1 KDC installation and configuration
1.1 Obtaining the KDC packages
The node that will run the KDC needs three packages, krb5-server, krb5-libs and krb5-workstation, installed from the yum repository.
yum install krb5-server krb5-libs krb5-workstation -y
1.2 Editing the Kerberos KDC configuration file kdc.conf
[root@dap81 ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 DEV.EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
kdc_ports: the UDP port(s) the KDC listens on.
kdc_tcp_ports: the TCP port(s) the KDC listens on.
acl_file: location of the file the admin server uses for access control.
dict_file: a file of words that may not be used as passwords, since such passwords are easy to crack.
supported_enctypes: lists all encryption types the KDC supports.
max_renewable_life: the maximum period for which a ticket can be renewed. A client may request any renewal period up to this length; the default is 7 days.
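Because supported_enctypes decides which key types the KDC generates for new principals, and the list above still contains single-DES, 3DES and RC4 (arcfour) types that MIT Kerberos has deprecated, the following added check (not part of the original guide) extracts the list from a kdc.conf, reports the deprecated entries and prints a replacement line that keeps only the AES and Camellia types. The sample kdc.conf is constructed from the [realms] block shown above.

```shell
#!/bin/sh
# Constructed sample kdc.conf, copied from the [realms] block in section 1.2.
SAMPLE_KDC_CONF=$(mktemp)
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 DEV.EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# enctypes FILE: print each enctype from the supported_enctypes line, one per
# line, with its ":salt" suffix removed.
enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ' '\n' | sed 's/:.*$//' | grep .
}

# weak_enctypes FILE: the subset that is single-DES, triple-DES or RC4
# (arcfour); all three families are deprecated in MIT Kerberos.
weak_enctypes() {
    enctypes "$1" | grep -E '^(des|des3|arcfour)' || true
}

# hardened_line FILE: the same supported_enctypes line with the weak families
# dropped, ready to paste back into kdc.conf.
hardened_line() {
    kept=$(sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ' '\n' | grep -Ev '^(des|arcfour)' | tr '\n' ' ')
    printf 'supported_enctypes = %s\n' "${kept% }"
}

echo "Deprecated enctypes in $SAMPLE_KDC_CONF:"
weak_enctypes "$SAMPLE_KDC_CONF"
echo "Suggested replacement:"
hardened_line "$SAMPLE_KDC_CONF"
```

Changing this line only affects keys generated afterwards; principals created before the change keep their existing keys until their password or key is changed.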
1.3 Editing the Kerberos configuration file krb5.conf
[root@dap81 ~]# vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = DEV.EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DEV.EXAMPLE.COM = {
  kdc = 172.16.161.81
  admin_server = 172.16.161.81
 }
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[libdefaults]:
dns_lookup_realm: whether DNS may be used to determine which Kerberos realm to use.
ticket_lifetime: how long a ticket remains valid; any length up to the maximum set by the KDC. The default is 24 hours.
renew_lifetime: the longest period over which a ticket can be renewed, usually 7 days. The KDC can renew a ticket without the client authenticating again, but only before the ticket expires.
forwardable: whether tickets may be forwarded. If a user already holds a TGT and logs in to another remote system, the KDC can issue a TGT to that system without re-authentication.
default_realm: the realm used by default.
1.4 Initializing the Kerberos database
[root@dap81 ~]# kdb5_util create -s -r DEV.EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DEV.EXAMPLE.COM',
master key name 'K/M@DEV.EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@dap81 ~]#
This creates the database and sets its master password. -s generates a stash file that stores the master server key (in the krb5kdc directory); -r specifies a realm name, which is only necessary when krb5.conf defines more than one realm.
1.5 Setting the ACL permissions of the database administrator
[root@dap81 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@DEV.EXAMPLE.COM *
There are two ways to administer the KDC data. One is to run the tool directly on the KDC host, which needs no password; the other requires an account and password.
kadmin.local: administers the KDC data without an account or password; it must be run on the host where the KDC service runs.
kadmin: requires an account and password and can be run from any system in the KDC's realm.
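Which principals the entry */admin@DEV.EXAMPLE.COM * matches, and with what privileges, is worth checking before handing out admin instances. The following added script (not part of the original guide) evaluates a kadm5.acl against a principal using a simplified model of the principal column: each * stands for one whole name component and the first matching entry wins; the optional target-principal and restriction columns are ignored. The ACL file is constructed from the entry above plus an assumed read-only entry for dap81/dev.

```shell
#!/bin/sh
# Constructed kadm5.acl: the entry from section 1.5 plus an assumed read-only
# entry (i = inquire, l = list) for the dap81/dev service principal.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
# principal                     permissions
*/admin@DEV.EXAMPLE.COM         *
dap81/dev@DEV.EXAMPLE.COM       il
EOF

# acl_privs ACLFILE PRINCIPAL: print the permission string of the first entry
# whose principal pattern matches PRINCIPAL; print nothing if no entry matches.
# Simplified model: a * in a pattern matches one whole component (no '/' or '@'),
# and the optional target-principal and restriction columns are ignored.
acl_privs() {
    grep -v '^[[:space:]]*#' "$1" | while read -r pattern privs _rest; do
        [ -n "$pattern" ] || continue
        # Turn the pattern into an anchored ERE: escape dots, expand wildcards.
        re=$(printf '%s' "$pattern" | sed 's/[.]/\\./g; s/\*/[^\/@]*/g')
        if printf '%s\n' "$2" | grep -Eq "^${re}\$"; then
            printf '%s\n' "$privs"
            break
        fi
    done
}

# is_admin ACLFILE PRINCIPAL: succeed only if the principal holds all privileges.
is_admin() {
    [ "$(acl_privs "$1" "$2")" = "*" ]
}

for p in root/admin@DEV.EXAMPLE.COM dap81/dev@DEV.EXAMPLE.COM dap81@DEV.EXAMPLE.COM; do
    printf '%-30s privileges: [%s]\n' "$p" "$(acl_privs "$SAMPLE_ACL" "$p")"
done
```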
1.6 Starting the Kerberos daemons
[root@dap81 ~]# systemctl start kadmin krb5kdc
[root@dap81 ~]# systemctl enable kadmin krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@dap81 ~]# systemctl status kadmin krb5kdc
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2020-05-20 10:11:38 CST; 23s ago
 Main PID: 29252 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─29252 /usr/sbin/kadmind -P /var/run/kadmind.pid
5月 20 10:11:37 dap81 systemd[1]: Starting Kerberos 5 Password-changing and Administration...
5月 20 10:11:38 dap81 systemd[1]: Started Kerberos 5 Password-changing and Administration.
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2020-05-20 10:11:38 CST; 24s ago
 Main PID: 29251 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─29251 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
5月 20 10:11:37 dap81 systemd[1]: Starting Kerberos 5 KDC...
5月 20 10:11:38 dap81 systemd[1]: Started Kerberos 5 KDC.
[root@dap81 ~]#
2 Client installation and configuration
2.1 Obtaining the Kerberos client packages
A node that will act as a Kerberos client needs two packages, krb5-libs and krb5-workstation, installed from the yum repository.
yum install krb5-libs krb5-workstation -y
2.2 Editing the Kerberos configuration file krb5.conf
[root@dap82 ~]# vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = DEV.EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DEV.EXAMPLE.COM = {
  kdc = 172.16.161.81
  admin_server = 172.16.161.81
 }
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
See 1.3 Editing the Kerberos configuration file krb5.conf: by default the client-side configuration is kept identical to the krb5.conf on the KDC node, except in the case of Kerberos cross-realm trust.
3 Common Kerberos commands
3.1 kadmin operations
Run the following operations with the kadmin.local command-line tool on the KDC node.
3.1.1 Adding an admin user
[root@dap81 ~]# kadmin.local
Authenticating as principal root/admin@DEV.EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@DEV.EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@DEV.EXAMPLE.COM":
Re-enter password for principal "root/admin@DEV.EXAMPLE.COM":
Principal "root/admin@DEV.EXAMPLE.COM" created.
kadmin.local:
addprinc root/admin adds the principal root/admin and sets its password. See 1.5 Setting the ACL permissions of the database administrator: principals matching that ACL entry have administrator privileges.
3.1.2 Adding users
3.1.2.1 With a specified password
kadmin.local: addprinc dap81
WARNING: no policy specified for dap81@DEV.EXAMPLE.COM; defaulting to no policy
Enter password for principal "dap81@DEV.EXAMPLE.COM":
Re-enter password for principal "dap81@DEV.EXAMPLE.COM":
Principal "dap81@DEV.EXAMPLE.COM" created.
kadmin.local:
addprinc dap81 adds the principal dap81 and sets its password.
3.1.2.2 With a randomly generated password
kadmin.local: addprinc -randkey dap81/dev
WARNING: no policy specified for dap81/dev@DEV.EXAMPLE.COM; defaulting to no policy
Principal "dap81/dev@DEV.EXAMPLE.COM" created.
kadmin.local:
addprinc -randkey dap81/dev adds the principal dap81/dev with a randomly generated password (key).
3.1.3 Listing principals
kadmin.local: list_principals
K/M@DEV.EXAMPLE.COM
dap81/dev@DEV.EXAMPLE.COM
dap81@DEV.EXAMPLE.COM
kadmin/admin@DEV.EXAMPLE.COM
kadmin/changepw@DEV.EXAMPLE.COM
kadmin/dap81@DEV.EXAMPLE.COM
kiprop/dap81@DEV.EXAMPLE.COM
krbtgt/DEV.EXAMPLE.COM@DEV.EXAMPLE.COM
root/admin@DEV.EXAMPLE.COM
kadmin.local:
The list_principals command lists all principals in the database.
3.1.4 Generating a user's keytab file
[root@dap81 ~]# mkdir -p /etc/krb5
Create a directory to hold the keytab files. The directory must be specified when generating a keytab, and if it does not exist, generating the keytab fails with an error.
3.1.4.1 Generating a keytab and randomizing the user's password
kadmin.local: ktadd -k /etc/krb5/dap81Dev.keytab dap81/dev@DEV.EXAMPLE.COM
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
Entry for principal dap81/dev@DEV.EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5/dap81Dev.keytab.
kadmin.local:
ktadd -k /etc/krb5/dap81Dev.keytab dap81/dev@DEV.EXAMPLE.COM generates a keytab file for the principal dap81/dev@DEV.EXAMPLE.COM and places it under /etc/krb5. By default, generating a keytab also randomizes the principal's password.
3.1.4.2 Generating a keytab without randomizing the user's password
kadmin.local: ktadd -k /etc/krb5/dap81.keytab -norandkey dap81@DEV.EXAMPLE.COM
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5/dap81.keytab.
Entry for principal dap81@DEV.EXAMPLE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5/dap81.keytab.
kadmin.local:
ktadd -k /etc/krb5/dap81.keytab -norandkey dap81@DEV.EXAMPLE.COM generates a keytab file for the principal dap81@DEV.EXAMPLE.COM; -norandkey tells ktadd not to regenerate the principal's password when exporting the keytab, and the keytab is placed under /etc/krb5.
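The two ktadd outputs above differ in their kvno: rotating the key in 3.1.4.1 moved dap81/dev to kvno 2, while -norandkey in 3.1.4.2 left dap81 at kvno 1. Any keytab exported for a principal before a key rotation therefore holds a stale key version and kinit -k -t with it fails. The following added check (not part of the original guide) compares the kvno stored in a keytab with the kvno the KDC reports for the principal; both inputs are constructed here in the layout of klist -kt and of kadmin.local getprinc output.

```shell
#!/bin/sh
# Constructed listing in the layout of `klist -kt /etc/krb5/dap81Dev.keytab`,
# as exported BEFORE the ktadd of section 3.1.4.1 (still kvno 1).
OLD_KEYTAB_LISTING=$(mktemp)
cat > "$OLD_KEYTAB_LISTING" <<'EOF'
Keytab name: FILE:/etc/krb5/dap81Dev.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/20/2020 11:02:13 dap81/dev@DEV.EXAMPLE.COM
   1 05/20/2020 11:02:13 dap81/dev@DEV.EXAMPLE.COM
EOF

# Constructed excerpt in the layout of `kadmin.local -q "getprinc dap81/dev"`,
# taken after the ktadd rotated the key to kvno 2.
GETPRINC_OUTPUT=$(mktemp)
cat > "$GETPRINC_OUTPUT" <<'EOF'
Principal: dap81/dev@DEV.EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
EOF

# keytab_kvno LISTING PRINCIPAL: highest kvno stored for PRINCIPAL (0 if absent).
keytab_kvno() {
    awk -v p="$2" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }' "$1"
}

# kdc_kvno GETPRINC: kvno of the principal's current key as reported by the KDC.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(",", "", $3); print $3; exit }' "$1"
}

# keytab_current LISTING PRINCIPAL GETPRINC: succeed only when the keytab holds
# the key version the KDC currently uses.
keytab_current() {
    [ "$(keytab_kvno "$1" "$2")" -eq "$(kdc_kvno "$3")" ]
}

if keytab_current "$OLD_KEYTAB_LISTING" dap81/dev@DEV.EXAMPLE.COM "$GETPRINC_OUTPUT"; then
    echo "keytab is current"
else
    echo "keytab kvno $(keytab_kvno "$OLD_KEYTAB_LISTING" dap81/dev@DEV.EXAMPLE.COM) differs from KDC kvno $(kdc_kvno "$GETPRINC_OUTPUT"); re-export the keytab"
fi
```

When a mismatch is found, re-export with ktadd -norandkey so the current key is written without rotating it yet again, and replace every copy of the keytab that was distributed.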
3.2 Client operations
3.2.1 kinit: obtaining a ticket
The client obtains a ticket with the kinit command. Two methods are common: kinit with the account's password, or kinit with a keytab file plus the account name, where the keytab file contains that account's password.
3.2.1.1 kinit with account and password
[root@dap81 ~]# kinit dap81@DEV.EXAMPLE.COM
Password for dap81@DEV.EXAMPLE.COM:
[root@dap81 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: dap81@DEV.EXAMPLE.COM

Valid starting       Expires              Service principal
2020-05-20T13:54:45  2020-05-21T13:54:45  krbtgt/DEV.EXAMPLE.COM@DEV.EXAMPLE.COM
[root@dap81 ~]#
kinit dap81@DEV.EXAMPLE.COM authenticates the account dap81@DEV.EXAMPLE.COM; the account's password must be entered during authentication.
3.2.1.2 kinit with keytab and account
[root@dap82 ~]# kinit -k -t /etc/krb5/dap81Dev.keytab dap81/dev
[root@dap82 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: dap81/dev@DEV.EXAMPLE.COM

Valid starting       Expires              Service principal
2020-05-20T14:03:46  2020-05-21T14:03:46  krbtgt/DEV.EXAMPLE.COM@DEV.EXAMPLE.COM
[root@dap82 ~]#
kinit -k -t /etc/krb5/dap81Dev.keytab dap81/dev authenticates the account dap81/dev@DEV.EXAMPLE.COM using that account's keytab file.
3.2.2 klist: viewing ticket information
[root@dap81 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: dap81@DEV.EXAMPLE.COM

Valid starting       Expires              Service principal
2020-05-20T13:54:45  2020-05-21T13:54:45  krbtgt/DEV.EXAMPLE.COM@DEV.EXAMPLE.COM
[root@dap81 ~]#
The klist command shows the ticket information:
Default principal: the principal the current ticket belongs to.
Valid starting: the time the ticket was issued (authentication succeeded).
Expires: the time the ticket expires.
3.2.3 kdestroy: removing the current credential cache
[root@dap82 ~]# kdestroy
[root@dap82 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@dap82 ~]#
kdestroy deletes the cached credentials of the current authenticated session.