
How to configure minimal MIT Kerberos server

Configure minimal MIT Kerberos server.

Preparations

Update package index.

$ sudo apt update

Upgrade operating system.

$ sudo apt upgrade

Ensure that the fully qualified hostname is set. Kerberos derives host-based service principals (for example `kadmin/kerberos.octocat.lab`) from it, and it must match the forward DNS record created later.

$ sudo hostnamectl --static set-hostname kerberos.octocat.lab

Inspect the hosts file, which should still be in its initial state.

$ cat /etc/hosts
127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Kerberos server needs to have a static IP address assigned.

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
$ cat /etc/network/interfaces.d/eth0 
auto eth0
iface eth0 inet static
        address 10.10.10.100
        netmask 255.255.0.0
        gateway 10.10.0.1

Configure NTP service

Install chrony NTP daemon.

$ sudo apt install chrony

Stop unconfigured service.

$ sudo systemctl stop chrony

Delete the default pool (note the file is `chrony.conf`; with a wrong path `sed -i` fails and the vendor pool stays active).

$ sudo sed -i -e "/\# Use Debian vendor zone./,+2d" /etc/chrony/chrony.conf

Define Debian NTP pool as a source.

$ cat << EOF | sudo tee /etc/chrony/sources.d/debian-pool.sources
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
EOF

Create a server configuration.

$ cat << EOF | sudo tee /etc/chrony/conf.d/server.conf
bindaddress 10.10.10.100
allow 10.10.0.1/16
EOF

Use Unix domain command socket for command and monitoring access.

$ cat << EOF | sudo tee /etc/chrony/conf.d/cmd.conf
bindcmdaddress /var/run/chrony/chronyd.sock
cmdport 0
EOF

Ensure that service is started and enabled at boot.

$ sudo systemctl enable --now  chrony

Install DNS service

Install BIND DNS daemon.

$ sudo apt install bind9

Stop BIND daemon.

$ sudo systemctl stop named

Define DNS forwarder.

$ sudo cat /etc/bind/named.conf.options 
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        forwarders {
                10.10.0.1;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        //listen-on-v6 { any; };
};

Load octocat zone.

$ sudo cat /etc/bind/named.conf.local 
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/etc/bind/zone.octocat";

Define octocat zone. It is static (`allow-update { none; }`); on BIND versions where `allow-transfer` defaults to `any`, also add `allow-transfer { none; };` so the zone cannot be pulled by arbitrary hosts.

$ cat /etc/bind/zone.octocat
//
// local zone
//

zone "octocat.lab" IN {
  type primary;
  file "/etc/bind/db.octocat";
  allow-update { none; };
};
$ cat /etc/bind/db.octocat
;
; BIND data file for octocat zone
;
$ORIGIN octocat.lab.
$TTL    604800
@       IN      SOA     kerberos.octocat.lab. hostmaster.octocat.lab. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      kerberos.octocat.lab.
kerberos IN     A       10.10.10.100
hydra    IN     A       10.10.10.101
cerberus IN     A       10.10.10.102

Check zone validity.

$ sudo named-checkzone octocat.lab /etc/bind/db.octocat 
zone octocat.lab/IN: loaded serial 2
OK

Ensure that service is started and enabled at boot.

$ sudo systemctl enable --now  named

Point the system resolver at the local DNS server.

$ cat /etc/resolv.conf 
nameserver 10.10.10.100

Install Kerberos server

Install Kerberos packages.

$ sudo DEBIAN_FRONTEND=noninteractive apt install krb5-admin-server krb5-kdc krb5-config krb5-user

Disable and stop Kerberos services.

$ sudo systemctl disable --now krb5-kdc.service 
$ sudo systemctl disable --now krb5-admin-server.service 

Inspect the KDC configuration. Before the database is created below, change `master_key_type = des3-hmac-sha1` to `master_key_type = aes256-cts-hmac-sha1-96` and uncomment `supported_enctypes` so only AES keys are generated: triple-DES is deprecated in MIT Kerberos, and changing the master key type later requires a master key rollover rather than a simple edit. Keep `default_principal_flags = +preauth`; it requires pre-authentication, so an attacker cannot request an AS-REP for an arbitrary principal and crack it offline.

$ sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Create log directory and limit its permissions.

$ sudo mkdir /var/log/kerberos
$ sudo chmod -R 750 /var/log/kerberos

Create Kerberos configuration. Two caveats: `forwardable = true` makes every TGT forwardable by default, so a service that receives a forwarded ticket can act as the user — leave it off unless delegation is actually needed. No reverse (PTR) zone was defined for `octocat.lab`, and MIT Kerberos by default canonicalizes server hostnames through reverse lookup (`rdns`); either add a reverse zone or set `rdns = false` in `[libdefaults]` to avoid service principal mismatches.

