Kerberos V5 Installation
This document outlines the steps needed to install a Key Distribution Centre (KDC) server.
It was last updated on 18 July 2021.
Pre-requisites
NTP Service: The NTP service must be installed on the KDC server.
DNS Resolution:
You must have DNS hostname resolution available in the network where the KDC server is installed.
Your KDC must be resolvable by its fully qualified domain name.
This means that the KDC hostname must resolve to an IP address and that IP address must resolve back to the hostname.
Linux Server: A Linux VM with root access. In this installation, I have installed Debian 10.10 with 1024GB RAM, 8GB hard disk space and 2 vCPUs.
I have assigned the hostname kdc-server. This is automatically picked up by my router’s DNS resolver and assigned a DHCP address. Since bigtom.local is my local network’s domain name, the fully qualified domain name for this server is kdc-server.bigtom.local.
Update the server with $ sudo apt update and $ sudo apt upgrade -y to ensure the OS has the latest updates. Install dnsutils with $ sudo apt install -y dnsutils and take a snapshot of the VM. This provides dig and host, which we use to ensure our DNS resolution works correctly.
The diagram above shows that the IP address 192.168.1.225 is associated with kdc-server.bigtom.local.
KDC Installation
Issue $ sudo apt-get install krb5-admin-server krb5-kdc -y as your privileged user.
Default Realm
The first install dialog box brings up the following screen:
You can set the realm (or domain in the Windows world) to anything you desire. In this case, I have set it to a fictitious BANKGROUP.BANK.COM.
Note that this does NOT set up an actual realm. It only sets the default realm / domain for cases where the realm / domain has not been specified.
After these initial installation steps, we will still need to set up a realm.
Kerberos Server Name (KDC)
The next dialog box requests the KDC server name:
Administrative Server Name
The installation then requests the administrative server name:
In our case, as this is a single server installation, the KDC server name and the administrative server name are the same.
Kerberos Administrative Tools
A message box then appears to tell the installer that the Kerberos administrative tools have been set up, but that the realm has not been set up.
Completion of Initial Installation
The installation of the KDC server packages has now completed and the system tries to start the KDC server. However, the KDC server will not start, as we have not yet set up a realm or a principal for that realm.
Configuring the KDC server
Reference URL: http://blog.manula.org/2012/04/setting-up-kerberos-server-with-debian.html
Setting up a New Realm
The system will require you to enter a new master password for the Kerberos administrative server.
As shown above, the /etc/krb5.conf configuration file is now updated with the new realm and server details.
Now that we have a valid realm, check the status of the krb5-kdc service:
Managing users (Principals)
To manage users in this default realm, we need to use the kadmin.local command line tool. It must be started as root with $ sudo kadmin.local.
Adding users (Principals)
We now need to add users to the realm / domain that we just created.
This is done with the addprinc command, e.g., $ addprinc trader, which would create the trader user.
You will need to enter a password twice for this user as shown above.
Listing users (Principals)
To list the users / principals in this realm, use the listprincs command. You will see that the newly created trader user is listed along with the other default principals which already exist for this realm.
Testing with a Java Client
We are going to test the setup with a simple Java command line application.
You can download the source code here (zip) and unzip all files into a single folder. It contains two Java source code files: Krb5client.java and LoginCallbackHandler.java.
The code has been tested to compile and run on JDK 15 in Windows and JDK 11 on Linux.
Line 33 needs to be set with the correct realm, in this case “BANKGROUP.BANK.COM”.
Line 35 needs to be updated with the correct kdc server, in this case “kdc-server.bigtom.local”.
The code can then be compiled with a Java compiler on Windows or Linux as described below.
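As an added illustration (not the downloadable Krb5client.java / LoginCallbackHandler.java from this page), the following self-contained Java program shows the same idea: a JAAS login through Krb5LoginModule against the realm and KDC configured above. The class and handler names are my own, and it assumes the trader principal created with addprinc earlier and JDK 11 or later.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class Krb5LoginExample {
    // Realm and KDC from this tutorial; change both to match your own environment.
    static final String REALM = "BANKGROUP.BANK.COM";
    static final String KDC = "kdc-server.bigtom.local";

    // Programmatic JAAS config: one REQUIRED Krb5LoginModule entry, password-based (no keytab, no ticket cache).
    static final class Krb5Config extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false");
            return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    // Answers the NameCallback / PasswordCallback that Krb5LoginModule issues during login().
    static final class PasswordHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        PasswordHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        @Override public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        // Same effect as editing the realm / kdc lines in the downloaded client; a krb5.conf on the classpath also works.
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
        String user = args.length > 0 ? args[0] : "trader";   // principal created with addprinc above
        char[] pass = System.console().readPassword("Password for %s@%s: ", user, REALM);
        LoginContext lc = new LoginContext("Krb5Client", null, new PasswordHandler(user, pass), new Krb5Config());
        lc.login();                 // AS exchange with the KDC; throws LoginException if the KDC rejects it
        Arrays.fill(pass, '\0');    // do not keep the cleartext password in memory after use
        Subject subject = lc.getSubject();
        System.out.println("Authenticated as: " + subject.getPrincipals());
        lc.logout();
    }
}
```

Run it from a real terminal, since System.console() is used to read the password; a LoginException with a KDC error message points at DNS, realm or principal problems in the setup above.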
Windows
If you are using Windows, modify the file kerberos-test.bat so that the first line points to your Java installation path. Then run the kerberos-test.bat file.
Linux
If you are using Linux, modify the second line of the file kerberos-test.sh to point to your Java application. Ensure that the file is set with execute permission with $ chmod u+x kerberos-test.sh. Then run the kerberos-test.sh file.
Output
This concludes the Kerberos KDC server setup and Java client test.