Recipe 4.13 Adding Hosts to a Kerberos Realm

4.13.1 Problem

You want to add a new host to an existing MIT Kerberos-5 realm.

4.13.2 Solution

Copy /etc/krb5.conf from your KDC (or any other realm host) to the new host. Then run kadmin on the new host, say, samaritan:

samaritan# kadmin -p pat/admin
Authenticating as principal pat/admin@DOGOOD.ORG with password.
Enter password: ********
kadmin: ank -randkey -policy hosts host/samaritan.dogood.org
kadmin: ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
kadmin: quit

4.13.3 Discussion

Assume the Kerberos realm we set up previously, DOGOOD.ORG [Recipe 4.11], and suppose your new host is samaritan.dogood.org. Once the DOGOOD.ORG realm configuration file (/etc/krb5.conf) has been copied from the KDC to samaritan, we can take advantage of the kadmin protocol we set up on the KDC to administer the Kerberos database remotely, directly from samaritan. We add a host principal for our new machine and store the host's secret key in the local keytab file. (kadmin can find the Kerberos admin server from the krb5.conf file we just installed.)

samaritan# kadmin -p pat/admin
Authenticating as principal pat/admin@DOGOOD.ORG with password.
Enter password: ********
kadmin: ank -randkey -policy hosts host/samaritan.dogood.org
Principal "host/samaritan.dogood.org@DOGOOD.ORG" created.
kadmin: ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
Entry for principal host/samaritan.dogood.org with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit

That's it! Test by doing a kinit in your user account (pat):

# su - pat
pat@samaritan$ kinit
Password for pat@DOGOOD.ORG: ********

Having succeeded, use klist to examine your credentials:

pat@samaritan$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: pat@DOGOOD.ORG

Valid starting     Expires            Service principal
03/05/03 03:48:35  03/05/03 13:48:35  krbtgt/DOGOOD.ORG@DOGOOD.ORG

and try connecting to yourself via ssh with Kerberos authentication, to test the operation of the host principal [Recipe 4.14]:

pat@samaritan$ ssh -v1 samaritan
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/res/.ssh/config
...
debug1: Trying Kerberos v5 authentication.
debug1: Kerberos v5 authentication accepted.
...
pat@samaritan$
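A keytab check to run alongside the ssh test above, added here as an example and not code from the book: it parses `klist -k -e /etc/krb5.keytab` output, confirms the host principal for the new machine is present, flags DES/3DES/RC4 keys (the Triple DES key shown above is what a 2003-era KDC produced; current MIT krb5 releases deprecate it), and checks that the keytab is not readable by group or other. The sample listing is constructed, and the function names are my own.

```python
"""Post-enrollment check for a Kerberos host keytab (added example)."""
import os
import re
import stat
import subprocess

# Data lines of `klist -k -e`, e.g. "   3 host/x@R (aes256-cts-hmac-sha1-96)".
# (Output with -t, which adds a timestamp column, is not handled.)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")
WEAK_MARKERS = ("des", "arcfour", "rc4")   # single DES, 3DES and RC4 keys

# Constructed sample of `klist -k -e` output for the host in this recipe.
SAMPLE_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/samaritan.dogood.org@DOGOOD.ORG (des3-cbc-sha1)
   4 host/samaritan.dogood.org@DOGOOD.ORG (aes256-cts-hmac-sha1-96)
"""

def host_principal(fqdn, realm):
    """Canonical host principal, e.g. host/samaritan.dogood.org@DOGOOD.ORG."""
    return f"host/{fqdn.lower()}@{realm.upper()}"

def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype_or_None)] from klist -k output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)      # header/separator lines do not match
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_host_keytab(listing, fqdn, realm):
    """Return a list of problems; an empty list means the host entry looks right."""
    wanted = host_principal(fqdn, realm)
    hits = [e for e in parse_keytab_listing(listing) if e[1] == wanted]
    if not hits:
        return [f"no entry for {wanted} in keytab"]
    return [f"{wanted} kvno {kvno} uses weak enctype {enc}"
            for kvno, _, enc in hits
            if enc and any(w in enc.lower() for w in WEAK_MARKERS)]

def keytab_mode_ok(path):
    """True if the keytab is neither readable nor writable by group/other."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def check_keytab_file(path, fqdn, realm):
    """Run klist on a real keytab and report problems (needs MIT krb5 tools)."""
    out = subprocess.run(["klist", "-k", "-e", path], check=True,
                         capture_output=True, text=True).stdout
    problems = check_host_keytab(out, fqdn, realm)
    if not keytab_mode_ok(path):
        problems.append(f"{path} is readable by group/other; chmod 600 it")
    return problems
```

Run `check_keytab_file("/etc/krb5.keytab", "samaritan.dogood.org", "DOGOOD.ORG")` as root on the new host; an empty list means the ktadd step left a usable, properly protected host key.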

4.13.4 See Also

kadmin(8), kinit(1), klist(1), ssh(1).

Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247