Before moving ahead to the configuration of Kerberos, let’s discuss why we need it.
In today’s digital world cybercrime keeps growing and no company is safe.
Attackers target companies to steal valuable data, so a company should adopt strong controls that keep that data secure. Today I am talking about a widely used authentication service, “Kerberos”, which provides robust authentication of users and services over an untrusted network.
Kerberos is a ticket-based authentication protocol that lets two or more nodes prove their identity to each other over an insecure network such as the internet, using secret-key (symmetric) cryptography. Once authenticated, the two sides share a session key that can also protect their communication.
Kerberos relies on a trusted third party known as the Key Distribution Center (KDC). The KDC is the heart of Kerberos.
It has three main components.
A. Authentication Server (AS): authenticates the user (principal) and, on success, issues a ticket granting ticket (TGT).
B. Database: stores every principal together with its long-term secret key; the AS and TGS look principals up here.
C. Ticket Granting Server (TGS): issues service tickets, one per service the user wants to reach, so the user never has to present the password again during the ticket lifetime.
Below are the steps involved in the Kerberos authentication process.
Step 1:
The user (client) asks the Authentication Server for a ticket granting ticket (AS-REQ).
Step 2:
The Authentication Server looks the principal up in the database and replies (AS-REP) with two things: a TGT, encrypted with the TGS’s own key so the client cannot read or alter it, and a session key encrypted with a key derived from the user’s password. Only a client that knows the password can recover the session key; a wrong password fails here, before any service is contacted.
Step 3:
The client sends the TGT to the Ticket Granting Server (TGS-REQ) together with an authenticator, which carries the username, network address and a timestamp and is encrypted with the session key.
Step 4:
The TGS decrypts the TGT with its own key, decrypts the authenticator with the session key found inside the TGT, checks that the names match and that the timestamp is fresh, and then issues a service ticket (TGS-REP) encrypted with the target service’s key, plus a new session key for the client and that service.
Step 5:
The client sends the service ticket and a fresh authenticator to the application server (AP-REQ).
Step 6:
The server decrypts the service ticket with its own long-term key (normally held in a keytab), verifies the authenticator against it, and then allows the user to access the service. Because the timestamp is checked against the clock-skew window (5 minutes by default in MIT Kerberos), the clocks of the client, KDC and server must be kept in sync.
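The six steps above as a runnable walk-through, added here as an example and not taken from the original article. It uses only the Python standard library and a toy HMAC-SHA256 encrypt-then-MAC construction in place of the real Kerberos enctypes and wire format, so what it shows is who holds which key and what each side can and cannot decrypt: the client never reads its own TGT, a wrong password fails before any service is contacted, and an authenticator outside the clock-skew window is refused. The principal names, the password, the salt and the 300-second skew are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "HADOOP.COM"
TGS = "krbtgt/" + REALM + "@" + REALM   # the TGS's own principal, as in real Kerberos
SKEW = 300                              # seconds; MIT krb5's default clock-skew window


def string2key(password, salt):
    # Stand-in for the Kerberos string-to-key function (real enctypes use their own KDFs).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, obj):
    # Toy encrypt-then-MAC over a JSON object: without `key` it can be neither read nor forged.
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed KDC database: principal -> long-term key, as addprinc would store it.
KDC_DB = {
    "ubuntu@" + REALM: string2key("ubuntu-passw0rd", REALM + "ubuntu"),
    TGS: os.urandom(32),
    "nfs/edge.hadoop.com@" + REALM: os.urandom(32),
}


def as_exchange(client):
    """Steps 1-2 (AS-REQ/AS-REP): the TGT is sealed under the TGS key, so the client can
    only forward it; the session key is sealed under the user's password-derived key."""
    if client not in KDC_DB:
        raise KeyError("unknown principal " + client)
    session = os.urandom(32).hex()
    tgt = encrypt(KDC_DB[TGS], {"client": client, "session": session, "expires": time.time() + 36000})
    rep = encrypt(KDC_DB[client], {"session": session, "tgs": TGS})
    return tgt, rep


def make_authenticator(session_key, client, now=None):
    # Client side: proves possession of the session key and timestamps the request.
    return encrypt(session_key, {"client": client, "ts": time.time() if now is None else now})


def check_ticket(service_key, ticket, authenticator, now=None):
    """Shared by the TGS (step 4) and the application server (step 6): open the ticket with
    the service's own key, then open the authenticator with the session key found inside."""
    now = time.time() if now is None else now
    t = decrypt(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(a["ts"] - now) > SKEW:
        raise ValueError("authenticator outside clock-skew window: replay or bad clock")
    return t


def tgs_exchange(tgt, authenticator, service):
    """Steps 3-4 (TGS-REQ/TGS-REP): validate the TGT, then issue a ticket sealed under the
    service's key plus a new session key sealed under the TGT session key."""
    t = check_ticket(KDC_DB[TGS], tgt, authenticator)
    svc_session = os.urandom(32).hex()
    ticket = encrypt(KDC_DB[service], {"client": t["client"], "session": svc_session, "expires": t["expires"]})
    rep = encrypt(bytes.fromhex(t["session"]), {"session": svc_session, "service": service})
    return ticket, rep


def login_and_access(password, service="nfs/edge.hadoop.com@" + REALM):
    """The client's view of all six steps; returns the principal the service accepted.
    A wrong password fails at step 2, before any service is ever contacted."""
    client = "ubuntu@" + REALM
    tgt, rep = as_exchange(client)
    tgs_session = bytes.fromhex(decrypt(string2key(password, REALM + "ubuntu"), rep)["session"])
    ticket, srep = tgs_exchange(tgt, make_authenticator(tgs_session, client), service)
    svc_session = bytes.fromhex(decrypt(tgs_session, srep)["session"])
    # Steps 5-6 (AP-REQ): the service checks the ticket with its own long-term key (its keytab).
    return check_ticket(KDC_DB[service], ticket, make_authenticator(svc_session, client))["client"]


if __name__ == "__main__":
    print(login_and_access("ubuntu-passw0rd"))
```

Note that the KDC never learns the session keys are in use and never talks to the application server: the service ticket is self-validating because it is sealed under the service’s own key, which is why the service’s keytab must be protected as carefully as a password.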
Before moving further, let’s have a brief introduction to realms and principals, as these terms will be used in the following steps.
Realm: a realm is the administrative domain (a logical area) within which one Kerberos authentication server authenticates users and services. Realm names are case-sensitive and conventionally written in upper case, for example HADOOP.COM.
Principal: a principal is a unique identity within a realm, either a user or a service. It is written name@REALM, for example ubuntu/admin@HADOOP.COM, which is the principal created later in this post.
Steps to start the Kerberos configuration
Server side:-
Set the hostname to the fully qualified domain name (FQDN) of the KDC
sudo hostnamectl set-hostname EDGE.HADOOP.COM
Check it by running the hostname command. Hostnames are case-insensitive but realm names are not, so use the same spelling of EDGE.HADOOP.COM everywhere below and keep the realm itself in upper case.

Open the /etc/hosts file
sudo vim /etc/hosts
and add the line below to it
10.0.0.33 EDGE.HADOOP.COM
where 10.0.0.33 is the IP address of the Kerberos server (replace it with your KDC’s address).
Install mentioned packages
sudo apt-get install krb5-kdc krb5-admin-server -y
Initialize a new realm on this instance so that it acts as the KDC server
sudo krb5_newrealm
This asks for the KDC database master key password.
Enter it twice to confirm. Keep this password safe: the master key encrypts every principal’s key in the KDC database, so anyone holding both the database file and the master key can recover all of them.

Now edit the KDC configuration file, which resides under /etc/krb5kdc/
sudo vim /etc/krb5kdc/kdc.conf
Make sure the realm section is named HADOOP.COM and that kdc_ports includes 88 (the standard Kerberos port); change both if they are not already set that way.

Now start and enable the Kerberos daemons
sudo systemctl start krb5-kdc.service
sudo systemctl enable krb5-kdc.service
sudo systemctl start krb5-admin-server.service
sudo systemctl enable krb5-admin-server.service
Client side:-
Make the same /etc/hosts entry on the client side, pointing at the KDC’s address
sudo vim /etc/hosts
10.0.0.33 EDGE.HADOOP.COM
Now install the Kerberos client packages on the client side
sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config -y
This will ask for the default Kerberos version 5 realm:
enter “HADOOP.COM” there.
Accept the defaults for the remaining prompts with OK.
Configure the Kerberos client configuration file
sudo vim /etc/krb5.conf
[libdefaults]
default_realm = HADOOP.COM
udp_preference_limit = 1
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
HADOOP.COM = {
kdc = EDGE.HADOOP.COM
admin_server = EDGE.HADOOP.COM
default_domain = HADOOP.COM
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
The Kerberos client configuration is now complete. Note that udp_preference_limit = 1 makes the client use TCP for all KDC traffic, so the firewall rules below must allow TCP, not only UDP.
Note: these are the ports that need to be opened on the KDC’s firewall
749 (TCP) kadmin, remote Kerberos administration
88 (TCP and UDP) Kerberos protocol (KDC) and 464 (TCP and UDP) kpasswd, password changes
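The krb5.conf above can be sanity-checked mechanically before the first kinit. The following is an added example and not code from the original post: a small Python reader for the krb5.conf syntax (the nested { } groups in [realms] defeat ordinary INI parsers) plus checks for the things this setup depends on: default_realm has a [realms] entry, the kdc and admin_server hosts appear in /etc/hosts as added above, no weak enctype line (DES, 3DES, RC4) has been uncommented, and [domain_realm] maps the domain to the realm. The sample configuration, the weak variant and the /etc/hosts text are constructed from the values on this page.

```python
import re

# Constructed sample: the client krb5.conf from this post, reduced to its active lines.
GOOD_CONF = """\
[libdefaults]
default_realm = HADOOP.COM
udp_preference_limit = 1
kdc_timesync = 1
forwardable = true
# default_tkt_enctypes = des3-hmac-sha1
[realms]
HADOOP.COM = {
kdc = EDGE.HADOOP.COM
admin_server = EDGE.HADOOP.COM
default_domain = HADOOP.COM
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
"""
# Constructed weak variant: the commented enctype line has been uncommented.
WEAK_CONF = GOOD_CONF.replace("# default_tkt_enctypes", "default_tkt_enctypes")
HOSTS = "127.0.0.1 localhost\n10.0.0.33 EDGE.HADOOP.COM\n"  # constructed /etc/hosts

WEAK_ENCTYPE = re.compile(r"\b(des|des3|rc4|arcfour)[\w-]*", re.I)


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, key = value lines, and the nested
    `name = { ... }` groups used in [realms]. Comments start with # or ;."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip()
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return conf


def parse_hosts(text):
    """/etc/hosts -> {lower-cased name: ip}; hostnames are case-insensitive, realms are not."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def check_client_config(conf, hosts):
    """Return the list of problems found (empty means the settings this post relies on are in place)."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    realms = conf.get("realms", {})
    if realm not in realms:
        return [f"default_realm {realm!r} has no [realms] entry"]
    for key in ("kdc", "admin_server"):
        host = realms[realm].get(key, "").split(":")[0]   # allow host:port
        if not host:
            findings.append(f"[realms] {realm} has no {key}")
        elif host.lower() not in hosts:
            findings.append(f"{key} host {host} is not in /etc/hosts: the client cannot reach the KDC")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        if key in libdefaults and WEAK_ENCTYPE.search(libdefaults[key]):
            findings.append(f"{key} pins weak enctypes ({libdefaults[key]}); drop the line to keep the AES defaults")
    if conf.get("domain_realm", {}).get("." + realm.lower()) != realm:
        findings.append(f"[domain_realm] does not map .{realm.lower()} to {realm}")
    return findings


if __name__ == "__main__":
    for name, conf, hosts in (("good", GOOD_CONF, HOSTS), ("weak", WEAK_CONF, "10.0.0.33 EDGE.HADOP.COM\n")):
        print(name, check_client_config(parse_krb5_conf(conf), parse_hosts(hosts)) or "OK")
```

To run it against a real machine, read /etc/krb5.conf and /etc/hosts into the two parsers instead of the constructed strings. The /etc/hosts check is the one that catches the most common first-kinit failure: a KDC name that was typed differently on the client and on the server.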
Server side:
Below is the command to add the ubuntu/admin principal in Kerberos. On the KDC this is done with the kadmin.local tool and its addprinc command, which prompts twice for the principal’s password.

Client side:
We can verify that Kerberos is working properly by obtaining a ticket with the kinit command.
kinit ubuntu/admin@HADOOP.COM
where ubuntu/admin@HADOOP.COM is the principal that was added on the server side. Enter the password set when the principal was created; if kinit returns without error, the klist command shows the TGT (krbtgt/HADOOP.COM@HADOOP.COM) in the credential cache. A “Clock skew too great” error means the client and KDC clocks are more than the skew window apart and need to be synchronized.
This Kerberos authentication can be used with big data technologies such as Hadoop HDFS and YARN, and with file servers such as NFS and Samba.
Conclusion:
This is all about the Kerberos configuration on the server and client side, which is popular nowadays for securing big data projects.