
Setup the Kerberos KDC under CentOS 6.6 x64


Since I have been posting far too few throwaway articles lately, I decided to write another one. My plan was to spend the Dragon Boat Festival holiday studying the integration of LDAP with Kerberos, but I suddenly realized I did not actually understand Kerberos, so I went to Wikipedia to read about its history and so on, and found that it is a network authentication protocol; if you want to know more, ask Google. Of course, nobody masters this in one step, so take it one step at a time and start by setting up a Kerberos KDC. Before setting it up, remember to take care of NTP time synchronization and DNS name resolution first. Without further ado, here is how to do it:

I. Setup the Kerberos server w/ KDC (Kerberos Key Distribution Center)

1) Check the related packages that are installed (on the server side)
#rpm -qa | grep -i krb5
sssd-krb5-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
krb5-devel-1.10.3-33.el6.x86_64
krb5-server-ldap-1.10.3-33.el6.x86_64
krb5-appl-servers-1.0.1-7.el6_2.1.x86_64
krb5-pkinit-openssl-1.10.3-33.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-server-1.10.3-33.el6.x86_64
krb5-auth-dialog-0.13-3.el6.x86_64
krb5-libs-1.10.3-33.el6.x86_64

2) Edit the configuration in krb5.conf and kdc.conf (on the server side; the kdc/admin_server names must match the hostname)
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = false
#cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
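The supported_enctypes line above still lists single-DES and RC4 types alongside AES. As an added check that is not part of the original post, this Python parses the [realms] block of a kdc.conf, reports the weak entries per realm, and builds the trimmed line with only the AES types kept; which types count as weak is this example's own classification.

```python
import re

# Enctypes this check treats as weak (this example's own classification, not the post's).
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
        "des3-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac"}

def realm_blocks(kdc_conf):
    """Yield (realm, {key: value}) for each 'REALM = { ... }' under [realms]."""
    section, realm, settings = None, None, {}
    for raw in kdc_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in krb5 configs
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "realms":
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:
            realm, settings = block.group(1), {}
        elif line == "}" and realm:
            yield realm, settings
            realm = None
        elif realm and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()

def split_enctypes(settings):
    """Split supported_enctypes into (weak, strong) 'enctype:salt' entries."""
    entries = settings.get("supported_enctypes", "").split()
    weak = [e for e in entries if e.split(":", 1)[0] in WEAK]
    return weak, [e for e in entries if e not in weak]

def audit(kdc_conf):
    """Map each realm to its weak entries and a hardened supported_enctypes line."""
    report = {}
    for realm, settings in realm_blocks(kdc_conf):
        weak, strong = split_enctypes(settings)
        report[realm] = {"weak": weak, "hardened": "supported_enctypes = " + " ".join(strong)}
    return report

# The [realms] block of the kdc.conf from step 2, embedded inline as sample input.
KDC_CONF = """[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
"""
```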

3) Edit /etc/hosts for name resolution and create the krb5 database (on the server side)
#cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.99 kerberos.example.com kerberos
192.168.1.199 client.example.com client
#kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

4) Check the kadm5 ACL and create the krbadm account (on the server side)
#cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
#service kadmin status
kadmind is stopped
#service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
#kadmin.local -q "addprinc krbadm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for krbadm@EXAMPLE.COM; defaulting to no policy
Enter password for principal "krbadm@EXAMPLE.COM":
Re-enter password for principal "krbadm@EXAMPLE.COM":
Principal "krbadm@EXAMPLE.COM" created.
#service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]

5) Add the kadmin keytab entries and set up the kadmin/root/admin/ldapadm passwords (on the server side)
#kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal kadmin/admin with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
#kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal kadmin/changepw with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
#kadmin.local -q "addprinc ldapadm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for ldapadm@EXAMPLE.COM; defaulting to no policy
Enter password for principal "ldapadm@EXAMPLE.COM":
Re-enter password for principal "ldapadm@EXAMPLE.COM":
Principal "ldapadm@EXAMPLE.COM" created.
#service krb5kdc restart
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]

6) Verify the krbadm account (on the server side)
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#kinit krbadm@EXAMPLE.COM
Password for krbadm@EXAMPLE.COM:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: krbadm@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 14:05:31 06/21/15 14:05:31 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 14:05:31
#kdestroy
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

7) Create a corresponding account/password and add kerberos.example.com into the KDC (on the server side)
#useradd test
#kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc test
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test@EXAMPLE.COM":
Re-enter password for principal "test@EXAMPLE.COM":
Principal "test@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/kerberos.example.com
WARNING: no policy specified for host/kerberos.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kerberos.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd host/kerberos.example.com
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit

8) Modify ssh_config and check the related functions (on the server side)
#vi /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

#authconfig-tui

#netstat -tunpl | grep -i krb
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 17431/krb5kdc
tcp 0 0 :::88 :::* LISTEN 17431/krb5kdc
udp 0 0 0.0.0.0:88 0.0.0.0:* 17431/krb5kdc
udp 0 0 fe80::20c:29ff:fe18:78c2:88 :::* 17431/krb5kdc
#su - test
$kinit
Password for test@EXAMPLE.COM:
$klist
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 15:00:37 06/21/15 15:00:37 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 15:00:37
$ssh kerberos.example.com
The authenticity of host 'kerberos.example.com (192.168.1.99)' can't be established.
RSA key fingerprint is de:2a:d6:56:ce:f1:36:da:20:99:e5:8e:2d:28:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos.example.com,192.168.1.99' (RSA) to the list of known hosts.
test@kerberos.example.com's password:
$ssh client.example.com
test@client.example.com's password:

II. Setup the Kerberos client w/ KDC

1) Check the related packages that are installed (on the client side)
#rpm -qa | grep -i krb5-
krb5-server-ldap-1.10.3-33.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
krb5-devel-1.10.3-33.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-appl-servers-1.0.1-7.el6_2.1.x86_64
krb5-libs-1.10.3-33.el6.x86_64
krb5-pkinit-openssl-1.10.3-33.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
krb5-server-1.10.3-33.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64

2) Edit the configuration in krb5.conf (on the client side; the kdc/admin_server names must match the server's hostname)
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
default_domain = example.com
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
#cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.99 kerberos.example.com kerberos
192.168.1.199 client.example.com client

3) Verify the krbadm account (on the client side)
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#kinit krbadm@EXAMPLE.COM
Password for krbadm@EXAMPLE.COM:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: krbadm@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 14:30:23 06/21/15 14:30:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 14:30:23

4) Setup the PAM configuration for the KDC (on the client side)
#authconfig --enablekrb5 --update
#vi /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

5) Add client.example.com into the KDC and create a corresponding account (on the client side)
#kadmin -p krbadm
Authenticating as principal krbadm with password.
Password for krbadm@EXAMPLE.COM:
kadmin: addprinc -randkey host/client.example.com
WARNING: no policy specified for host/client.example.com@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "host/client.example.com@EXAMPLE.COM".
kadmin: ktadd host/client.example.com
kadmin: Operation requires ``change-password'' privilege while changing host/client.example.com's key
kadmin: quit
#useradd test

6) Verify the function against the KDC server (on the client side)
#su - test
$klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)
$kinit
Password for test@EXAMPLE.COM:
$klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 21:42:03 06/21/15 21:42:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 21:42:03
$ssh client.example.com
The authenticity of host 'client.example.com (192.168.1.199)' can't be established.
RSA key fingerprint is 5c:a1:bb:67:1d:f0:ff:65:e9:cb:4b:3b:d3:d3:ce:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'client.example.com,192.168.1.199' (RSA) to the list of known hosts.
test@client.example.com's password:
$ssh kerberos.example.com
The authenticity of host 'kerberos.example.com (192.168.1.99)' can't be established.
RSA key fingerprint is 32:a0:62:ba:ba:17:d7:b7:2c:e8:c8:31:f6:6b:47:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos.example.com,192.168.1.99' (RSA) to the list of known hosts.
test@kerberos.example.com's password:
Last login: Sat Jun 20 21:35:09 2015 from 192.168.1.99
$who am i
test pts/2 2015-06-20 21:42 (192.168.1.199)

◎ That is the brief process of "Setup the Kerberos KDC under CentOS 6.6 x64". The steps above were taken from this CertDepot article and this other one, as well as this Linuxproblems article. If readers are interested in LDAP and Kerberos integration, see this Linux-Mag article and this other one; since it is somewhat complex, I can only leave it for a later test on Ubuntu. That is it for now, done!

  1. Setting ticket lifetime to 24h feels like taking a shortcut, eh
    Is `who am i` there to check who is currently connected?
