Playground I

This lesson provides hands-on practice with MIT Kerberos.

Set up

We’ll set up MIT Kerberos on Ubuntu running in a Docker container and then see how the theory we have covered so far looks in practice. Fire up the terminal and enter the commands shown below.

Along the way, we’ll discuss the various components of the system and their use. As you execute the commands, you should be able to relate them to the concepts we have discussed in theory.

# Get latest packages
apt-get update
# Install the Kerberos server packages
apt install krb5-kdc krb5-admin-server krb5-config -y
# Enter the following string (or any of your choice) when
# prompted for 'Default Kerberos version 5 realm'
DATAJEK
# Enter localhost when prompted for 'Kerberos servers for your realm'
localhost
# Enter localhost when prompted for 'Administrative server for your Kerberos realm'
localhost
# Initialize the realm we created and then enter a suitable password when prompted
krb5_newrealm
# You should have a KDC up and running at this point. You can execute the following
# command and look for the process krb5kdc
ps -aef
# Now install the client packages for interacting with the KDC
apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config
# Set the following environment variable so that we see detailed outputs
export KRB5_TRACE=/dev/stdout
# Examine the configuration file
cat /etc/krb5.conf
# Check for any tickets
klist
# Start the kadmin console
kadmin.local
# Print the list of existing user principals
kadmin.local: list_principals
# Add the user principal laila
kadmin.local: add_principal laila/educative
# Quit the kadmin console
kadmin.local: quit
# Request a TGT from the Authentication Server
kinit -V laila/educative
# View the list of tickets
klist
# Destroy the ticket
kdestroy
# List the tickets again and confirm the credential cache is empty
klist

Note that in this setup, the KDC, Admin Server, and the client are all running on the same machine/VM. As a quick check, you can execute the following command and look for the KDC process:

ps -aef

The process named krb5kdc is the Kerberos V5 Authentication Service and Key Distribution Center (AS/KDC).

krb5.conf

First, we’ll examine the configuration file, which contains several defaults.

cat /etc/krb5.conf

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos ...
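
The layout described above (the default realm under [libdefaults], and each realm's KDC and admin server under [realms]) can be read back with a small parser. This is an added example, not part of the original lesson: the helper names krb5_get and krb5_summary are hypothetical, and the sample file is constructed from the answers given during setup (realm DATAJEK, localhost) plus a made-up second realm.

```bash
# Added example: read values out of a krb5.conf-style file.
# sample_krb5_conf prints a CONSTRUCTED file: the realm and hosts entered
# during setup (DATAJEK, localhost) plus a made-up realm with two KDCs.
sample_krb5_conf() {
cat <<'EOF'
[libdefaults]
    default_realm = DATAJEK
# comment lines start with '#' or ';'
[realms]
    DATAJEK = {
        kdc = localhost
        admin_server = localhost
    }
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
    }
EOF
}

# krb5_get FILE SECTION SUBSECTION KEY  (hypothetical helper name)
# Prints every value of KEY in [SECTION]; pass "" as SUBSECTION for a
# top-level relation, or a realm name for a key inside its { } block.
krb5_get() {
    awk -v want_sect="$2" -v want_sub="$3" -v key="$4" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }     # trim the line
        /^[#;]/ || $0 == "" { next }                     # comments, blanks
        /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect)
                cur = ""; next }                         # [section] header
        $0 == "}" { cur = ""; next }                     # end of { } block
        sect != want_sect { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
          if (v == "{") cur = k                          # NAME = {  opens a block
          else if (cur == want_sub && k == key) print v }
    ' "$1"
}
# krb5_summary FILE: default realm and where its KDC / admin server live.
krb5_summary() {
    realm=$(krb5_get "$1" libdefaults "" default_realm)
    echo "default_realm=$realm"
    krb5_get "$1" realms "$realm" kdc | sed 's/^/kdc=/'
    krb5_get "$1" realms "$realm" admin_server | sed 's/^/admin_server=/'
}
conf=$(mktemp); sample_krb5_conf > "$conf"
krb5_summary "$conf"; rm -f "$conf"
```

On the container from this lesson, running krb5_summary /etc/krb5.conf shows which KDC and admin server the client tools will contact for the default realm. The parser handles one level of braces and does not follow include directives.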