Kerberos-based SSH login on CentOS 7

The test hosts have to be listed in /etc/hosts on both machines (dns_lookup_kdc and rdns are switched off in the configuration below, so Kerberos resolves these names statically and the fully qualified name must come first on each line):

192.168.2.20 centos20.test.com

192.168.2.21 centos21.test.com

Environment:

centos20 is the KDC server; packages installed: krb5-libs krb5-server krb5-workstation pam_krb5

centos21 is the client; packages installed: krb5-libs krb5-workstation pam_krb5

(krb5-devel is only needed when compiling software against the Kerberos libraries and plays no part in the setup below.)

Server installation

1. Install the packages

yum install -y krb5-libs krb5-server krb5-workstation pam_krb5

2. Edit the configuration files

2.1 /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_realm = TEST.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 TEST.COM = {
  kdc = centos20.test.com
  admin_server = centos20.test.com
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .test.com = TEST.COM
 test.com = TEST.COM

The realm stanza appears once. The original file listed TEST.COM twice in [realms] and carried extra mixed-case .TEST.com entries in [domain_realm]; both are redundant, and [domain_realm] keys should be lowercase host or domain names. With dns_lookup_kdc = false the KDC is found through this file only, and with rdns = false no reverse lookup is done when building the host/... service principal, so the names in /etc/hosts must match the principals registered later exactly.

2.2 /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
# EXAMPLE.COM = {
#  #master_key_type = aes256-cts
#  acl_file = /var/kerberos/krb5kdc/kadm5.acl
#  dict_file = /usr/share/dict/words
#  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
#  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }
 TEST.COM = {
  max_life = 24h
  max_renewable_life = 7d
  default_principal_flags = +renewable
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

The supported_enctypes line is the CentOS 7 default and still lists single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc), triple DES (des3-hmac-sha1) and RC4 (arcfour-hmac). All of these are deprecated in MIT Kerberos, and single DES is refused by current clients unless allow_weak_crypto is set; every principal created while they are listed gets a key of each of those types. For a new realm, drop them before running kdb5_util create and keep only the aes and camellia entries. dict_file makes kadmin reject passwords that appear in the word list (the words package provides the file).
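As an added check (not code from the original post), the POSIX shell functions below catch the two problems discussed in 2.1 and 2.2: a realm stanza repeated in krb5.conf, and deprecated enctypes in the supported_enctypes line of kdc.conf. The sample files are constructed inline to reproduce the post's configuration, so the script runs without a KDC; pass the real /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf instead to check a live host.

```shell
#!/bin/sh
# Added example, not from the original post. Lint helpers for the
# krb5.conf / kdc.conf shown above. Sample files are constructed below
# so this runs without a KDC; point the functions at the real
# /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf to check a live host.

# Number of "REALM = {" stanzas in a krb5.conf ($1 = file, $2 = realm as
# a regex, e.g. 'TEST\.COM'). Anything other than 1 is a copy-paste error.
count_realm_stanzas() {
    grep -cE "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\{" "$1" || true
}

# Value of the supported_enctypes line in a kdc.conf ($1 = file), one
# enctype per line; shared by the two checks below.
supported_enctypes() {
    grep -E '^[[:space:]]*supported_enctypes[[:space:]]*=' "$1" \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | tr ' ' '\n'
}

# Deprecated enctypes found in supported_enctypes, sorted, space-separated.
# Single DES, triple DES and RC4 (arcfour-hmac) are all deprecated in MIT
# Kerberos; single DES is refused unless allow_weak_crypto is set.
weak_enctypes() {
    supported_enctypes "$1" \
        | grep -E '^(des|arcfour)' \
        | sed 's/:.*//' \
        | LC_ALL=C sort -u \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# The same supported_enctypes value with the deprecated types removed,
# i.e. what to put in kdc.conf before running kdb5_util create.
hardened_enctypes() {
    supported_enctypes "$1" \
        | grep -vE '^(des|arcfour)' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Constructed samples reproducing the post's files (realm TEST.COM).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[realms]
TEST.COM = {
   kdc = centos20.test.com
   admin_server = centos20.test.com
}
 TEST.COM = {
  kdc = centos20.test.com
  admin_server = centos20.test.com
 }
EOF
cat > "$SAMPLE_DIR/kdc.conf" <<'EOF'
[realms]
TEST.COM = {
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

echo "TEST.COM stanzas in krb5.conf: $(count_realm_stanzas "$SAMPLE_DIR/krb5.conf" 'TEST\.COM')"
echo "deprecated enctypes in kdc.conf: $(weak_enctypes "$SAMPLE_DIR/kdc.conf")"
echo "use instead: supported_enctypes = $(hardened_enctypes "$SAMPLE_DIR/kdc.conf")"
```

Run it against the live files with, for example, count_realm_stanzas /etc/krb5.conf 'TEST\.COM' and weak_enctypes /var/kerberos/krb5kdc/kdc.conf; the second must print nothing before you create the database, because keys are generated for every listed enctype at principal creation time.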

3. Create the KDC database. You are prompted for the database master password; this key protects the principal database itself and is not an administrator account's password. -s writes the master key to a stash file so krb5kdc can start unattended. The command creates principal.* files under /var/kerberos/krb5kdc/; to start over, delete those files and run it again.

Command:

/usr/sbin/kdb5_util create -s

4. Grant the administrator ACL by editing kadm5.acl. The first field is a principal pattern, the second the permissions; * grants all of them.

File /var/kerberos/krb5kdc/kadm5.acl

Content: */admin@TEST.COM *

This gives every principal with the admin instance in TEST.COM (root/admin, alice/admin, ...) full kadmin rights, including creating principals and extracting their keys, so create such principals sparingly and protect their passwords accordingly.

5. Start the KDC services (run systemctl enable for both as well so they come up at boot)

systemctl restart kadmin

systemctl restart krb5kdc

6. Add the database administrator. kadmin.local runs on the KDC itself against the database file, so it needs no authentication (root on the KDC owns the database anyway).

Command: kadmin.local

Inside it, run the following; you are prompted for a password, and that password is what the remote kadmin login in the client section uses later:

addprinc root/admin

Then create an ordinary user principal, again entering a password when prompted:

addprinc myname

7. Register the server's host principal in the Kerberos database. The name after host/ must be the fully qualified host name clients will connect to.

Command: kadmin.local

Inside it, run:

addprinc -randkey host/centos20.test.com

ktadd host/centos20.test.com

-randkey gives the service a random key that no person knows; ktadd then writes that key into /etc/krb5.keytab, the default keytab that sshd reads through GSSAPI. (This is the host's keytab, not kadmin's; the latter is the admin_keytab named in kdc.conf.) Every ktadd bumps the key version number, so running it a second time silently invalidates any copy of the earlier keytab.

Command: klist -k

This only lists the keytab; use it to confirm that host/centos20.test.com@TEST.COM is present. klist -ke also shows the enctype of each key.
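Steps 3 to 7 as one script, added here as an example and not taken from the original post. The realm TEST.COM and the host centos20.test.com are the post's; MASTER_PW and ADMIN_PW are placeholders that must be changed. kdc_bootstrap is deliberately not executed when the script runs: it is destructive and only makes sense as root on the KDC. What does run are the parsers over a constructed klist -ke listing, which check that the host principal really landed in /etc/krb5.keytab and with which key version.

```shell
#!/bin/sh
# Added example, not from the original post: steps 3-7 above as one
# script, plus a check that the host key really is in /etc/krb5.keytab.
# Realm and host come from the post; the passwords are placeholders
# (no whitespace, they are passed through kadmin's query parser).
REALM=TEST.COM
KDC_HOST=centos20.test.com
MASTER_PW='change-me-master'   # KDC database master key (step 3)
ADMIN_PW='change-me-admin'     # password for root/admin (step 6)

# Runs as root on the KDC. Not called by default; run "kdc_bootstrap"
# by hand after reviewing it. Secrets given via -P / -pw are briefly
# visible in ps, acceptable during bootstrap on the KDC itself.
kdc_bootstrap() {
    # Step 3: -s stashes the master key so krb5kdc starts unattended;
    # -r and -P are global kdb5_util options and go before "create".
    kdb5_util -r "$REALM" -P "$MASTER_PW" create -s
    # Step 4: any */admin principal in the realm gets full kadmin rights.
    printf '*/admin@%s *\n' "$REALM" > /var/kerberos/krb5kdc/kadm5.acl
    # Step 5
    systemctl enable krb5kdc kadmin
    systemctl restart krb5kdc kadmin
    # Step 6
    kadmin.local -q "addprinc -pw $ADMIN_PW root/admin"
    kadmin.local -q 'addprinc myname'       # prompts for the user's password
    # Step 7: random key, extracted to the default keytab. Re-running
    # ktadd bumps the kvno and invalidates older copies of the keytab.
    kadmin.local -q "addprinc -randkey host/$KDC_HOST"
    kadmin.local -q "ktadd -k /etc/krb5.keytab host/$KDC_HOST"
}

# Parsers for "klist -ke" output ($1 = the listing, $2 = principal).
# Data lines look like:
#   "   2 host/centos20.test.com@TEST.COM (aes256-cts-hmac-sha1-96)"
keytab_kvno() {          # key version number, empty if the principal is absent
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}
keytab_enctypes() {      # one enctype per line
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}
keytab_key_count() {     # how many keys (one per enctype) the principal has
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { n++ } END { print n + 0 }'
}

# Constructed "klist -ke" listing as it would look after step 7 with the
# default supported_enctypes. On the real host use:
#   KEYTAB_LISTING=$(klist -ke /etc/krb5.keytab)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/centos20.test.com@TEST.COM (aes256-cts-hmac-sha1-96)
   2 host/centos20.test.com@TEST.COM (aes128-cts-hmac-sha1-96)
   2 host/centos20.test.com@TEST.COM (des3-cbc-sha1)
   2 host/centos20.test.com@TEST.COM (arcfour-hmac)'

HOST_PRINC="host/$KDC_HOST@$REALM"
echo "kvno of $HOST_PRINC: $(keytab_kvno "$KEYTAB_LISTING" "$HOST_PRINC")"
echo "keys: $(keytab_key_count "$KEYTAB_LISTING" "$HOST_PRINC")"
keytab_enctypes "$KEYTAB_LISTING" "$HOST_PRINC"
```

The kvno matters when something else (a configuration management tool, a second ktadd) has rewritten the keytab: the KDC issues service tickets under the current key version, and a keytab whose kvno lags behind makes every GSSAPI login fail with a "key version number" error in the sshd log.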

8. Edit the SSH configuration. On the server, /etc/ssh/sshd_config needs

   GSSAPIAuthentication yes

which CentOS 7 ships enabled already (GSSAPICleanupCredentials yes additionally destroys delegated tickets at logout). The four options below are ssh client options and belong in /etc/ssh/ssh_config; put them on the server only if it will also act as an ssh client:

   GSSAPIAuthentication yes

   GSSAPIDelegateCredentials yes

   GSSAPIKeyExchange yes

   GSSAPITrustDNS yes

GSSAPIDelegateCredentials forwards your ticket-granting ticket to the server, which can then act as you towards other Kerberos services, so enable it only towards hosts you trust. GSSAPITrustDNS lets DNS decide which host principal the client expects, so with untrusted DNS a spoofed record can steer the client to the wrong service; it is not needed here because names come from /etc/hosts. GSSAPIKeyExchange is a distribution patch carried by Red Hat and Debian, not an upstream OpenSSH option.

Reload sshd after changing sshd_config (ssh_config changes take effect on the next ssh invocation):

systemctl reload sshd

9. Configure PAM

Run authconfig --enablekrb5 --update (or the interactive authconfig-tui, also reachable through setup). This wires pam_krb5 into the system PAM stack so that password logins, on the console or via ssh with password authentication, are verified against the KDC. GSSAPI ssh logins do not depend on it: sshd validates the ticket itself and only runs the PAM account and session phases.

10. Open the firewall, or clear it

10.1 Firewall rules

Create /etc/firewalld/services/kerberos.xml (CentOS 7's firewalld already ships a kerberos service covering 88/tcp and 88/udp; a file of the same name under /etc/firewalld/services overrides it, here adding 749/tcp for kadmin):

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>Kerberos</short>
    <description>Kerberos network authentication protocol server</description>
    <port protocol="tcp" port="88"/>
    <port protocol="udp" port="88"/>
    <port protocol="tcp" port="749"/>
</service>

Add the service permanently:

firewall-cmd --permanent --add-service=kerberos

Reload the rules:

firewall-cmd --reload

Only the KDC needs these ports open; clients need outbound access to them, and sshd on each host needs 22/tcp as usual.

10.2 Clearing the firewall configuration instead (lab use only; this leaves every service on the host exposed)

systemctl stop firewalld

systemctl disable firewalld

iptables -F

11. Authorize the principal for the account it may log in as

File: /root/.k5login

Content: myname@TEST.COM

Without this file GSSAPI logins are only accepted for the account whose name matches the principal (myname@TEST.COM may log in as the local user myname through the default auth_to_local mapping). Once ~/.k5login exists it is the authoritative list for that account: every principal in it, and only those, may log in as that user, one principal per line, realm included. The file must be owned by the user or by root.
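The decision sshd hands to the Kerberos library once GSSAPI has proven who the client is, re-implemented below so the effect of /root/.k5login is visible. This is an added example, not code from the post or from MIT Kerberos; it mirrors the rule of krb5_kuserok with k5login_authoritative at its default, assumes the realm TEST.COM, and builds its own .k5login fixture (root's file from step 11 plus an extra root/admin line to show that matching is literal). Ownership checks, which the real code also applies, are left out.

```shell
#!/bin/sh
# Added example, not from the original post: the authorisation check
# applied after a successful GSSAPI authentication (modelled on MIT
# krb5_kuserok, default settings). If the target user's .k5login
# exists it is the only source of truth; without one the default
# auth_to_local rule applies: the principal must be exactly
# USER@DEFAULT_REALM. The real code also requires the file to be
# owned by the user or root; that check is omitted here.
#
# kuserok PRINCIPAL USER K5LOGIN_PATH DEFAULT_REALM  -> exit 0 if allowed
kuserok() {
    princ=$1 user=$2 k5login=$3 realm=$4
    if [ -f "$k5login" ]; then
        # Whole-line, literal match: "myname@TEST.COM" does not authorise
        # "myname@TEST.COM.evil" or "myname@test.com".
        grep -qxF "$princ" "$k5login" && return 0
        return 1
    fi
    [ "$princ" = "$user@$realm" ]
}

# Constructed fixture: root's .k5login as written in step 11, plus an
# admin instance to show that entries are matched literally.
K5DIR=$(mktemp -d)
printf 'myname@TEST.COM\nroot/admin@TEST.COM\n' > "$K5DIR/.k5login"

show() {   # show PRINCIPAL USER K5LOGIN_PATH
    if kuserok "$1" "$2" "$3" TEST.COM; then r=allowed; else r=denied; fi
    printf '%-28s as %-6s : %s\n' "$1" "$2" "$r"
}
show myname@TEST.COM      root   "$K5DIR/.k5login"   # listed                  -> allowed
show root/admin@TEST.COM  root   "$K5DIR/.k5login"   # listed                  -> allowed
show bob@TEST.COM         root   "$K5DIR/.k5login"   # not listed              -> denied
show myname@TEST.COM      myname "$K5DIR/none"       # no file, name matches   -> allowed
show myname@TEST.COM      root   "$K5DIR/none"       # no file, name differs   -> denied
show myname@OTHER.COM     myname "$K5DIR/none"       # foreign realm           -> denied
```

The last two cases are the ones that matter operationally: without /root/.k5login the ssh root@... test in the client section fails even though kinit succeeded, and a principal from another realm is never mapped to a local account by the default rule, whatever its first component says.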

Client configuration

1. Install the packages

yum install -y krb5-libs krb5-workstation pam_krb5

On Ubuntu the equivalent is

apt install krb5-user

2. Copy /etc/krb5.conf from the server; its contents are the same on the client.

3. Register the client's host principal and test the login

Commands:

Discard any old credentials:

kdestroy

Log in to the admin service on the KDC as root/admin (kadmin connects to kadmind on centos20.test.com, port 749/tcp, and asks for the password set in server step 6):

kadmin -p root/admin

Inside kadmin, create the host principal and extract its key:

addprinc -randkey host/centos21.test.com

ktadd host/centos21.test.com

ktadd running on the client writes into the client's own /etc/krb5.keytab. That keytab is what lets other hosts log in to centos21 with GSSAPI; it is not used while centos21 is only the ssh client.

List the keytab to confirm the entry:

klist -k

Obtain a ticket for the user:

kinit myname

Inspect the credentials cache:

klist

Test the login to the remote machine (root's .k5login on centos20 lists myname@TEST.COM, see server step 11):

ssh root@centos20.test.com

After a successful login, klist on the client additionally shows a service ticket for host/centos20.test.com@TEST.COM.

For password-less (GSSAPI) logins the ssh client configuration has to enable GSSAPI; no service restart is needed, the settings apply to the next ssh invocation.

On CentOS edit /etc/ssh/ssh_config (or ~/.ssh/config for a single user):

   GSSAPIAuthentication yes

   GSSAPIDelegateCredentials yes

   GSSAPIKeyExchange yes

   GSSAPITrustDNS yes

On Ubuntu edit /etc/ssh/ssh_config:

GSSAPIAuthentication yes

The caveats from server step 8 apply here too: GSSAPIDelegateCredentials hands your ticket-granting ticket to the server, and GSSAPITrustDNS only belongs on hosts whose DNS you trust. Only sshd_config changes on the server side require systemctl reload sshd.
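Two things can hide a broken GSSAPI setup during the test above: ssh silently falling back to password authentication, and a missing service ticket for the host. The script below is an added example, not part of the original post. Its parsers run on constructed ssh -v and klist output; gssapi_login_test runs the real thing, assumes a ticket from kinit myname is already in the cache, and takes the login target root@centos20.test.com used above as its argument.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the ssh login
# really used Kerberos. The sample logs below are constructed; the
# real check is gssapi_login_test, which needs a valid TGT in the cache.

# Authentication method ssh reports in its -v output ($1 = captured
# stderr); empty if authentication never succeeded.
auth_method_used() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' | head -n 1
}

# True if the "klist" output in $1 contains a ticket for service $2.
has_service_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# End-to-end check: every non-GSSAPI method is switched off so a failure
# is an error instead of a password prompt, and the exit status says
# whether gssapi-keyex or gssapi-with-mic did the authentication.
gssapi_login_test() {    # gssapi_login_test root@centos20.test.com
    log=$(ssh -v -o GSSAPIAuthentication=yes -o PasswordAuthentication=no \
              -o PubkeyAuthentication=no -o BatchMode=yes "$1" true 2>&1) || true
    case "$(auth_method_used "$log")" in
        gssapi-keyex|gssapi-with-mic) return 0 ;;
        *) printf '%s\n' "$log" | grep -iE 'gssapi|permission denied' >&2; return 1 ;;
    esac
}

# Constructed samples of the two outcomes and of a healthy ticket cache.
SSH_LOG_GSS='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to centos20.test.com ([192.168.2.20]:22).'
SSH_LOG_PW='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'
KLIST_OUT='Ticket cache: KEYRING:persistent:1000:1000
Default principal: myname@TEST.COM

Valid starting       Expires              Service principal
02/08/2019 10:00:00  02/09/2019 10:00:00  krbtgt/TEST.COM@TEST.COM
        renew until 02/15/2019 10:00:00
02/08/2019 10:00:07  02/09/2019 10:00:00  host/centos20.test.com@TEST.COM'

echo "method (good run): $(auth_method_used "$SSH_LOG_GSS")"
echo "method (fallback): $(auth_method_used "$SSH_LOG_PW")"
if has_service_ticket "$KLIST_OUT" host/centos20.test.com@TEST.COM; then
    echo "service ticket for host/centos20.test.com@TEST.COM present"
fi
```

If gssapi_login_test fails, the lines it prints to stderr usually name the cause: "Server host/... not found in Kerberos database" means the host principal or the name the client resolved does not match step 7, while a bare "Permission denied" after a successful GSSAPI exchange points at .k5login or the auth_to_local mapping from step 11.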


Reposted from blog.csdn.net/weixin_33832340/article/details/86931220