Security Notes


Adding a host to the KDC with kadmin:

addprinc -randkey host/<fqdn>

So, I would run this command on my main server which hosts the KDC for my network.

If running Kerberos services on other hosts (e.g., klogind or eklogind), then such an Application Server needs a local copy of its key. To this end you could run kadmin on the A.S. and create the key table file right away (usually /etc/krb5.keytab). Or, you can run kadmin on the KDC host and write the key to a temporary file which is then transferred (securely) to the corresponding A.S. Run the kadmin command:

ktadd -k <keytab> host/<fqdn>

Some inetd entries for Kerberos remote login and remote shell:

# Kerberos
klogin    stream tcp nowait root /usr/libexec/klogind  klogind -k -c
eklogin   stream tcp nowait root /usr/libexec/klogind  klogind -k -c -e
kshell    stream tcp nowait root /usr/libexec/kshd     kshd -kc

In case there is a system in your network that is running an older version of Kerberos which only supports older cipher algorithms, you should only add keys for the supported cipher algorithms to the KDC database. Else, you will likely get a "Bad encryption type" error from the Application Server.
If, for example, that older Kerberos version supports Triple DES but not the AES family, then you can specify the supported cipher algorithm(s) when creating the principal:

addprinc -randkey -e des3-hmac-sha1:normal host/<fqdn>

When creating the keytab file for the Application Server, you must also specify which cipher algorithm(s) are to be written:

ktadd -k <keytab> -e des3-hmac-sha1:normal host/<fqdn>

Refer to the chapter on the kdc.conf file in the Kerberos administration documentation, sections Encryption Types and Keysalt Lists.

Public and Private Keys

Create primary key (private & public):

openssl genrsa -aes256 -out psk.pem 2048
openssl rsa -in psk.pem -outform PEM -pubout -out <ppk-file>

Create secondary key (private & public):

openssl genrsa -aes256 -out ssk.pem 2048
openssl rsa -in ssk.pem -outform PEM -pubout -out <spk-file>

Here <ppk-file> and <spk-file> stand for the files holding the primary and secondary public keys (PPK and SPK).

Create signature of PPK:

openssl dgst -sha256 -sign psk.pem -out ppk.sig <ppk-file>

Verify PPK with public key:

openssl dgst -sha256 -verify <ppk-file> -signature ppk.sig <ppk-file>

Create signature of SPK using PSK:

openssl dgst -sha256 -sign psk.pem -out spk.sig <spk-file>

Verify SPK:

openssl dgst -sha256 -verify <ppk-file> -signature spk.sig <spk-file>
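
The signing chain above (the primary key signs the secondary public key), as an added example that is not part of the original notes. The public key file names (ppk.pub.pem, spk.pub.pem), the rogue key pair and the DEMO_PASS passphrase are assumptions made so the script runs non-interactively.

```shell
#!/bin/sh
# Added example: PSK signs the SPK; the signature must verify for the genuine
# SPK and must fail for a substituted key or under the wrong public key.
# Assumed names: *.pub.pem files, rogue.* key pair, DEMO_PASS.
DEMO_PASS='constructed-demo-passphrase'   # constructed value, not a real secret
export DEMO_PASS

make_keypair() {   # $1 = private key file (AES-256 encrypted), $2 = public key file
    openssl genrsa -aes256 -passout env:DEMO_PASS -out "$1" 2048 2>/dev/null &&
    openssl rsa -in "$1" -passin env:DEMO_PASS -outform PEM -pubout -out "$2" 2>/dev/null
}

sign_file() {      # $1 = signing private key, $2 = file to sign, $3 = signature file
    openssl dgst -sha256 -sign "$1" -passin env:DEMO_PASS -out "$3" "$2"
}

verify_file() {    # $1 = public key, $2 = signed file, $3 = signature file
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Returns 0 only if the genuine SPK verifies and both negative checks are
# rejected; 1 = a verification gave the wrong answer, 2 = setup failed.
demo_key_chain() {
    dir=$(mktemp -d) || return 2
    rc=0
    (
        cd "$dir" || exit 2
        umask 077                        # private keys readable by owner only
        make_keypair psk.pem   ppk.pub.pem   || exit 2
        make_keypair ssk.pem   spk.pub.pem   || exit 2
        make_keypair rogue.pem rogue.pub.pem || exit 2
        sign_file psk.pem spk.pub.pem spk.sig || exit 2
        verify_file ppk.pub.pem spk.pub.pem spk.sig || exit 1
        # A different key presented with the genuine signature must be rejected.
        if verify_file ppk.pub.pem rogue.pub.pem spk.sig; then exit 1; fi
        # The signature must not verify under a public key other than the PPK.
        if verify_file rogue.pub.pem spk.pub.pem spk.sig; then exit 1; fi
    ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_key_chain && echo "SPK signature verified; substituted key rejected"
```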

Self-signed Certificate for Server

Generate server key (skip if using existing server key):

openssl genrsa -out server.key 2048

Create self-signed certificate:

openssl req -new -sha256 -key server.key -nodes -out server.csr \
        -subj "/C=<country-code>/ST=<state>/L=<city>/O=<organization>/OU=Org/CN=<common-name>"

Set appropriate values for the -subj option.

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

The server key can optionally be appended to (i.e., concatenated with) the certificate file.

Print self-signed certificate:

openssl x509 -in server.crt -text -noout

Public Key Access with SSH

Logging in from System-A to System-B using public and private keys.

On System-A create public and private keys:

System-A> ssh-keygen -t rsa
System-A> ls ~/.ssh

The public and private key files should be there: id_rsa.pub and id_rsa, respectively.

Add the public key to your ~/.ssh/authorized_keys file on System-B. The ssh-copy-id utility (if you have it) can automate this for you; otherwise you have to copy and paste the public key into the authorized_keys file yourself.

The "ssh-copy-id" option:

System-A> ssh-copy-id <user>@System-B

Or, the "manual" option:

System-A> cat ~/.ssh/id_rsa.pub
System-A> # copy output of the cat command

System-B> # append copied output to ~/.ssh/authorized_keys
System-B> echo "<insert-pubkey-string>" >> ~/.ssh/authorized_keys

Make sure the SSH service on System-B allows public key authentication (i.e., the PubkeyAuthentication setting in sshd_config).

Now, try to log in to System-B:

System-A> ssh <user>@System-B

February 4, 2018 — arthur