kerberos认证服务搭建、认证、常用命令


Principal 是由三个部分组成:名字(name),实例(instance),REALM(域)。比如一个标准的 Kerberos 的用户是:name/instance@REALM

安装KDC 服务器

安装命令

yum -y install krb5-server krb5-libs krb5-workstation

修改配置

修改KDC的配置文件

[root@node1 ~]#cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 NSH.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node1 ~]# 

配置说明

[kdcdefaults]
#该部分包含在此文件中列出的所有通用的配置。
 kdc_ports = 88  #指定KDC的默认端口
 kdc_tcp_ports = 88 # 指定KDC的TCP协议默认端口。

[realms]
#该部分列出每个领域的配置。
 NSH.COM = {#是设定的 realms。名字随意,推荐为大写!,但须与/etc/krb5.conf保持一致。Kerberos 可以支持多个 realms,会增加复杂度。大小写敏感。
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl #标注了 admin 的用户权限的文件,若文件不存在,需要用户自己创建。即该参数允许为具有对Kerberos数据库的管理访问权限的UPN指定ACL。
  dict_file = /usr/share/dict/words #该参数指向包含潜在可猜测或可破解密码的文件。
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab #KDC 进行校验的 keytab。
  max_life        #该参数指定如果指定为2天。这是票据的最长存活时间。
 max_renewable_life   #该参数指定在多长时间内可重获取票据。
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal #指定此KDC支持的各种加密类型。
 }

配置KDC服务的权限管理文件

[root@node1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@NSH.COM	*
[root@node1 ~]# 

配置说明
上述参数只有两列,第一列为用户名,第二列为权限分配。

*/admin@NSH.COM	    #表示以"/admin@NSH.COM"结尾的用户。
*             #表示UNP可以执行任何操作,因为权限为所有权限,

修改Kerberos的配置文件信息

包含KDC的位置,Kerberos的admin的realms 等。需要所有使用的Kerberos的机器上的配置文件都同步。

[root@node1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = NSH.COM
#default_ccache_name = KEYRING:persistent:%{uid}

[realms]
NSH.COM = {
  kdc = node1.nsh.com:88
  admin_server = node1.nsh.com:749
  default_domain = NSH.COM
}

[domain_realm]
.nsh.com = NSH.COM
nsh.com = NSH.COM
[root@node1 ~]# 

配置说明

[logging]:
  #Kerberos守护进程的日志记录方式。换句话说,表示 server 端的日志的打印位置。
    default                         :默认的krb5libs.log日志文件存放路径
    kdc                             :默认的krb5kdc.log日志文件存放路径
    admin_server                    :默认的kadmind.log日志文件存放路径

[libdefaults]:
  #Kerberos使用的默认值,当进行身份验证而未指定Kerberos域时,则使用default_realm参数指定的Kerberos域。即每种连接的默认配置,需要注意以下几个关键的配置:
    dns_lookup_realm                :DNS查找域名,我们可以理解为DNS的正向解析,该功能我没有去验证过,默认禁用。(我猜测该功能和domain_realm配置有关)
    ticket_lifetime                 :凭证生效的时限,设置为7天。
    rdns                            :我理解是和dns_lookup_realm相反,即反向解析技术,该功能我也没有去验证过,默认禁用即可。(我猜测该功能和domain_realm配置有关)
    pkinit_anchors                  :在KDC中配置pkinit的位置,该参数的具体功能我没有做进一步验证。
    default_realm = YINZHENGJIE.COM :设置 Kerberos 应用程序的默认领域。如果您有多个领域,只需向 [realms] 节添加其他的语句。其中YINZHENGJIE.COM可以为任意名字,推荐为大写。必须跟要配置的realm的名称一致。
    default_ccache_name:           :顾名思义,默认的缓存名称,不推荐使用该参数。
   
   renew_lifetime                  :凭证最长可以被延期的时限,一般为7天。当凭证过期之后,对安全认证的服务的后续访问则会失败。
   forwardable                     :如果此参数被设置为true,则可以转发票据,这意味着如果具有TGT的用户登陆到远程系统,则KDC可以颁发新的TGT,而不需要用户再次进行身份验证。
   renewable                       :是否允许票据延迟

[realms]:
  #域特定的信息,例如域的Kerberos服务器的位置。可能有几个,每个域一个。可以为KDC和管理服务器指定一个端口。如果没有配置,则KDC使用端口88,管理服务器使用749。即列举使用的 realm域。
  kdc                              :代表要KDC的位置。格式是 机器:端口
  admin_server                     :代表admin的位置。格式是 机器:端口
   default_domain                   :顾名思义,指定默认的域名。

