http://web.mit.edu/Kerberos/
Kerberos is a network authentication service developed by MIT. I had heard of it long ago but had never used it. It provides authentication for the various servers on a network, so that passwords are no longer sent across the network in cleartext, and the communication within a connection is encrypted. It works on a different principle from PKI authentication: PKI uses a public-key (asymmetric) cryptosystem, whereas Kerberos is based on a secret-key (symmetric) cryptosystem.
Obtaining the krb5 packages
[root@centos ~]# yum search krb5
========================================== Matched: krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
Installation
[root@centos ~]# yum install krb5-server
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch            Version                     Repository          Size
====================================================================================================
Installing:
 krb5-server             x86_64          1.6.1-36.el5_4.1            updates             914 k

Transaction Summary
====================================================================================================
Install       1 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
[root@centos ~]# yum install krb5-workstation
[root@centos ~]# yum install krb5-libs
Procedure 54.3. Installation (Debian/Ubuntu)
$ sudo apt-get install krb5-admin-server
Configuring
Configuring krb5-admin-server

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the "krb5_newrealm" command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package.

<Ok>
OK
Configuring krb5-admin-server

Kadmind serves requests to add/modify/remove principals in the Kerberos database.

It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should run on the master KDC.

Run the Kerberos V5 administration daemon (kadmind)?

<Yes> <No>
Yes
Procedure 54.4. Kerberos server configuration steps
Create the Database
Create the local Kerberos database.
[root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
/etc/krb5.conf
# cp /etc/krb5.conf /etc/krb5.conf.old
# vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
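As an added illustration (not part of the original page), the following Python parses the krb5.conf syntax used above and performs the host-to-realm and realm-to-KDC lookups that, with dns_lookup_realm and dns_lookup_kdc both set to false, must come entirely from [domain_realm] and [realms] rather than from DNS. The embedded configuration is a trimmed copy of the file above; the parser is a simplification that handles only the constructs that file uses (no include directives, one value per key).

```python
import re

KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """[section] headers, 'key = value' lines and 'key = { ... }' groups -> nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]   # new top-level section
        elif line == '}':
            stack.pop()                                       # close a { } group
        else:
            key, _, value = (s.strip() for s in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))  # open a { } group
            else:
                stack[-1][key] = value
    return conf

def realm_for_host(conf, hostname):
    """dns_lookup_realm = false: the realm comes only from [domain_realm] (exact host
    entry first, then the most specific '.parent' entry), else default_realm."""
    mapping = conf.get('domain_realm', {})
    labels = hostname.lower().split('.')
    for i in range(len(labels)):
        key = ('' if i == 0 else '.') + '.'.join(labels[i:])
        if key in mapping:
            return mapping[key]
    return conf['libdefaults']['default_realm']

def kdc_for_host(conf, hostname):
    """dns_lookup_kdc = false: the KDC address comes only from [realms]."""
    return conf['realms'][realm_for_host(conf, hostname)]['kdc']
```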
Check the following configuration file: /var/kerberos/krb5kdc/kadm5.acl
[root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
Format
The format of the file is: Kerberos_principal permissions [target_principal] [restrictions]
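To make the matching rules concrete, here is an added Python model (not part of the original page or of MIT's kadmind) of how a kadm5.acl line such as */admin@EXAMPLE.COM * is evaluated. The embedded ACL keeps the page's entry as its first line; the operator/* and krbuser entries are assumptions added to show the permission-letter and target_principal columns, and the negated (uppercase) permission letters are left out of this simplified model.

```python
import re

KADM5_ACL = """
# principal              permissions  [target_principal]
*/admin@EXAMPLE.COM      *
operator/*@EXAMPLE.COM   il
krbuser@EXAMPLE.COM      cp           krbuser@EXAMPLE.COM
"""

ALL_PERMS = set('admcilpse')   # letters from kadm5.acl(5); '*' or 'x' means all of them

def _comp_match(pattern, value):
    """'*' matches any string inside one component; nothing else is special."""
    return re.fullmatch('.*'.join(map(re.escape, pattern.split('*'))), value) is not None

def match_principal(pattern, principal):
    """kadm5.acl wildcarding: components are matched one-to-one, so the pattern
    */admin@EXAMPLE.COM matches admin/admin@EXAMPLE.COM but not krbuser@EXAMPLE.COM."""
    pat_name, _, pat_realm = pattern.partition('@')
    name, _, realm = principal.partition('@')
    pat_comps, comps = pat_name.split('/'), name.split('/')
    if len(pat_comps) != len(comps) or not _comp_match(pat_realm, realm):
        return False
    return all(_comp_match(p, c) for p, c in zip(pat_comps, comps))

def parse_acl(text):
    """Return [(principal_pattern, permission_set, target_pattern_or_None), ...]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue                       # blank or comment line
        perms = ALL_PERMS if fields[1] in ('*', 'x') else set(fields[1])
        entries.append((fields[0], perms, fields[2] if len(fields) > 2 else None))
    return entries

def allowed(entries, principal, perm, target=None):
    """Simplified kadmind check: the first entry whose principal pattern (and, when
    the entry names one, target pattern) matches decides whether perm is granted."""
    for pat, perms, target_pat in entries:
        if not match_principal(pat, principal):
            continue
        if target_pat and not (target and match_principal(target_pat, target)):
            continue
        return perm in perms
    return False
```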
Add Administrators to the Kerberos Database
Create an administrator account.
[root@datacenter ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc admin/admin@EXAMPLE.COM
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local:
The same can also be done non-interactively with the following command:
kadmin.local -q "addprinc username/admin"

[root@datacenter ~]# kadmin.local -q "addprinc krbuser"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "krbuser@EXAMPLE.COM":
Re-enter password for principal "krbuser@EXAMPLE.COM":
Principal "krbuser@EXAMPLE.COM" created.
Create a kadmind Keytab
[root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: Principal => does not exist.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Start the Kerberos Daemons on the Master KDC
Start the Kerberos daemons.
[root@datacenter ~]# sudo /etc/init.d/krb524 start
Starting Kerberos 5-to-4 Server:                           [  OK  ]
[root@datacenter ~]# sudo /etc/init.d/krb5kdc restart
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@datacenter ~]# sudo /etc/init.d/kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
Log files
[root@datacenter ~]# cat /var/log/krb5kdc.log
[root@datacenter ~]# cat /var/log/krb5libs.log
[root@datacenter ~]# cat /var/log/kadmind.log
Procedure 54.5. Kerberos client configuration steps
Ticket Management
Obtaining Tickets with kinit
[root@datacenter ~]# kinit admin/admin
Password for admin/admin@EXAMPLE.COM:
Viewing Your Tickets with klist
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:15:18  03/26/10 16:15:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Destroying Your Tickets with kdestroy
[root@datacenter ~]# kdestroy
[root@datacenter ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Password Management
Changing Your Password
[root@datacenter ~]# kpasswd
Password for admin/admin@EXAMPLE.COM:
Enter new password:
Enter it again:
Password changed.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 kadmin/admin@EXAMPLE.COM
   2    3 kadmin/admin@EXAMPLE.COM
   3    3 kadmin/changepw@EXAMPLE.COM
   4    3 kadmin/changepw@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:53:02  03/26/10 16:53:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10  03/26/10 16:53:02  host/172.16.0.8@


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@datacenter ~]# kinit admin/admin
Password for admin/admin@EXAMPLE.COM:
[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.
[root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 kadmin/admin@EXAMPLE.COM
   2    3 kadmin/admin@EXAMPLE.COM
   3    3 kadmin/changepw@EXAMPLE.COM
   4    3 kadmin/changepw@EXAMPLE.COM
   5    3 host/172.16.0.8@EXAMPLE.COM
   6    3 host/172.16.0.8@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]#
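The ktadd output in this step and in the kadmind keytab step above shows every key being written with single DES and 3DES, which is what a 2010-era default enctype list produced. As an added audit helper (not part of the original page), the following Python parses those "Entry for principal ..." lines and reports which principals were keyed with enctypes that current MIT krb5 no longer supports or no longer enables by default; the sample input is constructed from the lines shown on this page plus one assumed AES entry for a host named host/kdc.example.com.

```python
import re

KTADD_OUTPUT = """\
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/kdc.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
"""

ENTRY_RE = re.compile(r'^Entry for principal (?P<princ>\S+) with kvno (?P<kvno>\d+), '
                      r'encryption type (?P<etype>.+?) added to keytab (?P<keytab>\S+)\.$')

def classify(etype):
    """'weak'  : single DES (56-bit key; removed from MIT krb5 in 1.18)
       'legacy': 3DES or RC4 (deprecated, disabled by default in recent releases)
       'ok'    : anything else (the AES family here)"""
    e = etype.lower()
    if e.startswith('des ') or e.startswith('des-'):
        return 'weak'
    if e.startswith('triple des') or 'arcfour' in e or 'rc4' in e:
        return 'legacy'
    return 'ok'

def audit_ktadd(text):
    """Group ktadd output by principal: kvno, keytab file and {etype: class}."""
    report = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # not an 'Entry for principal' line
        rec = report.setdefault(m['princ'], {'kvno': int(m['kvno']),
                                              'keytab': m['keytab'], 'etypes': {}})
        rec['etypes'][m['etype']] = classify(m['etype'])
    return report

def findings(report):
    """Principals whose keytab holds any non-'ok' enctype -> sorted list of those etypes.
    A service key of a weak type means the KDC can issue, and the service will accept,
    tickets under that type, so these principals need re-keying (a new kvno) once the
    weak enctypes are removed from the KDC's supported list."""
    return {p: sorted(e for e, c in r['etypes'].items() if c != 'ok')
            for p, r in report.items() if any(c != 'ok' for c in r['etypes'].values())}
```

On a live system the same lines can be fed in from the output of kadmin ktadd, or the check adapted to the enctype column of klist -kte.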