How to Configure Kerberos Authentication on RHEL 7

Kerberos is a network authentication protocol that uses symmetric-key cryptography to allow clients and servers to prove their identity to each other securely without transmitting passwords over the network. It is the backbone of authentication in Active Directory environments and is natively supported across Linux through MIT Kerberos. On RHEL 7, setting up a Key Distribution Center (KDC) and integrating Kerberos with SSH provides single sign-on capabilities, strong mutual authentication, and a centralized credential store. This guide covers every stage: installing the KDC, configuring the realm, creating principals, testing the client workflow with kinit and klist, integrating SSH with GSSAPI, and creating service principals for NFS and HTTP.

Prerequisites

  • RHEL 7 server designated as the KDC, with root or sudo access
  • Static IP address and a resolvable fully qualified hostname (e.g., kdc.example.com)
  • Synchronized system clocks on all participating hosts — Kerberos authentication fails if clocks differ by more than 5 minutes; configure NTP or Chrony on all machines
  • Firewall access: UDP/TCP port 88 (Kerberos), TCP port 749 (kadmin), UDP port 464 (kpasswd)
  • Correct forward and reverse DNS for all hosts joining the realm

Step 1: Install Kerberos Server Packages

sudo yum install -y krb5-server krb5-libs krb5-workstation

The krb5-server package provides the KDC daemon (krb5kdc) and the administration daemon (kadmind). The krb5-workstation package provides client tools such as kinit, klist, kdestroy, and kadmin. Installing all three on the KDC machine means it can also act as a client for testing.

Step 2: Configure /etc/krb5.conf

The /etc/krb5.conf file defines the realm, KDC location, and default settings for both the server and all Kerberos clients. Replace EXAMPLE.COM with your realm name (always uppercase by convention) and adjust hostnames accordingly.

# /etc/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    udp_preference_limit = 0

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

Step 3: Configure /var/kerberos/krb5kdc/kdc.conf

The kdc.conf file is specific to the KDC process and controls the database path, supported encryption types, and ACL file location. The des3-hmac-sha1 and arcfour-hmac entries in the supported_enctypes list below are legacy types kept only for interoperability with old clients; every principal created with -randkey receives one key per listed type, so drop them when nothing in the realm still needs 3DES or RC4.

# /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
        max_life = 1d
        max_renewable_life = 7d
    }

Configure the ACL file to grant the admin principal full administrative rights:

# /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *

Step 4: Create the Kerberos Database

Initialize the KDC database. The -s flag creates a stash file that stores the master key so the KDC can start automatically without a password prompt.

sudo kdb5_util create -s -r EXAMPLE.COM

You will be prompted to set the Kerberos database master password. Choose a strong password and store it securely — losing it means losing access to the entire Kerberos database.

Step 5: Create Initial Principals

Use kadmin.local to create principals without needing to authenticate over the network (this works only on the KDC host itself).

sudo kadmin.local

At the kadmin.local: prompt:

# Create an admin principal
addprinc root/admin

# Create a user principal
addprinc jdoe

# Create a host principal for the KDC itself
addprinc -randkey host/kdc.example.com

# List all principals
listprincs

# Export the host principal to a keytab
ktadd host/kdc.example.com

# Exit
quit

Step 6: Start and Enable KDC Services

sudo systemctl enable krb5kdc kadmin
sudo systemctl start krb5kdc kadmin
sudo systemctl status krb5kdc kadmin

Open the required firewall ports:

sudo firewall-cmd --permanent --add-port=88/udp
sudo firewall-cmd --permanent --add-port=88/tcp
sudo firewall-cmd --permanent --add-port=749/tcp
sudo firewall-cmd --permanent --add-port=464/udp
sudo firewall-cmd --reload

Step 7: Test the Client Workflow — kinit, klist, kdestroy

On the KDC host (or any client with /etc/krb5.conf configured), test the ticket-granting workflow:

# Obtain a Kerberos ticket for the jdoe principal
kinit jdoe

# Display the current ticket cache
klist

# Sample klist output:
# Ticket cache: FILE:/tmp/krb5cc_0
# Default principal: jdoe@EXAMPLE.COM
#
# Valid starting       Expires              Service principal
# 05/17/2026 10:00:00  05/18/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# Destroy all tickets in the current cache
kdestroy

If kinit fails with a clock skew error, synchronize time across all machines:

sudo yum install -y chrony
sudo systemctl enable --now chronyd
chronyc tracking
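As an added example that is not part of the original guide, the following POSIX shell script turns the clock-skew rule above into a pre-flight check: it parses the "System time" line of chronyc tracking and compares the offset with the 300-second tolerance that MIT Kerberos applies by default (the clockskew setting in krb5.conf). The two chronyc outputs embedded in it are constructed samples; on a live host, pipe the real command into chrony_offset.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether this host's clock
# offset, as reported by "chronyc tracking", is inside the Kerberos default clock
# skew tolerance before attempting kinit. Sample outputs below are constructed.

KRB5_MAX_SKEW=300   # MIT Kerberos default clockskew, in seconds

# Read "chronyc tracking" output on stdin and print the absolute offset in seconds.
# chrony reports the magnitude plus "fast of"/"slow of", so the sign is irrelevant.
chrony_offset() {
    awk -F': *' '/^System time/ { split($2, f, " "); v = f[1]; if (v < 0) v = -v; printf "%.6f\n", v }'
}

# skew_ok OFFSET: return 0 if OFFSET is below the Kerberos tolerance, 1 otherwise.
# awk is used because POSIX sh cannot compare floating-point numbers.
skew_ok() {
    awk -v o="$1" -v max="$KRB5_MAX_SKEW" 'BEGIN { exit (o + 0 < max + 0) ? 0 : 1 }'
}

# check_host CHRONY_OUTPUT: print a verdict; return 0 (safe to kinit) or 1 (fix time first).
check_host() {
    off=$(printf '%s\n' "$1" | chrony_offset)
    if [ -n "$off" ] && skew_ok "$off"; then
        echo "clock offset ${off}s: within ${KRB5_MAX_SKEW}s, kinit should succeed"
        return 0
    fi
    echo "clock offset ${off:-unknown}s: exceeds ${KRB5_MAX_SKEW}s, kinit will fail with clock skew"
    return 1
}

# Constructed sample: a host synchronized to the KDC's NTP source.
SAMPLE_SYNCED='Reference ID    : C0A80001 (kdc.example.com)
Stratum         : 3
System time     : 0.000234567 seconds fast of NTP time
Last offset     : +0.000012345 seconds'

# Constructed sample: a host that has lost its time source and drifted by seven minutes.
SAMPLE_DRIFTED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 421.873 seconds slow of NTP time
Last offset     : +0.000000000 seconds'

# Live usage: check_host "$(chronyc tracking)" && kinit jdoe
check_host "$SAMPLE_SYNCED"
check_host "$SAMPLE_DRIFTED" || true
```

The check uses the 300-second default; if the realm sets a different clockskew in krb5.conf, change KRB5_MAX_SKEW to match.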

Step 8: Configure Client Hosts (krb5-workstation)

On every client host that will participate in the Kerberos realm, install the client package and distribute the same /etc/krb5.conf:

sudo yum install -y krb5-workstation

Copy /etc/krb5.conf from the KDC to each client (via SCP or configuration management), then create a host principal and add it to the client’s keytab using kadmin (networked version):

# On the client — authenticate as admin principal
kadmin -p root/admin@EXAMPLE.COM

# At the kadmin: prompt:
addprinc -randkey host/client1.example.com
ktadd host/client1.example.com
quit

Step 9: Integrate SSH with Kerberos (GSSAPIAuthentication)

SSH supports Kerberos authentication via GSSAPI, allowing users with a valid Kerberos ticket to log in without a password prompt. The SSH server must already hold its own host/<fqdn> key in /etc/krb5.keytab (created in Step 8), because sshd uses that key to validate the service ticket the client presents.

On the SSH server, edit /etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
UseDNS yes

Then reload sshd so the new settings take effect:

sudo systemctl reload sshd

On the SSH client, edit /etc/ssh/ssh_config or ~/.ssh/config. GSSAPIDelegateCredentials forwards the user's ticket-granting ticket to the server so it can reach other Kerberos services on the user's behalf; limit it to hosts you trust with that ticket, which is why the Host pattern below scopes it to the realm's own domain:

Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

With a valid ticket (kinit jdoe), SSH to the server without a password:

kinit jdoe
ssh jdoe@sshserver.example.com   # sshserver.example.com stands for your SSH server's FQDN
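A password prompt is easy to notice, but a login that silently fell back to public-key authentication is not. As an added example that is not part of the original guide, the following POSIX shell script confirms that GSSAPI was actually used: a successful Kerberos login leaves a host/<fqdn>@REALM service ticket in the user's credential cache, which a key or password login never does. The klist outputs embedded in it are constructed samples, and sshserver.example.com is a placeholder for the SSH server's name.

```shell
#!/bin/sh
# Added example (not from the original article): after an ssh login to a
# GSSAPI-enabled server, inspect "klist" output for the host/<fqdn>@REALM service
# ticket that proves Kerberos authentication took place. Samples are constructed.

# Read klist output on stdin; print the service principal (last column) of every
# ticket line. Ticket lines start with a MM/DD/YYYY date; headers and
# "renew until" continuation lines do not.
klist_services() {
    awk 'NF >= 5 && $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+$/ { print $NF }'
}

# has_service_ticket PRINCIPAL < klist-output: 0 if a ticket for PRINCIPAL is cached.
has_service_ticket() {
    klist_services | grep -qxF -- "$1"
}

# verify_sso SERVER_FQDN REALM < klist-output: print a verdict, return 0 or 1.
verify_sso() {
    principal="host/$1@$2"
    if has_service_ticket "$principal"; then
        echo "GSSAPI login confirmed: service ticket for $principal is cached"
        return 0
    fi
    echo "no service ticket for $principal: ssh fell back to key or password authentication"
    return 1
}

# Constructed sample: cache after "kinit jdoe" followed by a GSSAPI ssh login.
SAMPLE_SSO='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
05/17/2026 10:00:00  05/18/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 05/24/2026 10:00:00
05/17/2026 10:00:05  05/18/2026 10:00:00  host/sshserver.example.com@EXAMPLE.COM'

# Constructed sample: cache after "kinit jdoe" and a login that did not use Kerberos.
SAMPLE_NO_SSO='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
05/17/2026 10:00:00  05/18/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Live usage:
#   kinit jdoe
#   ssh jdoe@sshserver.example.com true
#   klist | verify_sso sshserver.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_SSO" | verify_sso sshserver.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_NO_SSO" | verify_sso sshserver.example.com EXAMPLE.COM || true
```

When the check reports a fallback, the usual causes are a missing host/ key on the server, a hostname that does not resolve to the name in the keytab (GSSAPIStrictAcceptorCheck and UseDNS make this strict), or a client config that does not enable GSSAPIAuthentication for that host.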

Step 10: Create Service Principals for NFS and HTTP

Services such as NFS and HTTP require their own Kerberos principals so that clients can authenticate to them. The convention is service/hostname@REALM. Note that ktadd writes the keytab on the host where kadmin or kadmin.local runs: either run the networked kadmin on the file server or web server itself, or transfer the keytab produced on the KDC to that host over a secure channel and remove the copy from the KDC afterwards.

sudo kadmin.local
# NFS principal
addprinc -randkey nfs/fileserver.example.com
ktadd -k /etc/krb5.keytab nfs/fileserver.example.com

# HTTP principal (for Apache mod_auth_gssapi or similar)
addprinc -randkey HTTP/webserver.example.com
ktadd -k /etc/krb5.keytab HTTP/webserver.example.com

quit

For NFS with Kerberos on RHEL 7, ensure the nfs-secure and rpcgssd services are running:

sudo systemctl enable --now rpcgssd nfs-secure
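Once service principals exist, two things remain unverified: that the host's keytab really contains the principals its services need, and which encryption types the keys were issued with (the enctype list from Step 3 decides this, so a keytab cut under the default list carries 3DES and RC4 keys next to the AES ones). As an added example that is not part of the original guide, the following POSIX shell script audits a klist -kte listing for both. The listings embedded in it are constructed samples; on a real host, feed it the output of klist -kte /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example, not from the original article: audit a "klist -kte" listing of
# /etc/krb5.keytab. It checks that the required service principals are present
# and that no key was issued with a DES, 3DES or RC4 enctype, which happens when
# those types remain in supported_enctypes in kdc.conf. Listings are constructed.

# Read "klist -kte" output on stdin; print "principal enctype" for each key entry.
# Entry lines start with a numeric KVNO; header and separator lines do not.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { enc = $5; gsub(/[()]/, "", enc); print $4, enc }'
}

# Print the entries whose enctype is DES, 3DES or RC4 based.
keytab_weak_keys() {
    keytab_entries | while read -r princ enc; do
        case "$enc" in
            des-*|des3-*|arcfour-*) echo "$princ $enc" ;;
        esac
    done
}

# audit_keytab REQUIRED_PRINCIPAL... < klist-output
# Reports missing principals and weak keys; returns 0 only when both checks pass.
audit_keytab() {
    listing=$(cat)   # buffer stdin so it can be scanned more than once
    status=0
    for want in "$@"; do
        if ! printf '%s\n' "$listing" | keytab_entries | awk '{ print $1 }' | grep -qxF -- "$want"; then
            echo "MISSING: $want"
            status=1
        fi
    done
    weak=$(printf '%s\n' "$listing" | keytab_weak_keys)
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | sed 's/^/WEAK KEY: /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "keytab OK"
    return "$status"
}

# Constructed sample: a keytab cut with the article's supported_enctypes list,
# so the nfs/ principal carries 3DES and RC4 keys next to its AES keys.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/17/2026 10:05:00 nfs/fileserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 05/17/2026 10:05:00 nfs/fileserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 05/17/2026 10:05:00 nfs/fileserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 05/17/2026 10:05:00 nfs/fileserver.example.com@EXAMPLE.COM (arcfour-hmac)
   2 05/17/2026 10:05:10 HTTP/webserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample: a web server's keytab after supported_enctypes was restricted to AES.
SAMPLE_CLEAN='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/17/2026 11:00:00 HTTP/webserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 05/17/2026 11:00:00 HTTP/webserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Live usage: klist -kte /etc/krb5.keytab | audit_keytab nfs/fileserver.example.com@EXAMPLE.COM
printf '%s\n' "$SAMPLE_KEYTAB" | audit_keytab nfs/fileserver.example.com@EXAMPLE.COM HTTP/webserver.example.com@EXAMPLE.COM || true
printf '%s\n' "$SAMPLE_CLEAN" | audit_keytab HTTP/webserver.example.com@EXAMPLE.COM
```

A weak-key finding is fixed on the KDC side: remove the legacy types from supported_enctypes in kdc.conf, then re-issue the affected principal's keys with cpw -randkey and a fresh ktadd on the service host, which bumps the KVNO so clients holding old tickets fail cleanly rather than silently.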

Conclusion

A properly configured MIT Kerberos KDC on RHEL 7 provides strong, ticket-based authentication for users and services without transmitting credentials over the network. The integration with SSH via GSSAPI delivers single sign-on for interactive logins once users have obtained a ticket with kinit, and service principals extend that protection to NFS, HTTP, and other network services. Regular principal password rotations, monitoring of KDC logs, and ensuring NTP synchronization across the realm are the key ongoing maintenance tasks that keep Kerberos healthy and secure in production.