Kerberos V5 Installation

  • This document outlines the steps needed to install a Key Distribution Centre (KDC) server.

  • It was last updated on 18 July 2021.

Pre-requisites

  • NTP Service: The NTP service must be installed on the KDC server.

  • DNS Resolution:

    • You must have DNS hostname resolution available in the network where the KDC server is installed.

    • Your KDC must be resolvable by its fully qualified domain name.

    • This means that the KDC hostname must resolve to an IP address and that IP address must resolve back to the hostname.

  • Linux Server: A Linux VM with root access. In this installation, I have installed Debian 10.10 with 1024GB RAM, 8GB hard disk space and 2 vCPUs.

    • I have assigned the hostname kdc-server. This is automatically picked up by my router’s DNS resolver and assigned a DHCP address. Since bigtom.local is my local network’s domain name, the fully qualified domain name for this server is kdc-server.bigtom.local.

    • Update the server with $ sudo apt update and $ sudo apt upgrade -y to ensure the OS has the latest updates.

    • Install dnsutils with $ sudo apt install -y dnsutils and take a snapshot of the VM. This provides dig and host, which we use to confirm that our DNS resolution works correctly.

      [Figure: Results of dig show the hostname and IP address]

    • The figure above shows that the IP address 192.168.1.225 is associated with kdc-server.bigtom.local.
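The forward-and-reverse requirement above (hostname to IP, and that IP back to the same hostname) is easy to get half right, so here is a small checker for it. This is an added example and not part of the original guide; the constructed zone data, the function names and the injectable resolver are this example's own assumptions. With no resolver argument it queries the system resolver for the host you pass on the command line.

```python
"""Check that a KDC hostname round-trips through DNS (forward, then reverse).

Added example, not part of the original guide. The default resolver uses the
system's socket library; a resolver callable can be injected so the check can
be exercised against constructed data without a live DNS server.
"""
import socket


def system_resolver(query):
    """Forward-resolve a hostname to IPv4 addresses, or reverse-resolve an IP."""
    try:
        socket.inet_aton(query)  # succeeds only for a dotted-quad IP address
    except OSError:
        # Not an IP: forward lookup, A records only.
        infos = socket.getaddrinfo(query, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    # An IP: reverse lookup, PTR name plus any aliases.
    name, aliases, _ = socket.gethostbyaddr(query)
    return [name, *aliases]


def check_kdc_dns(fqdn, resolver=system_resolver):
    """Return a report describing whether fqdn -> IP -> fqdn holds.

    'ok' is True only when every address the name resolves to reverse-resolves
    to fqdn (case-insensitive, trailing dot ignored).
    """
    fqdn_norm = fqdn.rstrip(".").lower()
    report = {"fqdn": fqdn_norm, "addresses": [], "mismatches": [], "ok": False}
    try:
        addresses = resolver(fqdn)
    except OSError as exc:
        report["error"] = f"forward lookup failed: {exc}"
        return report
    if not addresses:
        report["error"] = "forward lookup returned no addresses"
        return report
    report["addresses"] = addresses
    for ip in addresses:
        try:
            names = [n.rstrip(".").lower() for n in resolver(ip)]
        except OSError as exc:
            report["mismatches"].append((ip, f"reverse lookup failed: {exc}"))
            continue
        if fqdn_norm not in names:
            report["mismatches"].append((ip, names))
    report["ok"] = not report["mismatches"]
    return report


# Constructed zone data mirroring the guide's example; not taken from a real server.
CONSTRUCTED_ZONE = {
    "kdc-server.bigtom.local": ["192.168.1.225"],
    "192.168.1.225": ["kdc-server.bigtom.local"],
    "broken.bigtom.local": ["192.168.1.226"],
    "192.168.1.226": ["something-else.bigtom.local"],  # PTR points elsewhere
}


def constructed_resolver(query):
    """Resolver over the constructed zone; raises OSError like NXDOMAIN would."""
    try:
        return list(CONSTRUCTED_ZONE[query.rstrip(".").lower()])
    except KeyError:
        raise OSError(f"NXDOMAIN for {query}")


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "kdc-server.bigtom.local"
    print(check_kdc_dns(target))
```

A KDC whose name resolves but whose reverse record points at another host fails this check, which is exactly the case that produces confusing client errors later, so run it before installing the packages.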

KDC Installation

  • Issue $ sudo apt-get install krb5-admin-server krb5-kdc -y as your privileged user.

Default Realm

The first install dialog box brings up the following screen:

[Figure: Create your default Realm / Domain as requested in this first Kerberos server install dialog]

  • You can set the realm (or domain in Windows world) to anything you desire. In this case, I have set it to a fictitious BANKGROUP.BANK.COM.

  • Note that this does NOT set up an actual realm. It only sets the default realm / domain used in cases where a realm / domain has not been specified.

  • After these initial installation steps, we still need to set up a realm.

Kerberos Server Name (KDC)

The next dialog box asks for the KDC server name:

[Figure: Hostname of the KDC server]

Administrative Server Name

The installation then asks for the administrative server name:

[Figure: Hostname of the administrative server]

In our case, as this is a single-server installation, the KDC server name and the administrative server name are the same.

Kerberos Administrative Tools

A message box then appears to tell the installer that the Kerberos administrative tools have been set up, but that the realm has not been.

[Figure: Warning that the realm has not been created]

Completion of Initial Installation

[Figure: Installation of the KDC server packages is now complete]

The installation of the KDC server packages has now completed and the system tries to start the KDC server. However, the KDC server will not start, as we have not set up a realm or any principal for that realm yet.

Configuring the KDC server

Reference URL: http://blog.manula.org/2012/04/setting-up-kerberos-server-with-debian.html

Setting up a New Realm

[Figure: We set up a new realm with the krb5_newrealm command]

The system will require you to enter a new master password for the Kerberos administrative server.

[Figure: the updated /etc/krb5.conf]

As shown above, the /etc/krb5.conf configuration file is now updated with the new realm and server details.
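It is worth being able to verify that the realm stanza in /etc/krb5.conf actually names the KDC you intended before pointing clients at it. The following is an added example, not the file that krb5_newrealm writes: it renders a minimal krb5.conf for the guide's realm and KDC, parses it back with a small parser for the subset of the file syntax used here, and reports anything that does not match. The realm, KDC and admin-server values are the guide's; rdns = false and dns_lookup_kdc = false are this example's own hardening choices, and the function names are assumptions.

```python
"""Render and sanity-check a minimal /etc/krb5.conf for the guide's realm.

Added example; not the configuration krb5_newrealm generates. Run it and
pass the output to check_realm_config(), or call parse_krb5_conf() on the
text of an existing /etc/krb5.conf.
"""
import re

REALM = "BANKGROUP.BANK.COM"        # realm chosen in the guide
KDC_HOST = "kdc-server.bigtom.local"  # KDC and admin server in the guide


def render_krb5_conf(realm, kdc, admin_server=""):
    """Return a minimal krb5.conf; admin_server defaults to the KDC host."""
    admin_server = admin_server or kdc   # single-server install: same host
    domain = kdc.split(".", 1)[1]        # e.g. bigtom.local
    # rdns/dns_lookup_kdc = false are this example's choices: they stop the
    # library from trusting DNS to pick a KDC or to canonicalise service names.
    return f"""[libdefaults]
    default_realm = {realm}
    dns_lookup_kdc = false
    rdns = false

[realms]
    {realm} = {{
        kdc = {kdc}
        admin_server = {admin_server}
    }}

[domain_realm]
    .{domain} = {realm}
    {domain} = {realm}
"""


def parse_krb5_conf(text):
    """Parse [section], key = value and key = { ... } blocks into nested dicts."""
    sections = {}
    stack = []                      # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"unparsable line: {line!r}")
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def check_realm_config(text, realm, kdc):
    """Return a list of problems; an empty list means the config matches."""
    conf = parse_krb5_conf(text)
    problems = []
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("default_realm is not " + realm)
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict):
        problems.append(f"[realms] has no {realm} stanza")
    else:
        # values may carry a :port suffix; compare the host part only
        if block.get("kdc", "").split(":")[0] != kdc:
            problems.append("kdc does not point at " + kdc)
        if block.get("admin_server", "").split(":")[0] != kdc:
            problems.append("admin_server does not point at " + kdc)
    if realm != realm.upper():
        problems.append("realm names are conventionally upper-case")
    return problems


if __name__ == "__main__":
    text = render_krb5_conf(REALM, KDC_HOST)
    print(text)
    print("problems:", check_realm_config(text, REALM, KDC_HOST))
```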

Now that we have a valid realm, check the status of the krb5-kdc service:

[Figure: Status of the krb5-kdc service once it has a valid realm]

Managing users (Principals)

To manage users in this default realm, we need to use the kadmin.local command-line tool. It must be started as root with $ sudo kadmin.local.

[Figure: kadmin.local must be started as root and is used for managing users]

Adding users (Principals)

  • We now need to add users to the realm / domain that we just created.

  • This is done with the addprinc command at the kadmin.local prompt, e.g., addprinc trader, which creates the trader user.

[Figure: Add users to the realm with the addprinc command in kadmin.local]

  • You will need to enter a password twice for this user as shown above.

Listing users (Principals)

[Figure: Displaying the list of users / principals in a realm with listprinc]

To list the users / principals in this realm, use the listprinc command. You will see the newly created trader user along with the default principals that already exist for this realm.
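Once the realm has a handful of principals it helps to know which entries are the defaults the realm creation produced and which are accounts someone added. The following is an added example, not part of the original guide: it takes a principal listing as text, sorts the entries into default realm principals, user principals, service principals and admin instances, and flags anything from another realm or any default that is unexpectedly missing. The listing is constructed to match a fresh MIT Kerberos realm plus the guide's trader user; the function names and the "admin instance" rule (Debian's stock kadm5.acl grants */admin full rights) are this example's assumptions.

```python
"""Audit a principal listing from kadmin: defaults vs. users vs. services.

Added example, not part of the original guide. Feed it the text output of a
principal listing; the listing below is constructed for demonstration.
"""
REALM = "BANKGROUP.BANK.COM"
KDC_FQDN = "kdc-server.bigtom.local"

# Constructed listing: what a new MIT realm plus the guide's 'trader' looks like.
CONSTRUCTED_LISTING = """\
K/M@BANKGROUP.BANK.COM
kadmin/admin@BANKGROUP.BANK.COM
kadmin/changepw@BANKGROUP.BANK.COM
kadmin/kdc-server.bigtom.local@BANKGROUP.BANK.COM
kiprop/kdc-server.bigtom.local@BANKGROUP.BANK.COM
krbtgt/BANKGROUP.BANK.COM@BANKGROUP.BANK.COM
trader@BANKGROUP.BANK.COM
"""


def expected_default_principals(realm, kdc_fqdn):
    """Principals krb5_newrealm / the KDC packages create for a realm."""
    return {
        f"K/M@{realm}",                 # master key principal
        f"kadmin/admin@{realm}",        # kadmin service
        f"kadmin/changepw@{realm}",     # password-change service
        f"kadmin/{kdc_fqdn}@{realm}",   # host-bound kadmin service
        f"kiprop/{kdc_fqdn}@{realm}",   # incremental propagation service
        f"krbtgt/{realm}@{realm}",      # ticket-granting service
    }


def parse_principal(name):
    """Split primary[/instance]@REALM into its parts."""
    primary_instance, at, realm = name.rpartition("@")
    if not at or not realm:
        raise ValueError(f"principal without realm: {name!r}")
    primary, _, instance = primary_instance.partition("/")
    return {"primary": primary, "instance": instance or None, "realm": realm}


def audit_principals(listing, realm, kdc_fqdn):
    """Classify every principal in the listing and report oddities."""
    principals = [line.strip() for line in listing.splitlines() if line.strip()]
    defaults = expected_default_principals(realm, kdc_fqdn)
    report = {
        "users": [], "services": [], "admins": [], "foreign_realm": [],
        "missing_defaults": sorted(defaults - set(principals)),
    }
    for principal in principals:
        parts = parse_principal(principal)
        if parts["realm"] != realm:
            report["foreign_realm"].append(principal)
        elif principal in defaults:
            continue                                # expected, nothing to flag
        elif parts["instance"] == "admin":
            report["admins"].append(principal)      # matches */admin in kadm5.acl
        elif parts["instance"] is None:
            report["users"].append(principal)
        else:
            report["services"].append(principal)    # e.g. host/web.bigtom.local
    return report


if __name__ == "__main__":
    for key, value in audit_principals(CONSTRUCTED_LISTING, REALM, KDC_FQDN).items():
        print(f"{key:17}: {value}")
```

Anything under admins or foreign_realm deserves a second look, and a non-empty missing_defaults usually means the listing was taken from the wrong realm or the realm was not fully created.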

Testing with a Java Client

  • We are going to test the setup with a simple Java command line application.

  • Download the source code zip and unzip all files into a single folder.

  • It contains two Java source code files: Krb5client.java and LoginCallbackHandler.java.

  • The code has been tested to compile and run on JDK 15 in Windows and JDK 11 on Linux.

[Figure: The Java source code containing the Kerberos client that connects to the KDC server]

  • Line 33 needs to be set with the correct realm, in this case “BANKGROUP.BANK.COM”.

  • Line 35 needs to be updated with the correct kdc server, in this case “kdc-server.bigtom.local”.

  • The code can then be compiled with a Java compiler on Windows or Linux as described below.

Windows

If you are using Windows, edit the file kerberos-test.bat so that its first line points to your Java installation path.

[Figure: win-client]

Then run the kerberos-test.bat file.

Linux

  • If you are using Linux, modify the second line of the file kerberos-test.sh to point to your Java application.

  • Ensure that the file is set with execute permission with $ chmod u+x kerberos-test.sh.

[Figure: linux-client]

Then run the kerberos-test.sh file.

Output

[Figure: A successful connection to the KDC server]

[Figure: The client fails to connect if the password is wrong]

This concludes the Kerberos KDC server setup and Java client test.