Kerberos-Anaconda Repository setup example¶

Kerberos authentication adds a layer of security to Anaconda Repository. The following example show how to set up a minimal working installation with three machines: One running anaconda server, one running the MIT Kerberos Key Distribution Center (KDC), and a client from where we are going to connect to both services.

For this example we assume that both the KDC and Anaconda Repository are already configured and the 3 systems have the Network Time Protocol (NTP) service working.

Initial Setup¶

All 3 machines are running CentOS 7 but the configurations mentioned here apply for many other Linux distributions. We are going to use the following domain names:

Anaconda Repository: anaconda.kerberos.local
Kerberos KDC: kdc.kerberos.local
Client: client.kerberos.local

Make sure that the information is correct in the configuration files /etc/hostname and /etc/hosts to allow reverse-DNS lookups.

The name of the Kerberos realm is KERBEROS.LOCAL. The 3 machines have the same configuration file /etc/krb5.conf:

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = KERBEROS.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    KERBEROS.LOCAL = {
        kdc = kdc.kerberos.local
        admin_server = kdc.kerberos.local
 }

[domain_realm]
    .kerberos.local = KERBEROS.LOCAL
    kerberos.local = KERBEROS.LOCAL

On kdc.kerberos.local the files /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl should be configured accordingly.

Configure Anaconda Repostiory¶

At this point Anaconda Repository is up and running, it’s installed on /home/anaconda-server/repo, the administrator account in this example is superuser. To allow authentication we first create a service principal and the keytab containing this principal. This is accomplished running the following commands as root from a terminal on anaconda.kerberos.local.

kadmin -q "addprinc HTTP/anaconda.kerberos.local"
kadmin -q "ktadd -k /home/anaconda-server/repo/etc/anaconda-server/http.keytab HTTP/anaconda.kerberos.local"
chown anaconda-server:anaconda-server \
   /home/anaconda-server/repo/etc/anaconda-server/http.keytab
chmod 600 /home/anaconda-server/repo/etc/anaconda-server/http.keytab

Now edit the configuration file /home/anaconda-server/repo/etc/anaconda-server/config.yaml and add the following lines:

AUTH_TYPE: KERBEROS
KRB5_KTNAME: /home/anaconda-server/repo/etc/anaconda-server/http.keytab

Finally, add the principal for the admin account on the kerberos realm:

kadmin -q "addprinc superuser@KERBEROS.LOCAL"

Reboot the server for the changes to take effect.

Client Configuration¶

To log in to Anaconda Repository with Kerberos Authentication, a browser that supports said authentication protocol is necessary. In this example we are using Firefox. Some extra tweaking is required.

Open Firefox and type about:config in the navigation bar, click the confirmation button if necessary to proceed to the configuration page.
Type negotiate in the Search field to filter out the options, double click network.negotiate-auth.trusted-uris and enter .kerberos.local in the text box.
Do the same for network.negotiate-auth.delegation-uris.

Finally a ticket for the superuser should be stored on the local machine. The following command will request it:

kinit superuser@KERBEROS.LOCAL

Now it is possible to open anaconda server on firefox, in this case the URL is anaconda.kerberos.local:8080, after clicking Sign In, the user should be able to log in immediately without having to enter any credentials.