In an earlier blog I wrote that SSH keys need to be managed. It’s important! In the comments I was asked about keytabs. I felt this such a good question that it deserved it’s own blog entry. The basics of Kerberos auth In essence, kerberos is a “ticket based” authentication scheme. You start by requesting a TGT (“Ticket granting ticket”). This, typically, is where you enter your password. This TGT is then used to request service tickets to access resources.
Not only have I been playing with Kerberos, but I’ve also been playing with IPv6. So, naturally, kerberos over IPv6 was a test I had to do. Now because I’m only playing with IPv6 I’ve been using different DNS names; so kdc.spuddy.org is on IPv4 but kdc.ip6.spuddy.org is on IPv6. So, test! $ telnet -a -f kdc.ip6.spuddy.org Trying 2001:470:1f07:dc4:3c46:1aff:fef4:d7a3... Connected to kdc.ip6.spuddy.org (2001:470:1f07:dc4:3c46:1aff:fef4:d7a3). Escape character is '^]'. [ Kerberos V5 accepts you as ``sweh@SPUDDY.
So I built a quick AD domain based on W2k3 R2. I created TESTDOM.AD.SPUDDY.ORG as my AD domain, and made my primary DNS delegate that part of DNS to the AD server. I was able to join an XP client to the domain. So far, so good! So then I built a CentOS 5.6 machine and configured it for Kerberos. set up krb5.conf: [libdefaults] default_realm = TESTDOM.AD.SPUDDY.ORG dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [realms] # TESTDOM.
Disclaimer: I know nothing about Kerberos. I’m learning it all from scratch. I wanted to do some playing around with Kerberos (once I know Kerberos then I can look better at how to integrate with AD), so at home I set up a couple of CentOS 5.6 server VMs on my home network, built one out as a KDC (“yum install krb5-server”) and one as a Kerberos client talking to the KDC (krb5-workstation installed by default).