Kerberos server installation and configuration

Installing Kerberos

Install Kerberos from the package repositories (krb5-user provides the kinit/klist/kadmin client tools used further down):
sudo apt-get install krb5-kdc krb5-admin-server krb5-user
which kinit    confirms the client tools are on the PATH

I. Kerberos configuration   (the KDC's configuration directory is /etc/krb5kdc)

1. /etc/krb5.conf (create it if it does not exist)
[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LOCAL.DOMAIN
# Enctype settings are only honoured here in [libdefaults]; placed under
# [logging] they are silently ignored. Use AES: des3-hmac-sha1 and the
# single-DES types are deprecated, and single-DES was removed in MIT krb5 1.18.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
forwardable = yes
ccache_type = 4
proxiable = true
renew_lifetime = 1d
# Maximum tolerated clock difference, in seconds. Keep the default 300 and run
# NTP on KDC and clients; a huge value such as 1000000000 disables the replay
# protection that authenticator timestamps provide.
clockskew = 300
#dns_lookup_kdc = true
#dns_lookup_realm = true

[realms]
LOCAL.DOMAIN = {
    kdc = localhost
    admin_server = localhost
    default_domain = localhost
}
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN

# Older guides add a [login] section with krb4_convert and krb4_get_tickets. Those
# options belong to Kerberos 4, which MIT krb5 dropped in 1.8; they are ignored and
# can be left out.

[kdc]          location of kdc.conf
[logging]      log file locations
[libdefaults]  library defaults, including the default realm
[realms]       one block per Kerberos realm (the set of principals a KDC is authoritative for) naming its KDC and admin server
The minimal configuration is:
[libdefaults]
        default_realm = LOCAL.DOMAIN

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        LOCAL.DOMAIN = {
                kdc = kdc.kerberos.local.domain
                admin_server = kerberos.local.domain
        }

[domain_realm]
        .local.domain = LOCAL.DOMAIN
        local.domain = LOCAL.DOMAIN
2. /etc/krb5kdc/kdc.conf (create it if it does not exist; /etc/krb5kdc is the default directory)
[kdcdefaults]
    # 88 is the Kerberos 5 port; 750 served Kerberos 4 clients and is not needed.
    kdc_ports = 88

[realms]
    # The realm name must be the same one passed to kdb5_util create -r and set
    # as default_realm in krb5.conf; a different name here gives a KDC that
    # serves a realm no client asks for.
    LOCAL.DOMAIN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        # AES only. arcfour-hmac and des3-hmac-sha1 are deprecated, and the
        # single-DES types (des-cbc-crc, des:*) are no longer supported at all
        # by MIT krb5 1.18 and later.
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
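Added example, not part of the original post: a POSIX shell audit script that flags, in any krb5.conf/kdc.conf pair it is pointed at, the problems discussed above: deprecated enctypes, enctype keys outside [libdefaults], an oversized clockskew, leftover krb4 options, and a kdc.conf realm block that does not match default_realm. The two config pairs it writes to a temporary directory are constructed for the demo; the first mirrors the settings of this post, the second is a hardened equivalent.

```shell
#!/bin/sh
# Added example (not from the original post): audit a krb5.conf / kdc.conf pair
# for the weak or inconsistent settings shown in the samples above.
# Needs only POSIX sh, awk and mktemp. Both config pairs below are constructed.

# Print "section<TAB>key<TAB>value" for every "key = value" line, remembering
# the [section] it sits in (a realm's "{ ... }" block stays in its section).
flatten_conf() {
    awk 'BEGIN { sect = "none" }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[[A-Za-z_]+\][[:space:]]*$/ {
            gsub(/\[|\]|[[:space:]]/, ""); sect = $0; next
        }
        /=/ {
            key = $0; sub(/^[[:space:]]*/, "", key); sub(/[[:space:]]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            printf "%s\t%s\t%s\n", sect, key, val
        }' "$1"
}

# Convert a clockskew value ("300", "5m", "1h", "1d") to seconds.
to_seconds() {
    case "$1" in
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Print one finding per line for $1 (krb5.conf) and $2 (kdc.conf).
audit_krb5() {
    tab=$(printf '\t')
    flat=$(flatten_conf "$1"; flatten_conf "$2")
    default_realm=$(printf '%s\n' "$flat" |
        awk -F"$tab" '$1 == "libdefaults" && $2 == "default_realm" { print $3 }')

    printf '%s\n' "$flat" | while IFS="$tab" read -r sect key val; do
        # 1. DES, 3DES and RC4 are deprecated; MIT krb5 1.18+ has no single-DES.
        case "$key" in
            *enctypes|master_key_type)
                case "$val" in
                    *des*|*arcfour*|*rc4*) echo "weak enctype: [$sect] $key = $val" ;;
                esac ;;
        esac
        # 2. Enctype settings are honoured only in [libdefaults]; elsewhere
        #    (the page puts them under [logging]) they are silently ignored.
        case "$key" in
            default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)
                [ "$sect" = libdefaults ] || echo "ignored: $key sits in [$sect], not [libdefaults]" ;;
        esac
        # 3. clockskew above the 300 s default widens the authenticator replay window.
        if [ "$key" = clockskew ] && [ "$(to_seconds "$val")" -gt 300 ]; then
            echo "clockskew $val exceeds 300 s"
        fi
        # 4. krb4 options have been ignored since MIT krb5 1.8.
        case "$key" in krb4_*) echo "obsolete krb4 option: $key" ;; esac
    done

    # 5. The realm block in kdc.conf must be the realm clients default to.
    flatten_conf "$2" | awk -F"$tab" '$1 == "realms" && $3 == "{" { print $2 }' |
    while read -r realm; do
        [ "$realm" = "$default_realm" ] ||
            echo "kdc.conf realm $realm does not match default_realm $default_realm"
    done
}

# Number of findings as a single value, convenient for scripting.
count_findings() { audit_krb5 "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample pair mirroring the page's settings.
sample_dir=$(mktemp -d)
cat > "$sample_dir/krb5.conf" <<'EOF'
[logging]
default_tgs_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
[libdefaults]
default_realm = LOCAL.DOMAIN
clockskew = 1000000000
[realms]
LOCAL.DOMAIN = {
    kdc = localhost
}
[login]
krb4_convert = true
EOF
cat > "$sample_dir/kdc.conf" <<'EOF'
[realms]
    BOKECC.COM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des-cbc-crc:normal
    }
EOF
# Constructed hardened pair: AES only, default skew, consistent realm.
cat > "$sample_dir/krb5.hardened.conf" <<'EOF'
[libdefaults]
default_realm = LOCAL.DOMAIN
clockskew = 300
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
cat > "$sample_dir/kdc.hardened.conf" <<'EOF'
[realms]
    LOCAL.DOMAIN = {
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF

audit_krb5 "$sample_dir/krb5.conf" "$sample_dir/kdc.conf"                      # 9 findings
audit_krb5 "$sample_dir/krb5.hardened.conf" "$sample_dir/kdc.hardened.conf"    # none
```

Run it against the live files with `audit_krb5 /etc/krb5.conf /etc/krb5kdc/kdc.conf`; an empty result means none of the five problems is present. The checks are textual, so they do not replace `kdb5_util` or `kinit` actually succeeding, but they catch the copy-paste mistakes before the daemons are started.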
3. /etc/krb5kdc/kadm5.acl (create it if it does not exist)
*/admin@LOCAL.DOMAIN    *
*/*@LOCAL.DOMAIN        c
*@LOCAL.DOMAIN          c
The first line is the Debian default: every principal with the /admin instance gets all permissions. The two "c" lines grant every principal in the realm the changepw permission with no target column, which means any authenticated principal can reset any other principal's password through kadmin. A principal can always change its own password without an ACL entry, so unless that behaviour is wanted, keep only the first line.
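Added example, not part of the original post: a small kadm5.acl evaluator in POSIX shell that shows what the three lines above actually grant. It implements the MIT matching rules that matter here: comment lines are skipped, "*" and "?" glob within one principal component, a pattern with an instance matches only principals that have one (which is why the file lists both `*/*` and `*`), an entry without a target column applies to every target, and the first entry whose principal (and target) match decides. Target back-references such as `*1` are not implemented. The principals alice, alice/admin and bob, and the two ACL files it writes, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate kadm5.acl decisions.
# Assumed realm for ACL patterns written without an explicit "@REALM".
DEFAULT_REALM=LOCAL.DOMAIN

# Match principal $2 against ACL pattern $1, component by component.
princ_matches() {
    case "$1" in
        *@*) pat_realm=${1##*@}; pat_rest=${1%@*} ;;
        *)   pat_realm=$DEFAULT_REALM; pat_rest=$1 ;;
    esac
    pr_realm=${2##*@}; pr_rest=${2%@*}
    case "$pat_rest" in
        */*) # pattern has an instance: principal must have one and it must glob-match
             case "$pr_rest" in */*) ;; *) return 1 ;; esac
             case "${pr_rest#*/}" in ${pat_rest#*/}) ;; *) return 1 ;; esac
             pat_name=${pat_rest%%/*}; pr_name=${pr_rest%%/*} ;;
        *)   # pattern has no instance: principal must have none either
             case "$pr_rest" in */*) return 1 ;; esac
             pat_name=$pat_rest; pr_name=$pr_rest ;;
    esac
    case "$pr_name"  in $pat_name)  ;; *) return 1 ;; esac
    case "$pr_realm" in $pat_realm) ;; *) return 1 ;; esac
}

# Is requester $2 allowed the kadm5.acl(5) operation letter $3 on target $4
# under ACL file $1?  Lower-case letters grant, "x" or "*" grant everything,
# anything else (including upper-case denials) in the first matching entry denies.
acl_allows() {
    while read -r who perms target _; do
        case "$who" in ''|'#'*) continue ;; esac
        princ_matches "$who" "$2" || continue
        if [ -n "$target" ]; then princ_matches "$target" "$4" || continue; fi
        case "$perms" in *"$3"*|*x*|'*') return 0 ;; *) return 1 ;; esac
    done < "$1"
    return 1                               # no matching entry: denied
}

# kadmind lets every principal change its own password regardless of the ACL;
# changing anyone else's needs the "c" permission.
may_change_password() {                    # $1 = acl file, $2 = requester, $3 = target
    [ "$2" = "$3" ] || acl_allows "$1" "$2" c "$3"
}

# Constructed copies of the page's ACL and of the Debian default (first line only).
page_acl=$(mktemp); tight_acl=$(mktemp)
printf '%s\n' '*/admin@LOCAL.DOMAIN *' '*/*@LOCAL.DOMAIN c' '*@LOCAL.DOMAIN c' > "$page_acl"
printf '%s\n' '*/admin@LOCAL.DOMAIN *' > "$tight_acl"

# With the page's ACL, plain alice may reset bob's password; with the tight
# one she may only change her own, while alice/admin keeps full rights.
may_change_password "$page_acl"  alice@LOCAL.DOMAIN bob@LOCAL.DOMAIN && echo "page ACL: alice may reset bob's password"
may_change_password "$tight_acl" alice@LOCAL.DOMAIN bob@LOCAL.DOMAIN || echo "tight ACL: alice may not touch bob"
```

The realm check is what keeps a cross-realm principal such as alice@OTHER.REALM out even though `*@LOCAL.DOMAIN` looks permissive; the instance rule is what keeps `*/admin` from matching a plain user principal.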

4. Create the Kerberos database
$ /usr/sbin/kdb5_util create -r LOCAL.DOMAIN -s
or
$ krb5_newrealm

Either command prints the text below and asks for the database master password. The -s option stores a copy of the master key in the stash file /etc/krb5kdc/stash so the KDC can start unattended; choose a long random passphrase rather than something like 123.com, and keep the stash file readable by root only, because whoever holds it can decrypt the whole principal database.

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCAL.DOMAIN',
master key name 'K/M@LOCAL.DOMAIN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.

When the script finishes, krb5_newrealm starts kadmind and krb5kdc; the equivalent manual commands are:

/usr/sbin/kadmind -P /var/run/kadmind.pid

/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

A principal has three parts: a name, an instance and the REALM. A standard Kerberos principal is written name/instance@REALM; the instance is optional, so a plain user is name@REALM.

5. Managing principals with kadmin.local (runs on the KDC directly against the database, no ticket needed)

$ /usr/sbin/kadmin.local
     list principals (a fresh database already contains the ones created by default)
kadmin.local: listprincs
     add a principal
kadmin.local: addprinc kadmin/admin@LOCAL.DOMAIN
     delete a principal (shown for the syntax only: kadmin/admin and kadmin/changepw are service principals kadmind needs, so do not actually delete them)
kadmin.local: delprinc kadmin/admin@LOCAL.DOMAIN
     write the keys of kadmin/admin and kadmin/changepw to the keytab kadmind uses, in the krb5kdc directory
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Note: the keytab path must match admin_keytab in kdc.conf.


Add a user principal (you are prompted for its password). The instance is your choice; it must match the entry you put in .k5login below:
addprinc liyq/<instance>@LOCAL.DOMAIN

Add the server as a host principal with a random key (use the server's fully-qualified hostname; ank is an alias of addprinc):

ank -randkey host/hostname@LOCAL.DOMAIN

Export its key to a keytab:

ktadd -k /tmp/hostname.keytab host/hostname@LOCAL.DOMAIN

Copy /tmp/hostname.keytab to the server you want to log in to and install it as /etc/krb5.keytab, owned by root with mode 0600. Transfer it over scp or another encrypted channel and remove the copy in /tmp afterwards: the keytab is the host's long-term key, and anyone who obtains it can impersonate the host.

On that server, create /root/.k5login listing the principals allowed to log in as root (the file must be owned by root):

liyq/<instance>@LOCAL.DOMAIN

The server's sshd needs GSSAPIAuthentication yes in sshd_config, or the ticket is never offered. On the jump host, switch to the corresponding user, kinit as that principal, then run ssh -vv root@hostname and check the GSSAPI lines in the debug output.
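Added example, not part of the original post: the host-enrolment steps above as shell functions, plus the authorisation check that .k5login implements. The functions wrapping kadmin.local, kinit and sshd are shown for completeness but are not executed by the offline demo at the bottom, which only exercises the keytab installation and the .k5login logic in a temporary directory. Assumptions: realm LOCAL.DOMAIN, the host's FQDN is used for the host/ principal, and liyq/admin@LOCAL.DOMAIN stands in for whatever user principal you created with addprinc.

```shell
#!/bin/sh
# Added example (not from the original post): enrol a host for Kerberos SSH
# login and check the .k5login authorisation decision. REALM is an assumption.
REALM=${REALM:-LOCAL.DOMAIN}

# --- on the KDC ------------------------------------------------------------
# Create the host principal with a random key and export it to a keytab.
kdc_export_host_keytab() {             # $1 = target FQDN, $2 = keytab path to write
    kadmin.local -q "addprinc -randkey host/$1@$REALM" &&
    kadmin.local -q "ktadd -k $2 host/$1@$REALM" &&
    chmod 600 "$2"
    # Move it over an encrypted channel only; the keytab is the host's long-term key:
    #   scp -p "$2" root@"$1":/etc/krb5.keytab
}

# --- on the target host -----------------------------------------------------
# Install the keytab readable by root only (sshd reads it as root).
install_keytab() {                      # $1 = source keytab, $2 = destination (/etc/krb5.keytab)
    cp "$1" "$2" && chmod 600 "$2"      # also: chown root:root "$2" when running as root
}

# Prove the keytab works before involving ssh: obtain a TGT as the host itself.
verify_host_keytab() {                  # $1 = keytab, $2 = FQDN
    kinit -k -t "$1" "host/$2@$REALM" && klist && kdestroy
}

# Add a principal to a user's .k5login (created 0600 if missing), once.
# The file must be owned by that user or by root, or krb5 ignores it.
add_k5login() {                         # $1 = home dir, $2 = principal
    f="$1/.k5login"
    [ -f "$f" ] || { : > "$f"; chmod 600 "$f"; }
    grep -qxF -- "$2" "$f" || printf '%s\n' "$2" >> "$f"
}

# The decision sshd's GSSAPI path gets from krb5_kuserok(): when .k5login exists,
# only principals listed verbatim may log in as that user. An entry for
# liyq/admin@LOCAL.DOMAIN therefore does not admit liyq@LOCAL.DOMAIN.
k5login_permits() { grep -qxF -- "$2" "$1/.k5login"; }   # $1 = home dir, $2 = principal

# Permission string such as "-rw-------", without GNU/BSD stat differences.
mode_of() { ls -ld "$1" | cut -c1-10; }

# sshd must have GSSAPIAuthentication yes or ssh falls back to passwords;
# `sshd -T` prints the effective configuration (needs root). Debug: ssh -vv root@host
sshd_gssapi_enabled() { sshd -T 2>/dev/null | grep -qi '^gssapiauthentication yes'; }

# --- offline demo with a constructed home directory and placeholder keytab ---
demo_home=$(mktemp -d)
add_k5login "$demo_home" "liyq/admin@LOCAL.DOMAIN"
add_k5login "$demo_home" "liyq/admin@LOCAL.DOMAIN"   # second add is a no-op
demo_keytab=$(mktemp)
printf 'not-a-real-keytab\n' > "$demo_keytab"        # constructed placeholder bytes, not a keytab
install_keytab "$demo_keytab" "$demo_home/krb5.keytab"
k5login_permits "$demo_home" "liyq/admin@LOCAL.DOMAIN" && echo "liyq/admin admitted"
k5login_permits "$demo_home" "liyq@LOCAL.DOMAIN" || echo "liyq (no instance) refused"
```

Without a .k5login, krb5 falls back to the default rule that only name@DEFAULT_REALM may log in as local user name, which is why logging in as root from a personal principal needs the file in the first place.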

6. Restart krb5kdc and kadmind

On Debian/Ubuntu the packages install init scripts, so after changing kdc.conf or kadm5.acl restart both services:

sudo service krb5-kdc restart
sudo service krb5-admin-server restart

or start the daemons by hand:

$ sudo /usr/sbin/krb5kdc
$ sudo /usr/sbin/kadmind

7. Request a ticket on the KDC to test it

$ /usr/sbin/kadmin.local
kadmin.local: addprinc linlin@LOCAL.DOMAIN
Enter a password when prompted, then quit.
$ su linlin
$ kinit linlin@LOCAL.DOMAIN
$ klist            shows the ticket you just obtained
$ /usr/sbin/kadmin.local
kadmin.local: addprinc -randkey hdfs/LL-167@LOCAL.DOMAIN
kadmin.local: ktadd -norandkey -k hdfs.keytab hdfs/LL-167


Reposted from blog.csdn.net/jinyuxiaoqiang/article/details/79881216