Kerberos-Anaconda Repository setup example

Kerberos authentication adds a layer of security to Anaconda Repository. The following example shows how to set up a minimal working installation with three machines: one running Anaconda Repository, one running the MIT Kerberos Key Distribution Center (KDC), and a client from which we connect to both services.

For this example we assume that both the KDC and Anaconda Repository are already configured and that the 3 systems have the Network Time Protocol (NTP) service working (Kerberos rejects tickets when the clocks of the participating hosts drift by more than the configured clock skew, 5 minutes by default).

Initial Setup

All 3 machines are running CentOS 7, but the configuration shown here applies to many other Linux distributions. We are going to use the following domain names:

  • Anaconda Repository: anaconda.kerberos.local
  • Kerberos KDC: kdc.kerberos.local
  • Client: client.kerberos.local

Make sure that the information in the configuration files /etc/hostname and /etc/hosts is correct on all three machines so that forward and reverse DNS lookups of these names succeed.

The name of the Kerberos realm is KERBEROS.LOCAL. The 3 machines have the same configuration file /etc/krb5.conf:

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = KERBEROS.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    KERBEROS.LOCAL = {
        kdc = kdc.kerberos.local
        admin_server = kdc.kerberos.local
    }

[domain_realm]
    .kerberos.local = KERBEROS.LOCAL
    kerberos.local = KERBEROS.LOCAL

On kdc.kerberos.local the files /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl should be configured accordingly.

Configure Anaconda Repository

At this point Anaconda Repository is up and running; in this example it is installed in /home/anaconda-server/repo and the administrator account is superuser. To allow Kerberos authentication we first create a service principal and a keytab containing that principal. Run the following commands as root from a terminal on anaconda.kerberos.local:

kadmin -q "addprinc HTTP/anaconda.kerberos.local"
kadmin -q "ktadd -k /home/anaconda-server/repo/etc/anaconda-server/http.keytab HTTP/anaconda.kerberos.local"
chown anaconda-server:anaconda-server \
   /home/anaconda-server/repo/etc/anaconda-server/http.keytab
chmod 600 /home/anaconda-server/repo/etc/anaconda-server/http.keytab

Now edit the configuration file /home/anaconda-server/repo/etc/anaconda-server/config.yaml and add the following lines:

AUTH_TYPE: KERBEROS
KRB5_KTNAME: /home/anaconda-server/repo/etc/anaconda-server/http.keytab

Finally, add a principal for the admin account in the Kerberos realm:

kadmin -q "addprinc superuser@KERBEROS.LOCAL"

Reboot the server for the changes to take effect.
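A pre-flight check to run on anaconda.kerberos.local once the files above are in place. This is an added example, not part of Anaconda Repository or MIT Kerberos: it parses the minimal krb5.conf and config.yaml formats shown on this page (config.yaml is read as flat KEY: value lines, so PyYAML is not needed), verifies that the default realm has a KDC and a domain mapping, that AUTH_TYPE and KRB5_KTNAME are set, and that the keytab exists, is owned by the service account and is mode 0600. The service account name anaconda-server is taken from the chown command above; the temporary keytab in demo() is a stand-in so the script runs anywhere.

```python
"""Pre-flight check for the Kerberos setup on anaconda.kerberos.local.
Added example, not part of Anaconda Repository or MIT Kerberos; it reads the
minimal krb5.conf and flat config.yaml formats shown on this page and reports
the mistakes that most often break GSSAPI logins."""
import os
import pwd
import stat
import tempfile

SERVICE_USER = "anaconda-server"   # assumed account running the repository

KRB5_CONF = """
[libdefaults]
    default_realm = KERBEROS.LOCAL
[realms]
    KERBEROS.LOCAL = {
        kdc = kdc.kerberos.local
    }
[domain_realm]
    .kerberos.local = KERBEROS.LOCAL
"""


def parse_krb5_conf(text):
    """{section: {key: value}}; a 'NAME = {' block nests under its section."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def krb5_conf_problems(conf):
    """Is the default realm usable: does it have a KDC and a domain mapping?"""
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    problems = []
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        problems.append("[realms] has no kdc entry for %s" % realm)
    if realm not in conf.get("domain_realm", {}).values():
        problems.append("[domain_realm] maps no domain to %s" % realm)
    return problems


def parse_config_yaml(text):
    settings = {}
    for line in text.splitlines():   # flat 'KEY: value' lines only
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def keytab_problems(path, owner=SERVICE_USER):
    """The keytab is the service's long-term key: owned by the service, 0600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab %s does not exist" % path]
    problems = []
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("keytab %s is accessible to group/other" % path)
    actual = pwd.getpwuid(st.st_uid).pw_name
    if actual != owner:
        problems.append("keytab %s is owned by %s, expected %s" % (path, actual, owner))
    return problems


def check_all(krb5_text, config_text, owner=SERVICE_USER):
    """All checks together; an empty list means the setup looks right."""
    problems = krb5_conf_problems(parse_krb5_conf(krb5_text))
    settings = parse_config_yaml(config_text)
    if settings.get("AUTH_TYPE") != "KERBEROS":
        problems.append("AUTH_TYPE is not KERBEROS")
    if not settings.get("KRB5_KTNAME"):
        problems.append("KRB5_KTNAME is not set")
    else:
        problems += keytab_problems(settings["KRB5_KTNAME"], owner)
    return problems


def demo():
    """Stand-alone run: a correctly protected temporary file plays http.keytab."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        me = pwd.getpwuid(os.getuid()).pw_name
        return check_all(KRB5_CONF, "AUTH_TYPE: KERBEROS\nKRB5_KTNAME: %s\n" % path, me)
    finally:
        os.remove(path)
```

On the real server, replace the sample text with the contents of /etc/krb5.conf and config.yaml and keep the default owner; the keytab check then fails loudly if the chown or chmod step above was skipped, which is far easier to spot than a GSSAPI error in the browser.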

Client Configuration

To log in to Anaconda Repository with Kerberos authentication, a browser that supports the Negotiate authentication protocol is necessary. In this example we are using Firefox, which needs some extra configuration.

  • Open Firefox, type about:config in the address bar and, if a confirmation page appears, click the button to proceed to the configuration page.
  • Type negotiate in the search field to filter the options, double-click network.negotiate-auth.trusted-uris and enter .kerberos.local in the text box.
  • Do the same for network.negotiate-auth.delegation-uris.
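The same two preferences can be rolled out as files rather than set by hand in about:config, which matters as soon as more than one client exists. The following is an added example, not from this page or from Mozilla: it renders the settings either as a per-profile user.js (the same two pref names as above) or as an enterprise policies.json using Firefox's Authentication policy with its SPNEGO and Delegate lists, and validates every entry first, because one malformed entry in these comma-separated lists is easy to type and hard to notice. The entry format accepted by normalize_entry (host name, leading-dot domain suffix or http(s) origin) is my own summary of what Firefox accepts.

```python
"""Firefox Negotiate settings as files instead of clicks in about:config.
Added example, not from the page or from Mozilla."""
import json
import re

# host name, leading-dot domain suffix (".kerberos.local") or http(s) origin
ENTRY_RE = re.compile(
    r"^(https?://)?\.?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def normalize_entry(entry):
    """Lower-case and validate one list entry; reject spaces, wildcards, paths."""
    e = entry.strip().lower()
    if not ENTRY_RE.match(e):
        raise ValueError("not a host, domain suffix or origin: %r" % entry)
    return e


def negotiate_lists(trusted, delegate=None):
    """Delegation forwards the user's Kerberos credentials to the listed
    servers, so it defaults to the trusted list but can be narrowed."""
    trusted = [normalize_entry(e) for e in trusted]
    delegate = trusted if delegate is None else [normalize_entry(e) for e in delegate]
    return trusted, delegate


def user_js(trusted, delegate=None):
    """Lines for <profile>/user.js, equivalent to the manual steps above."""
    trusted, delegate = negotiate_lists(trusted, delegate)
    return ('user_pref("network.negotiate-auth.trusted-uris", "%s");\n'
            'user_pref("network.negotiate-auth.delegation-uris", "%s");\n'
            % (",".join(trusted), ",".join(delegate)))


def policies_dict(trusted, delegate=None):
    """The Authentication policy for a managed Firefox install."""
    trusted, delegate = negotiate_lists(trusted, delegate)
    return {"policies": {"Authentication": {"SPNEGO": trusted, "Delegate": delegate}}}


def policies_json(trusted, delegate=None):
    """Contents of distribution/policies.json."""
    return json.dumps(policies_dict(trusted, delegate), indent=2)


if __name__ == "__main__":
    print(user_js([".kerberos.local"]))
    print(policies_json([".kerberos.local"], delegate=["anaconda.kerberos.local"]))
```

Listing only anaconda.kerberos.local under delegation, as the usage call does, keeps credential forwarding to the one server that needs it while still letting the whole .kerberos.local domain use Negotiate.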

Finally, a ticket for superuser must be obtained on the client machine. The following command requests it and prompts for the principal's password:

kinit superuser@KERBEROS.LOCAL

Now open Anaconda Repository in Firefox, in this example at anaconda.kerberos.local:8080. After clicking Sign In, the user is logged in immediately without having to enter any credentials.
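When Sign In still asks for credentials, the first thing to check on the client is whether the ticket cache actually holds a valid ticket-granting ticket for the expected principal. The script below is an added example, not part of MIT Kerberos: it parses the listing that klist prints (SAMPLE_KLIST is a constructed listing in that format, covering both the two- and four-digit year styles klist uses) and classifies the cache as ok, expired, missing or belonging to the wrong principal; current_status() runs the real klist on the machine.

```python
"""Classify the client's Kerberos ticket cache from klist output.
Added example, not part of MIT Kerberos; SAMPLE_KLIST is constructed."""
import re
import subprocess
from datetime import datetime

SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: superuser@KERBEROS.LOCAL

Valid starting       Expires              Service principal
06/01/2024 09:00:00  06/02/2024 09:00:00  krbtgt/KERBEROS.LOCAL@KERBEROS.LOCAL
\trenew until 06/08/2024 09:00:00
06/01/2024 09:00:05  06/02/2024 09:00:00  HTTP/anaconda.kerberos.local@KERBEROS.LOCAL
"""

# a ticket line: two timestamps then the service principal; the indented
# 'renew until' lines and the column header do not match
TICKET_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\s+(\S+ \d\d:\d\d:\d\d)\s+(\S+)$")
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")  # klist prints either


def parse_time(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(text):
    """Return (default principal, list of tickets) from klist output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": parse_time(m.group(1)),
                            "expires": parse_time(m.group(2)),
                            "service": m.group(3)})
    return principal, tickets


def tgt_status(text, now, realm="KERBEROS.LOCAL", expected_principal=None):
    """'ok', 'expired', 'missing' or 'wrong-principal' for the realm's TGT.
    `now` is a datetime or a timestamp string in klist's own format."""
    if isinstance(now, str):
        now = parse_time(now)
    principal, tickets = parse_klist(text)
    if principal is None:
        return "missing"
    if expected_principal and principal != expected_principal:
        return "wrong-principal"
    tgts = [t for t in tickets if t["service"] == "krbtgt/%s@%s" % (realm, realm)]
    if not tgts:
        return "missing"
    return "ok" if any(t["expires"] > now for t in tgts) else "expired"


def current_status(expected_principal="superuser@KERBEROS.LOCAL"):
    """Run klist on this machine; no klist or a non-zero exit means no cache."""
    try:
        proc = subprocess.run(["klist"], capture_output=True, text=True)
    except FileNotFoundError:
        return "missing"
    if proc.returncode != 0:
        return "missing"
    return tgt_status(proc.stdout, datetime.now(), expected_principal=expected_principal)


if __name__ == "__main__":
    print(current_status())
```

A result of expired or missing means kinit needs to be run again; wrong-principal usually means a different user's cache was picked up, for instance after running kinit under sudo, since the cache name in krb5.conf above is keyed by uid.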