Home | 簡體中文 | 繁體中文 | 雜文 | 打賞(Donations) | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 知乎專欄 | Search | Email

1.3. Network Authentication

1.3.1. Network Information Service (NIS)

1.3.1.1. 安裝NIS伺服器

過程 1.1. 安裝NIS伺服器

  1. ypserv

    				
    # yum install ypserv -y
    				
    				
  2. /etc/hosts

    				
    [root@nis ~]# hostname nis.example.com				
    [root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
    [root@nis ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    127.0.0.1 kerberos.example.com
    192.168.3.5 nis.example.com
    				
    				
  3. 設置NIS域名

    				
    # nisdomainname example.com
    # nisdomainname
    example.com
    				
    				

    加入 /etc/rc.local 開機腳本

    				
    # echo '/bin/nisdomainname example.com' >> /etc/rc.local
    # echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
    				
    				
  4. 設置/etc/ypserv.conf主配置檔案

    				
    # vim /etc/ypserv.conf
    
    127.0.0.0/255.255.255.0 : * : * : none
    192.168.3.0/255.255.255.0 : * : * : none
    * : * : * : deny
    				
    				
  5. 創建 /var/yp/securenets 檔案

    securenets 安全配置檔案

    				
    # vim /var/yp/securenets
    host 127.0.0.1
    255.255.255.0 192.168.3.0
    				
    				
  6. 啟動NIS伺服器

    NIS伺服器需要portmap服務的支持,並且需要啟動ypserv和yppasswdd兩個服務

    				
    [root@nis ~]# service portmap status
    portmap (pid 2336)
    is running...
    [root@nis ~]# service ypserv start
    Starting YP
    server services: [ OK ]
    [root@nis ~]# service yppasswdd start
    Starting YP passwd service: [ OK ]
    				
    				
  7. 構建NIS資料庫

    32bit: /usr/lib/yp/ypinit -m

    64bit: /usr/lib64/yp/ypinit -m

    				
    [root@nis ~]# /usr/lib64/yp/ypinit -m
    
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nis.example.com is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add:  nis.example.com
            next host to add:
            next host to add:
    The current list of NIS servers looks like this:
    
    nis.example.com
    
    
    Is this correct?  [y/n: y]
    We need a few minutes to build the databases...
    Building /var/yp/example.com/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/example.com'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/example.com'
    
    nis.example.com has been set up as a NIS master server.
    
    Now you can run ypinit -s nis.example.com on all slave server.
    
    				
    				

    檢查

    				
    # ls /var/yp/
    binding example.com Makefile nicknames securenets ypservers				
    				
    				
  8. Service

    				
    [root@datacenter ~]# chkconfig --list | grep yp
    ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    
    [root@nis ~]# chkconfig ypserv on
    [root@nis ~]# chkconfig yppasswdd on
    				
    				

1.3.1.2. Slave NIS Server

Now you can run ypinit -s nis.example.com on all slave server.

		
# ypinit -s nis.example.com		
		
		

1.3.1.3. 客戶機軟件安裝

過程 1.2. 安裝NIS客戶端軟件

  1. NIS客戶機需要安裝ypbind和yp-tools兩個軟件包

    				
    # yum install ypbind yp-tools -y
    				
    				
  2. NIS域名

    				
    # nisdomainname example.com
    				
    				
  3. /etc/hosts

    				
    192.168.3.5 nis.example.com
    				
    				
  4. /etc/yp.conf

    				
    # vim /etc/yp.conf
    domain example.com server nis.example.com
    				
    				
  5. /etc/nsswitch.conf

    				
    # vim /etc/nsswitch.conf
    passwd: files nis
    shadow: files nis
    group: files nis
    hosts: files nis dns
    				
    				
  6. 啟動ypbind服務程序

    				
    [root@test ~]# service portmap status
    portmap is stopped
    [root@test ~]# service portmap start
    Starting portmap: [ OK ]
    [root@test ~]# service ypbind start
    Turning on allow_ypbind SELinux boolean
    Binding to the NIS domain: [ OK ]
    Listening for an NIS domain server..
    				
