[ Team LiB ] Previous Section Next Section

Recipe 4.13 Adding Hosts to a Kerberos Realm

4.13.1 Problem

You want to add a new host to an existing MIT Kerberos-5 realm.

4.13.2 Solution

Copy /etc/krb5.conf from your KDC (or any other realm host) to the new host. Then run kadmin on the new host, say, samaritan:

samaritan# kadmin -p pat/admin
Authenticating as principal pat/[email protected] with password.
Enter password: ********
kadmin: ank -randkey -policy hosts host/samaritan.dogood.org
kadmin: ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
kadmin: quit

4.13.3 Discussion

Assume the Kerberos realm we set up previously, DOGOOD.ORG [Recipe 4.11], and suppose your new host is samaritan.dogood.org. Once the DOGOOD.ORG realm configuration file (/etc/krb5.conf) has been copied from the KDC to samaritan, we can take advantage of the kadmin protocol we set up on the KDC to administer the Kerberos database remotely, directly from samaritan. We add a host principal for our new machine and store the host's secret key in the local keytab file. (kadmin can find the Kerberos admin server from the krb5.conf file we just installed.)

samaritan# kadmin -p pat/admin
Authenticating as principal pat/[email protected] with password.
Enter password: ********

kadmin:  ank -randkey -policy hosts host/samaritan.dogood.org
Principal "host/[email protected]" created.

kadmin:  ktadd -k /etc/krb5.keytab host/samaritan.dogood.org
Entry for principal host/samaritan.dogood.org with kvno 3, encryption type 
  Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

kadmin:  quit

That's it! Test by doing a kinit in your user account (pat):

# su - pat
pat@samaritan$ kinit
Password for [email protected]: ********

Having succeeded, use klist to examine your credentials:

pat@samaritan$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
03/05/03 03:48:35  03/05/03 13:48:35  krbtgt/[email protected]

and try connecting to yourself via ssh with Kerberos authentication, to test the operation of the host principal: [Recipe 4.14]

pat@samaritan$ ssh -v1 samaritan
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/res/.ssh/config
...
debug1: Trying Kerberos v5 authentication.
debug1: Kerberos v5 authentication accepted.
...
pat@samaritan$

4.13.4 See Also

kadmin(8), kinit(1), klist(1), ssh(1).
    [ Team LiB ] Previous Section Next Section