SSH single sign-on, step 1: configuring macOS and Kerberos authentication

Basics
System: CentOS 7
Goal
Mac ==> Kerberos: authenticate and obtain a ticket

Server-side installation
Install the packages
sudo yum install krb5-server krb5-libs pam_krb5 -y

Edit the configuration files
krb5.conf
This is the Kerberos configuration file. Below is the file with each setting explained; the explanations are # comment lines, which krb5.conf accepts as long as each comment sits on its own line rather than after a value.
Configuration file reference documentation

Set up beforehand the DNS resolution for the hostname used in the configuration:
kerberos.yufuid.org ==> 10.0.12.12

sudo vim /etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
# ticket lifetime (how long a ticket stays valid)
ticket_lifetime = 24h
# renewable lifetime: within this window the ticket can be renewed without re-entering
# credentials; Windows and macOS renew it without the user noticing
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# must be the same realm name as in [realms] below; the name has no special meaning,
# it only has to match everywhere
default_realm = YUFUID.ORG
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false

[realms]
# change this to your realm name; it has no special meaning, it only has to match
YUFUID.ORG = {
# address of the KDC; in this demo Kerberos and the KDC are installed on one server,
# so use that server's IP or hostname
kdc = kerberos.yufuid.org
# this server's IP or hostname
admin_server = kerberos.yufuid.org
}

[domain_realm]
# standard mapping: the left side is the domain of the hosts that will later use Kerberos
# authentication, e.g. appservice1.yufuid.org authenticating SSH via Kerberos
.yufuid.org = YUFUID.ORG
yufuid.org = YUFUID.ORG
kdc.conf
The KDC holds the Kerberos database, which mainly stores the authentication information.

sudo vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
# change this to your realm name; it has no special meaning, it only has to match krb5.conf
YUFUID.ORG = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# the default list shipped with the package; the des-*, des3-hmac-sha1 and arcfour-hmac types
# are deprecated (RFC 6649, RFC 8429) and can be dropped unless a legacy client still needs them
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
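The two things the comments above insist on (the realm name in default_realm and [domain_realm] must match a [realms] entry, and supported_enctypes should not carry legacy types) can be checked mechanically. The following is an added example, my own code rather than anything from the post or MIT Kerberos: it parses the krb5.conf/kdc.conf profile format (the same format the Mac copy later in the post uses), reports realm names with no [realms] entry, and flags deprecated enctypes (single DES per RFC 6649, 3DES and RC4 per RFC 8429). The function names and the two sample files are mine; the samples are constructed.

```python
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-hmac-sha1", "arcfour-hmac"}

def parse_profile(text):  # MIT krb5 profile text -> {section: {key: value | nested dict}}
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment line
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("["):                      # [section] header
            stack = [sections.setdefault(line.strip("[]"), {})]
        elif line == "}":                             # end of a { } block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                          # start of a { } block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def check_krb5(krb5_conf, kdc_conf=""):  # returns a list of problems; [] means the files line up
    problems, cfg = [], parse_profile(krb5_conf)
    realms = cfg.get("realms", {})
    refs = {"default_realm": cfg.get("libdefaults", {}).get("default_realm")}
    refs.update(("domain_realm " + d, r) for d, r in cfg.get("domain_realm", {}).items())
    for what, realm in refs.items():                  # each named realm needs a [realms] entry
        if realm not in realms:
            problems.append(f"{what} = {realm}: no matching [realms] entry")
    for realm, body in parse_profile(kdc_conf).get("realms", {}).items():
        weak = {e.split(":")[0] for e in body.get("supported_enctypes", "").split()} & WEAK_ENCTYPES
        if weak:
            problems.append(f"kdc.conf realm {realm} allows weak enctypes: " + ", ".join(sorted(weak)))
    return problems

KRB5_CONF = """\
[libdefaults]
 default_realm = YUFUID.COM
[realms]
 YUFUID.ORG = {
  kdc = kerberos.yufuid.org
 }
[domain_realm]
 .yufuid.org = YUFUID.ORG
"""  # constructed sample; default_realm carries the .COM slip seen in the post's kdb5_util output
KDC_CONF = """\
[realms]
 YUFUID.ORG = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
 }
"""  # constructed sample kdc.conf with three of the deprecated types from the file above
```

Running check_krb5(KRB5_CONF, KDC_CONF) reports the .COM/.ORG mismatch and the three deprecated enctypes; feeding it the real files from this post (the includedir line is skipped) works the same way.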
Create the database
Use the realm name from [realms] above. You set the KDB master password during creation. Run the command as root (sudo), like the other commands in this guide; the run below was made as an unprivileged user, which is why it ends in "Permission denied".

$ kdb5_util create -s -r YUFUID.ORG

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YUFUID.COM',
master key name 'K/M@YUFUID.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Permission denied while creating database '/var/kerberos/krb5kdc/principal'
Edit the ACL
Set which users and source hosts may access the KDB.

sudo vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@YUFUID.ORG *
Initialize the database
Use the local admin tool kadmin.local to enter the KDC and create the user nanzhang.
Common Kerberos commands

kadmin.local
Authenticating as principal root/admin@YUFUID.ORG with password.
kadmin.local: addprinc nanzhang
WARNING: no policy specified for nanzhang@YUFUID.ORG; defaulting to no policy
Enter password for principal "nanzhang@YUFUID.ORG":
Re-enter password for principal "nanzhang@YUFUID.ORG":
Principal "nanzhang@YUFUID.ORG" created.

Create the admin principal

kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@YUFUID.ORG; defaulting to no policy
Enter password for principal "root/admin@YUFUID.ORG":
Re-enter password for principal "root/admin@YUFUID.ORG":
Principal "root/admin@YUFUID.ORG" created.

List the nanzhang and admin principals

kadmin.local: listprincs
K/M@YUFUID.ORG
kadmin/admin@YUFUID.ORG
kadmin/changepw@YUFUID.ORG
kadmin/kerberos.yufuid.org@YUFUID.ORG
kiprop/kerberos.yufuid.org@YUFUID.ORG
krbtgt/YUFUID.ORG@YUFUID.ORG
nanzhang@YUFUID.ORG
root/admin@YUFUID.ORG
kadmin.local:
Start the Kerberos services

sudo systemctl restart krb5kdc.service
sudo systemctl restart kadmin.service
sudo systemctl enable krb5kdc.service
sudo systemctl enable kadmin.service
This completes the server-side configuration.
macOS client setup
macOS version
10.14.3

Edit the Kerberos configuration on the Mac
The file contents are the same as the server's /etc/krb5.conf, without the line "includedir /etc/krb5.conf.d/".

vim /Library/Preferences/edu.mit.Kerberos

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
# ticket lifetime (how long a ticket stays valid)
ticket_lifetime = 24h
# renewable lifetime: within this window the ticket can be renewed without re-entering
# credentials; Windows and macOS renew it without the user noticing
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# must be the same realm name as in [realms] below; the name has no special meaning,
# it only has to match everywhere
default_realm = YUFUID.ORG
# KEYRING is a Linux-specific cache type; the klist output further down shows that
# macOS used its API: credentials cache instead
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false

[realms]
# change this to your realm name; it has no special meaning, it only has to match
YUFUID.ORG = {
# address of the KDC; in this demo Kerberos and the KDC are installed on one server,
# so use that server's IP or hostname
kdc = kerberos.yufuid.org
# this server's IP or hostname
admin_server = kerberos.yufuid.org
}

[domain_realm]
# standard mapping: the left side is the domain of the hosts that will later use Kerberos
# authentication, e.g. appservice1.yufuid.org authenticating SSH via Kerberos
.yufuid.org = YUFUID.ORG
yufuid.org = YUFUID.ORG
Test authentication from the Mac against the Kerberos server
In iTerm:

Sam-MacBook-Air:~ Sam$ kinit nanzhang
nanzhang@YUFUID.ORG's password:
Sam-MacBook-Air:~ Sam$ klist
Credentials cache: API:4C347D78-DC4B-435E-B4EC-1372A0919F46
Principal: nanzhang@YUFUID.ORG

  Issued                Expires               Principal
Jun 18 14:28:51 2019  Jun 19 14:28:46 2019  krbtgt/YUFUID.ORG@YUFUID.ORG

Reposted from blog.csdn.net/m0_46560389/article/details/105206163