Kerberos simple installation configuration


Tags: Kerberos


One, a brief history of Kerberos

Kerberos is a network authentication protocol. It was first developed by the Massachusetts Institute of Technology to protect the network servers provided by Project Athena. The protocol is named after the Greek mythological character Kerberos (or Cerberus), the ferocious three-headed dog that guards Hades.


The Internet is a very unsafe place. Many of the protocols used on the Internet provide no security at all. Some sites use a firewall to try to solve their network security problems. Unfortunately, a firewall assumes that the "bad guys" are on the outside, which is often a very foolish assumption. The reality is that most damaging computer crime incidents are initiated from the inside.

Kerberos is a solution to these network security problems. It uses strong cryptography so that a client can prove its identity to a server over an insecure network. After the client and server have used Kerberos to prove their identities to each other, they can also encrypt all of their communication to ensure the integrity and privacy of the data. Kerberos is designed on a client/server (C/S) architecture and was originally based on DES encryption, supporting mutual authentication of client and server.

In short, Kerberos is a solution to network security problems. It provides strong encryption and authentication tools for networked applications, helping you protect information systems across the enterprise.

Two, Kerberos basic principles

1, Kerberos authentication principle

Kerberos is a third-party authentication mechanism through which a user and the service the user wants to access rely on the Kerberos server to authenticate each other. The mechanism also supports encryption of all communication between the user and the service. The Kerberos server acts as a key distribution center, abbreviated KDC. At a high level it consists of three parts:
1, a database of users and services (i.e., principals) and their respective Kerberos passwords
2, an authentication server (AS), which performs the initial authentication and issues ticket-granting tickets (TGT)
3, a ticket-granting server (TGS), which issues subsequent service tickets (ST) based on the initial TGT

The relationships among the AS, TGS, user client, application server, TGT and ST are illustrated in Figure 17:

[Figure 17: relationship between AS, TGS, user client, application server, TGT and ST; image not reproduced]

A user principal requests authentication from the AS, and the AS returns a TGT encrypted with the user principal's Kerberos password, which only that user principal and the AS know. The user principal decrypts the TGT locally with its Kerberos password, and from that point until the ticket expires, the user principal can use this TGT to obtain service tickets (ST) from the TGS.

Kerberos authentication uses a series of encrypted messages to prove to a verifier that the client is running on behalf of the specified user. Kerberos reduces the number of messages needed for basic verification by using timestamps, and the ticket-granting service (TGS) supports subsequent authentication, so the principal does not need to re-enter its password.

Initially, the client and the server share no encryption key. Whenever a client needs to authenticate itself to a new verifier, it relies on the AS to generate a new encryption key and distribute it securely to both parties. This new encryption key is called a session key, and a Kerberos ticket is used to deliver it to the verifier.

Since a service principal cannot always supply a password to decrypt its TGT, it uses a special file, called a keytab, which holds its authentication credentials. This allows the service principal to obtain tickets for accessing various services. The set of hosts, users and services controlled by a Kerberos server is called a realm.

2, Kerberos terminology

A principal has the form user name/FQDN (Fully Qualified Domain Name) host name@REALM (the protected domain, in all uppercase).

Of course, this requires that the user name exists as a Linux user.

The FQDN (fully qualified domain name) is always written in the form hostname.domain; of course, if your host has no domain, the domain part is omitted. In any case it is the host name plus the domain name (if one exists), which is exactly what hostname -f outputs. In fact, Kerberos does not call this part the host name but the instance; an instance name does not have to be the name of any host, but for ease of understanding and recognition we still treat it as the host name.

REALM is the domain protected by Kerberos, that is, a class or group of services protected by this Kerberos server; you can think of it as a Windows domain. Since one KDC can protect several realms at once (for example, one KDC can protect a HADOOP server group as well as a MYSQL server group), a realm name is usually used to distinguish them.

If the host name includes a domain name, you must write it in the second part of the principal; otherwise the KDC cannot verify the legitimacy of the host, because the host name information is used when the TGT is encrypted.

Also note that the domain (domain name) in the second part and the realm in the third part are the same word in Chinese but completely different words in English, with completely different meanings. Since a Kerberos realm is usually written in the form of part of a domain name, this is confusing; in fact you can understand the realm as the workgroup or home domain in Windows. The name can be chosen freely and need not be your real domain name; it is just a code name to distinguish different sets of services.

Note: the Kerberos protocol is time-sensitive, so all hosts in the realm must be time-synchronized. If the local system time on a client differs from the KDC by as little as 5 minutes, client authentication may fail.

Three, KDC service installation and configuration

1, verify that host names resolve

hostname -f obtains the host name in FQDN form from the hosts file (with the case as written in the hosts file), and Kerberos requires the FQDN form of the host name to be in lowercase.
Therefore, the hosts file should use the following format:

ip vecs02583.domain.com vecs02583

If you do not want a long domain such as domain.com, note that the host name must still be in lowercase letters.
Ensure that time is synchronized between all clients and servers and that DNS resolves correctly.

2, install the KDC service

The KDC host itself must be very secure; usually only the KDC programs run on it.
After the software installed by the command below is in place, the configuration files /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf are generated on the KDC host; they respectively reflect the realm name and the domain-to-realm mappings.
Run the following as the root user on vecs02583 (the KDC server node):

yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation openldap-clients

3, modify the main configuration file /etc/krb5.conf; this configuration file is later distributed to all Kerberos client servers.

/etc/krb5.conf contains the Kerberos configuration, for example the location of the KDC and the admin server for each realm. This file must be kept identical on all machines that use Kerberos, including the Kerberos server and the Kerberos client machines. For now only the basic configuration is needed.
Configuration example:

vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 HADOOP.COM = {
  kdc = vecs02583
  admin_server = vecs02583
 }
[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM

Description:
[logging]: specifies where the server-side logs are written.
[libdefaults]: default settings for every connection; pay attention to the following keys:
default_realm = HADOOP.COM: the default realm; it must match the realm name configured under [realms].
udp_preference_limit = 1: disables UDP so that TCP is always used, which avoids a known error in Hadoop.
ticket_lifetime: how long a ticket remains valid, generally 24 hours.
renew_lifetime: the longest period for which a ticket may be renewed, usually one week. Once the ticket expires,
subsequent access to the secured services fails.
kdc: the location of the KDC, in the format host:port.
admin_server: the location of the admin server, in the format host:port.
default_domain: the default domain name.

4, configure kdc.conf

By default it is located at /var/kerberos/krb5kdc/kdc.conf; the location can be overridden with the KRB5_KDC_PROFILE environment variable.
vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Description:
HADOOP.COM: a realm. The name is arbitrary. Kerberos can support multiple realms, but that increases complexity and is not discussed in this article. The name is case-sensitive and is conventionally written in all capitals. The realm has no necessary relationship with the host names.
max_renewable_life = 7d: must be configured for tickets to be renewable.
master_key_type and supported_enctypes use aes256-cts by default. Because Java needs an additional jar package to authenticate with aes256-cts (see section Nine on AES-256 encryption), it is recommended not to use it.
acl_file: defines the admin users' permissions. The file format is
Kerberos_principal permissions [target_principal] [restrictions], and wildcards are supported.
admin_keytab: the keytab the KDC uses for verification. How to create it is mentioned later.
supported_enctypes: the supported encryption types. Note that aes256-cts requires installing the extra jars in the JDK. The des-* and arcfour-hmac types in the example above are weak: current MIT krb5 releases refuse single DES unless allow_weak_crypto = true and have deprecated RC4 and 3DES, so list them only if a legacy client still needs them.
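A checker for the rules stated above for krb5.conf and kdc.conf (upper-case realm names, default_realm defined under [realms], lower-case KDC hosts, domain_realm entries mapping to a defined realm, and the weak-enctype caveat), added here as example code that is not from the post or from MIT krb5. The parser handles only the [section] / key = value / NAME = { } layout the two files share, and BAD_KRB5_CONF is a constructed sample.

```python
def parse_krb5_conf(text):
    """Parse the [section] / key = value / NAME = { ... } layout of krb5.conf and kdc.conf."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):                              # [libdefaults], [realms], ...
            stack = [conf.setdefault(line.strip("[]"), {})]
        elif line == "}":                                     # end of a REALM = { ... } block
            stack.pop()
        elif line.endswith("{"):                              # e.g. HADOOP.COM = {
            stack.append(stack[-1].setdefault(line[:-1].strip(" ="), {}))
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return conf

WEAK = ("des-", "des3-", "arcfour-", "rc4-")   # DES, 3DES and RC4: deprecated or removed in MIT krb5

def check_config(conf):
    """Return the problems found in a parsed krb5.conf or kdc.conf, per the rules in this post."""
    problems, realms = [], conf.get("realms", {})
    lib = conf.get("libdefaults")                             # absent in kdc.conf
    if lib is not None and lib.get("default_realm") not in realms:
        problems.append(f"default_realm {lib.get('default_realm')!r} has no [realms] entry")
    for name, s in realms.items():
        if name != name.upper():                              # realm names are upper-case
            problems.append(f"realm {name!r} is not upper-case")
        for key in ("kdc", "admin_server"):                   # host part must be lower-case
            host = s.get(key, "").split(":")[0]
            if host != host.lower():
                problems.append(f"{name}: {key} host {host!r} is not lower-case")
        weak = [e for e in s.get("supported_enctypes", "").split() if e.startswith(WEAK)]
        if weak:
            problems.append(f"{name}: weak enctypes {' '.join(weak)}")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:                               # must map to a defined realm
            problems.append(f"domain_realm {domain} -> {realm!r} is undefined")
    return problems

# Constructed sample: the post's krb5.conf with two mistakes introduced on purpose.
BAD_KRB5_CONF = """[libdefaults]
 default_realm = Hadoop.com
[realms]
 HADOOP.COM = {
  kdc = VECS02583
  admin_server = vecs02583
 }
"""
```

Running check_config(parse_krb5_conf(BAD_KRB5_CONF)) reports the mixed-case default_realm and the upper-case kdc host; feeding it the parsed kdc.conf from section 4 flags the des-* and arcfour-hmac entries.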

Five, create and initialize the Kerberos database

Once the two configuration files above are complete, the database can be initialized and the service started.

[root@VECS02583 ~]# /usr/sbin/kdb5_util create -s -r HADOOP.COM

Here [-s] means generate a stash file that stores the master key for the server (krb5kdc); [-r] specifies the realm name, which is required when several realms are defined in krb5.conf.
The files are saved under /var/kerberos/krb5kdc. If you need to rebuild the database, delete the principal-related files in that directory.
During this process you are asked to enter the database master password. You must remember the password set here; if you forget it, you cannot manage the Kerberos server.
Once the Kerberos database is created, the directory /var/kerberos/krb5kdc fills with several files:

-rw------- 1 root root   22 Nov 23  2016 kadm5.acl
-rw------- 1 root root  405 Feb 23 20:25 kdc.conf
-rw------- 1 root root 8192 Feb 23 22:26 principal
-rw------- 1 root root 8192 Feb 23 21:56 principal.kadm5
-rw------- 1 root root    0 Feb 23 21:56 principal.kadm5.lock
-rw------- 1 root root    0 Feb 23 22:26 principal.ok

Six, add a KDC database administrator

We need to add an administrative principal (i.e., one able to manage the principal database) to the Kerberos database; at least one Kerberos principal must be added so that the kadmind administration daemon can communicate with the kadmin program over the network.
Run on the master KDC (vecs02583):

/usr/sbin/kadmin.local -q "addprinc admin/admin"

and set a password when prompted.

kadmin.local can be run directly on the master KDC without first authenticating through Kerberos; in fact, it only needs
read and write access to the database files.

Seven, set ACL permissions for the database administrator

On the KDC we need to edit the ACL file to set permissions. The default path of the ACL file is /var/kerberos/krb5kdc/kadm5.acl (it can also be changed in kdc.conf). The kadmind daemon uses this file to manage access to the Kerberos database: for operations that may affect principals, the ACL file controls which principals may operate on which other principals.

Now we set the permissions for the administrator: edit the file /var/kerberos/krb5kdc/kadm5.acl so that it contains

vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@HADOOP.COM *

This means that any principal whose name matches */admin@HADOOP.COM is treated as an admin, and the permission field * grants all administrative privileges.
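To make the kadm5.acl semantics concrete, here is an added evaluator (example code, not from the post or from MIT krb5) that loads a constructed ACL extending the */admin@HADOOP.COM line above and answers whether a principal may perform an operation. It follows the documented rules: the first matching line decides, * globs one name component, *N in a target pattern back-references the client's N-th component, lower-case letters grant and upper-case letters deny, and x or * means admcilsp; the restrictions column is ignored.

```python
from fnmatch import fnmatchcase

def split_principal(name):            # 'hdfs/nn1@HADOOP.COM' -> (['hdfs', 'nn1'], 'HADOOP.COM')
    base, _, realm = name.partition("@")
    return base.split("/"), realm

def match_principal(pattern, principal, client_parts=None):
    """Component-wise match; '*'/'?' glob inside one component, and in a target pattern '*N' must equal the client's N-th component."""
    pat_parts, pat_realm = split_principal(pattern)
    parts, realm = split_principal(principal)
    if len(pat_parts) != len(parts) or not fnmatchcase(realm, pat_realm):
        return False
    for pat, actual in zip(pat_parts, parts):
        if client_parts and pat[:1] == "*" and pat[1:].isdigit():       # back-reference, e.g. *1
            if int(pat[1:]) > len(client_parts) or client_parts[int(pat[1:]) - 1] != actual:
                return False
        elif not fnmatchcase(actual, pat):
            return False
    return True

def parse_acl(text):                  # (principal, permissions, target or None); restrictions ignored
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(f[0], f[1], f[2] if len(f) > 2 else None) for f in rows if len(f) >= 2]

def is_allowed(entries, client, op, target=None):
    """The first line matching the client (and the target, when the line names one) decides."""
    client_parts, _ = split_principal(client)
    for princ_pat, perms, target_pat in entries:
        if not match_principal(princ_pat, client):
            continue
        if target_pat not in (None, "*") and (
                target is None or not match_principal(target_pat, target, client_parts)):
            continue
        granted = set()
        for ch in perms:
            if ch in "x*": granted |= set("admcilsp")      # all privileges except 'e' (extract keys)
            elif ch.islower(): granted.add(ch)             # lower-case letter grants an operation
            else: granted.discard(ch.lower())              # upper-case letter denies it
        return op in granted
    return False                                           # no matching line: denied

# Constructed sample ACL extending the */admin@HADOOP.COM line from this post.
SAMPLE_ACL = """\
*/admin@HADOOP.COM  *                  # any admin instance: everything except key extraction
jdoe@HADOOP.COM     ADMCIL             # jdoe's null instance: explicitly nothing
*/root@HADOOP.COM   ci  *1@HADOOP.COM  # a root instance may change/inquire its own null instance
*/root@HADOOP.COM   l   *              # ... and may list principals
"""
ENTRIES = parse_acl(SAMPLE_ACL)
```

With this ACL, is_allowed(ENTRIES, "jdoe/root@HADOOP.COM", "c", "jdoe@HADOOP.COM") is True while the same request against "alice@HADOOP.COM" is False, which is the least-privilege effect the target column is for.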

Eight, start Kerberos and set the daemons to start at boot

Start the Kerberos daemons on the master KDC:

[root@VECS02583 /]# service krb5kdc start
[root@VECS02583 /]# service kadmin start

Enable them at startup:

[root@VECS02583 /]# chkconfig krb5kdc on
[root@VECS02583 /]# chkconfig kadmin on

The KDC is now running. These two daemons run in the background; you can check their log files (/var/log/krb5kdc.log and /var/log/kadmind.log).
The kinit command can be used to check that the two daemons are working properly.

Nine, on AES-256 encryption

On CentOS 5, 6 and later, AES-256 encryption is used by default. This requires installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on all nodes in the cluster.
The download is a zip archive; unpack it and copy the two files inside into the directory $JAVA_HOME/jre/lib/security.

Configuring JCE: because CentOS 6.5 and later use AES-256 encryption by default, all nodes must have JCE installed and configured. JCE download path: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Ten, configure the other Kerberos clients in the cluster

Install the following on the Kerberos client machines:

yum install krb5-workstation krb5-libs krb5-auth-dialog

Configure krb5.conf
Configure /etc/krb5.conf on these hosts; its contents can be identical to the file on the KDC.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HADOOP.COM = {
  kdc = vecs02583
  admin_server = vecs02583
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM


Origin www.cnblogs.com/hit-zb/p/12534426.html