Since I have posted too few idle ramblings lately, I decided to write another one. The plan was to spend the Dragon Boat Festival long weekend studying LDAP and Kerberos integration, but I suddenly realised I did not understand Kerberos very well, so I went to Wikipedia to admire its history and so on, and found that it is actually a network authentication protocol; if you want to know more, go ask the great Google god. Of course, nobody masters this in one step, so I am taking it one step at a time and first setting up a Kerberos KDC to settle my nerves. Before setting it up, though, remember to take care of NTP time synchronisation and DNS name resolution first. Without further ado, here is how it is done:
I. Set up the Kerberos server with a KDC (Kerberos Key Distribution Center)
1) Check that the related packages are installed (on the server side)
#rpm -qa | grep -i krb5
sssd-krb5-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
krb5-devel-1.10.3-33.el6.x86_64
krb5-server-ldap-1.10.3-33.el6.x86_64
krb5-appl-servers-1.0.1-7.el6_2.1.x86_64
krb5-pkinit-openssl-1.10.3-33.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-server-1.10.3-33.el6.x86_64
krb5-auth-dialog-0.13-3.el6.x86_64
krb5-libs-1.10.3-33.el6.x86_64
2) Edit the krb5.conf configuration (on the server side; the kdc and admin_server entries must match the KDC's hostname)
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = false
#cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
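The supported_enctypes line above decides which key types the KDC generates for every new principal, and the ktadd output later in this post shows all six of them (including single DES, 3DES and arcfour, i.e. RC4) being written into each keytab. The following shell snippet is an added example, not part of the original post or of MIT Kerberos: it pulls supported_enctypes out of a kdc.conf-style file and reports the legacy entries, with the posted line shown beside an AES-only variant. The two sample files are constructed here for the demonstration; only the enctype names come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): report legacy enctypes that a
# kdc.conf still offers to the KDC. Only the enctype names are taken from the
# post; the sample files below are constructed for this demonstration.

# Print, one per line, every supported_enctypes entry whose cipher is
# single DES, triple DES or arcfour (RC4). The ":salt" suffix is dropped.
weak_enctypes() {
    # $1 = path to a kdc.conf-style file
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -s '[:blank:]' '\n' |
        sed 's/:.*//' |
        grep -E '^(des|des3|arcfour)' || true
}

# Number of weak entries; always exits 0 so it can be used in a deploy check.
weak_enctype_count() {
    weak_enctypes "$1" | grep -c . || true
}

# Constructed sample reproducing the enctype line from the post's kdc.conf.
sample_kdc_conf=$(mktemp)
cat > "$sample_kdc_conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# Constructed AES-only variant of the same realm block.
hardened_kdc_conf=$(mktemp)
cat > "$hardened_kdc_conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF

# Usage: list the weak entries of the posted config and count both files.
weak_enctypes "$sample_kdc_conf"
echo "posted config: $(weak_enctype_count "$sample_kdc_conf") weak enctype(s)"
echo "hardened config: $(weak_enctype_count "$hardened_kdc_conf") weak enctype(s)"
```

Trimming supported_enctypes only affects keys generated from then on; principals created earlier (such as the host and kadmin entries in this post) keep their existing key set until they are rekeyed, so run the check before creating principals rather than after.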
3) Edit /etc/hosts for name resolution and create the krb5 database (on the server side)
#cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.99 kerberos.example.com kerberos
192.168.1.199 client.example.com client
#kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
4) Check the kadm5 ACL and create the krbadm account (on the server side)
#cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
#service kadmin status
kadmind is stopped
#service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
#kadmin.local -q "addprinc krbadm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for krbadm@EXAMPLE.COM; defaulting to no policy
Enter password for principal "krbadm@EXAMPLE.COM":
Re-enter password for principal "krbadm@EXAMPLE.COM":
Principal "krbadm@EXAMPLE.COM" created.
#service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
5) Add the kadmin entries to the keytab and set up the passwords for kadmin/root/admin/ldapadm (on the server side)
#kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal kadmin/admin with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
#kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal kadmin/changepw with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
#kadmin.local -q "addprinc ldapadm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for ldapadm@EXAMPLE.COM; defaulting to no policy
Enter password for principal "ldapadm@EXAMPLE.COM":
Re-enter password for principal "ldapadm@EXAMPLE.COM":
Principal "ldapadm@EXAMPLE.COM" created.
#service krb5kdc restart
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
6) Verify the krbadm account (on the server side)
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#kinit krbadm@EXAMPLE.COM
Password for krbadm@EXAMPLE.COM:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: krbadm@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 14:05:31 06/21/15 14:05:31 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 14:05:31
#kdestroy
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
7) Create a corresponding local account/password and add kerberos.example.com to the KDC (on the server side)
#useradd test
#kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc test
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test@EXAMPLE.COM":
Re-enter password for principal "test@EXAMPLE.COM":
Principal "test@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/kerberos.example.com
WARNING: no policy specified for host/kerberos.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kerberos.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd host/kerberos.example.com
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.example.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit
8) Modify ssh_config and check the related functions (on the server side)
#vi /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
#authconfig-tui
#netstat -tunpl | grep -i krb
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 17431/krb5kdc
tcp 0 0 :::88 :::* LISTEN 17431/krb5kdc
udp 0 0 0.0.0.0:88 0.0.0.0:* 17431/krb5kdc
udp 0 0 fe80::20c:29ff:fe18:78c2:88 :::* 17431/krb5kdc
#su - test
$kinit
Password for test@EXAMPLE.COM:
$klist
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 15:00:37 06/21/15 15:00:37 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 15:00:37
$ssh kerberos.example.com
The authenticity of host 'kerberos.example.com (192.168.1.99)' can't be established.
RSA key fingerprint is de:2a:d6:56:ce:f1:36:da:20:99:e5:8e:2d:28:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos.example.com,192.168.1.99' (RSA) to the list of known hosts.
test@kerberos.example.com's password:
$ssh client.example.com
test@client.example.com's password:
II. Set up the Kerberos client against the KDC
1) Check that the related packages are installed (on the client side)
#rpm -qa | grep -i krb5-
krb5-server-ldap-1.10.3-33.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
krb5-devel-1.10.3-33.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-appl-servers-1.0.1-7.el6_2.1.x86_64
krb5-libs-1.10.3-33.el6.x86_64
krb5-pkinit-openssl-1.10.3-33.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
krb5-server-1.10.3-33.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
2) Edit the krb5.conf configuration (on the client side; the kdc and admin_server entries must match the KDC's hostname)
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
default_domain = example.com
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
#cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.99 kerberos.example.com kerberos
192.168.1.199 client.example.com client
3) Verify the krbadm account (on the client side)
#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#kinit krbadm@EXAMPLE.COM
Password for krbadm@EXAMPLE.COM:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: krbadm@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 14:30:23 06/21/15 14:30:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 14:30:23
4) Set up the PAM configuration for the KDC (on the client side)
#authconfig --enablekrb5 --update
#vi /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
5) Add client.example.com to the KDC and create a corresponding account (on the client side)
#kadmin -p krbadm
Authenticating as principal krbadm with password.
Password for krbadm@EXAMPLE.COM:
kadmin: addprinc -randkey host/client.example.com
WARNING: no policy specified for host/client.example.com@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "host/client.example.com@EXAMPLE.COM".
kadmin: ktadd host/client.example.com
kadmin: Operation requires ``change-password'' privilege while changing host/client.example.com's key
kadmin: quit
#useradd test
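The two "Operation requires privilege" errors in step 5 come from kadm5.acl in step I.4: its only line, */admin@EXAMPLE.COM *, matches principals whose instance is "admin", and krbadm@EXAMPLE.COM has no instance at all. kadmin.local writes to the database directly and never consults the ACL, which is why the same commands worked on the server, while kadmin -p krbadm goes through kadmind, which enforces it. As a consequence no host/client.example.com key was ever written to /etc/krb5.keytab on the client, which is consistent with ssh still asking for a password in step 6. The shell snippet below is an added example, not code from the post or from MIT Kerberos: a simplified model of the ACL lookup that reproduces the denial, with the posted ACL beside a constructed variant that adds a krbadm line limited to the add (a) and change-password (c) privileges. The file contents, function names and the extra ACL line are all assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified model of how
# kadmind matches a principal against kadm5.acl. The ACL files below are
# constructed; the first line is the post's own, the krbadm line is assumed.

# Print the privilege field of the first ACL line whose principal pattern
# matches $1, or "none" when no line matches. Blank lines and '#' comments
# are skipped. Shell glob matching is used as an approximation: real
# kadm5.acl wildcards do not cross the '/' and '@' boundaries of a principal,
# and uppercase letters in the privilege field deny rather than grant.
acl_privs() {
    princ=$1
    acl=$2
    while read -r pattern privs _rest; do
        case "$pattern" in ''|'#'*) continue ;; esac
        # $pattern is left unquoted on purpose so it acts as a glob.
        case "$princ" in
            $pattern) printf '%s\n' "$privs"; return 0 ;;
        esac
    done < "$acl"
    printf 'none\n'
}

# Exit 0 when principal $1 holds privilege letter $2 under ACL file $3.
# Letters as in kadm5.acl: a=add, d=delete, m=modify, c=changepw,
# i=inquire, l=list, e=extract, s=set key; '*' or 'x' grant everything.
acl_allows() {
    p=$(acl_privs "$1" "$3")
    case "$p" in
        '*'|x) return 0 ;;
        none)  return 1 ;;
        *)     case "$p" in *"$2"*) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# Constructed ACL whose single line is exactly what the post has in kadm5.acl.
acl_as_posted=$(mktemp)
cat > "$acl_as_posted" <<'EOF'
*/admin@EXAMPLE.COM *
EOF

# Constructed variant with an assumed extra line granting krbadm only the
# two privileges the client-side step needed (add and changepw).
acl_with_krbadm=$(mktemp)
cat > "$acl_with_krbadm" <<'EOF'
*/admin@EXAMPLE.COM *
# least-privilege entry for the operator account used from the client
krbadm@EXAMPLE.COM ac
EOF

# Usage: show what each principal gets under both ACL files.
for who in root/admin@EXAMPLE.COM krbadm@EXAMPLE.COM; do
    echo "$who -> posted ACL: $(acl_privs "$who" "$acl_as_posted"); with krbadm line: $(acl_privs "$who" "$acl_with_krbadm")"
done
```

The usual fix is either to create the operator as krbadm/admin@EXAMPLE.COM so that the existing wildcard line covers it, or to add a line for krbadm@EXAMPLE.COM with just the letters needed, as in the second file; kadmind has to be restarted after editing kadm5.acl.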
6) Verify the functionality against the KDC server (on the client side)
#su - test
$klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)
$kinit
Password for test@EXAMPLE.COM:
$klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
06/20/15 21:42:03 06/21/15 21:42:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/20/15 21:42:03
$ssh client.example.com
The authenticity of host 'client.example.com (192.168.1.199)' can't be established.
RSA key fingerprint is 5c:a1:bb:67:1d:f0:ff:65:e9:cb:4b:3b:d3:d3:ce:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'client.example.com,192.168.1.199' (RSA) to the list of known hosts.
test@client.example.com's password:
$ssh kerberos.example.com
The authenticity of host 'kerberos.example.com (192.168.1.99)' can't be established.
RSA key fingerprint is 32:a0:62:ba:ba:17:d7:b7:2c:e8:c8:31:f6:6b:47:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos.example.com,192.168.1.99' (RSA) to the list of known hosts.
test@kerberos.example.com's password:
Last login: Sat Jun 20 21:35:09 2015 from 192.168.1.99
$who am i
test pts/2 2015-06-20 21:42 (192.168.1.199)
◎ The above is a quick walkthrough of setting up a Kerberos KDC on CentOS 6.6 x64. The setup steps were based on this CertDepot post and another one, and also on this Linuxproblems article; in addition, if readers are interested in LDAP and Kerberos integration, see this Linux-Mag article and another one. Since it is somewhat complicated, I can only leave that for next time, when I will verify it on Ubuntu. That's it for now, done!
Setting ticket lifetime to 24h feels like cutting corners
Is `who am i` for checking who is currently connected?
No wonder someone wants to bring you over.....