Kerberos installation
sudo apt-get install krb5-kdc krb5-admin-server    # install the KDC and the admin server
which kinit    # check that the client tools were installed
I. Kerberos configuration (the default configuration directory is /etc/krb5kdc)
1. /etc/krb5.conf
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCAL.DOMAIN
# the enctype settings are only honoured in [libdefaults]; under [logging] they are ignored
# des3-hmac-sha1 is deprecated in current MIT krb5 releases; aes256-cts-hmac-sha1-96 is the usual choice today
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
forwardable = yes
ccache_type = 4
proxiable = true
renew_lifetime = 1d
# the default clock skew is 300 seconds; a value this large effectively disables the check that limits replayed authenticators
clockskew = 1000000000
#dns_lookup_kdc = true
#dns_lookup_realm = true
[realms]
LOCAL.DOMAIN = {
kdc = localhost
admin_server = localhost
default_domain = localhost
}
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN
[login]
krb4_convert = true
krb4_get_tickets = false
A second variant of /etc/krb5.conf that addresses the KDC and admin server by hostname instead of localhost:
[libdefaults]
default_realm = LOCAL.DOMAIN
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
LOCAL.DOMAIN = {
kdc = kdc.kerberos.local.domain
admin_server = kerberos.local.domain
}
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN
[login]
krb4_convert = true
krb4_get_tickets = false
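The krb5.conf settings above carry three things worth checking on any KDC: enctype keys that are only honoured under [libdefaults], a clockskew of 1000000000 seconds, and DES-family enctypes. The POSIX shell function below is an added example (not from the original post) that audits a krb5.conf for exactly those problems; the sample file it writes is constructed to reproduce them, and audit_krb5_conf is a hypothetical name.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Constructed sample input
# below; for real use: audit_krb5_conf /etc/krb5.conf
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[logging]
default_tgs_enctypes = des3-hmac-sha1
[libdefaults]
default_realm = LOCAL.DOMAIN
clockskew = 1000000000
permitted_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
[realms]
LOCAL.DOMAIN = {
kdc = localhost
}
EOF
# audit_krb5_conf FILE: prints one finding per line; exit status = number of findings
audit_krb5_conf() {
    findings=0; section=""
    while IFS= read -r line; do
        # drop comments, trim whitespace, normalise "key = value" to "key=value"
        line=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/')
        [ -z "$line" ] && continue
        case "$line" in
            \[*\]) section="${line#\[}"; section="${section%\]}"; continue ;;
        esac
        key="${line%%=*}"; val="${line#*=}"
        case "$key" in
            default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)
                if [ "$section" != "libdefaults" ]; then
                    echo "WRONG_SECTION: $key under [$section] is ignored; it belongs in [libdefaults]"
                    findings=$((findings + 1))
                fi
                for enc in $val; do          # aes* never matches des*
                    case "$enc" in
                        des*) echo "WEAK_ENCTYPE: $key lists $enc (DES family is deprecated/removed in MIT krb5)"
                              findings=$((findings + 1)) ;;
                    esac
                done ;;
            clockskew)
                if [ "$val" -gt 300 ] 2>/dev/null; then
                    echo "CLOCKSKEW: $val s is far above the 300 s default and weakens replay protection"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    return "$findings"
}
audit_krb5_conf "$SAMPLE_CONF" || echo "findings: $?"
```

On the constructed sample the function reports four findings and exits with status 4.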
2. /etc/krb5kdc/kdc.conf (create it if it does not exist; the default directory is /etc/krb5kdc)
[kdcdefaults]
kdc_ports = 750,88
[realms]
# the realm name here must match default_realm in /etc/krb5.conf
LOCAL.DOMAIN = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 24h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
# the single-DES types (des-cbc-crc, des:*) were removed in MIT krb5 1.18 and are rejected there; des3 and arcfour are deprecated
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
3. /etc/krb5kdc/kadm5.acl (the acl_file named in kdc.conf): */admin principals get all rights (*), every other principal only the change-password right (c)
*/admin@LOCAL.DOMAIN *
*/*@LOCAL.DOMAIN c
*@LOCAL.DOMAIN c
4. Create the KDC database (-s also writes the master key to the stash file)
$ /usr/sbin/kdb5_util create -r LOCAL.DOMAIN -s
or
$ krb5_newrealm
Either command prints the prompt below; enter the database master password when asked (e.g. 123.com).
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCAL.DOMAIN',
master key name 'K/M@LOCAL.DOMAIN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
Once this finishes, the kadmind and krb5kdc daemons are started automatically:
/usr/sbin/kadmind -P /var/run/kadmind.pid
/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
A principal has three parts: the name, the instance and the REALM. A standard Kerberos user principal therefore looks like name/instance@REALM.
5. Log in with kadmin.local (run on the KDC itself; it needs no Kerberos ticket)
$ /usr/sbin/kadmin.local
kadmin.local: listprincs
K/M@LOCAL.DOMAIN
kadmin/admin@LOCAL.DOMAIN
kadmin/changepw@LOCAL.DOMAIN
kadmin/<instance>@LOCAL.DOMAIN
krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN
(<instance> marks an instance name that is illegible in the source; hostname stands for the target server's FQDN.)
kadmin.local: delprinc kadmin/<instance>@LOCAL.DOMAIN
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Add a user principal (you are prompted for its password):
addprinc liyq/<instance>@LOCAL.DOMAIN
Add a host principal for the server, with a random key:
ank -randkey host/hostname@LOCAL.DOMAIN
Export that key to a keytab (this becomes the server's krb5.keytab):
ktadd -k /tmp/hostname.keytab host/hostname@LOCAL.DOMAIN
Copy /tmp/hostname.keytab to /etc/ on the server you want to log in to and rename it krb5.keytab.
On that server, authorize the user principal to log in as root by adding it to /root/.k5login:
liyq/<instance>@LOCAL.DOMAIN
On the jump host, switch to the corresponding user and try ssh -vv root@hostname to check that the login works.
6. Restart the krb5kdc and kadmind processes
7. Run Kerberos
8. On the KDC server, test that a ticket can be requested