4.13. Adding Hosts to a Kerberos Realm

Problem

You want to add a new host to an existing MIT Kerberos-5 realm.

Solution

Copy /etc/krb5.conf from your KDC (or any other realm host) to the new host. Then run kadmin on the new host, say, samaritan:

samaritan# kadmin -p pat/admin
Authenticating as principal pat/admin@DOGOOD.ORG with password.
Enter password: ********
kadmin: ank -randkey -policy hosts host/samaritan.dogood.org
kadmin: ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
kadmin: quit

Discussion

Assume the Kerberos realm we set up previously, DOGOOD.ORG [Recipe 4.11], and suppose your new host is samaritan.dogood.org. Once the DOGOOD.ORG realm configuration file (/etc/krb5.conf) has been copied from the KDC to samaritan, we can take advantage of the kadmin protocol we set up on the KDC to administer the Kerberos database remotely, directly from samaritan. We add a host principal for our new machine and store the host’s secret key in the local keytab file. (kadmin can find the Kerberos admin server from the krb5.conf file we just installed.)

samaritan# kadmin -p pat/admin
Authenticating as principal pat/admin@DOGOOD.ORG with password.
Enter password: ********

kadmin:  ank -randkey -policy hosts host/samaritan.dogood.org
Principal "host/samaritan.dogood.org@DOGOOD.ORG" created.

kadmin:  ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
Entry for principal host/samaritan.dogood.org with kvno 3, encryption type 
  Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

kadmin:  quit

That’s it! Test by doing a kinit in your user account (pat):

# su - pat
pat@samaritan$ kinit
Password for pat@DOGOOD.ORG: ********

Having succeeded, use klist to examine your credentials:

pat@samaritan$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: pat@DOGOOD.ORG

Valid starting     Expires            Service principal
03/05/03 03:48:35  03/05/03 13:48:35  krbtgt/DOGOOD.ORG@DOGOOD.ORG

and try connecting to yourself via ssh with Kerberos authentication, to test the operation of the host principal: [Recipe 4.14]

pat@samaritan$ ssh -v1 samaritan
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/res/.ssh/config
...
debug1: Trying Kerberos v5 authentication.
debug1: Kerberos v5 authentication accepted.
...
pat@samaritan$

See Also

kadmin(8), kinit(1), klist(1), ssh(1).

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial