Single Sign On using LDAP + Kerberos

Environment

openLDAP server :  krb-ldap.shadow.com    192.168.122.16 
Kerberos KDC    :  krb-kdc1.shadow.com    192.168.122.18  
Client Machine  :  krb-client.shadow.com  192.168.122.20

Preliminary setup

Add the entries below to /etc/hosts on all three machines

192.168.122.16  krb-ldap.shadow.com    krb-ldap
192.168.122.18  krb-kdc1.shadow.com    krb-kdc1
192.168.122.20  krb-client.shadow.com  krb-client

Set a proper hostname on all machines. The command hostname -f should return the FQDN of each instance. This is really important, because the host principals created later are named after the FQDN.

Setting up LDAP authentication

Configuring openldap

[root@krb-ldap ~]# yum install openldap-servers
[root@krb-ldap ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}VErfr3f/zUoomq1Q8Mx651/yDbNdZ+cN
[root@krb-ldap ~]# nano /etc/openldap/slapd.conf 
[root@krb-ldap ~]# grep -B4 rootpw /etc/openldap/slapd.conf

database	bdb
suffix		"dc=krb,dc=shadow,dc=com"
rootdn		"cn=Manager,dc=krb,dc=shadow,dc=com"
rootpw		{SSHA}VErfr3f/zUoomq1Q8Mx651/yDbNdZ+cN

[root@krb-ldap ~]# chkconfig ldap on ; service ldap restart
Stopping slapd:                                            [FAILED]
Checking configuration files for slapd:  config file testing succeeded   [  OK  ]
Starting slapd:                                            [  OK  ]

Import basic user/group authentication data

[root@krb-ldap ~]# cat base.ldif 
dn: dc=krb,dc=shadow,dc=com
objectClass: domain
objectClass: top
dc: krb

dn: ou=People,dc=krb,dc=shadow,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=krb,dc=shadow,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group

Import sample users and groups

[root@krb-ldap ~]# cat users.ldif 
dn: uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com
objectClass: shadowAccount
objectClass: posixAccount
objectClass: account
objectClass: top
cn: Basil Kurian
gidNumber: 1000
homeDirectory: /home/bkurian
uid: bkurian
uidNumber: 1000
gecos: Basil Kurian
loginShell: /bin/bash
userPassword:: e1NIQX1la1MzUGtWNmd6aldNei9CZ3JzK3dqbC90MWs9

dn: cn=web,ou=Group,dc=krb,dc=shadow,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1005
description: Websites
memberUid: bkurian

dn: cn=users,ou=Group,dc=krb,dc=shadow,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 1000
description: Users

dn: uid=milon,ou=People,dc=krb,dc=shadow,dc=com
objectClass: shadowAccount
objectClass: posixAccount
objectClass: account
objectClass: top
cn: Milon James
gidNumber: 1000
homeDirectory: /home/milon
uid: milon
uidNumber: 1002
gecos: Milon James
loginShell: /bin/bash
userPassword:: e1NIQX1UbTMwSm4wT1ZwcUJ5VnJadVdGWlV3V0lJa2c9
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f base.ldif 
-bash: ldapadd: command not found
[root@krb-ldap ~]# 
[root@krb-ldap ~]# yum install openldap-client
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f base.ldif -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
add objectClass:
	domain
	top
add dc:
	krb
adding new entry "dc=krb,dc=shadow,dc=com"
modify complete

add objectClass:
	organizationalUnit
	top
add ou:
	People
adding new entry "ou=People,dc=krb,dc=shadow,dc=com"
modify complete

add objectClass:
	organizationalUnit
	top
add ou:
	Group
adding new entry "ou=Group,dc=krb,dc=shadow,dc=com"
modify complete

