Configure Kerberos server and client

Reading Time: 4 minutes

Before moving ahead to the configuration of Kerberos let’s discuss why we need Kerberos.

In this digital world, cybercrime is increasing in ways where no companies are safe.

Cyber attackers are targeting companies to steal important data. For good practice, companies should adopt powerful solutions which help to keep their data secure and safe from these attackers. Today I am talking about a most secure authentication service – “Kerberos” which provides a robust solution in an untrusted network in a secure manner.

Kerberos is an authentication protocol which works on the basis of tickets between two or more different nodes in an insecure network like the internet using secret-key cryptography. It provides secure communication between nodes.

Kerberos runs as a third party trusted server known as Kerberos Distribution Center (KDC). KDC is the heart of Kerberos.

It has three main components.

A. Application Server (AS) : Application Server authenticate user and basis of authentication generates ticket granting ticket(TGT)

B. Database : Application Server verify the rights of users(principal) from the database.

C. Ticket granting server (TGS) : TGS issues the service ticket for the server.

Below are the steps which involve during the Kerberos authentication process.

Step1:

User requests to the Application server for the access of service.

step2:

Application server authenticates the user by verifying its rights from the database and then generates a TGT(ticket granting ticket) and sends it to users. results are encrypted by the password of users.

Step3:

Then the user decrypts the message and sends the ticket to the Ticket granting server. A ticket contains authenticator information like username, network address.

Step4:

ticket granting server decrypts the ticket and authenticator verifies the request then TGS generates a service ticket to the user to allow for the services.

step5:

the user sends a service ticket and authenticator to the server.

step6:

server verifies the service ticket and authenticator then allows the user to access the services.

Before moving further let’s have a brief introduction about realm and principals as these terms will be used in further steps.

Realm: realm is a domain or logical area where Kerberos authentication server authenticates the users and services.

Principals: principals is the user in Kerberos which has unique identity within realm.

Steps to start the Kerberos configuration

Server side:- 

Change the hostname as FQDN

sudo hostnamectl set-hostname EDGE.HADOOP.COM

Check by running hostname command

Open /etc/hosts file 

sudo vim /etc/hosts

And add below mentioned line on that

10.0.0.33 EDGE.HADOOP.COM

where 10.0.0.33 is the IP of Kerberos server

Install mentioned packages

sudo apt-get install krb5-kdc krb5-admin-server -y

Initialize new realm in this instance so that this will act as KDC server

sudo krb5_newrealm

This will ask for the KDC database master key password.

Please enter twice to verify same password

Now change the configuration file of KDC which resides under /etc/krb5kdc/

Change port number to 88 if not there

sudo vim /etc/krb5kdc/kdc.conf

And also change realm to HADOOP.COM

Now start and enable daemon services for kerberos 

sudo systemctl start krb5-kdc.service
sudo systemctl enable krb5-kdc.service

sudo systemctl start krb5-admin-server.service
sudo systemctl enable krb5-admin-server.service

Client side:-

Make same host file entry in client side

sudo vim /etc/hosts

10.0.0.118 EDGE.HADOOP.COM

Now install client kerberos packages in client side

sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config -y

This will ask for default kerberos version 5 realm:

Need to enter there “HADOOP.COM”

Then go with default one with ok

Configure the config file of kerberos client

sudo vim /etc/krb5.conf
[libdefaults]
        default_realm = HADOOP.COM
    udp_preference_limit = 1

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        HADOOP.COM = {
                kdc = EDGE.HADOOP.COM
                admin_server = EDGE.HADOOP.COM
                default_domain = HADOOP.COM
}

[domain_realm]
        .hadoop.com = HADOOP.COM
        hadoop.com = HADOOP.COM

Now we can say Kerberos client configuration has been done.

Note:- these are the ports that need to open from firewall side
        749       kerberos administration
        88,464    kerberos protocol

Server side:

below is the command to add ubuntu principal in kerberos.

Client side:

we can verify whether kerberos is working properly by running kinit command.

kinit ubuntu/admin@HADOOP.COM

where ubuntu/admin@HADOOP.COM is the principal which has added in server side

this Kerberos authentication can be used with big data technologies like HADOOP HDFS, YARN and with file servers as well like NFS, SAMBA.

Conclusion:

This is all about the Kerberos configuration for server and client end which is popular nowadays for implementing big data projects.

References:

https://web.mit.edu/kerberos/

https://blog.eduonix.com/bigdata-and-hadoop/learn-secure-hadoop-cluster-using-kerberos-part-1/