In addition to making sure every machine on your network knows which Kerberos realm it is in and which KDC to contact, create a host principal for it. So far, only user credentials have been discussed. However, Kerberos-compatible services usually need to authenticate themselves to the client as well. Therefore, a special host principal must be present in the Kerberos database for each host in the realm.
The naming convention for host principals is host/<hostname>@<REALM>, where hostname is the host's fully qualified hostname.
Host principals are similar to user principals, but have significant differences. The main difference between a user principal and a host principal is that the key of the former is protected by a password: when a user obtains a ticket-granting ticket from the KDC, he needs to type his password so Kerberos can decrypt the ticket. It would be quite inconvenient for the system administrator if he had to obtain new tickets for the SSH daemon every eight hours or so.

Instead, the key required to decrypt the initial ticket for the host principal is extracted by the administrator from the KDC once and stored in a local file called the keytab. Services such as the SSH daemon read this key and use it to obtain new tickets automatically when needed. The default keytab file resides in /etc/krb5.keytab.
To create a host principal for test.example.com, enter the following commands during your kadmin session:

kadmin -p newbie/admin
Authenticating as principal newbie/admin@EXAMPLE.COM with password.
Password for newbie/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/test.example.com
WARNING: no policy specified for host/test.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/test.example.com@EXAMPLE.COM" created.
Instead of setting a password for the new principal, the -randkey flag tells kadmin to generate a random key. This is used here because no user interaction is wanted for this principal: it is a server account for the machine.
Finally, extract the key and store it in the local keytab file /etc/krb5.keytab. This file is owned by the superuser, so you must be root to execute the next command in the kadmin shell:

kadmin: ktadd host/test.example.com
Entry for principal host/test.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
When completed, make sure that you destroy the admin ticket obtained with kinit earlier by running kdestroy.
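Once ktadd has written the keys, an administrator usually wants to verify what actually landed in the keytab: which principal, which key version number (kvno), and which encryption types. The following script is an added example, not part of the original page or of the MIT Kerberos project; it parses the MIT keytab file format (version 0x0502) offline and flags entries whose encryption type is deprecated. The single-DES and Triple-DES types shown in the ktadd output above fall into that category (single DES was withdrawn by RFC 6649, 3DES and RC4 by RFC 8429), so on a current KDC you would expect AES entries instead. The enctype numbers are the IANA/RFC 3961, 3962 and 8009 assignments; the sample keytab bytes are constructed inline, and the ownership/mode check assumes the keytab is meant to be root-owned and unreadable by anyone else, as the page says for /etc/krb5.keytab. Key material is skipped, never printed.

```python
"""Offline inspection of an MIT-format keytab (file version 0x0502).

Added example, not code from the page. Layout follows the MIT krb5 keytab
format; enctype numbers follow RFC 3961/3962/8009.
"""
import os
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
}
# Single DES, 3DES and RC4 are deprecated (RFC 6649 / RFC 8429); flag them.
WEAK_ENCTYPES = {1, 2, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Parse every entry of a version-2 MIT keytab without exposing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen           # skip over the key material itself
        kvno = vno8
        if end - p >= 4:        # optional 32-bit kvno written by current MIT releases
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts, klen))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key, timestamp) tuples; used to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def weak_entries(entries) -> list:
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def permission_problems(mode: int, uid: int) -> list:
    """Ownership/mode problems for a keytab, given st_mode and st_uid from os.stat."""
    problems = []
    if uid != 0:
        problems.append("keytab not owned by root")
    if mode & 0o077:
        problems.append("keytab readable or writable by group/other (mode %o)" % (mode & 0o777))
    return problems


def inspect_keytab_file(path="/etc/krb5.keytab"):
    st = os.stat(path)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return entries, weak_entries(entries), permission_problems(st.st_mode, st.st_uid)


# Constructed sample mirroring the ktadd output above (kvno 3, 3DES and DES-CRC keys),
# plus an AES key and a kvno above 255 to exercise the 32-bit kvno field.
SAMPLE_KEYTAB = build_keytab([
    ("host/test.example.com@EXAMPLE.COM", 3, 16, b"\x11" * 24, 1700000000),
    ("host/test.example.com@EXAMPLE.COM", 3, 1, b"\x22" * 8, 1700000000),
    ("host/test.example.com@EXAMPLE.COM", 3, 18, b"\x33" * 32, 1700000000),
    ("host/other.example.com@EXAMPLE.COM", 300, 18, b"\x44" * 32, 1700000000),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.principal:40} kvno {e.kvno:<4} {e.enctype_name}")
    print("deprecated enctypes:", [e.enctype_name for e in weak_entries(parsed)])
    print("mode 0644, uid 1000:", permission_problems(0o100644, 1000))
```

Run as root, inspect_keytab_file() reads the real /etc/krb5.keytab; the same listing is available from klist -kt, but the parser also catches a keytab that was left group- or world-readable, which would hand the host's long-term key to any local user. The kvno matters operationally: after a second ktadd (or a key rotation on the KDC) the old entries stay in the file, and a mismatch between the kvno the KDC issues and the one a service can find in its keytab is the usual cause of "Key version number for principal in key table is incorrect" failures.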