[root@krb-ldap ~]# 
[root@krb-ldap ~]# ldapadd -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -f users.ldif -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
add objectClass:
	shadowAccount
	posixAccount
	account
	top
add cn:
	Basil Kurian
add gidNumber:
	1000
add homeDirectory:
	/home/bkurian
add uid:
	bkurian
add uidNumber:
	1000
add gecos:
	Basil Kurian
add loginShell:
	/bin/bash
add userPassword:
	{SHA}ekS3PkV6gzjWMz/Bgrs+wjl/t1k=
adding new entry "uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com"
modify complete

add objectClass:
	posixGroup
	top
add cn:
	web
add gidNumber:
	1005
add description:
	Websites
add memberUid:
	bkurian
adding new entry "cn=web,ou=Group,dc=krb,dc=shadow,dc=com"
modify complete

add objectClass:
	posixGroup
	top
add cn:
	users
add gidNumber:
	1000
add description:
	Users
adding new entry "cn=users,ou=Group,dc=krb,dc=shadow,dc=com"
modify complete

add objectClass:
	shadowAccount
	posixAccount
	account
	top
add cn:
	Milon James
add gidNumber:
	1000
add homeDirectory:
	/home/milon
add uid:
	milon
add uidNumber:
	1002
add gecos:
	Milon James
add loginShell:
	/bin/bash
add userPassword:
	{SHA}Tm30Jn0OVpqByVrZuWFZUwWIIkg=
adding new entry "uid=milon,ou=People,dc=krb,dc=shadow,dc=com"
modify complete

[root@krb-ldap ~]# 

Authenticating LDAP users

[root@krb-ldap ~]# authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=krb-ldap.shadow.com --ldapbasedn="dc=krb,dc=shadow,dc=com" --update
[root@krb-ldap ~]# ssh bkurian@krb-ldap.shadow.com
The authenticity of host 'krb-ldap.shadow.com (192.168.122.16)' can't be established.
RSA key fingerprint is 28:14:e7:30:b7:3e:d3:c2:e1:3f:a5:0d:18:a1:c7:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'krb-ldap.shadow.com,192.168.122.16' (RSA) to the list of known hosts.
bkurian@krb-ldap.shadow.com's password: 
Creating directory '/home/bkurian'.
Creating directory '/home/bkurian/.mozilla'.
Creating directory '/home/bkurian/.mozilla/plugins'.
Creating directory '/home/bkurian/.mozilla/extensions'.
[bkurian@krb-ldap ~]$ 

Setting up NTP

Kerberos requires the clocks of all hosts to be kept in sync; tickets are rejected when the skew between a client and the KDC is too large.

[root@krb-ldap ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start
[root@krb-kdc ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start
[root@krb-client ~]# yum -y install ntp && ntpdate ntp.ubuntu.com && chkconfig ntpd on && /etc/init.d/ntpd start

Configuring Kerberos KDC

 [root@krb-kdc1 ~]# yum install -y krb5-server krb5-workstation 
  • Setting up iptables rules
  • 192.168.122.0/24 is the local network
[root@krb-kdc1 ~]# iptables -A INPUT -s 192.168.122.0/24 -p tcp --dport 22 -j ACCEPT
[root@krb-kdc1 ~]# iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
[root@krb-kdc1 ~]# iptables -P INPUT DROP


[root@krb-kdc1 ~]# iptables -N KDC
[root@krb-kdc1 ~]# iptables -I INPUT -j KDC
[root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24  -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos"
[root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24  -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos"
[root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24  -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos"
[root@krb-kdc1 ~]# iptables -A KDC -s 192.168.122.0/24  -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos"
[root@krb-kdc1 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@krb-kdc1 ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
YP         all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  192.168.122.0/24     0.0.0.0/0           tcp dpt:22 
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain YP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.122.0/24     0.0.0.0/0           tcp dpt:88 /* kerberos */ 
ACCEPT     udp  --  192.168.122.0/24     0.0.0.0/0           udp dpt:88 /* kerberos */ 
ACCEPT     udp  --  192.168.122.0/24     0.0.0.0/0           udp dpt:464 /* kerberos */ 
ACCEPT     tcp  --  192.168.122.0/24     0.0.0.0/0           tcp dpt:749 /* kerberos */ 


[root@krb-kdc1 ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
[root@krb-kdc1 ~]# 


 [root@krb-kdc1 ~]# nano /etc/krb5.conf 
[root@krb-kdc1 ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SHADOW.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SHADOW.COM = {
  kdc = krb-kdc1.shadow.com:88
  admin_server = krb-kdc1.shadow.com:749
  default_domain = shadow.com
 }

