Getting Started With Kerberos

Recently, I have been playing with Kerberos, a popular Single Sign On system (SSO) that is used in many large organizations. My first contact with Kerberos has been at university in a network security course, but that only covered the cryptographic part, not the more practical issues like setting up an implementation and using it.

Since Hadoop security uses Kerberos under the hood, I felt that I needed to get reacquainted and finally get some practical experience. This is what I've been doing for the last couple of weekends, so I'm far from being an expert, but the information I collected might still save you some time.

To get started quickly, I recommend beginning with the official tutorial from the Kerberos Consortium. It explains the basic concepts and describes the protocol in detail. Read this thoroughly, it is absolutely essential to understand the architecture, so you know what kind of security Kerberos provides and what it doesn't. Using a security system without a basic understanding of how it works is dangerous, arguably worse in some cases than not using security at all.

After all the theory you can then get your hands dirty and set up a Kerberos implementation (I use MIT Kerberos). From all the documents I've found online, I liked Ubuntu's Kerberos Guide best. Work through sections 1 to 6 to set up the server software (the KDC), the client and test the basic setup. You should be able to acquire a ticket (a TGT, to be precise) from the server.

As the next step, you should try to protect a server resource via Kerberos. For simplicity I strongly recommend to use an Apache server as the protected resource because the setup is simple and it's easy to test using a web browser or curl(1). Ubuntu's guide contains a section on Apache, so just follow the instructions there. Be careful though: The keytab you use with Apache must be readable by the Apache user (usually "www-data") and nobody else or you will get weird, unhelpful error messages.

When the Apache setup is done, test it using curl. The correct command line to use is curl -i --negotiate -u : URL (note the empty user name and password left and right of the colon). You can also use a modern web browser, but this usually requires extra configuration.

When Apache and your browser are configured correctly and you have a valid ticket, then you should not be prompted for a password. In this case: Congratulations, you have a working Kerberos setup!