Checking the version of Kerberos installed on your system is essential, as it directly affects how you can use it. This quick guide explains why you need to know the Kerberos version and how to find it.
Kerberos: The Basics
Authentication is one of the most crucial security objectives, along with accounting and authorization. Its purpose is to establish the identity of the person using a system or resource. Several authentication systems are in use today.
Among them, Kerberos is one of the most widely employed authentication protocols on Linux. Unlike standard password-based authentication, Kerberos never transmits passwords over the network, even when services on other systems are accessed.
Currently, Kerberos 4 and 5 are widely used. Version 5 is the first version used for administrative purposes beyond MIT, where Kerberos originated. This article explains how to find the version of Kerberos on Linux.
Why Finding a Version is Important
It is important to find the version currently in use on your system because there are significant differences between the features provided by Kerberos 4 and Kerberos 5. For instance:
- Ticketing system: Both versions support the ticket system. However, Kerberos 5 provides several new functions for ticket support, such as renewing, forwarding, and postdating tickets.
- Encoding scheme: Kerberos 5 uses the ASN.1 encoding system, whereas version 4 relies on the receiver to apply the right encoding scheme.
- Encryption scheme: Kerberos 5 can use different encryption schemes, whereas version 4 uses the Data Encryption Standard (DES).
- Ticket lifetime: In Kerberos 4, the lifetime of a ticket is specified in units of 5 minutes. In Kerberos 5, one can specify an arbitrary lifetime.
What are the Key Differences Between Kerberos 4 and Kerberos 5?
Kerberos 4 and Kerberos 5 differ in a number of ways. Some of the key differences between the two versions are listed below.
Kerberos 4:
- Key Salt Algorithm: Partially uses the principal name
- Encoding System: Receiver-Makes-Right
- Ticket support system: Satisfactory yet basic
- Network IP addresses: Comes with a few IP addresses and other addresses for types of network protocols
- Cross-realm authentication support: No current support for it
- Encryption Methods: DES encryption system included
- Ticket Lifespan: Specified in units of 5 minutes
- Key: A single key is used repeatedly to obtain a service from a specific server, so there is a threat that an attacker can replay messages from an old session to the client or server
Kerberos 5:
- Key Salt Algorithm: Utilizes the principal name entirely
- Encoding System: Integrated with the ASN.1 coding system
- Ticket support system: Established and built to enhance forwarding, postdating, and renewal of tickets
- Network IP addresses: Has an array of multiple IP addresses and other addresses for several types of network protocols
- Cross-realm authentication support: A decent structure of support present for such authentication protocols
- Encryption Methods: Tagging of the ciphertext with an encryption type identifier
- Ticket Lifespan: The ticket has a single lifespan identification from the beginning to the end
- Key: The threat is entirely avoided by requiring a sub-session key, which can only be used for a single connection
Before checking the Kerberos version, ensure that it is properly installed and configured. In particular, check the following:
1. Ensure that Kerberos is installed in the system. On RPM-based systems, query the installed packages with the following command:
$ rpm -q krb5-server krb5-workstation
On Debian-based systems, you can install the packages with the following command:
$ apt-get install krb5-kdc krb5-admin-server
2. Add the following to your PATH environment variable: /usr/kerberos/sbin. You can set that in
3. Select a realm name and put that information in the following files:
4. Create the KDC principal database using the following command:
5. Start the KDC service:
Checking the version of Kerberos in your system
Now let's look at how to check the version of Kerberos on your system. Use the following steps.
Check if Kerberos is installed on your system
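The first step is checking if Kerberos is installed on your system. You can use the rpm -ivh command for this: it installs the named package with verbose output and a progress bar, and if the package is already installed, rpm reports that instead of installing it again. The general usage of this command is: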
$ rpm -ivh [package-name]-[version].rpm
Type the following command on the console to check Kerberos installation:
$ rpm -ivh krb5-server-18.104.22.168.el6_4.6.x86_64.rpm
Create a ticket using the kinit tool
To check the version easily, one should create a ticket using the kinit tool. This tool is very useful in creating and caching Kerberos tickets. The general command to use this tool is:
kinit [ commands ] <principal name> [<password>]
To create a ticket, type the following command on the console:
kinit -l 10h -r 5d principal
This will create a ticket for the user principal with a lifetime of 10 hours (-l) that is renewable for five days (-r).
Note: To use this command, the user must be registered as a principal with a key distribution center.
Find the list of currently cached tickets
To check your credentials after the ticket is created, use the klist command. Type the following commands:
You will get the following output:
Check your Kerberos version
Finally, you can check the version of Kerberos installed in your system using the following command:
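An added example, not part of the original article: a small script that asks the MIT Kerberos tools for their version banner and separates the protocol version (5) from the MIT krb5 release number, two values that are easy to confuse. It assumes the MIT banner formats shown in the comments; the function names and the sample release numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example. Banner formats assumed (MIT krb5; release numbers constructed):
#   klist -V              -> "Kerberos 5 version 1.19.2"
#   krb5-config --version -> "Kerberos 5 release 1.19.2"

# Print "<protocol version> <MIT release>" for a banner, or return 1
# when the text is not a recognised banner (e.g. an error message).
parse_krb5_version() {
    printf '%s\n' "$1" |
        sed -n -E 's/^Kerberos ([0-9]+) (version|release) ([0-9][0-9.]*).*$/\1 \3/p' |
        head -n 1 | grep .
}

# Try each tool that is present in PATH until one yields a usable banner.
detect_krb5_version() {
    for cmd in "klist -V" "krb5-config --version"; do
        # Skip tools that are not installed.
        command -v "${cmd%% *}" >/dev/null 2>&1 || continue
        # Skip tools that reject the option (non-MIT implementations).
        banner=$($cmd 2>/dev/null) || continue
        parse_krb5_version "$banner" && return 0
    done
    return 1
}

if result=$(detect_krb5_version); then
    echo "Kerberos protocol version ${result% *}, MIT krb5 release ${result#* }"
else
    echo "No MIT Kerberos tools found in PATH" >&2
fi
```
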
And that's all! This tutorial explains how to find the version of Kerberos installed on your system.