    				
  7. yp-tools 測試工具

    yptest 命令可對NIS伺服器進行自動測試

    				
    # yptest	
    				
    				

    ypwhich 命令可顯示NIS客戶機所使用的NIS伺服器的主機名稱和資料庫檔案列表

    				
    # ypwhich
    # ypwhich -x			
    				
    				

    ypcat命令顯示資料庫檔案列表和指定資料庫的內容

    				
    # ypcat -x
    # ypcat passwd				
    				
    				
  8. NIS Client Service

    				
    # chkconfig ypbind on				
    				
    				

1.3.1.4. Authentication Configuration

		
# authconfig-tui		
		
		

Use NIS

		
                ┌────────────────┤ Authentication Configuration ├─────────────────┐
                │                                                                 │
                │  User Information        Authentication                         │
                │  [ ] Cache Information   [*] Use MD5 Passwords                  │
                │  [ ] Use Hesiod          [*] Use Shadow Passwords               │
                │  [ ] Use LDAP            [ ] Use LDAP Authentication            │
                │  [*] Use NIS             [ ] Use Kerberos                       │
                │  [ ] Use Winbind         [ ] Use SMB Authentication             │
                │                          [ ] Use Winbind Authentication         │
                │                          [ ] Local authorization is sufficient  │
                │                                                                 │
                │            ┌────────┐                      ┌──────┐             │
                │            │ Cancel │                      │ Next │             │
                │            └────────┘                      └──────┘             │
                │                                                                 │
                │                                                                 │
                └─────────────────────────────────────────────────────────────────┘		
		
		

NIS Settings

		
                        ┌─────────────────┤ NIS Settings ├─────────────────┐
                        │                                                  │
                        │ Domain: example.com_____________________________ │
                        │ Server: nis.example.com_________________________ │
                        │                                                  │
                        │         ┌──────┐                 ┌────┐          │
                        │         │ Back │                 │ Ok │          │
                        │         └──────┘                 └────┘          │
                        │                                                  │
                        │                                                  │
                        └──────────────────────────────────────────────────┘
		
		

1.3.1.5. application example

nis server:

在NIS伺服器上創建一個test用戶

		
# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m
		
		

nis client

使用test用戶登錄到客戶機

		
ssh test@client.example.com		
		
		

測試

		
[root@test ~]# yptest
Test 1: domainname
Configured domainname is "example.com"

Test 2: ypbind
Used NIS server:
nis.example.com

Test 3: yp_match
WARNING: No such key in map (Map
passwd.byname, key nobody)

Test 4: yp_first
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash

Test 5: yp_next
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash

Test 6: yp_master
nis.example.com

Test 7: yp_order
1271936660

Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr

Test 9: yp_all
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed		
		
		

更改密碼

		
$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on
nis.example.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on nis.example.com.		
		
		
		
-bash-3.2$ ypcat hosts 
127.0.0.1 localhost.localdomain localhost 
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com

-bash-3.2$ ypcat passwd
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
		
		
		
-bash-3.2$
ypwhich
nis.example.com

ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
		
		

1.3.1.6. Mount /home volume from NFS

在NIS伺服器中將“/home”輸出為NFS共享目錄

		
# vi /etc/exports
/home 192.168.3.0/24(sync,rw,no_root_squash)		
		
		

重啟NFS服務

		
# service nfs restart
		
		

在NIS客戶端中掛載“/home”目錄

		
		# vi /etc/fstab
192.168.1.10:/home/ /home nfs 	defaults 0 0		
		
		

mount home volume

		
# mount /home
		
		

1.3.2. OpenLDAP

1.3.2.1. Server

  1. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

    sudo apt-get install slapd ldap-utils				
    				

    By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:

    sudo dpkg-reconfigure slapd				
    				
  2. example.com.ldif

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
    
    dn: uid=john,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    userPassword: password
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@example.com
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    postalAddress: 
    initials: JD
    
    dn: cn=example,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: example
    gidNumber: 10000
    				
  3. To add the entries to the LDAP directory use the ldapadd utility:

    ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
    				

    We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:

    ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
    
    dn: uid=john,ou=people,dc=example,dc=com
    cn: John Doe
    sn: Doe
    givenName: John				
    				

Just a quick explanation:

-x: will not use SASL authentication method, which is the default.

-LLL: disable printing LDIF schema information.

1.3.2.2. Client

  1. libnss-ldap

    sudo apt-get install libnss-ldap
    				
  2. reconfigure ldap-auth-config

    sudo dpkg-reconfigure ldap-auth-config
    				
  3. auth-client-config

    sudo auth-client-config -t nss -p lac_ldap				
    				
  4. pam-auth-update.

    sudo pam-auth-update
    				

1.3.2.3. User and Group Management

sudo apt-get install ldapscripts
		

/etc/ldapscripts/ldapscripts.conf

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000		
		

Now, create the ldapscripts.passwd file to allow authenticated access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd		
		

1.3.3. Kerberos

(Kerberos: Network Authentication Protocol)

http://web.mit.edu/Kerberos/

kerberos是由MIT開發的提供網絡認證服務的系統,很早就聽說過它的大名,但一直沒有使用過它。 它可用來為網絡上的各種server提供認證服務,使得口令不再是以明文方式在網絡上傳輸,並且聯接之間通訊是加密的; 它和PKI認證的原理不一樣,PKI使用公鑰體制(不對稱密碼體制),kerberos基于私鑰體制(對稱密碼體制)。

