Kerberos is a network authentication protocol that uses symmetric-key cryptography and a trusted third party — the Key Distribution Center (KDC) — to authenticate users and services without transmitting passwords over the network. RHEL 9 ships the MIT Kerberos implementation and it integrates tightly with SSH, NFS, and other network services through GSSAPI. This tutorial covers setting up a KDC on RHEL 9, configuring clients, obtaining Kerberos tickets, and enabling Kerberos-based SSH authentication.

Prerequisites

  • RHEL 9 server with a resolvable FQDN (e.g., kdc.example.com) — forward and reverse DNS are required
  • The realm name should be the uppercase version of the domain (EXAMPLE.COM)
  • All participating hosts must have synchronised clocks (Kerberos requires time skew < 5 minutes)
  • Firewall ports 88 (TCP/UDP) and 749 (TCP) open for KDC and kadmin services
  • Root access on both KDC and client machines

Step 1 — Install Kerberos Server and Client Packages

Install the KDC server package on the server, and the client workstation package on any machine that needs to authenticate. On the KDC server itself, install both:

dnf install -y krb5-server krb5-workstation

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-port=749/tcp
firewall-cmd --reload

Step 2 — Configure /etc/krb5.conf

Edit the main Kerberos configuration file on the KDC. This file must also be distributed to every client host. Replace EXAMPLE.COM with your realm and kdc.example.com with your KDC hostname:

cat > /etc/krb5.conf << 'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF
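The [domain_realm] section decides which realm a hostname belongs to: an entry with a leading dot (.example.com) covers every host below that domain, while the bare entry (example.com) matches only that exact name. The following shell script is an added example, not part of the tutorial, that approximates that lookup (exact hostname first, then each parent domain with a leading dot) over a constructed mapping table, so you can confirm how a host will be mapped before distributing krb5.conf. The LAB.EXAMPLE.COM entry is an assumption added purely for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial): predict the realm a hostname maps to
# under [domain_realm]-style rules. The mapping table is constructed here;
# the .lab.example.com entry is an assumed second realm for illustration.

DOMAIN_REALM_MAP='
.example.com EXAMPLE.COM
example.com EXAMPLE.COM
.lab.example.com LAB.EXAMPLE.COM
'

# lookup_exact PATTERN -> prints the realm for an exact pattern match, or nothing
lookup_exact() {
    printf '%s\n' "$DOMAIN_REALM_MAP" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# realm_for_host HOSTNAME -> prints the realm, or UNMAPPED (exit 1) when no
# rule applies. Hostnames are case-insensitive, so normalise to lowercase.
# Order: the exact hostname, then ".parent" for each parent domain from the
# most specific to the least specific.
realm_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(lookup_exact "$host")
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}                 # strip the leftmost label
        r=$(lookup_exact ".$rest")      # try the dotted parent-domain entry
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    printf 'UNMAPPED\n'
    return 1
}

# Demo on the constructed table
for h in web.example.com example.com srv.lab.example.com host.other.org; do
    printf '%-24s -> %s\n' "$h" "$(realm_for_host "$h")"
done
```

A host that comes back UNMAPPED will fall back to DNS-based realm discovery (disabled above with dns_lookup_realm = false) or fail, so fix the mapping rather than enabling DNS lookups.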

Step 3 — Initialise the KDC Database and Create the Admin Principal

Create the Kerberos database with kdb5_util. You will be prompted for a master password; the -s flag stores it in a stash file so the KDC can start without manual password entry (the stash only caches the password, so keep the password itself somewhere safe). Then open a local kadmin session to create an admin principal (you are prompted for its password) and write an ACL entry that grants every */admin principal in the realm full administrative rights:

kdb5_util create -s -r EXAMPLE.COM

kadmin.local -q "addprinc admin/admin"

echo "*/admin@EXAMPLE.COM *" > /var/kerberos/krb5kdc/kadm5.acl

Enable and start the KDC and kadmin services:

systemctl enable --now krb5kdc kadmin

Step 4 — Create Host and Service Principals

Each host that participates in Kerberos needs a host principal. Service principals follow the format service/hostname@REALM. Create them with kadmin.local on the KDC and export keytabs so services can authenticate without storing a password (without -k, ktadd appends the key to /etc/krb5.keytab on the KDC itself):

# Create a host principal for the KDC itself
kadmin.local -q "addprinc -randkey host/kdc.example.com"
kadmin.local -q "ktadd host/kdc.example.com"

# Create a host principal for a client machine
kadmin.local -q "addprinc -randkey host/client.example.com"
kadmin.local -q "ktadd -k /tmp/client.keytab host/client.example.com"

# Create an HTTP service principal
kadmin.local -q "addprinc -randkey HTTP/web.example.com"
kadmin.local -q "ktadd -k /etc/httpd/conf/http.keytab HTTP/web.example.com"

Transfer /tmp/client.keytab to the client machine securely (e.g., via scp), install it as /etc/krb5.keytab owned by root with mode 0600, and delete the temporary copy on the KDC. A keytab holds the host's long-term key, so treat it like a password. If web.example.com is a separate host, move http.keytab there the same way.
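After installing a keytab it is worth verifying what it actually contains: which principals are present, whether the host/ principal for this machine is there, and whether repeated ktadd runs have left several key versions (KVNOs) behind. The script below is an added example, not part of the tutorial, that parses `klist -kt` output with a few shell functions; the listing it runs on is constructed for the example (the nfs/ principal is assumed, not created above). On a real host, pipe `klist -kt /etc/krb5.keytab` into the same functions.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit a keytab listing.
# Constructed sample in `klist -kt` format; the host key appears with KVNO 2
# and KVNO 3, as happens when ktadd is run twice. nfs/ is an assumed entry.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/17/2026 10:00:00 host/client.example.com@EXAMPLE.COM
   2 05/17/2026 10:00:00 host/client.example.com@EXAMPLE.COM
   3 05/17/2026 10:05:00 host/client.example.com@EXAMPLE.COM
   1 05/17/2026 10:02:00 nfs/client.example.com@EXAMPLE.COM
'

# keytab_entries -> "KVNO PRINCIPAL" for each key line on stdin; the header
# and rule lines are skipped because their first field is not a number.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ { print $1, $NF }'
}

# keytab_principals -> unique principals held in the listing on stdin
keytab_principals() {
    keytab_entries | awk '{ print $2 }' | sort -u
}

# keytab_max_kvno PRINCIPAL -> highest KVNO stored for PRINCIPAL (stdin)
keytab_max_kvno() {
    keytab_entries | awk -v p="$1" \
        'BEGIN { m = -1 } $2 == p && $1 + 0 > m { m = $1 + 0 } END { if (m >= 0) print m }'
}

# keytab_has PRINCIPAL -> exit 0 when PRINCIPAL is present in the listing on stdin
keytab_has() {
    keytab_principals | grep -qxF "$1"
}

# keytab_multi_kvno -> principals stored under more than one KVNO. Old keys
# still decrypt tickets issued before the rekey, but a keytab whose KVNO is
# lower than the KDC's current one will fail, so check this after every ktadd.
keytab_multi_kvno() {
    keytab_entries | sort -u | awk '{ c[$2]++ } END { for (p in c) if (c[p] > 1) print p }' | sort
}

# Demo on the constructed listing
printf 'Principals:\n'
printf '%s' "$SAMPLE_KEYTAB_LISTING" | keytab_principals
printf 'Principals with more than one KVNO:\n'
printf '%s' "$SAMPLE_KEYTAB_LISTING" | keytab_multi_kvno
```

On the client the check that matters most is `klist -kt /etc/krb5.keytab | keytab_has "host/$(hostname -f)@EXAMPLE.COM"`: if that fails, GSSAPI logins to the host will be refused even though the KDC is fine.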

Step 5 — Configure the Kerberos Client and Obtain a Ticket

On the client machine, install the workstation package and copy the same /etc/krb5.conf from the KDC. Then create a user principal (addprinc prompts for the user's password) and test ticket acquisition:

# On KDC: create a user principal
kadmin.local -q "addprinc jdoe"

# On client: obtain a Kerberos ticket
kinit jdoe@EXAMPLE.COM

# Verify the ticket
klist

Expected klist output shows the principal, the issue and expiry times, and the ticket-granting ticket (TGT), whose service principal is krbtgt/EXAMPLE.COM@EXAMPLE.COM:

Credentials cache: API:...
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
May 17 10:00:00 2026   May 18 10:00:00 2026  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Step 6 — Enable Kerberos Authentication for SSH

Configure SSH to use GSSAPI so users with valid Kerberos tickets can log in without entering a password. The SSH server must hold its host/<fqdn> key in /etc/krb5.keytab (Step 4), and clients must connect using that same FQDN, because GSSAPI requests a service ticket for host/<name the client used>. Edit /etc/ssh/sshd_config on the server:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

On the client, enable GSSAPI authentication, and optionally credential delegation, in /etc/ssh/ssh_config or ~/.ssh/config. Delegation forwards a copy of your TGT to the server so it can obtain tickets on your behalf (for example for a Kerberised NFS mount); it is not needed for the login itself, so limit it to hosts you trust rather than to Host *:

Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Reload sshd and test passwordless login:

systemctl reload sshd

# Obtain a ticket first, then SSH to a host that holds its host/ key in
# /etc/krb5.keytab (client.example.com from Step 4 is used here)
kinit jdoe@EXAMPLE.COM
ssh jdoe@client.example.com
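Before relying on the configuration above it helps to check the effective sshd settings (`sshd -T`, run as root, prints them in lowercase) and to make sure credential delegation is not switched on for every host. The following shell functions are an added example, not part of the tutorial, and run on constructed `sshd -T` output and a constructed ssh_config; on a real system feed them `sshd -T` and your own ~/.ssh/config.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit GSSAPI settings on both sides.

# Constructed excerpt of `sshd -T` output (effective settings, lowercase)
SAMPLE_SSHD_T='port 22
gssapiauthentication yes
gssapicleanupcredentials yes
passwordauthentication yes
'

# Constructed ~/.ssh/config with one correctly scoped stanza and one
# catch-all stanza that forwards the TGT to every host
SAMPLE_SSH_CONFIG='Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIDelegateCredentials yes
'

# sshd_opt KEYWORD -> value of KEYWORD from `sshd -T` output on stdin
sshd_opt() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }'
}

# check_sshd_gssapi -> exit 0 when GSSAPI authentication is on and forwarded
# credentials are removed at logout; otherwise prints what is missing, exit 1
check_sshd_gssapi() {
    cfg=$(cat)
    ok=0
    [ "$(printf '%s\n' "$cfg" | sshd_opt gssapiauthentication)" = "yes" ] \
        || { echo "GSSAPIAuthentication is not yes"; ok=1; }
    [ "$(printf '%s\n' "$cfg" | sshd_opt gssapicleanupcredentials)" = "yes" ] \
        || { echo "GSSAPICleanupCredentials is not yes"; ok=1; }
    return $ok
}

# delegation_hosts -> Host patterns (from the ssh_config on stdin) under which
# GSSAPIDelegateCredentials is enabled
delegation_hosts() {
    awk 'tolower($1) == "host" { h = ""; for (i = 2; i <= NF; i++) h = h (i > 2 ? " " : "") $i }
         tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { print h }'
}

# check_ssh_delegation -> exit 1 when a catch-all "Host *" stanza forwards the TGT
check_ssh_delegation() {
    if delegation_hosts | grep -qxF '*'; then
        echo 'GSSAPIDelegateCredentials is enabled for Host *'
        return 1
    fi
    return 0
}

# Demo on the constructed inputs
printf '%s' "$SAMPLE_SSHD_T" | check_sshd_gssapi && echo "sshd GSSAPI settings OK"
printf '%s' "$SAMPLE_SSH_CONFIG" | check_ssh_delegation || echo "tighten the client config"
```

Typical use on a real host is `sshd -T | check_sshd_gssapi` on the server and `check_ssh_delegation < ~/.ssh/config` on the client.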

Conclusion

You have deployed a Kerberos KDC on RHEL 9, configured the realm, initialised the KDC database, created host and user principals, verified ticket acquisition with kinit and klist, and enabled GSSAPI-based SSH authentication. Kerberos now provides strong, ticket-based authentication across your infrastructure without passwords on the wire.

Next steps: How to Install and Configure FreeIPA on RHEL 9, How to Set Up LDAP with OpenLDAP on RHEL 9, and How to Configure Kerberos Delegation for NFS on RHEL 9.