Configure minimal MIT Kerberos server.
Preparations
Update package index.
$ sudo apt update
Upgrade operating system.
$ sudo apt upgrade
Ensure that hostname is defined.
$ sudo hostnamectl --static set-hostname kerberos.octocat.lab
Inspect the hosts file, which should be in its initial state.
$ cat /etc/hosts
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Kerberos server needs to have a static IP address assigned.
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
$ cat /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
    address 10.10.10.100
    netmask 255.255.0.0
    gateway 10.10.0.1
Configure NTP service
Install the chrony NTP daemon.
$ sudo apt install chrony
Stop unconfigured service.
$ sudo systemctl stop chrony
Delete default pool.
$ sudo sed -i -e "/\# Use Debian vendor zone./,+2d" /etc/chrony/chrony.conf
Define Debian NTP pool as a source.
$ cat << EOF | sudo tee /etc/chrony/sources.d/debian-pool.sources
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
EOF
Create a server configuration.
$ cat << EOF | sudo tee /etc/chrony/conf.d/server.conf
bindaddress 10.10.10.100
allow 10.10.0.1/16
EOF
Use Unix domain command socket for command and monitoring access.
$ cat << EOF | sudo tee /etc/chrony/conf.d/cmd.conf
bindcmdaddress /var/run/chrony/chronyd.sock
cmdport 0
EOF
Ensure that service is started and enabled at boot.
$ sudo systemctl enable --now chrony
Install DNS service
Install BIND DNS daemon.
$ sudo apt install bind9
Stop BIND daemon.
$ sudo systemctl stop named
Define DNS forwarder.
$ sudo cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                10.10.0.1;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        //listen-on-v6 { any; };
};
Load octocat zone.
$ sudo cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/etc/bind/zone.octocat";
Define octocat zone.
$ cat /etc/bind/zone.octocat
//
// local zone
//
zone "octocat.lab" IN {
        type primary;
        file "/etc/bind/db.octocat";
        allow-update { none; };
};
$ cat /etc/bind/db.octocat
;
; BIND data file for octocat zone
;
$ORIGIN octocat.lab.
$TTL    604800
@       IN      SOA     kerberos.octocat.lab. hostmaster.octocat.lab. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@         IN      NS      kerberos.octocat.lab.
kerberos  IN      A       10.10.10.100
hydra     IN      A       10.10.10.101
cerberus  IN      A       10.10.10.102
Check zone validity.
$ sudo named-checkzone octocat.lab /etc/bind/db.octocat
zone octocat.lab/IN: loaded serial 2 OK
Ensure that service is started and enabled at boot.
$ sudo systemctl enable --now named
Point the DNS resolver at the DNS server.
$ cat /etc/resolv.conf
nameserver 10.10.10.100
Install Kerberos server
Install Kerberos packages.
$ sudo DEBIAN_FRONTEND=noninteractive apt install krb5-admin-server krb5-kdc krb5-config krb5-user
Disable and stop Kerberos services.
$ sudo systemctl disable --now krb5-kdc.service
$ sudo systemctl disable --now krb5-admin-server.service
Inspect KDC configuration.
$ sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
Note that the Debian default master_key_type of des3-hmac-sha1 is an encryption type that MIT Kerberos has deprecated; if you want an AES master key, change it to aes256-cts-hmac-sha1-96 before the database is created below.
Create log directory and limit its permissions.
$ sudo mkdir /var/log/kerberos
$ sudo chmod -R 750 /var/log/kerberos
Create Kerberos configuration.
$ cat << EOF | sudo tee /etc/krb5.conf
[libdefaults]
    default_realm = OCTOCAT.LAB
    default_ccache_name = KEYRING:persistent:%{uid}
    forwardable = true

[realms]
    OCTOCAT.LAB = {
        kdc = kerberos.octocat.lab
        admin_server = kerberos.octocat.lab
        default_domain = octocat.lab
    }

[domain_realm]
    octocat.lab = OCTOCAT.LAB
    .octocat.lab = OCTOCAT.LAB

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
EOF
Initialize Kerberos database.
$ sudo kdb5_util create -s -P topecretmasterpassword
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'OCTOCAT.LAB',
master key name 'K/M@OCTOCAT.LAB'
Start and enable Kerberos KDC service.
$ sudo systemctl enable --now krb5-kdc.service
Start and enable Kerberos administrative service.
$ sudo systemctl enable --now krb5-admin-server.service
Inspect database contents.
$ sudo kadmin.local
Authenticating as principal root/admin@OCTOCAT.LAB with password.
kadmin.local:  listprincs
K/M@OCTOCAT.LAB
kadmin/admin@OCTOCAT.LAB
kadmin/changepw@OCTOCAT.LAB
kadmin/kerberos.octocat.lab@OCTOCAT.LAB
kiprop/kerberos.octocat.lab@OCTOCAT.LAB
krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
kadmin.local:  quit
Create access control list for Kerberos administration.
$ cat << EOF | sudo tee /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
EOF
Restart Kerberos Admin server.
$ sudo systemctl restart krb5-admin-server.service
Create admin user.
$ sudo kadmin.local
Authenticating as principal root/admin@OCTOCAT.LAB with password.
kadmin.local:  addprinc root/admin
No policy specified for root/admin@OCTOCAT.LAB; defaulting to no policy
Enter password for principal "root/admin@OCTOCAT.LAB": rootpassword
Re-enter password for principal "root/admin@OCTOCAT.LAB": rootpassword
Principal "root/admin@OCTOCAT.LAB" created.
kadmin.local:  quit
Create regular user.
$ kadmin -p root/admin
Couldn't open log file /var/log/kerberos/kadmin.log: Permission denied
Authenticating as principal root/admin with password.
Password for root/admin@OCTOCAT.LAB:
kadmin:  addprinc milosz
No policy specified for milosz@OCTOCAT.LAB; defaulting to no policy
Enter password for principal "milosz@OCTOCAT.LAB": miloszpass
Re-enter password for principal "milosz@OCTOCAT.LAB": miloszpass
Principal "milosz@OCTOCAT.LAB" created.
kadmin:  quit
The warning about kadmin.log is expected: the unprivileged kadmin client also honours the [logging] section of krb5.conf but cannot write into the root-owned /var/log/kerberos directory, and it does not affect the operation.
Obtain and cache Kerberos ticket-granting ticket.
$ kinit milosz
Password for milosz@OCTOCAT.LAB: miloszpass
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting     Expires            Service principal
11/07/21 02:06:58  11/07/21 12:06:58  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
	renew until 11/08/21 02:06:55
Basic Kerberos setup is complete.
Install and configure firewall
Install Dynamic Firewall Manager.
$ sudo apt install firewalld
Use public as the default zone.
$ sudo firewall-cmd --set-default-zone public
success
List default services.
$ sudo firewall-cmd --list-services --zone public
dhcpv6-client ssh
Disable DHCPv6.
$ sudo firewall-cmd --zone public --remove-service dhcpv6-client
success
Open ports for NTP and DNS services.
$ sudo firewall-cmd --zone public --add-service ntp --add-service dns
success
Open ports for Kerberos services.
$ sudo firewall-cmd --zone public --add-service kerberos --add-service kadmin --add-service kpasswd
success
List allowed services.
$ sudo firewall-cmd --list-services --zone public
dns kadmin kerberos kpasswd ntp ssh
Make changes permanent.
$ sudo firewall-cmd --runtime-to-permanent
success
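A post-install check script for the KDC built above, added here as an example and not part of the original post. It assumes the realm domain octocat.lab, the standard ports 88 (kdc), 749 (kadmin) and 464 (kpasswd), and that the live commands (hostname, ss, chronyc, sudo cat) are run on the KDC itself; each check takes command output as an argument, so it is exercised offline on constructed samples.

```shell
#!/bin/sh
# kdc_check.sh: post-install sanity checks for the KDC built in this post.
# Added example, not the post's own code. Assumes the realm domain octocat.lab
# and ports 88 (kdc), 749 (kadmin), 464 (kpasswd). Each check_* takes command
# output as $1 so it runs offline on the constructed samples below;
# 'sh kdc_check.sh --live' feeds it real output from this host.
# hostname -f must be an FQDN under the realm domain: kdb5_util derived the
# kadmin/ and kiprop/ service principals from it.
check_fqdn() { case "$1" in *.octocat.lab) return 0 ;; *) return 1 ;; esac; }
# Input: ss -lntu. Fail if any of the three Kerberos ports is not bound.
check_ports() {
  for p in 88 749 464; do
    printf '%s\n' "$1" | grep -Eq ":$p[[:space:]]" || return 1
  done
}
# Input: kdc.conf. Pass only when the master key uses an AES enctype; the
# Debian default des3-hmac-sha1 is deprecated by MIT Kerberos.
check_master_key() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*master_key_type[[:space:]]*=[[:space:]]*aes'
}
# Input: kadm5.acl. Print every active entry that grants all rights (*) to a
# wildcard principal, e.g. "*/admin *"; exit 0 when there is one to review.
check_acl_wildcard() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '^\*[^[:space:]]*[[:space:]]+\*([[:space:]]|$)'
}
# Input: chronyc tracking. An unsynchronised KDC gives clients clock skew errors.
check_time() { printf '%s\n' "$1" | grep -q '^Leap status *: Normal'; }

# Constructed samples, not captured from the post's host.
SS_SAMPLE='udp UNCONN 0 0   10.10.10.100:88  0.0.0.0:*
tcp LISTEN 0 128 10.10.10.100:88  0.0.0.0:*
tcp LISTEN 0 128 10.10.10.100:749 0.0.0.0:*
udp UNCONN 0 0   10.10.10.100:464 0.0.0.0:*'
KDC_SAMPLE='[realms]
  OCTOCAT.LAB = {
    master_key_type = des3-hmac-sha1
  }'
ACL_SAMPLE='# comment line
*/admin *
milosz@OCTOCAT.LAB x'

if [ "${1:-}" = "--live" ]; then
  check_fqdn "$(hostname -f)" && echo "fqdn: ok" || echo "fqdn: FAIL"
  check_ports "$(ss -lntu)" && echo "ports: ok" || echo "ports: FAIL"
  check_master_key "$(sudo cat /etc/krb5kdc/kdc.conf)" && echo "master key: ok" || echo "master key: FAIL"
  check_acl_wildcard "$(sudo cat /etc/krb5kdc/kadm5.acl)" && echo "acl: review wildcard entries above"
  check_time "$(chronyc tracking)" && echo "time: ok" || echo "time: FAIL"
fi
```

Run it without arguments to exercise the checks on the embedded samples, or with --live on the KDC to check the real host.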