1.3.3.1. Kerberos 安裝

1.3.3.1.1. CentOS 安裝

獲得krb5的安裝包

yum search krb5
[root@centos ~]# yum search krb5
========================================== Matched: krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
		

安裝

yum install krb5-server.i386
[root@centos ~]# yum install krb5-server
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch               Version                       Repository           Size
====================================================================================================
Installing:
 krb5-server             x86_64             1.6.1-36.el5_4.1              updates             914 k

Transaction Summary
====================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
[root@datacenter ~]#Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch               Version                       Repository           Size
====================================================================================================
Installing:
 krb5-server             x86_64             1.6.1-36.el5_4.1              updates             914 k

Transaction Summary
====================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
		
yum install krb5-workstation
[root@centos ~]# yum install krb5-workstation
		
yum install krb5-libs
		
		
1.3.3.1.2. Install by apt-get

過程 1.3. installation

  1. $ sudo apt-get install krb5-admin-server		
    				
  2. Configuring

    				
      ┌──────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
      │                                                                                              │
      │ Setting up a Kerberos Realm                                                                  │
      │                                                                                              │
      │ This package contains the administrative tools required to run the Kerberos master server.   │
      │                                                                                              │
      │ However, installing this package does not automatically set up a Kerberos realm.  This can   │
      │ be done later by running the "krb5_newrealm" command.                                        │
      │                                                                                              │
      │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide    │
      │ found in the krb5-doc package.                                                               │
      │                                                                                              │
      │                                            <Ok>                                              │
      │                                                                                              │
      └──────────────────────────────────────────────────────────────────────────────────────────────┘
    				
    				

    OK

    				
     ┌───────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
     │                                                                                               │
     │ Kadmind serves requests to add/modify/remove principals in the Kerberos database.             │
     │                                                                                               │
     │ It is required by the kpasswd program, used to change passwords. With standard setups, this   │
     │ daemon should run on the master KDC.                                                          │
     │                                                                                               │
     │ Run the Kerberos V5 administration daemon (kadmind)?                                          │
     │                                                                                               │
     │                           <Yes>                              <No>                             │
     │                                                                                               │
     └───────────────────────────────────────────────────────────────────────────────────────────────┘				
    				
    				

    Yes

1.3.3.2. Kerberos Server

過程 1.4. Kerberos Server 配置步驟

  1. Create the Database

    創建Kerberos的本地資料庫

    kdb5_util create -r EXAMPLE.COM -s
    [root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:		
    				
  2. /etc/krb5.conf

    # cp /etc/krb5.conf /etc/krb5.conf.old
    # vim /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com:88
      admin_server = kerberos.example.com:749
      default_domain = example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    				

    檢查下面配置檔案 /var/kerberos/krb5kdc/kadm5.acl

    [root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@EXAMPLE.COM     *
    				

    格式

    The format of the file is:
    
         Kerberos_principal      permissions     [target_principal]	[restrictions]
    				
  3. Add Administrators to the Kerberos Database

    創建賬號

    [root@datacenter ~]# kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc admin/admin@EXAMPLE.COM
    WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "admin/admin@EXAMPLE.COM":
    Re-enter password for principal "admin/admin@EXAMPLE.COM":
    Principal "admin/admin@EXAMPLE.COM" created.
    kadmin.local:
    				

    也同樣可以使用下面命令

    kadmin.local -q "addprinc username/admin"
    [root@datacenter ~]# kadmin.local -q "addprinc krbuser"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "krbuser@EXAMPLE.COM":
    Re-enter password for principal "krbuser@EXAMPLE.COM":
    Principal "krbuser@EXAMPLE.COM" created.
    				
  4. Create a kadmind Keytab

    				
    [root@datacenter ~]# kadmin.local -q  "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    kadmin.local: Principal => does not exist.
    Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.				
    				
