Chapter 39. Installing and Administering Kerberos

Contents

39.1. Kerberos Network Topology
39.2. Choosing the Kerberos Realms
39.3. Setting Up the KDC Hardware
39.4. Configuring Time Synchronization
39.5. Configuring the KDC
39.6. Configuring Kerberos Clients
39.7. Configuring Remote Kerberos Administration
39.8. Creating Kerberos Service Principals
39.9. Enabling PAM Support for Kerberos
39.10. Configuring SSH for Kerberos Authentication
39.11. Using LDAP and Kerberos

A Kerberos environment as described in Chapter 38, Network Authentication—Kerberos consists of several different components. A key distribution center (KDC) holds the central database with all Kerberos-relevant data. All clients rely on the KDC for proper authentication across the network. Both the KDC and the clients need to be configured to match your setup:

General Preparations

Check your network setup and make sure it meets the minimum requirements outlined in Section 39.1, “Kerberos Network Topology”. Choose an appropriate realm for your Kerberos setup, see Section 39.2, “Choosing the Kerberos Realms”. Carefully set up the machine that is to serve as the KDC and apply tight security, see Section 39.3, “Setting Up the KDC Hardware”. Set up a reliable time source in your network to make sure all tickets contain valid timestamps, see Section 39.4, “Configuring Time Synchronization”.

Basic Configuration

Configure the KDC and the clients, see Section 39.5, “Configuring the KDC” and Section 39.6, “Configuring Kerberos Clients”. Enable remote administration for your Kerberos service, so you do not need physical access to your KDC machine, see Section 39.7, “Configuring Remote Kerberos Administration”. Create service principals for every service in your realm, see Section 39.8, “Creating Kerberos Service Principals”.

Enabling Kerberos Authentication

Various services in your network can make use of Kerberos. To add Kerberos password-checking to applications using PAM, proceed as outlined in Section 39.9, “Enabling PAM Support for Kerberos”. To configure SSH or LDAP with Kerberos authentication, proceed as outlined in Section 39.10, “Configuring SSH for Kerberos Authentication” and Section 39.11, “Using LDAP and Kerberos”.

39.1. Kerberos Network Topology

Any Kerberos environment must meet the following requirements to be fully functional:

  • Provide a DNS server for name resolution across your network, so clients and servers can locate each other. Kerberos derives service principal names from the canonical, fully qualified host name, so forward and reverse lookups must agree for every client and server in the realm. Refer to Chapter 22, The Domain Name System for information on DNS setup.

  • Provide a time server in your network. Exact time stamps are crucial to a Kerberos setup: tickets and authenticators carry time stamps, and the KDC and the services reject those whose time differs from their own clock by more than the permitted clock skew (five minutes by default). Refer to Chapter 24, Time Synchronization with NTP for information on NTP setup.

  • Provide a key distribution center (KDC) as the centerpiece of the Kerberos architecture. It holds the Kerberos database, including the keys of every principal in the realm, so a compromise of this machine is a compromise of your entire infrastructure. Apply the tightest possible security policy to it.

  • Configure the client machines to use Kerberos authentication.
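The following script checks the four requirements above on a client or on the KDC itself. It is an added example and not part of the SUSE manual; it assumes a Linux host with getent, hostname, either chronyc (chrony) or ntpq (ntpd), and nc for the port probe, and it takes the fully qualified KDC name as its only argument. The 300 second limit is the default clock skew tolerance of MIT Kerberos.

```shell
#!/bin/sh
# Preflight check for DNS, time synchronization and KDC reachability.
# Added example, not part of the SUSE manual. Assumptions: getent(1),
# hostname(1), chronyc(1) or ntpq(1), and nc(1) are installed; the KDC
# host name is passed as $1. names_agree and within_skew are pure helpers
# that run offline; the network checks run only when a KDC name is given.

KRB_MAX_SKEW=300   # MIT krb5 default "clockskew": 5 minutes

# Normalize a DNS name: lower case, trailing dot removed.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# names_agree <forward name> <PTR name>: succeeds when the reverse record
# maps the address back to the same FQDN. Service principals are built from
# the canonical host name, so a mismatch surfaces as "Server not found".
names_agree() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# within_skew <offset seconds> [<max seconds>]: succeeds when |offset| <= max.
# The offset may be signed and fractional, as chronyc and ntpq report it.
within_skew() {
    awk -v off="$1" -v max="${2:-$KRB_MAX_SKEW}" 'BEGIN {
        if (off < 0) off = -off
        exit !(off <= max)
    }'
}

# clock_offset: seconds the system clock is ahead (positive) or behind
# (negative) the NTP reference, from whichever daemon is installed.
clock_offset() {
    if command -v chronyc >/dev/null 2>&1; then
        # e.g. "System time     : 0.000123456 seconds fast of NTP time"
        chronyc tracking | awk '/^System time/ {
            s = $4; if ($6 == "slow") s = -s; print s }'
    elif command -v ntpq >/dev/null 2>&1; then
        # "ntpq -c rv" reports "offset=-1.234," in milliseconds
        ntpq -c rv | tr ',' '\n' | awk -F= '$1 ~ /^ *offset$/ { print $2 / 1000 }'
    else
        echo "neither chronyc nor ntpq found; is NTP configured?" >&2
        return 1
    fi
}

# preflight <kdc fqdn>: one line per check, non-zero exit on any failure.
preflight() {
    kdc=$1; rc=0
    for host in "$(hostname -f)" "$kdc"; do
        ip=$(getent ahosts "$host" | awk 'NR == 1 { print $1 }')
        ptr=$(getent hosts "$ip" | awk '{ print $2 }')
        if [ -n "$ip" ] && names_agree "$host" "$ptr"; then
            echo "ok   DNS: $host -> $ip -> $ptr"
        else
            echo "FAIL DNS: $host -> ${ip:-unresolved} -> ${ptr:-no PTR}"; rc=1
        fi
    done
    off=$(clock_offset) || rc=1
    if [ -n "$off" ] && within_skew "$off"; then
        echo "ok   time: offset ${off}s within ${KRB_MAX_SKEW}s"
    else
        echo "FAIL time: offset ${off:-unknown}s (limit ${KRB_MAX_SKEW}s)"; rc=1
    fi
    if nc -z -w 3 "$kdc" 88 >/dev/null 2>&1; then
        echo "ok   KDC: $kdc reachable on tcp/88"
    else
        echo "FAIL KDC: $kdc not reachable on tcp/88 (firewall or routing?)"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh kdc.example.com` on each machine before configuring the realm. A failed DNS line usually means a missing or stale PTR record; a failed time line means the client or the KDC is not synchronized, which will later show up as "Clock skew too great" errors; a failed KDC line points at routing or a firewall between the subnets.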

The following figure depicts a simple example network with just the minimum components needed to build a Kerberos infrastructure. Depending on the size and topology of your deployment, you might need to use a different setup.

Figure 39.1. Kerberos Network Topology

Tip: Configuring Subnet Routing

For a setup similar to the one in Figure 39.1, “Kerberos Network Topology”, configure routing between the two subnets (192.168.1.0/24 and 192.168.2.0/24). Refer to Section 20.4.1.1.4, “Configuring Routing” for more information on configuring routing with YaST.