Kerberos Server HowTo

Kerberos is a network authentication protocol which works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (Source: Kerberos_(protocol))

Please read about Kerberos first at Kerberos_(protocol) and especially the Kerberos How-to.

Server (OpenWrt)

  • krb5-server
    • krb5-libs (dependency of krb5-server)

Client (OpenWrt)

  • krb5-client

opkg

opkg install krb5-server

Create the file /etc/krb5.conf with the following credentials. Example:

[libdefaults]
    default_realm = YOURDOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    YOURDOMAIN.ORG = {
        kdc = server_address_of_this_machine:88
        admin_server = server_address_of_this_machine:749
        default_domain = yourdomain.org
    }

[domain_realm]
    .yourdomain.org = YOURDOMAIN.ORG
    yourdomain.org = YOURDOMAIN.ORG

Replace YOURDOMAIN.ORG / yourdomain.org with the domain name the server should act for (the realm name must be written in UPPER case and the domain_realm entries in lower case, exactly as shown above). Replace server_address_of_this_machine with the host name/IP address of the server you are setting up.
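As an added example (not from this wiki page or the OpenWrt project), a small POSIX sh check of a krb5.conf against the rules just stated, intended to be run before starting the KDC: upper-case realm, a matching [realms] block, the placeholder host replaced with ports 88/749, and lower-case [domain_realm] mappings. EXAMPLE.ORG and kdc.example.org are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the OpenWrt wiki page): sanity-check a krb5.conf
# against the rules stated above before starting krb5kdc. Realm and host names
# (EXAMPLE.ORG, kdc.example.org) are constructed sample values.
# get_value FILE SECTION KEY: print the value of "KEY = value" inside [SECTION]
get_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# check_krb5_conf FILE: return 0 if all checks pass, 1 otherwise (reasons on stdout)
check_krb5_conf() {
    conf=$1; rc=0
    realm=$(get_value "$conf" libdefaults default_realm)
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # 1. default_realm must be present and UPPER-case
    case $realm in
        ''|*[a-z]*) echo "default_realm missing or not upper-case: '$realm'"; rc=1 ;;
    esac
    # 2. the realm needs its own block in [realms]
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$conf" \
        || { echo "no [realms] block for $realm"; rc=1; }
    # 3. kdc/admin_server must name a real host and use ports 88/749
    for pair in kdc:88 admin_server:749; do
        key=${pair%%:*}; port=${pair##*:}
        v=$(get_value "$conf" realms "$key")
        case $v in
            ''|server_address_of_this_machine:*) echo "$key: placeholder host"; rc=1 ;;
            *:$port) ;;
            *) echo "$key should end in :$port, got '$v'"; rc=1 ;;
        esac
    done
    # 4. [domain_realm] must map both ".domain" and "domain" (lower-case) to the realm
    for d in ".$lower" "$lower"; do
        [ "$(get_value "$conf" domain_realm "$d")" = "$realm" ] \
            || { echo "[domain_realm] lacks '$d = $realm'"; rc=1; }
    done
    return $rc
}

# sample_conf: the page's template with the placeholders filled in (constructed)
sample_conf() {
    printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.ORG' \
        '[realms]' '    EXAMPLE.ORG = {' '        kdc = kdc.example.org:88' \
        '        admin_server = kdc.example.org:749' '    }' \
        '[domain_realm]' '    .example.org = EXAMPLE.ORG' '    example.org = EXAMPLE.ORG'
}
tmp=$(mktemp); sample_conf > "$tmp"
check_krb5_conf "$tmp" && echo "$tmp: OK"; rm -f "$tmp"
```

Run it as `check_krb5_conf /etc/krb5.conf` on the router; each failed rule prints one line.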

Start the server by issuing

/etc/init.d/krb5kdc start

This should create the /etc/krb5kdc/ directory with the following files

-rw-------    1 root     root         8192 Feb 13 11:17 principal
-rw-------    1 root     root         8192 Feb 13 09:12 principal.kadm5
-rw-------    1 root     root            0 Feb 13 09:12 principal.kadm5.lock
-rw-------    1 root     root            0 Feb 13 11:17 principal.ok

If you get no error messages, check the server by logging in with

kadmin.local

If everything works, you will see the following:

root@bridge:~# kadmin.local
Authenticating as principal xxxxxxx/admin@YOURDOMAIN.ORG with password.
kadmin.local:

Perform the tests as described in the Kerberos How-to document on page 16/17.

To enable/disable automatic start on boot:

/etc/init.d/krb5kdc enable

This simply creates a symlink: /etc/rc.d/S60krb5kdc → /etc/init.d/krb5kdc

/etc/init.d/krb5kdc disable

This removes the symlink again.

  • Last modified: 2018/03/03 20:47