[domain_realm]
 .shadow.com = SHADOW.COM
 shadow.com = SHADOW.COM

[appdefaults]
 pam = {
   validate = true
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[root@krb-kdc1 ~]# nano /var/kerberos/krb5kdc/kdc.conf
[root@krb-kdc1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 SHADOW.COM = {
  # master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

[root@krb-kdc1 ~]# nano /var/kerberos/krb5kdc/kadm5.acl
[root@krb-kdc1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@SHADOW.COM	*
[root@krb-kdc1 ~]# 

The above ACL grants all rights to any principal with an /admin instance (for example root/admin@SHADOW.COM, created below), so such principals should be created sparingly.


  • Create the KDC database that holds the Kerberos data
[root@krb-kdc1 ~]# kdb5_util create -r SHADOW.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SHADOW.COM',
master key name 'K/M@SHADOW.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
[root@krb-kdc1 ~]# ls /var/kerberos/krb5kdc/*
/var/kerberos/krb5kdc/kadm5.acl  /var/kerberos/krb5kdc/principal        /var/kerberos/krb5kdc/principal.kadm5.lock
/var/kerberos/krb5kdc/kdc.conf   /var/kerberos/krb5kdc/principal.kadm5  /var/kerberos/krb5kdc/principal.ok
[root@krb-kdc1 ~]# 
  • Create a principal for the admin user as well as for bkurian. Export the kadmin service keys to the kadmind keytab.
[root@krb-kdc1 ~]# kadmin.local
Authenticating as principal root/admin@SHADOW.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@SHADOW.COM; defaulting to no policy
Enter password for principal "root/admin@SHADOW.COM": 
Re-enter password for principal "root/admin@SHADOW.COM": 
Principal "root/admin@SHADOW.COM" created.
kadmin.local:  addprinc bkurian
WARNING: no policy specified for bkurian@SHADOW.COM; defaulting to no policy
Enter password for principal "bkurian@SHADOW.COM": 
Re-enter password for principal "bkurian@SHADOW.COM": 
Principal "bkurian@SHADOW.COM" created.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  exit
[root@krb-kdc1 ~]# 

[root@krb-kdc1 ~]# /etc/init.d/krb5kdc start; /etc/init.d/kadmin start ; chkconfig krb5kdc on; chkconfig kadmin on
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
  • Copy the krb5.conf file to the other hosts
[root@krb-kdc1 ~]# scp /etc/krb5.conf root@krb-ldap.shadow.com:/etc/
root@krb-ldap.shadow.com's password: 
krb5.conf                                                                                                                                   100%  616     0.6KB/s   00:00    

[root@krb-kdc1 ~]# scp /etc/krb5.conf root@krb-client.shadow.com:/etc/
root@krb-client.shadow.com's password: 
krb5.conf                                                                                                                                   100%  616     0.6KB/s   00:00    
[root@krb-kdc1 ~]# 

Adding host principals

On krb-kdc1

[root@krb-kdc1 ~]# kadmin.local
Authenticating as principal root/admin@SHADOW.COM with password.
kadmin.local:  addprinc -randkey host/krb-kdc1.shadow.com
WARNING: no policy specified for host/krb-kdc1.shadow.com@SHADOW.COM; defaulting to no policy
Principal "host/krb-kdc1.shadow.com@SHADOW.COM" created.
kadmin.local:  ktadd host/krb-kdc1.shadow.com
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-kdc1.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  exit
[root@krb-kdc1 ~]#


On krb-ldap

[root@krb-ldap ~]# kadmin
Authenticating as principal root/admin@SHADOW.COM with password.
Password for root/admin@SHADOW.COM: 
kadmin:  addprinc -randkey host/krb-ldap.shadow.com
WARNING: no policy specified for host/krb-ldap.shadow.com@SHADOW.COM; defaulting to no policy
Principal "host/krb-ldap.shadow.com@SHADOW.COM" created.
kadmin:  ktadd host/krb-ldap.shadow.com
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-ldap.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  exit
[root@krb-ldap ~]# 

