TP Kerberos
Uploaded by

aziz jeribi

Contents

List of Figures

List of Tables

Introduction
0.1 Kerberos Definition
0.2 How does it work?

1 Setting up
1.1 Requirements
1.2 Configuring DNS
1.3 Time synchronization
1.3.1 Time server
1.3.2 Synchronize machines
1.4 Configuring KDC [1][2]
1.4.1 Package installation
1.4.2 Database creation
1.4.3 Principal creation
1.4.4 Server restart
1.5 Configuring Client and Service [1][2]
1.5.1 Client configuration
1.5.2 Service configuration [3]

2 SSH Authentication
2.1 User creation
2.2 SSH authentication
2.3 Principal creation
2.4 OpenSSH Configuration
2.5 SSH authentication without password

Conclusion

References

List of Figures

1.1 /etc/hosts file content
1.2 /etc/ntp.conf file content in KDC machine
1.3 /etc/ntp.conf file content in Client and Service machines
1.4 Synchronizing time on Client machine
1.5 Defining realm
1.6 Defining Kerberos server
1.7 Defining administrative server
1.8 Creating new database
1.9 Create administrator principal
1.10 Grant privileges to admin
1.11 Check krb5-admin-server running correctly
1.12 Creating new database

2.1 sshd configuration file
2.2 Initializing and listing ticket
2.3 SSH login without password

List of Tables

1.1 Machines set up
Introduction

In this report, we will explain how to set up a Kerberos authentication system based
on Linux systems. In this system, we will have a Key Distribution Center, a Client
and a Service. The Client will be able to connect to the Service using SSH and Kerberos
authentication.

0.1 Kerberos Definition


Kerberos is an AAA authentication protocol from the Massachusetts Institute of
Technology (MIT) "Athena" project. Its name "Kerberos" comes from Greek mythology
and corresponds to the name of the three-headed dog guarding the gates of
Hades. It is aptly named because it is responsible for authenticating, authorizing,
and monitoring users who want to access resources and services on your network. It
acts as a watchdog against intruders on your network services. The Kerberos
protocol has been standardized in version 5 by the IETF in RFC 1510 (September
1993) and RFC 1964 (June 1996).

0.2 How does it work?


Kerberos is a standard that solves many security, administrative, and productivity
issues in authenticating clients and services within a network. Indeed, Kerberos
introduces the principle of Single Sign-On (SSO): with a single authentication,
the user has access to all the services of the network.
Kerberos relies on a trusted third party to manage authentication, the KDC
(Key Distribution Center). All users and services on the network trust this third
party. To achieve authentication security, Kerberos uses an encryption mechanism
based on symmetric key algorithms. Each subject and service in the network has a
secret key shared with the KDC.
Kerberos uses a ticket system to perform authentication, which is what makes SSO
possible. The user authenticates on the KDC and then uses a
ticket to authenticate on each requested service. The user never sends his password
to the service.
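To make the ticket flow described above concrete, here is an added Python model of the exchange (not part of the report): the KDC holds one key per principal, the Client's password is only used locally to open the AS reply, the Service checks the ticket with its own keytab key, and the authenticator timestamp is checked against the 5-minute skew tolerance, which is why the time synchronization of section 1.3 matters. The cipher, message fields and function names are constructed for illustration and are not Kerberos' real encoding.

```python
import hashlib, hmac, json, os
SKEW = 300  # clock-skew tolerance in seconds (MIT Kerberos default is 5 minutes)

def _stream(key, nonce, n):  # toy keystream: a stand-in for real Kerberos encryption
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a dict under a shared symmetric key
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # raises on a wrong key or a tampered blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_from_password(pw):  # derived on the client; the password itself is never sent
    return hashlib.sha256(pw.encode()).digest()
class KDC:  # trusted third party: one secret key per principal, AS and TGS roles
    def __init__(self):
        self.db, self.tgs_key = {}, os.urandom(32)  # tgs_key plays krbtgt/REALM
    def addprinc(self, name, password=None):  # like kadmin addprinc / addprinc -randkey
        self.db[name] = key_from_password(password) if password else os.urandom(32)
        return self.db[name]  # returned so a service can hold its "keytab" key
    def as_exchange(self, user, now):  # kinit: AS-REP (sealed with the user's key) + TGT
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": now + 36000})
        return seal(self.db[user], {"sk": sk}), tgt
    def tgs_exchange(self, tgt, service, now):  # TGS-REQ: TGT -> service ticket
        t = unseal(self.tgs_key, tgt)
        if now > t["exp"]: raise ValueError("TGT expired")
        ssk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"user": t["user"], "ssk": ssk, "exp": now + 36000})
        return seal(bytes.fromhex(t["sk"]), {"ssk": ssk}), ticket

def client_login(kdc, user, password, service, now):  # Client side: TGT, then AP-REQ
    rep, tgt = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(key_from_password(password), rep)["sk"])
    rep2, ticket = kdc.tgs_exchange(tgt, service, now)
    ssk = bytes.fromhex(unseal(sk, rep2)["ssk"])
    return ticket, seal(ssk, {"user": user, "ts": now})  # ticket + timestamped authenticator

def service_accept(service_key, ticket, authenticator, now):  # Service side, keytab key only
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["ssk"]), authenticator)
    if now > t["exp"] or abs(now - a["ts"]) > SKEW or a["user"] != t["user"]:
        raise ValueError("expired ticket or stale/mismatched authenticator")
    return t["user"]
```

An authenticator replayed more than SKEW seconds later, or a wrong password on the client, both fail at the verification step rather than at the service's password prompt.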

Chapter 1

Setting up

In this chapter, we will show how to set up all the machines in order to create a
Kerberos-based authentication system.

1.1 Requirements
In order to create this system, we will need:

• A domain name: "insat.tn"

• A realm (1): "INSAT.TN"

• At least 3 machines with admin privileges, one for the KDC, one for the Client
and one for the Service

Role     IP              Sub-domain name
KDC      192.168.42.133  kdc.insat.tn
Service  192.168.42.132  service1.insat.tn
Client   192.168.42.186  client1.insat.tn

Table 1.1: Machines set up

All of the machines above are running on Ubuntu 18.04.


All the setup operations must be run as admin (root):
$ su

1.2 Configuring DNS


A DNS server is required to match domain names with their IPs. For this example,
we will simply use the hosts file. We run:
$ nano /etc/hosts

(1) A Kerberos realm is the domain over which a Kerberos authentication server has the authority
to authenticate a user, host or service. A realm name is often, but not always, the upper-case
version of the name of the DNS domain over which it presides.

Kerberos Based System

and put the following content:

Figure 1.1: /etc/hosts file content

For each machine, we set a new hostname.

In KDC:
$ hostnamectl set-hostname kdc.insat.tn
In Client:
$ hostnamectl set-hostname client1.insat.tn
In Service:
$ hostnamectl set-hostname service1.insat.tn

1.3 Time synchronization


Kerberos is time sensitive: it uses a timestamp mechanism to check the validity of a
ticket, so clocks that drift apart cause authentication to fail.
Thus, we will create our own time server and synchronize all the machines to it.

1.3.1 Time server


Our time server will be the KDC machine. We need to install ntp [4]:
$ apt install ntp
Then, edit /etc/ntp.conf as follows:

Figure 1.2: /etc/ntp.conf file content in KDC machine


1.3.2 Synchronize machines


Once the time server is set, we install ntp and ntpdate on the Client and Service machines:
$ apt install ntp
$ apt install ntpdate
Then, edit /etc/ntp.conf as follows:

Figure 1.3: /etc/ntp.conf file content in Client and Service machines

Now, we update the machine time by running:

$ ntpdate -dv 192.168.42.133

Figure 1.4: Synchronizing time on Client machine


1.4 Configuring KDC[1][2]


1.4.1 Package installation
In order to configure the KDC, we need to install krb5-kdc, krb5-admin-server and
krb5-config:
$ apt install krb5-kdc krb5-admin-server krb5-config
During installation, we need to set the realm, the Kerberos server and the administrative
server as follows:

Figure 1.5: Defining realm

Figure 1.6: Defining Kerberos server

Figure 1.7: Defining administrative server

Installation will throw an error because no database will be found. We will create
one in the next sub-section.


1.4.2 Database creation


We create a database by running:
$ krb5_newrealm
and choosing a strong master password.

Figure 1.8: Creating new database

1.4.3 Principal creation


We create an admin principal and a host principal for the KDC and generate a keytab for
the host.
To do so, we log in as local admin:
$ kadmin.local
We create an admin principal with a strong password:
addprinc root/admin
We create a host principal with a random key and generate its keytab:
addprinc -randkey host/kdc.insat.tn
ktadd host/kdc.insat.tn


Figure 1.9: Create administrator principal

Next, we grant all the privileges to admin in the /etc/krb5kdc/kadm5.acl file.

Figure 1.10: Grant privileges to admin

The last line means "give all privileges to admin"; * means all privileges.

1.4.4 Server restart


Restart krb5-admin-server:
$ systemctl restart krb5-admin-server
Check that the service has restarted correctly:
$ systemctl status krb5-admin-server

Figure 1.11: Check krb5-admin-server running correctly


1.5 Configuring Client and Service[1][2]


Both the Client and the Service machines are considered Kerberos clients.

1.5.1 Client configuration


1.5.1.1 Package installation
We need to install krb5-user and some other packages by running:
$ apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config
and type the same information as in figures 1.5, 1.6 and 1.7.

1.5.1.2 Principal configuration


To configure the Kerberos client, we need to log in to the KDC as admin:
$ kadmin
Type the admin password, then create a new host principal and add its keytab:
addprinc -randkey host/client1.insat.tn
ktadd host/client1.insat.tn

Figure 1.12: Creating new database

Now, the Client is ready to authenticate using Kerberos.

1.5.2 Service configuration [3]


We followed the same steps as in section 1.5.1 and adjusted the information accordingly.

1.5.2.1 OpenSSH installation


In order to connect to the Service machine using SSH, we need to install OpenSSH:
$ apt install openssh-server
We allow OpenSSH in the firewall:
$ ufw allow openssh

Chapter 2

SSH Authentication

2.1 User creation


We need to create a new user on both the Client and the Service machines:
$ useradd -m -s /bin/bash sshuser

2.2 SSH authentication


If we try to authenticate to the Service using SSH from the Client machine:
$ ssh service1.insat.tn
we will be asked to enter a password, and this is not the requested use case.

2.3 Principal creation


We need to create a principal for this user. This action can be performed as admin
from any machine. We choose to do it from the Client machine.
$ kadmin
Type the admin password, then create a new principal for the user:
addprinc sshuser
and then close the interface.

2.4 OpenSSH Configuration


We need to adjust OpenSSH to allow authentication using Kerberos by changing
these lines in /etc/ssh/sshd_config on the Service machine


Figure 2.1: sshd configuration file

and restart the sshd service:

$ systemctl restart sshd

2.5 SSH authentication without password


We change user:
$ su sshuser
We get a ticket from the KDC:
$ kinit sshuser
To list all our tickets, we run:
$ klist

Figure 2.2: Initializing and listing ticket

Now, we can log in to the Service without a password:

$ ssh service1.insat.tn


Figure 2.3: SSH login without password


Conclusion

To summarize, setting up the Kerberos protocol demands a domain name, a realm and
3 machines, configuring a DNS, setting up time synchronization allowing us to
use the timestamp mechanism, configuring the KDC, the client and the server, and
finally establishing the SSH authentication.
The Kerberos protocol remains one of the strongest authentication protocols,
allowing mutual authentication between user and server. It also helps to avoid
many attacks like "Man in The Middle" thanks to the use of timestamps. Kerberos
offers one great advantage: the user enters his password only once (Single Sign
On).
Nevertheless, Kerberos has weaknesses to consider: it is a SPOF (single point of failure),
which means that if the server fails the whole system goes down; every machine in the
system must be time-synchronized; and a compromised AS is dangerous, since it gives the
attacker access to all services.

References

[1] https://linuxconfig.org/how-to-install-kerberos-kdc-server-and-client-on-ubuntu-18-04

[2] https://www.howtoforge.com/how-to-setup-kerberos-server-and-client-on-ubuntu-1804-lts

[3] https://web.ornl.gov/ romeja/HowToKerb.html

[4] https://doc.ubuntu-fr.org/ntp
