Kerberos installation
Install: sudo apt-get install krb5-kdc krb5-admin-server
which kinit   (check that the install succeeded)
I. Kerberos configuration (default install path: /etc/krb5kdc)
1. /etc/krb5.conf:
[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = LOCAL.DOMAIN
    default_tgs_enctypes = des3-hmac-sha1
    default_tkt_enctypes = des3-hmac-sha1
    permitted_enctypes = des3-hmac-sha1
    forwardable = yes
    ccache_type = 4
    proxiable = true
    renew_lifetime = 1d
    clockskew = 1000000000
    #dns_lookup_kdc = true
    #dns_lookup_realm = true

[realms]
    LOCAL.DOMAIN = {
        kdc = localhost
        admin_server = localhost
        default_domain = localhost
    }

[domain_realm]
    .local.domain = LOCAL.DOMAIN
    local.domain = LOCAL.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false
A second, shorter variant of /etc/krb5.conf:

[libdefaults]
    default_realm = LOCAL.DOMAIN
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    LOCAL.DOMAIN = {
        kdc = kdc.kerberos.local.domain
        admin_server = kerberos.local.domain
    }

[domain_realm]
    .local.domain = LOCAL.DOMAIN
    local.domain = LOCAL.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false

2. /etc/krb5kdc/kdc.conf (create it yourself if the file does not exist; default install path /etc/krb5kdc):
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    BOKECC.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
Contents of /etc/krb5kdc/kadm5.acl (the acl_file named in kdc.conf):
*/admin@LOCAL.DOMAIN *
*/*@LOCAL.DOMAIN c
*@LOCAL.DOMAIN c
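To see what these three ACL lines actually grant before kadmind is (re)started, here is an added Python example (not from the original post) that applies the kadm5.acl rules as documented for MIT kadmind: the first matching entry wins, `*` matches one whole principal component, and a two-component pattern such as `*/*@LOCAL.DOMAIN` never matches a single-component principal, which is why the third line is needed. The ACL text inside is a constructed copy of the lines above; target-principal fields and restrictions are assumed absent.

```python
# Added example (not from the original post): evaluates a kadm5.acl the way
# kadmind does: entries are tried in file order and the first match decides,
# "*" wildcards one whole component, and component counts must be equal.
# Assumption: target-principal fields and restrictions are not modelled.
ALL_PRIVS = "admcilsp"  # what "x" / "*" expand to ("e" is separate)

# Constructed copy of the three ACL entries shown above.
KADM5_ACL = "*/admin@LOCAL.DOMAIN *\n*/*@LOCAL.DOMAIN c\n*@LOCAL.DOMAIN c\n"

def split_principal(principal):
    """'name/instance@REALM' -> (['name', 'instance'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("principal needs name and realm: %r" % principal)
    return name.split("/"), realm

def expand_perms(perms):
    """Permission letters -> set of granted privileges."""
    granted = set()
    for ch in perms:
        if ch in "x*":
            granted |= set(ALL_PRIVS)
        elif ch.islower():
            granted.add(ch)
        else:  # an upper-case letter revokes that privilege
            granted.discard(ch.lower())
    return granted

def parse_acl(text):
    """[(pattern, permission-string)] in file order; comments skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1]))
    return entries

def matches(pattern, principal):
    p_comps, p_realm = split_principal(pattern)
    c_comps, c_realm = split_principal(principal)
    if p_realm not in ("*", c_realm) or len(p_comps) != len(c_comps):
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, c_comps))

def permissions_for(entries, principal):
    """Privileges from the first matching entry (empty set if none match)."""
    for pattern, perms in entries:
        if matches(pattern, principal):
            return expand_perms(perms)
    return set()
```

With this ACL, liyq/admin@LOCAL.DOMAIN gets every privilege, any other two-component principal in the realm (including host/... service principals) can only change passwords, and principals from another realm get nothing.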
Create the Kerberos database:
$ /usr/sbin/kdb5_util create -r LOCAL.DOMAIN -s   or   $ krb5_newrealm
The command above prints the prompts below; enter the password for the database master key (for example 123.com):
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCAL.DOMAIN',
master key name 'K/M@LOCAL.DOMAIN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
When this finishes, the kadmind and krb5kdc processes are started automatically:
/usr/sbin/kadmind -P /var/run/kadmind.pid
/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
A principal consists of three parts: a name, an instance and a REALM. A standard Kerberos user principal therefore has the form name/instance@REALM.
5. Log into Kerberos
$ /usr/sbin/kadmin.local
kadmin.local: listprincs
K/M@LOCAL.DOMAIN
kadmin/admin@LOCAL.DOMAIN
kadmin/changepw@LOCAL.DOMAIN
kadmin/<hostname>@LOCAL.DOMAIN
krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN
kadmin.local: delprinc kadmin/<instance>@LOCAL.DOMAIN
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Add a user (enter the password when prompted):
addprinc liyq/<instance>@LOCAL.DOMAIN
Add a server (host principal):
ank -randkey host/hostname@LOCAL.DOMAIN
Generate krb5.keytab:
ktadd -k /tmp/hostname.keytab host/hostname@LOCAL.DOMAIN
Copy the /tmp/hostname.keytab created above to /etc/ on the server you want to log into and rename it krb5.keytab.
On that server, add the user to /root/.k5login:
liyq/<instance>@LOCAL.DOMAIN
On the jump host, switch to the corresponding user and run ssh -vv root@hostname to try the login and inspect the output.
6. Restart the krb5kdc and kadmind processes
7. Run Kerberos
8. On the KDC server, test requesting a ticket