$ cat << EOF | sudo tee /etc/krb5.conf 
[libdefaults]
        default_realm = OCTOCAT.LAB
        default_ccache_name = KEYRING:persistent:%{uid}

        forwardable = true

[realms]
        OCTOCAT.LAB = {
                kdc = kerberos.octocat.lab
                admin_server = kerberos.octocat.lab
                default_domain = octocat.lab
        }

[domain_realm]
        octocat.lab = OCTOCAT.LAB
        .octocat.lab = OCTOCAT.LAB 

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
EOF

Initialize the Kerberos database. Do not pass the master password with `-P` on the command line: it is saved in the shell history and is visible to every local user through `ps` while the command runs. Enter it at the prompt instead. The `-s` flag writes the master key to the stash file (`/etc/krb5kdc/stash`) so the KDC can start unattended; keep that file readable by root only and protect backups of it like the database itself.

$ sudo kdb5_util create -s
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'OCTOCAT.LAB',
master key name 'K/M@OCTOCAT.LAB'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Start and enable Kerberos KDC service.

$ sudo systemctl enable --now krb5-kdc.service 

Start and enable Kerberos administrative service.

$ sudo systemctl enable --now krb5-admin-server.service 

Inspect database contents.

$ sudo kadmin.local
Authenticating as principal root/admin@OCTOCAT.LAB with password.
kadmin.local:  listprincs
K/M@OCTOCAT.LAB
kadmin/admin@OCTOCAT.LAB
kadmin/changepw@OCTOCAT.LAB
kadmin/kerberos.octocat.lab@OCTOCAT.LAB
kiprop/kerberos.octocat.lab@OCTOCAT.LAB
krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
kadmin.local:  quit

Create the access control list for Kerberos administration. The file is owned by root, so `tee` must run through `sudo`. The `*/admin *` rule grants full administrative rights to every principal whose instance is `admin`; that is fine for a lab, but in production list specific principals with the privileges they need.

$ cat << EOF | sudo tee /etc/krb5kdc/kadm5.acl 
# This file is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate.
# Any principal with an /admin instance is given full administrative rights.
*/admin *
EOF

Restart Kerberos Admin server.

$ sudo systemctl restart krb5-admin-server.service 

Create admin user (passwords are shown only for illustration; kadmin does not echo them).

$ sudo kadmin.local
Authenticating as principal root/admin@OCTOCAT.LAB with password.
kadmin.local:  addprinc root/admin
No policy specified for root/admin@OCTOCAT.LAB; defaulting to no policy
Enter password for principal "root/admin@OCTOCAT.LAB": rootpassword
Re-enter password for principal "root/admin@OCTOCAT.LAB": rootpassword
Principal "root/admin@OCTOCAT.LAB" created.
kadmin.local:  quit

Create regular user. When `kadmin` is run as an unprivileged user it reports `Couldn't open log file /var/log/kerberos/kadmin.log: Permission denied`, because the client picks up the `[logging]` settings from krb5.conf and cannot write to the root-only log directory created earlier; the warning is harmless and the command proceeds normally.

$ kadmin -p root/admin
Couldn't open log file /var/log/kerberos/kadmin.log: Permission denied
Authenticating as principal root/admin with password.
Password for root/admin@OCTOCAT.LAB: 
kadmin:  addprinc milosz
No policy specified for milosz@OCTOCAT.LAB; defaulting to no policy
Enter password for principal "milosz@OCTOCAT.LAB": miloszpass
Re-enter password for principal "milosz@OCTOCAT.LAB": miloszpass
Principal "milosz@OCTOCAT.LAB" created.
kadmin:  quit

Obtain and cache Kerberos ticket-granting ticket.

$ kinit milosz
Password for milosz@OCTOCAT.LAB: miloszpass
$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting     Expires            Service principal
11/07/21 02:06:58  11/07/21 12:06:58  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
        renew until 11/08/21 02:06:55

Basic Kerberos setup is complete.

Install and configure firewall

Install Dynamic Firewall Manager.

$ sudo apt install firewalld

Use public as a default zone.

$ sudo firewall-cmd --set-default-zone public
success

List default services.

$ sudo firewall-cmd --list-services --zone public
dhcpv6-client ssh

Disable DHCPv6.

$ sudo firewall-cmd --zone public --remove-service dhcpv6-client
success

Open ports for NTP and DNS services.

$ sudo firewall-cmd --zone public --add-service ntp --add-service dns
success

Open ports for Kerberos services. This exposes kadmin (TCP 749) and kpasswd (464) to every source the zone accepts; if administration is only done from known hosts, restrict kadmin to them with a rich rule instead of a plain service entry.

$ sudo firewall-cmd --zone public --add-service kerberos --add-service kadmin --add-service kpasswd
success

List allowed services.

$ sudo firewall-cmd --list-services  --zone public
dns kadmin kerberos kpasswd ntp ssh

Make changes permanent.

$ sudo firewall-cmd --runtime-to-permanent
success