[domain_realm]:
   #指定DNS域名和Kerberos域名之间映射关系。指定服务器的FQDN,对应的domain_realm值决定了主机所属的域。
  
[kdc]:
  #kdc的配置信息。即指定kdc.conf的位置。
  profile                          :kdc的配置文件路径,默认值下若无文件则需要创建。

初始化KDC数据库

[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/M@NSH.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: [1]
Re-enter KDC database master key to verify:

说明

注意,-s选项指定将数据库的主节点密钥存储在文件中,从而可以在每次启动KDC时自动重新生成主节点密钥。记住主密钥,稍后回使用。

[1] 这里需要输入一个管理KDC服务器的密码!千万别忘记了,忘记的话你就只能重新初始化KDC数据库啦!(如果遇到数据库已经存在的提示,可以把/var/kerberos/krb5kdc/目录下的principal的相关文件都删除掉。默认的数据库名字都是principal。可以使用-d指定数据库名字。)

如下所示

[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/M@NSH.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': 文件已存在 while creating database '/var/kerberos/krb5kdc/principal'
[root@node1 ~]# 
[root@node1 ~]# 
[root@node1 ~]# ls /var/kerberos/krb5kdc/
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@node1 ~]# 
[root@node1 ~]# rm -rf /var/kerberos/krb5kdc/principal*
[root@node1 ~]# 
[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/M@NSH.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
[root@node1 ~]# 

kerberos数据库创建完之后,默认会创建以下5个文件,红色标出

[root@node1 ~]# ll -a /var/kerberos/krb5kdc/

总用量 28

drwxr-xr-x 2 root root 146 1月 16 14:00 .

drwxr-xr-x. 4 root root 33 1月 16 11:42 …

-rw------- 1 root root 72 1月 16 14:00 .k5.NSH.COM

-rw------- 1 root root 18 1月 16 11:47 kadm5.acl

-rw------- 1 root root 447 1月 16 11:44 kdc.conf

-rw------- 1 root root 8192 1月 16 14:00 principal

-rw------- 1 root root 8192 1月 16 14:00 principal.kadm5

-rw------- 1 root root 0 1月 16 14:00 principal.kadm5.lock

-rw------- 1 root root 0 1月 16 14:00 principal.ok

[root@node1 ~]#

启动KDC服务器

[root@node1 ~]# systemctl status krb5kdc

● krb5kdc.service - Kerberos 5 KDC

  Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)

  Active: inactive (dead)

[root@node1 ~]# systemctl start krb5kdc

[root@node1 ~]# systemctl status krb5kdc

krb5kdc.service - Kerberos 5 KDC

  Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)

  Active: active (running) since 四 2020-01-16 14:10:23 CST; 3s ago

  Process: 25314 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)

 Main PID: 25315 (krb5kdc)

  CGroup: /system.slice/krb5kdc.service

        └─25315 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

1月 16 14:10:23 node1.nsh.com systemd[1]: Starting Kerberos 5 KDC…

1月 16 14:10:23 node1.nsh.com systemd[1]: Can’t open PID file/var/run/krb5kdc.pid (yet?) after start: No such file or directory

1月 16 14:10:23 node1.nsh.com systemd[1]: Started Kerberos 5 KDC.

[root@node1 ~]#

启动Kerberos服务器

[root@node1 ~]# systemctl status kadmin

● kadmin.service - Kerberos 5 Password-changing and Administration

  Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)

  Active: inactive (dead)

[root@node1 ~]# systemctl start kadmin

[root@node1 ~]# systemctl status kadmin

kadmin.service - Kerberos 5 Password-changing and Administration

  Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)

  Active: active (running) since 四 2020-01-16 14:19:50 CST; 1s ago

  Process: 25778 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)

 Main PID: 25779 (kadmind)

  CGroup: /system.slice/kadmin.service

        └─25779 /usr/sbin/kadmind -P /var/run/kadmind.pid

1月 16 14:19:50 node1.nsh.com systemd[1]: Starting Kerberos 5 Password-changing and Administration…

1月 16 14:19:50 node1.nsh.com systemd[1]: Can’t open PID file /var/run/kadmind.pid (yet?) after start: No such file or directory

1月 16 14:19:50 node1.nsh.com systemd[1]: Started Kerberos 5 Password-changing and Administration.

