Atlantic.Net Blog

How to Setup Kerberos Server and Client on Ubuntu 20.04

Hitesh Jethva

Kerberos is a network authentication protocol that lets clients and servers authenticate to each other so they can communicate securely. It uses secret-key cryptography to verify users' identities. Kerberos is commonly used for POSIX authentication, as well as with Active Directory, NFS, and Samba.

In this tutorial, we will show you how to install the Kerberos server and client on Ubuntu 20.04.

Prerequisites

  • Two fresh Ubuntu 20.04 VPSes on the Atlantic.net Cloud Platform
  • A root password configured on your server

Step 1 – Create an Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2 GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to refresh the package lists so that the following steps install the latest available packages.

apt-get update -y

Step 2 – Setup Hostname Resolution

First, you will need to set up a fully qualified hostname on both the server and client machines.

On the server machine, set the fully qualified hostname with the following command:

hostnamectl set-hostname server.myexample.com

On the client machine, set the fully qualified hostname with the following command:

hostnamectl set-hostname client.myexample.com

Next, edit the /etc/hosts files on both server and client machines and set up the hostname resolution so that both systems can communicate using the hostname.

nano /etc/hosts

Add the following lines:

your-server-ip server.myexample.com
your-client-ip client.myexample.com

Save and close the file when you are finished.

Step 3 – Install Kerberos Server

Next, you will need to install the Kerberos server package on the server machine. You can install all the packages with the following command:

apt-get install krb5-kdc krb5-admin-server krb5-config -y

During the installation, you will be asked to provide the Kerberos realm.

Provide myexample.com and click on the OK button. You will then be asked to provide the Kerberos server hostname.

Provide server.myexample.com and click on the OK button. You will then be asked to provide the hostname of the administrative server.

Provide server.myexample.com and click on the OK button. You should then see a final page.

Click on the OK button to finish the installation.

Step 4 – Configure Kerberos Server

Next, you will need to initialize the Kerberos realm and set its master key password. You can do it with the following command:

krb5_newrealm

You will be asked to provide a secure password as shown below:

This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'myexample.com',
master key name 'K/M@myexample.com'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.

Next, you will need to add the admin user principal to the access control list. You can do it by editing the following file:

nano /etc/krb5kdc/kadm5.acl

Add the following line, which grants all administrative privileges to every principal whose instance is admin:

*/admin *

Save and close the file when you are finished.
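
The ACL line above matches every principal ending in /admin, so it is worth checking for it when reviewing a KDC. The following is an added example, not part of the original tutorial: a small audit function that flags kadm5.acl entries combining a wildcard principal with full privileges and no target restriction. The sample ACL and the principal names other than */admin are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag kadm5.acl entries that give full rights to a wildcard principal.
# Entry format (MIT krb5): principal  permissions  [target_principal  [restrictions]]

audit_kadm5_acl() {
    # $1 = path to an ACL file; prints one "BROAD:<line>:<principal>" per finding.
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            princ = $1; perms = $2; target = $3
            wildcard = (index(princ, "*") > 0)       # matches more than one principal
            full = (perms == "*" || perms == "x")    # "*" and "x" both mean all privileges
            unscoped = (target == "" || target == "*")
            if (wildcard && full && unscoped)
                printf "BROAD:%d:%s\n", NR, princ
        }
    ' "$1"
}

# Constructed sample: the tutorial's line plus two narrower alternatives.
sample_acl() {
    cat <<'EOF'
# constructed sample ACL
*/admin *
kuser/admin@myexample.com *
helpdesk/admin@myexample.com ci
EOF
}

run_demo() {
    tmp=$(mktemp)
    sample_acl > "$tmp"
    audit_kadm5_acl "$tmp"
    rm -f "$tmp"
}

run_demo
```

Only the wildcard line is reported; entries that name a single principal or grant a reduced permission set pass the check.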

Next, you will need to add a principal to the Kerberos database. Start the local administration console with the following command:

kadmin.local

You should see the following output:

Authenticating as principal root/admin@myexample.com with password.

Next, run the following command to add a principal named kuser:

kadmin.local: addprinc kuser

You will be asked to set the password as shown below:

WARNING: no policy specified for kuser@myexample.com; defaulting to no policy
Enter password for principal "kuser@myexample.com":
Re-enter password for principal "kuser@myexample.com":
Principal "kuser@myexample.com" created.

Next, exit from the kadmin console with the following command:

kadmin.local: quit

Next, restart the Kerberos server with the following command:

systemctl restart krb5-admin-server

You can verify the status of Kerberos with the following command:

systemctl status krb5-admin-server

You should get the following output:

  • krb5-admin-server.service - Kerberos 5 Admin Server
    Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2020-11-07 06:22:19 UTC; 6s ago
    Main PID: 2183 (kadmind)
    Tasks: 1 (limit: 4691)
    Memory: 728.0K
    CGroup: /system.slice/krb5-admin-server.service
    └─2183 /usr/sbin/kadmind -nofork
Nov 07 06:22:19 server.myexample.com kadmind[2183]: Setting up TCP socket for address 0.0.0.0.464
Nov 07 06:22:19 server.myexample.com kadmind[2183]: Setting up TCP socket for address ::.464
Nov 07 06:22:19 server.myexample.com kadmind[2183]: setsockopt(12,IPV6_V6ONLY,1) worked
Nov 07 06:22:19 server.myexample.com kadmind[2183]: Setting up RPC socket for address 0.0.0.0.749
Nov 07 06:22:19 server.myexample.com kadmind[2183]: Setting up RPC socket for address ::.749
Nov 07 06:22:19 server.myexample.com kadmind[2183]: setsockopt(14,IPV6_V6ONLY,1) worked
Nov 07 06:22:19 server.myexample.com kadmind[2183]: set up 6 sockets
Nov 07 06:22:19 server.myexample.com kadmind[2183]: Seeding random number generator
Nov 07 06:22:19 server.myexample.com kadmind[2183]: starting
Nov 07 06:22:19 server.myexample.com kadmind[2183]: kadmind: starting...

Step 5 – Install Kerberos Client

Next, you will need to install the Kerberos client on the client machine. You can install it with the following command:

apt-get install krb5-user -y

During the installation, you will be asked to provide the Kerberos realm.

Provide myexample.com and click on the OK button. You will then be asked to provide the Kerberos server hostname.

Provide server.myexample.com and click on the OK button. You will then be asked to provide the hostname of the administrative server.

Provide server.myexample.com and click on the OK button. You should then see a final page.

Click on the OK button to finish the installation.

Next, authenticate to the Kerberos server and obtain a ticket from it with the following command:

kinit kuser

You will be asked to provide a password for the kuser principal as shown below:

Password for kuser@myexample.com:

Next, list the ticket you obtained with the following command:

klist

You should get the following output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kuser@myexample.com

Valid starting       Expires              Service principal
11/07/2020 06:25:40  11/07/2020 16:25:40  krbtgt/myexample.com@myexample.com
        renew until 11/08/2020 06:25:33

Step 6 – Verify Authentication

Next, you will need to verify the details of the principal on the Kerberos server.

On the Kerberos server machine, run the following command:

kadmin.local

Authenticating as principal root/admin@myexample.com with password.

Next, print the principal details with the following command:

kadmin.local: getprinc kuser

You should get the following output:

Principal: kuser@myexample.com
Expiration date: [never]
Last password change: Sat Nov 07 06:21:46 UTC 2020
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Nov 07 06:21:46 UTC 2020 (root/admin@myexample.com)
Last successful authentication: Sat Nov 07 06:25:40 UTC 2020
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local: quit
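
The getprinc output carries several security-relevant fields: the key encryption types, the REQUIRES_PRE_AUTH attribute, the password expiration and the attached policy. The following is an added example, not part of the original tutorial: a function that reads getprinc output and prints hardening findings. The finding names and the second sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: turn `getprinc` output into a short list of hardening findings.

audit_getprinc() {
    # Reads getprinc output on stdin; prints one finding per line.
    awk -F': ' '
        $1 == "Password expiration date" && $2 == "[never]" { print "PW_NEVER_EXPIRES" }
        $1 == "Key" && $2 ~ /des|arcfour|rc4/ {
            sub(/^vno [0-9]+, /, "", $2)      # keep only the enctype name
            print "WEAK_ENCTYPE " $2
        }
        $1 == "Attributes" { attrs = $2 }
        $1 == "Policy" && $2 == "[none]" { print "NO_POLICY" }
        END { if (attrs !~ /REQUIRES_PRE_AUTH/) print "NO_PREAUTH" }
    '
}

# Relevant lines of the kuser output shown in this step.
sample_kuser() {
    cat <<'EOF'
Password expiration date: [never]
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
EOF
}

# Constructed counter-example: legacy key type, pre-authentication not required.
sample_legacy() {
    cat <<'EOF'
Password expiration date: Tue Jan 01 00:00:00 UTC 2030
Key: vno 3, arcfour-hmac
Attributes:
Policy: default
EOF
}

sample_kuser  | audit_getprinc
sample_legacy | audit_getprinc
```

For kuser the findings are the missing policy and the non-expiring password, which matches the "no policy specified" warning printed by addprinc; a policy can be created with kadmin's addpol command and attached with modprinc -policy.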

Conclusion

Congratulations! You have successfully installed and configured the Kerberos server and client on Ubuntu 20.04. You can now use Kerberos on your network for the authentication of users. Try it on your dedicated server hosting account from Atlantic.Net!
