Kerberos is a mature, ticket-based network authentication protocol that allows services and users to prove their identity to one another without transmitting passwords over the network. MIT Kerberos is the reference implementation and is packaged in RHEL 8’s default repositories. Setting up a Key Distribution Center (KDC) gives you a centralised authentication infrastructure that integrates with SSH, NFS, web services, and many other protocols through GSSAPI. This tutorial covers installing the KDC, configuring the realm, initialising the principal database, managing principals with kadmin.local, and verifying authentication with kinit and GSSAPI-enabled SSH.

Prerequisites

  • RHEL 8 server with a static IP and a fully qualified hostname (e.g. kdc.example.com)
  • Correct forward and reverse DNS resolution for all hosts in the realm
  • Root or sudo access
  • Ports 88 (TCP/UDP), 464 (TCP/UDP), and 749 (TCP) open in firewalld
  • Synchronised system clocks (Kerberos tolerates a maximum 5-minute skew)

Step 1 — Install Kerberos Packages

Install the KDC server, the administration server, and client tools in a single dnf command.

# Install KDC server, admin server, and client libraries
dnf install -y krb5-server krb5-workstation krb5-libs

# Verify the installed versions
rpm -q krb5-server krb5-workstation krb5-libs

# Confirm the KDC configuration directory exists
ls /var/kerberos/krb5kdc/

Step 2 — Configure the Realm

Edit /etc/krb5.conf to define the realm and point clients to the KDC. Then edit the KDC-side configuration in /var/kerberos/krb5kdc/kdc.conf. Use uppercase for realm names by convention.

# /var/kerberos/krb5kdc/kdc.conf: KDC-side settings for the realm
cat > /var/kerberos/krb5kdc/kdc.conf << 'EOF'
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        master_key_type = aes256-cts
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF
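Step 2 also calls for the client-side /etc/krb5.conf. As an added example (not the tutorial's own file), the following shell function writes that file for the realm and KDC used throughout this page; the lifetimes, the disabled DNS lookups and the keyring cache name are assumed defaults, not values taken from the page.

```shell
#!/bin/sh
# Added example: generate /etc/krb5.conf for a realm served by a single KDC.
# Assumed values: realm EXAMPLE.COM, KDC and admin server kdc.example.com.
# Usage: write_krb5_conf REALM KDC_FQDN OUTPUT_PATH
write_krb5_conf() {
    realm=$1
    kdc=$2
    out=$3
    # DNS domain for [domain_realm], derived by lower-casing the realm name
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    # Pin realm and KDC here rather than trusting DNS SRV/TXT records
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # Do not let reverse DNS rewrite the service host name used for tickets
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # Needed for ssh -K credential delegation; set false if delegation is unwanted
    forwardable = true
    # Kernel keyring cache, matching the KEYRING:persistent klist output
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    $realm = {
        kdc = $kdc:88
        admin_server = $kdc:749
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Example call for this tutorial's realm (run as root on each client):
# write_krb5_conf EXAMPLE.COM kdc.example.com /etc/krb5.conf
```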

Step 3 — Initialise the Principal Database

Create the Kerberos principal database with kdb5_util. The -s flag creates a stash file so the KDC can start without a manual password entry.

# Initialise the database (you will be prompted for a master password)
kdb5_util create -s -r EXAMPLE.COM

# Set the ACL to allow admin/admin full access
echo "*/admin@EXAMPLE.COM *" > /var/kerberos/krb5kdc/kadm5.acl

# Enable and start both services
systemctl enable --now krb5kdc kadmin

# Confirm both are active
systemctl status krb5kdc kadmin

Step 4 — Create Principals with kadmin.local

kadmin.local connects directly to the KDC database without requiring a Kerberos ticket, making it ideal for initial setup. Add an admin principal, a host principal for the KDC server, and a test user principal.

# Enter the kadmin.local shell
kadmin.local

# Inside kadmin.local:
# Create an admin principal
addprinc admin/admin@EXAMPLE.COM

# Create a host principal for the KDC itself
addprinc -randkey host/kdc.example.com@EXAMPLE.COM

# Export the host principal to the system keytab
ktadd host/kdc.example.com@EXAMPLE.COM

# Create a regular user principal
addprinc jdoe@EXAMPLE.COM

# List all principals
listprincs

# Exit
quit

Step 5 — Obtain a Ticket and Test Authentication

Use kinit to request a Ticket-Granting Ticket (TGT) for a principal. klist shows the current ticket cache.

# Obtain a TGT for the jdoe principal
kinit jdoe@EXAMPLE.COM

# Display the ticket cache
klist

# Expected output:
# Ticket cache: KEYRING:persistent:0:0
# Default principal: jdoe@EXAMPLE.COM
# Valid starting    Expires           Service principal
# 05/17/26 10:00  05/18/26 10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# Destroy the ticket
kdestroy
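As an added example (not from the original tutorial), here is a small POSIX sh check that parses the klist output format shown above and reports whether the krbtgt for a realm is still valid at a given time, the kind of check a cron job or monitoring agent runs before relying on a cached ticket. The sample klist text is constructed to match the expected output in this step.

```shell
#!/bin/sh
# Added example: decide from klist output whether a TGT is still valid.
# Times are compared in the MM/DD/YY HH:MM form klist prints by converting
# both sides to a sortable YYMMDDHHMM integer (no date(1) dependency).

# Constructed sample, matching the klist output shown in Step 5
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: jdoe@EXAMPLE.COM

Valid starting    Expires           Service principal
05/17/26 10:00  05/18/26 10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# to_key "05/18/26 10:00" -> 2605181000
to_key() {
    printf '%s' "$1" |
        sed -E 's#^([0-9]{2})/([0-9]{2})/([0-9]{2}) ([0-9]{2}):([0-9]{2})$#\3\1\2\4\5#'
}

# tgt_expiry REALM KLIST_TEXT: print the Expires field of the krbtgt line
# for REALM, or nothing if no such ticket is cached
tgt_expiry() {
    printf '%s\n' "$2" | awk -v svc="krbtgt/$1@$1" '$5 == svc { print $3 " " $4 }'
}

# tgt_valid REALM NOW KLIST_TEXT: succeed only if a krbtgt for REALM exists
# and expires strictly after NOW (same MM/DD/YY HH:MM form)
tgt_valid() {
    exp=$(tgt_expiry "$1" "$3")
    [ -n "$exp" ] || return 1
    [ "$(to_key "$exp")" -gt "$(to_key "$2")" ]
}

# Live use against the real ticket cache:
# tgt_valid EXAMPLE.COM "$(date '+%m/%d/%y %H:%M')" "$(klist 2>/dev/null)" || echo "no valid TGT"
```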

Step 6 — Enable SSH GSSAPI Authentication

Configure SSH to accept Kerberos GSSAPI authentication so users can SSH without passwords when they hold a valid Kerberos ticket.

# On the SSH server: edit /etc/ssh/sshd_config
sed -i 's/^#GSSAPIAuthentication.*/GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#GSSAPICleanupCredentials.*/GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config

systemctl reload sshd

# Add the server's host principal to the keytab (if not already done)
kadmin.local -q "ktadd host/kdc.example.com@EXAMPLE.COM"

# Open Kerberos ports in firewalld
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-port=749/tcp
firewall-cmd --reload

# Test GSSAPI SSH (after obtaining a ticket with kinit).
# Note: -K also forwards (delegates) the TGT to the server; omit it and rely on
# GSSAPIAuthentication yes in ssh_config when delegation is not required.
kinit jdoe@EXAMPLE.COM
ssh -K jdoe@kdc.example.com

Conclusion

You have deployed a fully functional MIT Kerberos KDC on RHEL 8, configured the realm in both krb5.conf and kdc.conf, initialised the principal database, and created admin, host, and user principals. The kinit/klist workflow confirms ticket issuance, and GSSAPI SSH lets authenticated users connect without passwords. This KDC forms the authentication backbone for a broader identity infrastructure.

Next steps: How to Configure PAM Kerberos Authentication for Linux Logins on RHEL 8, How to Set Up Kerberos-Secured NFS on RHEL 8, and How to Integrate Kerberos with OpenLDAP on RHEL 8.