On krb-client

[root@krb-client ~]# kadmin
Authenticating as principal root/admin@SHADOW.COM with password.
Password for root/admin@SHADOW.COM: 
kadmin:  addprinc -randkey host/krb-client.shadow.com
WARNING: no policy specified for host/krb-client.shadow.com@SHADOW.COM; defaulting to no policy
Principal "host/krb-client.shadow.com@SHADOW.COM" created.
kadmin:  ktadd host/krb-client.shadow.com
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/krb-client.shadow.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  exit
[root@krb-client ~]# 

Delete userPassword information from the LDAP database

  • Delete the userPassword field for the user bkurian (and any other relevant users), so that login with the LDAP password is no longer possible and Kerberos becomes the only password check.
[root@krb-ldap ~]# nano bkurian.ldif 

[root@krb-ldap ~]# cat bkurian.ldif 
dn: uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com
changetype: modify
delete: userPassword
[root@krb-ldap ~]# 

[root@krb-ldap ~]# ldapmodify -x -W -D "cn=Manager,dc=krb,dc=shadow,dc=com" -v -f bkurian.ldif 
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
delete userPassword:
modifying entry "uid=bkurian,ou=People,dc=krb,dc=shadow,dc=com"
modify complete
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com
bkurian@krb-ldap.shadow.com's password: 
Permission denied, please try again.
bkurian@krb-ldap.shadow.com's password: 

Enabling Kerberos authentication

[root@krb-ldap ~]# authconfig --enablekrb5  --enablemkhomedir --krb5kdc=krb-kdc1.shadow.com --krb5adminserver=krb-kdc1.shadow.com --krb5realm=SHADOW.COM --update

Verifying functionality

[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com
bkurian@krb-ldap.shadow.com's password: 
Last login: Tue Mar  6 12:40:19 2012 from krb-client.shadow.com
[bkurian@krb-ldap ~]$ logout

Thus we can see that Kerberos authentication is working :)

Verifying Kerberos single sign-on (SSO)

Create a ticket

[root@krb-client ~]# kinit bkurian
Password for bkurian@SHADOW.COM: 

List the tickets

[root@krb-client ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bkurian@SHADOW.COM

Valid starting     Expires            Service principal
03/06/12 12:50:38  03/07/12 12:50:38  krbtgt/SHADOW.COM@SHADOW.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@krb-client ~]# 

Now log in to the servers bound to Kerberos; with a valid ticket no password prompt appears.

[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com
Last login: Tue Mar  6 12:50:19 2012 from krb-client.shadow.com
[bkurian@krb-ldap ~]$ 

With more verbosity

[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to krb-ldap.shadow.com [192.168.122.16] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'krb-ldap.shadow.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Mar  6 12:53:43 2012 from krb-client.shadow.com
[bkurian@krb-ldap ~]$ 


  • KDC logs
Mar 06 12:55:07 krb-kdc1.shadow.com krb5kdc[21230](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.122.20: ISSUE: authtime 1331018707, etypes {rep=18 tkt=18 ses=18}, bkurian@SHADOW.COM for krbtgt/SHADOW.COM@SHADOW.COM
Mar 06 12:55:27 krb-kdc1.shadow.com krb5kdc[21230](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.122.20: ISSUE: authtime 1331018707, etypes {rep=18 tkt=18 ses=18}, bkurian@SHADOW.COM for host/krb-ldap.shadow.com@SHADOW.COM


  • SSHD logs
[root@krb-ldap ~]# tail -f /var/log/secure

Mar  6 12:55:27 localhost sshd[22249]: Authorized to bkurian, krb5 principal bkurian@SHADOW.COM (krb5_kuserok)
Mar  6 12:55:28 localhost sshd[22249]: Accepted gssapi-with-mic for bkurian from 192.168.122.20 port 46343 ssh2
Mar  6 12:55:28 localhost sshd[22249]: pam_unix(sshd:session): session opened for user bkurian by (uid=0)


References

I started with this tutorial : http://rackerhacker.com/2012/02/05/the-kerberos-haters-guide-to-installing-kerberos/

Appendix

sshd config file in RHEL/CentOS 5.x

Protocol 2

SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes

Subsystem	sftp	/usr/libexec/openssh/sftp-server

ssh config file in RHEL/Centos 5.x

Host *
      	GSSAPIAuthentication yes