
Kerberos Authentication Lab

2015-06-06 14:56  435 views

Lab objectives
1. Understand the principles of identity authentication and why it matters
2. Learn the complete Kerberos authentication process
3. Learn to configure a Kerberos authentication system on Linux

System environment
The Kerberos lab likewise needs three machines, each playing a different role (the servers run Linux 6.2):
192.168.71.134  kdc.example.com     Kerberos server and NIS server
192.168.71.131  server.example.com  application server, e.g. ssh, ftp, krb5-telnet
192.168.71.137  client.example.com  client machine
Kerberos version: Kerberos v5 1.63
Configuring the KDC (192.168.71.134):

Step 1: install Kerberos
[root@localhost ~]# rpm -qa | grep krb5*
krb5-libs-1.9-22.el6.i686
krb5-auth-dialog-0.13-3.el6.i686
krb5-workstation-1.9-22.el6.i686
krb5-server-ldap-1.9-22.el6.i686
krb5-server-1.9-22.el6.i686
pam_krb5-2.3.11-9.el6.i686
# useradd -u 6001 user1
Creates an ordinary user.
Step 2: install the NTP time synchronization server
Note: Kerberos is strict about clock synchronization (the MIT KDC's default clockskew tolerance is 300 seconds), so the ntp service must be configured.
[root@localhost ~]# rpm -qa | grep ntp
ntpdate-4.2.4p8-2.el6.i686
fontpackages-filesystem-1.41-1.1.el6.noarch
ntp-4.2.4p8-2.el6.i686
These are the rpm packages ntp needs; check whether they are installed, and if not, install ntp-4.2.4p8-2.el6.i686.
ntpd is used to synchronize the clocks of all hosts in the Kerberos system. Edit /etc/ntp.conf and add one line:
restrict 192.168.71.0 mask 255.255.255.0 nomodify notrap
This offers time synchronization to the hosts on the 192.168.71.0 network.
Then restart the ntp service:
[root@localhost ~]# service ntpd restart

Step 3: configure NIS (Network Information Service)
The goal is to set up kdc.example.com as both the NIS server and the Kerberos server: NIS provides the user information, Kerberos provides the authentication.
1. Install the NIS server (service name ypserv):
[root@localhost ~]# rpm -qa | grep ypserv
[root@localhost ~]# cd /mnt/cdrom
[root@localhost cdrom]# cd Packages/
[root@localhost Packages]# ls yp*
ypbind-1.20.4-29.el6.i686.rpm  yp-tools-2.9-12.el6.i686.rpm
ypserv-2.19-22.el6.i686.rpm
[root@localhost Packages]# rpm -ivh ypserv-2.19-22.el6.i686.rpm
(or: # yum -y install ypserv)
warning: ypserv-2.19-22.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:ypserv                 ########################################### [100%]
Configure ypserv and add the NIS domain, NISDOMAIN=hebau:
# vim /etc/sysconfig/network
# nisdomainname hebau
To pin ypserv to a fixed port, add the parameter YPSERV_ARGS=808 in /etc/sysconfig/network.
2. [root@localhost yp]# nisdomainname hebau
Edit the file /etc/rc.d/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/bin/nisdomainname hebau
Generate the NIS database:
[root@localhost ~]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. localhost is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: localhost
next host to add:

The current list of NIS servers looks like this:
localhost
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/(none)/ypservers...
Running /var/yp/Makefile...
Domainname cannot be (none)
localhost has been set up as a NIS master server.
Now you can run ypinit -s localhost on all slave server
Note the line "Domainname cannot be (none)" in this output: the NIS domain must already be set in the shell (nisdomainname hebau) when ypinit -m runs, otherwise the maps are built under (none) and the Makefile refuses them.
Edit the /etc/hosts file:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.71.134 kerberos kerberos.example.com
192.168.71.134 kdc kerberos.example.com
Configure the KDC
Edit the krb5 configuration file /etc/krb5.conf.
The [logging] section configures logging and can be left alone.
[libdefaults] holds the defaults; default_realm names the default realm, i.e. the scope of authentication, conventionally written in upper case:
default_realm = KDC.EXAMPLE.COM
The [realms] section configures each realm:
[realms]
KDC.EXAMPLE.COM = {
 kdc = Kerberos.example.com:88
 admin_server = Kerberos.example.com:749
}
[domain_realm] maps DNS domains to realms, i.e. which machines authenticate in which realm:
.example.com = KDC.EXAMPLE.COM   # all users and machines in the example.com domain authenticate against KDC.EXAMPLE.COM
The [appdefaults] section sets parameters for pam, such as ticket lifetimes.
The edited /etc/krb5.conf looks like this:
forwardable = true
[realms]
EXAMPLE.COM = {
 kdc = kerberos.example.com:88
 admin_server = kerberos.example.com:749
 default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/krb5kdc/kdc.conf
[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}

Configure /var/kerberos/krb5kdc/kdc.conf, the configuration file dedicated to the KDC's own parameters:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
 master_key_type = aes256-cts
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Edit /var/kerberos/krb5kdc/kadm5.acl, the access control file for kadmin, so that it contains the following:
*/admin@KDC.EXAMPLE.COM *
Create the local KDC database; -s means that kadmin logins on this host do not require a password (-s writes the master key to a stash file).
# kdb5_util create -r KDC.EXAMPLE.COM -s
[root@localhost etc]# kdb5_util create -r KDC.EXAMPLE.COM (Kerberos.example.com) -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'KDC.EXAMPLE.COM',
master key name 'K/M@KDC.EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:

Re-enter KDC database master key to verify:

Note: remember the KDC master password.
This command creates the local Kerberos database, consisting of the following files (the default directory is /usr/local/var/krb5kdc):
 principal.db: the Kerberos database files, holding the principals (plus index files)
 principal.ok: the Kerberos database lock file
 principal.kadm5: the Kerberos administrative database file
 principal.kadm5.lock: the administrative database lock file
 .k5stash: the stash file, which stores the KDC master key
-r specifies the realm (a Kerberos term); here we simply pick one and call it EXAMPLE.COM. A principal has a name and a password, must authenticate its identity through the KDC, and shares a key with the KDC. Principals come in two kinds: ordinary users, who authenticate to the KDC and obtain service tickets, and service providers, which verify the tickets the KDC issued to users in order to trust those users and serve them. The first kind enters a password by hand when logging in. The second kind needs its own key to decrypt the tickets issued by the KDC; that key is stored in a .keytab file. Keytab files are generated with the ktadd tool on the KDC and normally live under /etc.
The Kerberos database contains the following principals by default:
# kadmin.local
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kerberos.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
Log in to the KDC and add the administrator and ordinary-user principals:
[root@kerberos krb5kdc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":

Re-enter password for principal "root/admin@EXAMPLE.COM":

Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc user1   (student can be used instead)
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM":

Re-enter password for principal "user1@EXAMPLE.COM":

Principal "user1@EXAMPLE.COM" created.
([root@kerberos krb5kdc]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:

kadmin: addprinc admin/admin
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":

Re-enter password for principal "admin/admin@EXAMPLE.COM":

Principal "admin/admin@EXAMPLE.COM" created.)
kadmin.local: P.S. addprinc prompts for a password. The root/admin password must never leak, otherwise it is all over; user1's password is simply its login password.
Run kinit and klist to check that the admin account works:
[root@kerberos krb5kdc]# kinit root/admin
Password for root/admin@EXAMPLE.COM:

[root@kerberos krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@EXAMPLE.COM
Valid starting     Expires            Service principal
05/02/15 04:01:33  05/03/15 04:01:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 05/02/15 04:01:33
Commands to list and delete existing principals:
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kerberos.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
user1@EXAMPLE.COM
kadmin.local: getprinc user1
kadmin.local: delprinc user1   (the delete command is needed again further below; do not actually run it here)
Export the keytab file for the kadmin service, then exit kadmin:
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab root/admin
Entry for principal kadmin/admin with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Assign privileges to the administrator account admin/admin
The privileges of an administrative account are determined by the entries in /usr/local/var/krb5kdc/kadm5.acl. To grant admin/admin the right to "administer all principals", add a line like the following to /usr/local/var/krb5kdc/kadm5.acl, using the wildcard:
admin/admin@EXAMPLE.COM *
Fix the SELinux contexts of the files touched above:
[root@kerberos krb5kdc]# restorecon -R -v /var/kerberos/krb5kdc/
[root@kerberos krb5kdc]# restorecon -R -v /var/log/
[root@kerberos krb5kdc]# restorecon -R -v /etc/krb5.conf
Start the services:
[root@kerberos krb5kdc]# service krb5kdc restart   (the first time, use start)
[root@kerberos krb5kdc]# service kadmin restart    (the first time, use start)
This completes the configuration of the Kerberos server.
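Before moving on to the application server, here is an added consistency check (my own example, not part of the original lab write-up or of MIT krb5) that parses the three KDC-side files in krb5 profile syntax and reports realm-name mismatches between default_realm, [realms] and kadm5.acl, the single-DES/3DES/RC4 entries in supported_enctypes, and the wildcard ACL line; the embedded inputs are constructed from the values written above.

```python
# Added example: audit the KDC-side files; inputs at the bottom are constructed from this page's values.
WEAK = ("des-", "des3-", "arcfour-")  # single DES (off by default since krb5 1.8), 3DES, RC4 (deprecated)

def parse_profile(text):
    """Parse MIT krb5 profile syntax ([section], key = value, key = { ... }); repeated keys become lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # sub-block such as a realm definition
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def audit(krb5_conf, kdc_conf, kadm5_acl):
    """Cross-check krb5.conf, kdc.conf and kadm5.acl; return a list of finding strings."""
    krb5, kdc, out = parse_profile(krb5_conf), parse_profile(kdc_conf), []
    realms = set(krb5.get("realms", {}))
    default = krb5.get("libdefaults", {}).get("default_realm", ["<unset>"])[0]
    if default not in realms:
        out.append(f"default_realm {default} has no [realms] block (defined: {sorted(realms)})")
    for domain, targets in krb5.get("domain_realm", {}).items():
        out += [f"domain_realm {domain} -> undefined realm {t}" for t in targets if t not in realms]
    for realm, params in kdc.get("realms", {}).items():
        for enc in " ".join(params.get("supported_enctypes", [])).split():
            if enc.startswith(WEAK):
                out.append(f"kdc.conf {realm}: weak or deprecated enctype {enc}")
    for line in kadm5_acl.splitlines():
        fields = line.split("#", 1)[0].split()  # kadm5.acl columns: principal privileges [target]
        if len(fields) >= 2 and fields[0].rpartition("@")[2] not in realms:
            out.append(f"kadm5.acl: {fields[0]} names a realm this KDC does not define")
        if len(fields) >= 2 and fields[0].startswith("*/") and fields[1] == "*":
            out.append(f"kadm5.acl: {fields[0]} {fields[1]} grants full admin rights to every matching principal")
    return out

KRB5_CONF = ("[libdefaults]\n default_realm = KDC.EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n"
             "  kdc = kerberos.example.com:88\n  admin_server = kerberos.example.com:749\n }\n"
             "[domain_realm]\n .example.com = EXAMPLE.COM\n")
KDC_CONF = ("[realms]\n EXAMPLE.COM = {\n  master_key_type = aes256-cts\n  supported_enctypes = aes256-cts:normal "
            "aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal\n }\n")
KADM5_ACL = "*/admin@KDC.EXAMPLE.COM *\n"  # as written in the lab; its realm differs from the principals' EXAMPLE.COM
print("\n".join(audit(KRB5_CONF, KDC_CONF, KADM5_ACL)))
```

On the lab's own values this reports six findings; a configuration whose realm names agree and whose supported_enctypes lists only AES produces none.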
Configuring the application server (192.168.71.131):
1. First install krb5, the same as on the KDC.
2. Copy /etc/krb5.conf over from kdc.example.com, to save configuring it again:
# scp root@kdc.example.com:/etc/krb5.conf /etc/krb5.conf
The authenticity of host 'kdc.example.com (192.168.71.131)' can't be established.
RSA key fingerprint is c3:e8:b9:b8:5a:ad:63:e7:51:29:57:50:2b:a3:f9:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kdc.example.com,192.168.71.131' (RSA) to the list of known hosts.
root@kdc.example.com's password:

krb5.conf                                     100%  449     0.4KB/s   00:00

# restorecon -R -v /etc/krb5.conf
Install all the related software. vim /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.71.134 kerberos kerberos.example.com
192.168.71.134 kdc kdc.example.com
192.168.71.131 telnet server.example.com
kinit -k -t /etc/krb5.keytab host/server.example.com
Configure the server as an NIS client that uses Kerberos authentication:
# authconfig-tui, and fill in the NIS information accordingly.
Add the service principals on the KDC and export the server's own keys:
server# kadmin
kadmin: addprinc -randkey host/server.example.com   # the principal for both krb5-telnet and ssh is host
kadmin: addprinc -randkey ftp/server.example.com    # the principal for gssftp is ftp
Export them to the local keytab:
kadmin: ktadd -k /etc/krb5.keytab host/server.example.com
kadmin: ktadd -k /etc/krb5.keytab ftp/server.example.com
Check the firewall and SELinux.