Configure Heimdal Kerberos on FreeBSD


Synopsis

Below is a quick guide to configuring the Heimdal Kerberos that ships in the FreeBSD base system. Unlike the official FreeBSD documentation, it is abbreviated for use as a cheat sheet.

This document uses the same conventions as the FreeBSD documentation: the domain is example.org and the realm is EXAMPLE.ORG.

Requirements

Although this guide doesn't use DNS for distributing the KDC information, working DNS for the domain is advised. Otherwise /etc/hosts will need to be configured, and the kdc and admin_server attributes in /etc/krb5.conf will need to be set to the respective IP addresses.

Run Control Configuration

Enable the services at boot in /etc/rc.conf.local on the KDC:

kdc_enable="YES"
kadmind_enable="YES"

Configure Realm

The primary configuration file for Kerberos is /etc/krb5.conf; it is the same on all systems in the realm.

[libdefaults]
 default_realm = EXAMPLE.ORG
[realms]
 EXAMPLE.ORG = {
  kdc = kerberos.example.org
  admin_server = kerberos.example.org
 }
[domain_realm]
 .example.org = EXAMPLE.ORG
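
As an added example (not from the page, FreeBSD or Heimdal), a small Python parser for this file's layout, plus a check that the three sections agree: default_realm has a [realms] entry carrying kdc and admin_server, and every [domain_realm] mapping points at a defined realm. The sample configuration is the page's own, embedded as a constructed string.

```python
# Constructed sample: the page's /etc/krb5.conf, reproduced as a string.
EXAMPLE_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.ORG
[realms]
 EXAMPLE.ORG = {
  kdc = kerberos.example.org
  admin_server = kerberos.example.org
 }
[domain_realm]
 .example.org = EXAMPLE.ORG
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = {' line opens a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()  # close the innermost { ... } block
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not stack:
            raise ValueError("unparseable line: %r" % raw)
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # descend into block
        else:
            stack[-1][key] = value
    return conf

def check_realm_wiring(conf):
    """List inconsistencies between [libdefaults], [realms] and [domain_realm]."""
    problems = []
    realms = conf.get("realms", {})
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm not in realms:
        problems.append("default_realm %r has no [realms] entry" % realm)
    for name, entry in realms.items():
        for want in ("kdc", "admin_server"):
            if not isinstance(entry, dict) or want not in entry:
                problems.append("realm %s lacks %s" % (name, want))
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            problems.append("%s maps to undefined realm %s" % (domain, mapped))
    return problems
```

Run check_realm_wiring(parse_krb5_conf(open("/etc/krb5.conf").read())) on each host after copying the file; an empty list means the client will look for its KDC where the realm section says it is.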

Set Master Key

Run the following command to set the master key for encrypting the KDC database:

# kstash

Initialise Database

Run the following to initialise the database for the realm:

# kadmin -l
kadmin> init EXAMPLE.ORG

Add User Principal

# kadmin -l
kadmin> add luser

Add Host Principal

# kadmin -l
kadmin> add --random-key host/kerberos.example.org
...
kadmin> ext_keytab --keytab=/tmp/example.keytab host/kerberos.example.org

Copy the extracted keytab file to /etc/krb5.keytab on the host and set its permissions to 0600.

Kerberise SSH

Edit /etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Edit /etc/ssh/ssh_config or ~/.ssh/config:

Host *
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

Service Accounts

To allow users to access a service account, add the following to the account's ~/.k5login file:

luser@EXAMPLE.ORG

Users can then log in to the account with ssh service@kerberos.example.org.

Control Services

# service kdc|kadmind start|stop|restart

Firewall Rules

On the KDC:

pass in on $if inet proto {tcp,udp} from $subnet to $kdcip port 88
pass in on $if inet proto tcp from $subnet to $kdcip port 749

On a client:

pass out on $if inet proto {tcp,udp} from $clientip to $kdcip port 88
pass out on $if inet proto tcp from $clientip to $kdcip port 749

Copyright 2018