KERBEROS: Configure a system to authenticate using Kerberos.

Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines in the /etc/hosts file (replace the specified ip addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Create a user for test:

# useradd user01

Add the client machine name (here kbclient.example.com) to the principals:

# kadmin -q "addprinc -randkey host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.
# kadmin -q "ktadd -k /etc/krb5.keytab host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# service sshd reload

Configure the PAM component with a text interface:

# authconfig-tui

Select “[*] Use Kerberos” in the Authentication column, then Next and OK.

Alternatively, configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_TGWbLJ1810
Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal
02/12/14 17:51:58 02/13/14 17:50:46 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/12/14 17:50:46

Now, you should be able to quit and reconnect without giving any password.
In addition, the first time you log in to a Kerberos client, you have to provide a login/password. Then, you get a ticket that allows you to log in to all the other Kerberos clients in the same realm and you don’t need to provide a password any more as long as your ticket is valid.
Note: To delete a ticket, use the kdestroy command.

Source: RHEL 5 Deployment Guide.