Setting Up a Kerberos 5 Client on Red Hat Linux 7.0

Setting up a Kerberos 5 client is less involved than setting up a server. At minimum, you'll need to install the client packages and provide your clients with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin will also require some configuration changes.

  1. Install the krb5-libs and krb5-workstation packages on all of the clients in your realm. You will need to supply your own version of /etc/krb5.conf for your client workstations; usually this can be the same krb5.conf used by the KDC.

  2. Before a particular workstation in your realm can allow users to connect using kerberized rsh and rlogin, that workstation will need to have the xinetd package installed and have its own host principal in the Kerberos database. The kshd and klogind server programs will also need access to the keys for their service's principal.

    Using kadmin, add a host principal for the workstation. The instance in this case will be the hostname of the workstation. Because you'll never need to type the password for this principal again, and you probably don't want to bother with coming up with a good password, you can use the -randkey option to kadmin's addprinc command to create the principal and assign it a random key:

    addprinc -randkey host/blah.example.com

    Now that you have created the principal, you can extract the keys for the workstation by running kadmin on the workstation itself, and using kadmin's ktadd command:

    ktadd -k /etc/krb5.keytab host/blah.example.com

    In order to use the kerberized versions of rsh and rlogin, you'll need to use either ntsysv or chkconfig to enable klogin, eklogin, and kshell.

  3. Other kerberized network services will need to be started. To use kerberized telnet, you'll need to use ntsysv or chkconfig to enable ktelnet.

    If you want to provide FTP access as well, you'll need to create and extract a key for a principal with a root of ftp, and the instance set to the hostname of the FTP server. Then use ntsysv or chkconfig to enable gssftp.

    The IMAP server included in the imap package will use GSS-API authentication using Kerberos 5 if it finds the proper key in /etc/krb5.keytab. The root for the principal should be imap. The CVS gserver uses a principal with a root of (surprise!) cvs, and is otherwise identical to a pserver.

That should be all you need to do to set up a simple Kerberos realm.
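
As a check on the steps above, the following added example (not part of the original guide) reads `klist -k` output, reports which service principals the enabled services still lack in the keytab, and prints the kadmin commands from step 2 for each. The realm EXAMPLE.COM, the sample keytab listing, the helper function names and the `cvs` service label are assumptions made for illustration.

```shell
# Added example, not from the guide: audit a keytab against enabled services.
# Print the principal root a kerberized service authenticates as.
principal_root() {
    case "$1" in
        klogin|eklogin|kshell|ktelnet) echo host ;;  # rlogin, rsh, telnet
        gssftp) echo ftp ;;
        imap)   echo imap ;;
        cvs)    echo cvs ;;   # hypothetical label for the CVS gserver
        *)      return 1 ;;
    esac
}

# Usage: klist -k /etc/krb5.keytab | missing_principals FQDN SERVICE...
# Prints each required principal (root/FQDN) that the listing lacks.
missing_principals() {
    fqdn=$1; shift
    listing=$(cat)
    seen=""
    for svc in "$@"; do
        root=$(principal_root "$svc") || { echo "unknown service: $svc" >&2; continue; }
        princ="$root/$fqdn"
        case " $seen " in *" $princ "*) continue ;; esac   # report each once
        seen="$seen $princ"
        # Keytab entries read "<kvno> root/fqdn@REALM"; match the whole name.
        if ! printf '%s\n' "$listing" | grep -qF " $princ@"; then
            echo "$princ"
        fi
    done
}

# Turn missing principals into the kadmin commands used in step 2.
kadmin_fixups() {
    while read -r princ; do
        echo "addprinc -randkey $princ"
        echo "ktadd -k /etc/krb5.keytab $princ"
    done
}

# Constructed sample of `klist -k` output; the realm EXAMPLE.COM is assumed.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/blah.example.com@EXAMPLE.COM
   2 imap/blah.example.com@EXAMPLE.COM
EOF
}
sample_klist | missing_principals blah.example.com klogin kshell gssftp imap | kadmin_fixups
```

On a real workstation, replace `sample_klist` with `klist -k /etc/krb5.keytab` and pass the services you actually enabled.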