    				
  5. Start the Kerberos Daemons on the Master KDC

    啟動 Kerberos進程

    [root@datacenter ~]# sudo /etc/init.d/krb524 start
    Starting Kerberos 5-to-4 Server:                           [  OK  ]
    
    [root@datacenter ~]# sudo /etc/init.d/krb5kdc restart
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Starting Kerberos 5 KDC:                                   [  OK  ]
    
    [root@datacenter ~]# sudo /etc/init.d/kadmin start
    Starting Kerberos 5 Admin Server:                          [  OK  ]
    				
  6. Log 檔案

    [root@datacenter ~]# cat /var/log/krb5kdc.log
    
    [root@datacenter ~]# cat /var/log/krb5libs.log
    
    [root@datacenter ~]# cat /var/log/kadmind.log
    				

1.3.3.3. Kerberos Client

過程 1.5. Kerberos Client 配置步驟

  1. Ticket Management

    1. Obtaining Tickets with kinit

      [root@datacenter ~]# kinit admin/admin
      Password for admin/admin@EXAMPLE.COM:				
      				
    2. Viewing Your Tickets with klist

      [root@datacenter ~]# klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: admin/admin@EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      03/25/10 16:15:18  03/26/10 16:15:18  krbtgt/EXAMPLE.COM@ZEXAMPLECOM
      
      
      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
      				
    3. Destroying Your Tickets with kdestroy

      [root@datacenter ~]# kdestroy
      [root@datacenter ~]# klist
      klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
      
      
      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
      				
  2. Password Management

    Changing Your Password

     
    				   
    [root@datacenter ~]# kpasswd
    Password for admin/admin@EXAMPLE.COM:
    Enter new password:
    Enter it again:
    Password changed.
    				
    				

1.3.3.4. Kerberos Management

1.3.3.4.1. ktutil - Kerberos keytab file maintenance utility
[root@datacenter ~]# ktutil
ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
ktutil: q
			
1.3.3.4.2. klist - list cached Kerberos tickets
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:53:02  03/26/10 16:53:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10  03/26/10 16:53:02  host/172.16.0.8@


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
			

1.3.3.5. OpenSSH Authentications

1.3.3.5.1. Configuring the Application server system
[root@datacenter ~]# kinit   admin/admin
Password for admin/admin@EXAMPLE.COM:

[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.

[root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
   5    3               host/172.16.0.8@EXAMPLE.COM
   6    3               host/172.16.0.8@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]#
			
1.3.3.5.2. Configuring the Application client system

/etc/ssh/sshd_config

KerberosAuthentication yes
			

1.3.4. FreeRADIUS (Remote Authentication Dial In User Service)

radiusd - Authentication, Authorization and Accounting server

I want to authorize Wi-Fi Protected Access with freeradius for Wi-Fi Route.

http://freeradius.org/

  • debian/ubuntu

  • FreeRADIUS

  • D-Link DI-624+A

1.3.4.1. 安裝 FreeRADIUS

1.3.4.1.1. Ubuntu

some package of freeradius.

netkiller@shenzhen:~$ apt-cache search freeradius

freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
			

install

netkiller@shenzhen:~$ sudo apt-get install freeradius
			

OK, we have installed let's quickly test it. the '******' is your password.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20
			

if you can see 'Access-Accept', you have succeed

let me to input an incorrect password.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20
			

you will see 'Access-Reject'.

預設你只能通過localhost訪問radius, 如需其他網絡訪問需要在配置檔案中添加類似下面配置,配置檔案在 /etc/freeradius/clients.conf

# vim /etc/freeradius/clients.conf

client 172.16.0.0/24 {
       secret          = testing123
       shortname       = freeradius.example.com
}
			
1.3.4.1.2. 安裝 radiusd

CentOS與Ubuntu安裝包有所不同,配置檔案在 /etc/raddb下面

過程 1.6. 安裝步驟

  1. yum 安裝

    yum install -y freeradius
    					
    # yum install freeradius freeradius-utils			
    					
  2. 設置啟動檔案

    chkconfig radiusd on
    service radiusd start
    					
  3. 配置 radiusd

    cp /etc/raddb/clients.conf{,.original}
    cp /etc/raddb/users{,.original}
    cp /etc/raddb/sites-enabled/default{,.original}
    					
    					
    cat >> /etc/raddb/clients.conf <<EOF
    
    client 192.168.0.0/16 {
           secret          = testing123
           shortname       = freeradius.example.com
    }
    EOF				
    					
    					

    /etc/raddb/users

    guest Cleartext-Password := "test"
    					

    /etc/raddb/sites-enabled/default

    					
  4. 測試 radiusd

    $ radtest guest test 192.168.2.1 1812 testing123
    Sending Access-Request of id 223 to 192.168.2.1 port 1812
    	User-Name = "guest"
    	User-Password = "test"
    	NAS-IP-Address = 127.0.1.1
    	NAS-Port = 1812
    	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 192.168.2.1 port 1812, id=223, length=20
    					

1.3.4.2. ldap

1.3.4.3. mysql

1.3.4.4. WAP2 Enterprise

WRT54G

1.3.5. SASL (Simple Authentication and Security Layer)

1.3.6. GSSAPI (Generic Security Services Application Program Interface)