Kerberos-Anaconda Repository setup example
Kerberos authentication adds a layer of security to Anaconda Repository. The following example shows how to set up a minimal working installation with three machines: one running Anaconda Repository, one running the MIT Kerberos Key Distribution Center (KDC), and a client from which we connect to both services.
For this example we assume that both the KDC and Anaconda Repository are already configured and that all three systems have a working Network Time Protocol (NTP) service, since Kerberos rejects tickets when the clocks of the client, the KDC and the service drift apart.
Initial Setup
All three machines run CentOS 7, but the configuration described here applies to many other Linux distributions. We use the following domain names:
- Anaconda Repository: anaconda.kerberos.local
- Kerberos KDC: kdc.kerberos.local
- Client: client.kerberos.local
Make sure that this information is correct in /etc/hostname and /etc/hosts on each machine so that reverse-DNS lookups work. The name of the Kerberos realm is KERBEROS.LOCAL. All three machines use the same configuration file, /etc/krb5.conf:
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = KERBEROS.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    KERBEROS.LOCAL = {
        kdc = kdc.kerberos.local
        admin_server = kdc.kerberos.local
    }

[domain_realm]
    .kerberos.local = KERBEROS.LOCAL
    kerberos.local = KERBEROS.LOCAL
On kdc.kerberos.local, the files /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl should be configured accordingly.
Configure Anaconda Repository
At this point Anaconda Repository is up and running; it is installed in /home/anaconda-server/repo, and the administrator account in this example is superuser. To allow authentication we first create a service principal and a keytab containing that principal. This is done by running the following commands as root in a terminal on anaconda.kerberos.local:
kadmin -q "addprinc HTTP/anaconda.kerberos.local"
kadmin -q "ktadd -k /home/anaconda-server/repo/etc/anaconda-server/http.keytab HTTP/anaconda.kerberos.local"
chown anaconda-server:anaconda-server \
/home/anaconda-server/repo/etc/anaconda-server/http.keytab
chmod 600 /home/anaconda-server/repo/etc/anaconda-server/http.keytab
Now edit the configuration file /home/anaconda-server/repo/etc/anaconda-server/config.yaml and add the following lines:
AUTH_TYPE: KERBEROS
KRB5_KTNAME: /home/anaconda-server/repo/etc/anaconda-server/http.keytab
Finally, add a principal for the admin account in the Kerberos realm:
kadmin -q "addprinc superuser@KERBEROS.LOCAL"
Reboot the server for the changes to take effect.
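Before restarting, it is worth verifying that the keytab and config.yaml are in the state the steps above describe. The following script is an added example, not part of Anaconda Repository's own tooling: it checks the keytab's owner and mode, the two config.yaml keys, and (when klist is installed) that the keytab actually holds the HTTP service principal. The function names, messages and the check logic are this example's own assumptions; the paths are the ones used on this page.

```bash
#!/bin/bash
# Added post-configuration check (hypothetical helper, not shipped with
# Anaconda Repository). Run on anaconda.kerberos.local after the kadmin steps.
set -u

# check_keytab FILE OWNER: the keytab must exist, belong to OWNER and be mode
# 600, because anyone who can read it can act as the HTTP service principal.
check_keytab() {
  local file="$1" owner="$2" mode fowner
  [ -f "$file" ] || { echo "missing keytab: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  fowner=$(stat -c '%U' "$file")
  [ "$mode" = "600" ] || { echo "$file has mode $mode, want 600"; return 1; }
  [ "$fowner" = "$owner" ] || { echo "$file is owned by $fowner, want $owner"; return 1; }
}

# check_config FILE KEYTAB: config.yaml must select Kerberos and point
# KRB5_KTNAME at the keytab the server is supposed to read.
check_config() {
  local file="$1" keytab="$2"
  [ -f "$file" ] || { echo "missing config: $file"; return 1; }
  grep -qE '^AUTH_TYPE:[[:space:]]*KERBEROS[[:space:]]*$' "$file" \
    || { echo "AUTH_TYPE is not KERBEROS in $file"; return 1; }
  grep -qF "KRB5_KTNAME: $keytab" "$file" \
    || { echo "KRB5_KTNAME in $file does not point at $keytab"; return 1; }
}

# check_principal FILE PRINCIPAL: if klist is installed, confirm the keytab
# holds an entry for the service principal created with kadmin.
check_principal() {
  local file="$1" principal="$2"
  command -v klist >/dev/null || { echo "klist not found, skipping"; return 0; }
  klist -kt "$file" | grep -qF "$principal" \
    || { echo "$principal not found in $file"; return 1; }
}

# Example invocation with the paths from this page (source the file, then):
#   d=/home/anaconda-server/repo/etc/anaconda-server
#   check_keytab "$d/http.keytab" anaconda-server
#   check_config "$d/config.yaml" "$d/http.keytab"
#   check_principal "$d/http.keytab" HTTP/anaconda.kerberos.local
```

Each function prints the first problem it finds and returns non-zero, so the three calls can be chained with && in a deployment script.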
Client Configuration
To log in to Anaconda Repository with Kerberos authentication, a browser that supports this authentication protocol is necessary. In this example we use Firefox, which needs two preferences changed:
- Open Firefox and type about:config in the navigation bar; click the confirmation button if necessary to proceed to the configuration page.
- Type negotiate in the Search field to filter the options, double-click network.negotiate-auth.trusted-uris and enter .kerberos.local in the text box.
- Do the same for network.negotiate-auth.delegation-uris (this preference lets the listed sites receive delegated credentials, so keep it as narrow as possible).
Finally, a ticket for superuser should be stored on the local machine. The following command requests it:
kinit superuser@KERBEROS.LOCAL
Now open Anaconda Repository in Firefox; in this example the URL is anaconda.kerberos.local:8080. After clicking Sign In, the user should be logged in immediately without having to enter any credentials.