Kerberos Basic Installation and Configuration

My environment recently started needing Kerberos authentication, and I knew very little about Kerberos before, so today I set aside some time to install Kerberos by hand in order to deepen my understanding of it.

1 Choose one machine to run the KDC and install the Kerberos packages

yum install -y krb5-devel krb5-server krb5-workstation

2 Configure Kerberos: edit krb5.conf and kdc.conf, changing the realm in both from the default EXAMPLE.COM to the value you want to use

[root@cent-1 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TRAFKDC.COM  -- changed
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TRAFKDC.COM = {  -- changed
  kdc = namenode01  -- changed
  admin_server = namenode01  -- changed
 }

[domain_realm]
 .TRAFKDC.com = TRAFKDC.COM  -- changed
 TRAFKDC.com = TRAFKDC.COM  -- changed

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TRAFKDC.COM = {  -- changed
  max_life = 24h  -- added
  max_renewable_life = 7d  -- added
  default_principal_flags = +renewable -- added
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
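A configuration check added here as an example (not part of the original post): it parses the two files, confirms that default_realm is declared in the [realms] section of both krb5.conf and kdc.conf, and lists the legacy DES/3DES/RC4 types in supported_enctypes, which MIT Kerberos has deprecated and which a hardened KDC should drop. The file contents are constructed samples built from the values above and written to temporary files, not the real /etc paths.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check realm settings in
# krb5.conf/kdc.conf and flag legacy enctypes in supported_enctypes.
# Both config files are constructed samples mirroring the post's values.
KRB5_CONF=$(mktemp); KDC_CONF=$(mktemp)
trap 'rm -f "$KRB5_CONF" "$KDC_CONF"' EXIT
cat >"$KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = TRAFKDC.COM
[realms]
 TRAFKDC.COM = {
  kdc = namenode01
  admin_server = namenode01
 }
EOF
cat >"$KDC_CONF" <<'EOF'
[realms]
 TRAFKDC.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
 }
EOF
# Print the value of key $3 inside section [$2] of file $1 (first match only).
ini_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && $1 == k && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# List the realm names declared as "NAME = {" in the [realms] section of file $1.
realm_names() {
  awk '$0 == "[realms]" { in_s = 1; next }  /^\[/ { in_s = 0 }
       in_s && $2 == "=" && $3 == "{" { print $1 }' "$1"
}

# Space-separated DES/3DES/RC4 enctypes from supported_enctypes in kdc.conf $1;
# MIT Kerberos deprecates these legacy types, so a hardened KDC drops them.
weak_enctypes() {
  ini_get "$1" realms supported_enctypes | tr ' ' '\n' | sed 's/:.*//' |
    grep -E '^(des-|des3-|arcfour-)' | tr '\n' ' ' | sed 's/ $//'
}

# "OK <realm>" when default_realm is declared in both [realms] sections,
# otherwise "MISMATCH <realm>" (the realm name must agree in both files).
realm_consistency() {
  r=$(ini_get "$KRB5_CONF" libdefaults default_realm)
  if realm_names "$KRB5_CONF" | grep -qx "$r" && realm_names "$KDC_CONF" | grep -qx "$r"
  then echo "OK $r"; else echo "MISMATCH $r"; fi
}
```

To check a real KDC, replace the two mktemp assignments with /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf and drop the heredocs; then call realm_consistency and weak_enctypes "$KDC_CONF".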

3 Create the KDC database. You are prompted to set the master password; on completion a set of files is generated under /var/kerberos/krb5kdc/. To rebuild the database, first delete the principal-related files under /var/kerberos/krb5kdc

[root@cent-1 ~]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TRAFKDC.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

[root@cent-1 ~]# ll /var/kerberos/krb5kdc/
total 24
-rw-------. 1 root root   22 Mar  9  2016 kadm5.acl
-rw-------. 1 root root  403 Jan 13 10:18 kdc.conf
-rw-------. 1 root root 8192 Jan 13 10:23 principal
-rw-------. 1 root root 8192 Jan 13 10:23 principal.kadm5
-rw-------. 1 root root    0 Jan 13 10:23 principal.kadm5.lock
-rw-------. 1 root root    0 Jan 13 10:24 principal.ok

4 Grant the database administrator permissions in the ACL by editing the kadm5.acl file; * stands for all permissions

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *

5 Add the database administrator. Note that kadmin.local can be run directly on the KDC without going through Kerberos authentication

[root@cent-1 ~]# /usr/sbin/kadmin.local -q "addprinc kdcadmin/admin"
Enter password for principal "kdcadmin/[email protected]":
Re-enter password for principal "kdcadmin/[email protected]":
Principal "kdcadmin/[email protected]" created.
[root@cent-1 ~]# kadmin.local
Authenticating as principal centos/[email protected] with password.
kadmin.local:  listprinc
kadmin.local: Unknown request "listprinc".  Type "?" for a request list.
kadmin.local:  listprincs
K/[email protected]
kdcadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]

6 Start the Kerberos daemons and enable them at boot. Check the logs in /var/log/krb5kdc.log and /var/log/kadmind.log, and use kinit to confirm that Kerberos is working

service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on

7 Configure JCE. Because CentOS 6.5 and later use AES-256 encryption by default, JCE must be installed and configured on every node. JCE download: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

[root@cent-1 UnlimitedJCEPolicyJDK8]# ll
total 16
-rw-rw-r--. 1 root root 3035 Dec 21  2013 local_policy.jar
-rw-r--r--. 1 root root 7323 Dec 21  2013 README.txt
-rw-rw-r--. 1 root root 3023 Dec 21  2013 US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/ /usr/java/jdk1.8.0_11/jre/lib/security/
local_policy.jar      README.txt            US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/US_export_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/US_export_policy.jar'? y

8 At this point the Kerberos server side is set up. Now choose another machine, install the client on it, and configure its /etc/krb5.conf identically to the KDC's

yum install -y krb5-workstation

9 Verify that the client can access the KDC

kadmin -p 'kdcadmin/admin' -w '<kdcadmin/admin password>' -s '<kdc server ip>' -q 'list_principals'

10 Generate a keytab with kadmin: on the KDC run kadmin.local directly; on a client run kinit first, then kadmin

(1) On the KDC

[root@cent-1 ~]# kadmin.local
Authenticating as principal trafodion/[email protected] with password.
kadmin.local:  listprincs
K/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
[email protected]
kadmin.local:  xst -k /opt/trafodion.keytab trafodion
Entry for principal trafodion with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/trafodion.keytab.

[root@cent-1 opt]# ll /opt/trafodion.keytab
-rw-------. 1 root root 279 Jan 13 13:05 /opt/trafodion.keytab

(2) On the client (kinit first)

[root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/[email protected]:
[root@cent-2 ~]# kadmin
Authenticating as principal kadmin/[email protected] with password.
Password for kadmin/[email protected]:
kadmin:  addprinc centos
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
kadmin:  listprincs
K/[email protected]
[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
[email protected]

11 Related Kerberos commands

// add a principal (run from a client against the KDC)
kadmin -p 'kdcadmin/admin' -w '<kdc password>' -s '<kdc server>' -q 'addprinc -randkey trafodion'
// generate the keytab file (kadmin subcommand, same as xst)
ktadd -k /opt/trafodion.keytab trafodion
// authenticate a user from the keytab
kinit -kt /opt/trafodion.keytab trafodion
// show the currently authenticated user's ticket information
klist

Original source: https://blog.csdn.net/Post_Yuan/article/details/54406148