[root@node1 ~]#

KDC 服务器上添加超级管理员账户

[root@node1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@NSH.COM *

[root@node1 ~]# kadmin.local

Authenticating as principal root/admin@NSH.COM with password.

kadmin.local: addprinc root/admin

WARNING: no policy specified for root/admin@NSH.COM; defaulting to no policy

Enter password for principal “root/admin@NSH.COM”:

Re-enter password for principal “root/admin@NSH.COM”:

Principal “root/admin@NSH.COM” created.

kadmin.local: listprincs

K/M@NSH.COM

kadmin/admin@NSH.COM

kadmin/changepw@NSH.COM

kadmin/node1.nsh.com@NSH.COM

kiprop/node1.nsh.com@NSH.COM

krbtgt/NSH.COM@NSH.COM

root/admin@NSH.COM

kadmin.local:

kadmin.local: q

[root@node1 ~]#

我们为KDC添加一个管理员用户,关于管理员规则我们以及在"/var/kerberos/krb5kdc/kadm5.acl"中定义的。细心的小伙伴发现,我们写的是"root/admin",但是创建用户却显示的是"root@admin@YINZHENGJIE.COM"

搭建Kerberos客户端环境

yum install -y krb5-lib krb5-workstation

将服务端的配置文件拷贝到客户端

scp /etc/krb5.conf node2.nsh.com:/etc/

客户端配置文件和服务段同步后,进行登陆,验证是否可以成功登陆

这是验证成功的提示

[root@node1 ~]# kinit root/admin
Password for root/admin@NSH.COM: 
[root@node1 ~]# kinit root/admin@NSH.COM
Password for root/admin@NSH.COM: 
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T14:43:16  2020-01-17T14:43:16  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# 

这是输错密码的提示

[root@node1 ~]# kinit root/admin@NSH.COM
Password for root/admin@NSH.COM: 
kinit: Password incorrect while getting initial credentials
[root@node1 ~]# 

Kerberos 一些基本操作命令

使用kadmin.local命令进入本地管理员模式

kadmin.local

[root@node1 ~]# kadmin.local
Authenticating as principal root/admin@NSH.COM with password.
kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         #Add principal
delete_principal, delprinc
                         #Delete principal
modify_principal, modprinc
                         #Modify principal
rename_principal, renprinc
                         #Rename principal
change_password, cpw     #Change password
get_principal, getprinc  #Get principal
list_principals, listprincs, get_principals, getprincs
                         #List principals
add_policy, addpol       #Add policy
modify_policy, modpol    #Modify policy
delete_policy, delpol    #Delete policy
get_policy, getpol       #Get policy
list_policies, listpols, get_policies, getpols
                         #List policies
get_privs, getprivs      #Get privileges
ktadd, xst               #Add entry(s) to a keytab
ktremove, ktrem          #Remove entry(s) from a keytab
lock                     #Lock database exclusively (use with extreme caution!)
unlock                   #Release exclusive database lock
purgekeys                #Purge previously retained old keys from a principal
get_strings, getstrs     #Show string attributes on a principal
set_string, setstr       #Set a string attribute on a principal
del_string, delstr       #Delete a string attribute on a principal
list_requests, lr, ?     #List available requests.
quit, exit, q            #Exit program.
kadmin.local:  

查看已经存在的凭据

listprincs

kadmin.local:  listprincs 
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  

创建凭据

addprinc -randkey hdfs/node3

addprinc -pw 123456 jack/node4

kadmin.local:  listprincs 
K/M@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local:
kadmin.local:  addprinc -randkey hdfs/node3 ##生成随机key的凭据
WARNING: no policy specified for hdfs/node3@NSH.COM; defaulting to no policy
Principal "hdfs/node3@NSH.COM" created.
kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local: 
kadmin.local:  addprinc -pw 123456 jack/node4 ###生成指定key的凭据 
WARNING: no policy specified for jack/node4@NSH.COM; defaulting to no policy
Principal "jack/node4@NSH.COM" created.
kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
jack/node4@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local:  

注意:这里生成的jack/node4是指定key,如果通过
ktadd -k /root/node4.keytab jack/node4导出密钥后,创建时指定的key失效,
原因:每次生成秘钥文件时,密码可能会进行随机改变,后续再通过指定key进行认证时会报
kinit: Password incorrect while getting initial credentials
生成密钥时,添加"-norandkey"即可解决问题

