service krb5kdc start
[root@kdc ~]$ service kadmin start
[root@kdc ~]$ service krb524 start
[root@kdc ~]$ kadmin.local
kadmin.local: listprincs
kadmin.local: addprinc admin/admin
[root@kdc ~]$ vi /var/kerberos/krb5kdc/kadm5.acl
[root@kdc ~]$ kinit admin/admin
[root@kdc ~]$ kadmin
kadmin: addprinc user1
kadmin: addprinc -randkey host/kdc.example.com
kadmin: ktadd host/kdc.example.com
kadmin: exit
[root@kdc ~] vi /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes (elimina il ticket alla chiusura della sessione ssh)
[root@kdc ~]$ service sshd restart
[root@kdc ~]$ vi /etc/ssh/ssh_config
GSSAPIDelegateCredentials yes (abilita il client ssh al forwarding del ticket)
[root@kdc ~]$ adduser -m user1
[root@kdc ~]$ kinit user1
[root@kdc ~]$ klist
[root@kdc ~]$ ssh user1@kdc.example.com
[user1@kdc ~]$ klist (la cache delle credenziali è vuota)
[user1@kdc ~]$ exit
[root@kdc ~]$ kinit -f user1
[root@kdc ~]$ klist -f
[root@kdc ~]$ ssh user1@kdc.example.com
[user1@kdc ~]$ klist -f (notare che il TGT è ancora forwardabile)
[user1@kdc ~]$ exit
[root@kdc ~]$ authconfig –update –enablekrb5
[root@kdc ~]$ vi /etc/pam.d/system-auth (aggiungere validate)
auth sufficient pam_krb5.so use_first_pass validate
[root@kdc ~]$ vi /etc/xinetd.d/krb5-telnet (verificare che disable = no)
[root@kdc ~]$ service xinetd restart
[root@kdc ~]$ telnet -f -a -l user1 kdc.example.com
[user1@kdc ~]$ exit
[root@kdc ~]$ vi /var/named/data/example.db
_kerberos IN TXT "EXAMPLE.COM"
_kerberos._udp IN SRV 0 0 88 kerberos
_kerberos._tcp IN SRV 0 0 88 kerberos
_kerberos-master._udp IN SRV 0 0 88 kerberos
_kerberos-adm._tcp IN SRV 0 0 749 kerberos
_kpasswd._udp IN SRV 0 0 464 kerberos