(Original, recommended article) Kerberos server side and client side


# Environment

Two virtual machines running CentOS 7 are enough.

One machine is the Kerberos server, the other the Kerberos client.

(This document is best viewed with the Typora editor.)

# 1. Kerberos server-side configuration

## 1.1 Install and configure the Kerberos server

```bash
[root@localhost ~]# yum install krb5-server krb5-libs krb5-auth-dialog -y
[root@localhost ~]# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
# master_key_type = aes256-cts
# Java needs additional JAR files before it can use the aes256-cts type; see section 2.2.9 on AES-256 encryption in the referenced articles. Not recommended.
# acl_file lists the permissions of admin users. The file format is
# "Kerberos_principal permissions [target_principal] [restrictions]"; wildcards are supported.
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
# admin_keytab is the keytab (key table) the KDC uses for verification. How to create it is covered later.
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
# supported_enctypes lists the supported encryption types. Note that aes256-cts has been removed.
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
```

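As an added example that is not part of the original article, a small POSIX shell checker that reads a supported_enctypes line like the one above and flags the single-DES types (removed from MIT krb5 since 1.18) and the RC4/3DES types (deprecated). The kdc.conf excerpt is constructed, and the function names are chosen here.

```shell
#!/bin/sh
# Constructed kdc.conf excerpt (assumption) with the same supported_enctypes line as the article.
KDC_CONF_SAMPLE='[realms]
EXAMPLE.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}'

# classify_enctype NAME -> prints ok | deprecated | removed | unknown
classify_enctype() {
  case $1 in
    des-cbc-crc|des-cbc-md4|des-cbc-md5|des-hmac-sha1) echo removed ;;  # single DES, dropped in MIT krb5 1.18
    des3-*|arcfour-hmac*) echo deprecated ;;                            # 3DES and RC4
    aes*|camellia*) echo ok ;;
    *) echo unknown ;;
  esac
}

# check_enctypes CONF_TEXT -> prints one "enctype status" line per entry,
# returns 0 only when every configured enctype is "ok"
check_enctypes() {
  list=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p')
  if [ -z "$list" ]; then
    echo "supported_enctypes not set; the KDC falls back to its built-in default"
    return 0
  fi
  bad=0
  for entry in $list; do
    enc=${entry%%:*}                     # drop the ":normal" salt type
    status=$(classify_enctype "$enc")
    printf '%-18s %s\n' "$enc" "$status"
    [ "$status" = ok ] || bad=1
  done
  return $bad
}

check_enctypes "$KDC_CONF_SAMPLE" || echo "kdc.conf still lists weak enctypes"
```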
```bash
[root@localhost ~]# vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
# Where the server-side logs are written
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
# How long a ticket is valid, normally 24 hours
ticket_lifetime = 24h
# The longest period a ticket can be renewed for, normally one week.
# Once the ticket has expired, further access to Kerberos-protected services fails.
renew_lifetime = 7d
forwardable = true
rdns = false
# The default realm; it must match the name of the realm configured below
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
# udp_preference_limit = 1   Disabling UDP avoids a known Hadoop error

# Lists the realms in use
[realms]
EXAMPLE.COM = {
# Location of the KDC, in the form host:port
kdc = kerberos.example.com
# Location of the admin server, in the form host:port
admin_server = kerberos.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```

## 1.2 Create/initialize the Kerberos database

```bash
[root@localhost ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM
[root@localhost krb5kdc]# ll /var/kerberos/krb5kdc
總用量 24
-rw-------. 1 root root 22 12月 7 2016 kadm5.acl
-rw-------. 1 root root 459 8月 23 10:45 kdc.conf
-rw-------. 1 root root 8192 8月 23 10:46 principal
-rw-------. 1 root root 8192 8月 23 10:42 principal.kadm5
-rw-------. 1 root root 0 8月 23 10:42 principal.kadm5.lock
-rw-------. 1 root root 0 8月 23 10:46 principal.ok
```

The -s option generates a stash file and stores the master server key (krb5kdc) in it; -r specifies a realm name, which is only necessary when krb5.conf defines several realms.

If the database has to be rebuilt, delete the principal* files in this directory; do not delete the other two files.

During this step we are asked to enter the database master password. Be sure to remember the password set here: if it is forgotten, the Kerberos server can no longer be administered. In this document the password is test.

## 1.3 Add a database administrator

We need to add administrative principals to the Kerberos database (principals, i.e. security identities, that are allowed to manage the database): at least one principal must be added so that the Kerberos administration daemon kadmind can talk over the network with the kadmin program.

```bash
[root@localhost ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": testtest
Re-enter password for principal "admin/admin@EXAMPLE.COM": testtest
Principal "admin/admin@EXAMPLE.COM" created.
[root@localhost ~]#

# Add an administrator ryan with administrative privileges; the password is 123456
[root@localhost ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc ryan/admin #add ryan/admin
WARNING: no policy specified for ryan/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "ryan/admin@EXAMPLE.COM": 123456
Re-enter password for principal "ryan/admin@EXAMPLE.COM": 123456
Principal "ryan/admin@EXAMPLE.COM" created.
kadmin.local: listprincs #show which principals exist
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ryan/admin@EXAMPLE.COM
kadmin.local: delprinc ryan/admin #delete ryan/admin; "ryan" alone is not enough
Are you sure you want to delete the principal "ryan/admin@EXAMPLE.COM"? (yes/no): yes
Principal "ryan/admin@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local: modprinc -maxrenewlife 1week ryan/admin@EXAMPLE.COM #set the renewable lifetime to 7 days
Principal "ryan/admin@EXAMPLE.COM" modified.
kadmin.local: exit

# The following command cannot be used yet:
[root@localhost ~]# kadmin
-bash: kadmin: 未找到命令
```

## 1.4 Set ACL permissions for the database administrator

```bash
[root@localhost krb5kdc]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
# Every principal whose name matches */admin@EXAMPLE.COM is treated as an admin; the permission is *, which stands for all privileges.
```

On the KDC we need to edit the ACL file to set permissions. The default path of this ACL file is /var/kerberos/krb5kdc/kadm5.acl (it can be changed in kdc.conf). The Kerberos kadmind daemon uses this file to control access to the Kerberos database. For operations that may affect principals, the ACL file also controls which principals may operate on which other principals.
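As an added example that is not part of the original article, a POSIX shell re-implementation of the matching rule behind the line above: a principal is checked against each kadm5.acl entry, where the realm must match, each "/"-separated component must match exactly or the pattern component must be "*" (component-level wildcard only, an assumption), and "*"/"x" in the permission field mean all privileges except e. The ACL content and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed kadm5.acl content (assumption): the article's line plus a read-only entry.
ACL_SAMPLE='# kadm5.acl: principal  permissions  [target_principal]  [restrictions]
*/admin@EXAMPLE.COM *
reader@EXAMPLE.COM l'

# principal_matches PRINCIPAL PATTERN -> 0 when PATTERN matches PRINCIPAL.
# Realm must match; each "/"-separated component must match exactly, or
# the pattern component must be "*" (component-level wildcard only).
principal_matches() {
  name=${1%@*}; realm=${1##*@}; pname=${2%@*}; prealm=${2##*@}
  [ "$prealm" = '*' ] || [ "$realm" = "$prealm" ] || return 1
  while [ -n "$name" ] || [ -n "$pname" ]; do
    [ -n "$name" ] && [ -n "$pname" ] || return 1   # component counts differ
    c=${name%%/*}; pc=${pname%%/*}
    [ "$pc" = '*' ] || [ "$c" = "$pc" ] || return 1
    case $name in */*) name=${name#*/} ;; *) name= ;; esac
    case $pname in */*) pname=${pname#*/} ;; *) pname= ;; esac
  done
  return 0
}

# perm_granted PERMS WANT -> 0 when the permission string grants the letter WANT.
# "*" and "x" mean all privileges except e (extract keys), as documented for kadm5.acl.
perm_granted() {
  if [ "$2" != e ]; then
    case $1 in *'*'*|*x*) return 0 ;; esac
  fi
  case $1 in *"$2"*) return 0 ;; esac
  return 1
}

# acl_allows PRINCIPAL WANT -> 0 when some ACL line grants WANT to PRINCIPAL.
acl_allows() {
  while read -r pattern perms _; do
    case $pattern in ''|'#'*) continue ;; esac   # skip blank lines and comments
    principal_matches "$1" "$pattern" || continue
    perm_granted "$perms" "$2" && return 0
  done <<EOF
$ACL_SAMPLE
EOF
  return 1
}

acl_allows 'ryan/admin@EXAMPLE.COM' a && echo "ryan/admin may add principals"
acl_allows 'ryan@EXAMPLE.COM' a || echo "ryan (no /admin instance) may not"
```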

## 1.5 Start the Kerberos daemons on the master KDC

```bash
[root@localhost krb5kdc]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost krb5kdc]# systemctl start krb5kdc
[root@localhost krb5kdc]# systemctl enable krb5kdc

[root@localhost krb5kdc]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost krb5kdc]# systemctl start kadmin
[root@localhost krb5kdc]# systemctl enable kadmin

[root@localhost krb5kdc]# tail -f /var/log/krb5kdc.log
otp: Loaded
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): setting up network...
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 10: udp ::.88 (pktinfo)
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 12: tcp 0.0.0.0.88
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 11: tcp ::.88
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): set up 4 sockets
8月 23 11:17:20 localhost.localdomain krb5kdc[4915](info): commencing operation
[root@localhost krb5kdc]# tail -f /var/log/kadmind.log
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 10: udp ::.464 (pktinfo)
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 12: tcp 0.0.0.0.464
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 11: tcp ::.464
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 13: rpc 0.0.0.0.749
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 14: rpc ::.749
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): set up 6 sockets
8月 23 11:17:32 localhost.localdomain kadmind[4941](info): Seeding random number generator
8月 23 11:17:32 localhost.localdomain kadmind[4941](info): starting
```

The KDC is now running. Both daemons run in the background, and their log files (/var/log/krb5kdc.log and /var/log/kadmind.log) can be inspected.
Whether the two daemons work correctly can be checked with the client command kinit.

# 2. Client-side operations

## 2.1 Install the client

```bash
[root@localhost ~]# yum install -y krb5-workstation krb5-libs krb5-auth-dialog
```

## 2.2 Configure krb5.conf

Configure /etc/krb5.conf on these hosts; its content only needs to be identical to the file on the KDC server.

## 2.3 Authenticate, then log in

Log in to the administrator account: on the KDC host itself you can log in directly with kadmin.local. From any other machine, authenticate first with kinit.

```bash
# Authenticate:
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
Password for ryan/admin@EXAMPLE.COM: 123456
# Log in:
[root@localhost ~]# kadmin
Authenticating as principal ryan/admin@EXAMPLE.COM with password.
Password for ryan/admin@EXAMPLE.COM:
kadmin: list_principals #list all accounts
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ryan/admin@EXAMPLE.COM
kadmin:
# Show the currently authenticated user:
[root@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ryan/admin@EXAMPLE.COM

Valid starting Expires Service principal
2017-08-23T14:01:32 2017-08-24T14:01:32 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 2017-08-30T14:01:32
[root@localhost ~]#
```

## 2.4 Create a keytab

```bash
[root@localhost tmp]# mkdir -p /var/kerberos/krb5kdc/
[root@localhost tmp]# kinit ryan/admin@EXAMPLE.COM
[root@localhost tmp]# kadmin
# Command to create a key table (keytab), first form (xst is an alias of ktadd)
kadmin: xst -k /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type camellia256-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type camellia128-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
# Command to create a key table (keytab), second form
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type camellia256-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type camellia128-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin:
# Show which keys were added to the keytab (each account has entries of several types)
[root@localhost ~]# klist -e -k -t /var/kerberos/krb5kdc/kadm5.keytab
```

## 2.5 Log in with the keytab (no password required)

```bash
# Logging in with the earlier password now fails with a password error, because creating the keytab
# generates a new random key and writes it into the keytab file. The kinit step below can be omitted:
[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kadmin -kt /var/kerberos/krb5kdc/kadm5.keytab -p ryan/admin@EXAMPLE.COM
Authenticating as principal ryan/admin@EXAMPLE.COM with keytab /var/kerberos/krb5kdc/kadm5.keytab.
kadmin: ?
```

## 2.6 Delete the current credential cache

```bash
[root@localhost ~]# kdestroy
```

## 2.7 Extend the ticket expiry time (renew)

```bash
[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kinit -R #renew the ticket
kinit: KDC can't fulfill requested option while renewing credentials
# Note: the renewal is refused, probably because the principal's renewable life is set to 0 days.

[root@localhost ~]# kadmin.local
kadmin.local: modprinc -maxrenewlife 1week ryan/admin@EXAMPLE.COM
Principal "ryan/admin@EXAMPLE.COM" modified.

[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kinit -R
[root@localhost ~]# #no output, which means the ticket expiry was extended successfully
```

# 3. Common errors

```bash
[root@localhost ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM
kdb5_util: Required parameters in kdc.conf missing while initializing the Kerberos admin interface
```

One of the encryption types listed in supported_enctypes in the configuration file is not available.

```bash
[root@localhost ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: Cannot find master key record in database while initializing kadmin.local interface
```

The command that creates the Kerberos database has to be run again, i.e. /usr/sbin/kdb5_util create -s -r EXAMPLE.COM

```bash
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
```

The firewall on the KDC server has not been turned off, or the KDC service has not been started.

```bash
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
Password for ryan/admin@EXAMPLE.COM:
kinit: Password incorrect while getting initial credentials
```

The password is wrong, or a keytab was created for this principal, which generated a new random key and wrote it into the keytab file.

# 4. References

- http://dongxicheng.org/mapreduce/hadoop-kerberos-introduction/
- http://blog.csdn.net/wulantian/article/details/42418231
- http://idior.cnblogs.com/archive/2006/03/20/354027.html
- http://docs.oracle.com/cd/E24847_01/html/819-7061/setup-9.html
- http://www.cnblogs.com/xiaodf/p/5968178.html