删除凭据

delprinc nsh/111

kadmin.local:  addprinc -pw 111 nsh/111
WARNING: no policy specified for nsh/111@NSH.COM; defaulting to no policy
Principal "nsh/111@NSH.COM" created.
kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
jack/node4@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
nsh/111@NSH.COM
root/admin@NSH.COM
kadmin.local:  delprinc nsh/111 ##删除凭据
Are you sure you want to delete the principal "nsh/111@NSH.COM"? (yes/no): yes
Principal "nsh/111@NSH.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
jack/node4@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local: 

导出某个用户的keytab证书(使用xst命令或者ktadd命令)

ktadd -k /root/node3.keytab hdfs/node3

xst -k /root/node4.keytab jack/node4

xst -norandkey -k /root/node34.keytab hdfs/node3 jack/node4

kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
jack/node4@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local:  
kadmin.local:  
kadmin.local:  ktadd -k /root/node3.keytab hdfs/node3 ##导出凭据
Entry for principal hdfs/node3 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node3.keytab.
kadmin.local: 
kadmin.local:  xst -k /root/node4.keytab jack/node4 ##导出凭据
Entry for principal jack/node4 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node4.keytab.
kadmin.local:
kadmin.local:  xst -norandkey -k /root/node34.keytab hdfs/node3 jack/node4 ###将多个principal生产一个keytab
Entry for principal hdfs/node3 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node34.keytab.
kadmin.local: 

查看当前客户端认证用户

[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T14:43:16  2020-01-17T14:43:16  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# 

删除当前的认证的缓存

[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T14:43:16  2020-01-17T14:43:16  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# 
[root@node1 ~]# 
[root@node1 ~]# kdestroy
[root@node1 ~]# 
[root@node1 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node1 ~]#

认证用户

基于密钥认证

[root@node1 ~]# kadmin.local 
Authenticating as principal root/admin@NSH.COM with password.
kadmin.local:  
kadmin.local:  
kadmin.local:  listprincs 
K/M@NSH.COM
hdfs/node3@NSH.COM
jack/node4@NSH.COM
kadmin/admin@NSH.COM
kadmin/changepw@NSH.COM
kadmin/node1.nsh.com@NSH.COM
kiprop/node1.nsh.com@NSH.COM
krbtgt/NSH.COM@NSH.COM
root/admin@NSH.COM
kadmin.local:  q
[root@node1 ~]# 
[root@node1 ~]# kinit -kt node3.keytab hdfs/node3 ##基于密钥进行认证
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node3@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T15:12:10  2020-01-17T15:12:10  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# kinit -kt node3.keytab hdfs/node3@NSH.COM ##基于密钥进行认证
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node3@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T15:12:48  2020-01-17T15:12:48  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# 

基于密码认证

要求

  1. 导出密钥时,需要指定-norandkey参数
  2. 创建凭据时,需要指定key
[root@node1 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node1 ~]# kinit tom/node5
Password for tom/node5@NSH.COM: 
[root@node1 ~]# 
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tom/node5@NSH.COM

Valid starting       Expires              Service principal
2020-01-16T15:29:15  2020-01-17T15:29:15  krbtgt/NSH.COM@NSH.COM
[root@node1 ~]# 

修改Kerberos用户的密码

[root@node1 ~]# kpasswd tom/node5
Password for tom/node5@NSH.COM: 
Enter new password: 
Enter it again: 
Password changed.

下面这种方式不需要知道旧密码

[root@node1 ~]# kadmin.local
Authenticating as principal tom/admin@NSH.COM with password.
kadmin.local:  
kadmin.local:  change_password tom/node5
Enter password for principal "tom/node5@NSH.COM": 
Re-enter password for principal "tom/node5@NSH.COM": 
Password for "tom/node5@NSH.COM" changed.
kadmin.local:  

获取凭据信息

kadmin.local:  getprinc tom/node5
Principal: tom/node5@NSH.COM
Expiration date: [never]
Last password change: 四 1月 16 15:40:12 CST 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: 四 1月 16 15:40:12 CST 2020 (tom/admin@NSH.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, camellia256-cts-cmac
Key: vno 3, camellia128-cts-cmac
Key: vno 3, des-hmac-sha1
Key: vno 3, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local: 

查看keytab文件中的帐号列表

[root@node1 ~]# klist -kt node34.keytab 
Keytab name: FILE:node34.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 hdfs/node3@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
   2 2020-01-16T15:05:53 jack/node4@NSH.COM
[root@node1 ~]# 
发布了39 篇原创文章 · 获赞 5 · 访问量 4万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 技术工厂 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览