Kerberos 基本安装与配置

版权声明:本文为博主原创文章,如需转载,请注明出处。 https://blog.csdn.net/Post_Yuan/article/details/54406148

由于最近环境需要用到Kerberos认证,之前对Kerberos这块了解甚少,今天抽空自己手动安装一下Kerberos,以此加深对Kerberos的理解。

1 选择一台机器运行KDC,安装Kerberos相关服务

yum install -y krb5-devel krb5-server krb5-workstation

2 配置Kerberos,包括krb5.conf和kdc.conf,修改其中的realm,把默认的EXAMPLE.COM修改为自己要定义的值

[root@cent-1 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TRAFKDC.COM  --修改之处
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TRAFKDC.COM = {  --修改之处
  kdc = namenode01  --修改之处
  admin_server = namenode01  --修改之处
 }

[domain_realm]
 .TRAFKDC.com = TRAFKDC.COM  --修改之处
 TRAFKDC.com = TRAFKDC.COM  --修改之处

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TRAFKDC.COM = {  --修改之处
  max_life = 24h  --添加
  max_renewable_life = 7d  --添加
  default_principal_flags = +renewable --添加
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

3 创建KDC数据库,其中需要设置管理员密码,创建完成会在/var/kerberos/krb5kdc/下面生成一系列文件,若重建数据库则需先删除/var/kerberos/krb5kdc下面principal相关文件

[root@cent-1 ~]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TRAFKDC.COM',
master key name 'K/M@TRAFKDC.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

[root@cent-1 ~]# ll /var/kerberos/krb5kdc/
total 24
-rw-------. 1 root root   22 Mar  9  2016 kadm5.acl
-rw-------. 1 root root  403 Jan 13 10:18 kdc.conf
-rw-------. 1 root root 8192 Jan 13 10:23 principal
-rw-------. 1 root root 8192 Jan 13 10:23 principal.kadm5
-rw-------. 1 root root    0 Jan 13 10:23 principal.kadm5.lock
-rw-------. 1 root root    0 Jan 13 10:24 principal.ok

4 给数据库管理员添加ACL权限,修改kadm5.acl文件,*代表全部权限

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@TRAFKDC.COM *

5 添加数据库管理员,注意kadmin.local可以直接运行在KDC上,而无需通过Kerberos认证

[root@cent-1 ~]# /usr/sbin/kadmin.local -q "addprinc kdcadmin/admin"
Enter password for principal "kdcadmin/admin@TRAFKDC.COM":
Re-enter password for principal "kdcadmin/admin@TRAFKDC.COM":
Principal "kdcadmin/admin@TRAFKDC.COM" created.
[root@cent-1 ~]# kadmin.local
Authenticating as principal centos/admin@TRAFKDC.COM with password.
kadmin.local:  listprinc
kadmin.local: Unknown request "listprinc".  Type "?" for a request list.
kadmin.local:  listprincs
K/M@TRAFKDC.COM
kdcadmin/admin@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM

6 启动Kerberos进程并设置开机启动,通过/var/log/krb5kdc.log 和 /var/log/kadmind.log查看日志,通过kinit检查Kerberos正常运行

service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on

7 配置JCE,这是因为CentOS6.5及以上系统默认使用AES-256加密,因此需要所有节点安装并配置JCE,JCE下载路径: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

[root@cent-1 UnlimitedJCEPolicyJDK8]# ll
total 16
-rw-rw-r--. 1 root root 3035 Dec 21  2013 local_policy.jar
-rw-r--r--. 1 root root 7323 Dec 21  2013 README.txt
-rw-rw-r--. 1 root root 3023 Dec 21  2013 US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/ /usr/java/jdk1.8.0_11/jre/lib/security/
local_policy.jar      README.txt            US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/US_export_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/US_export_policy.jar'? y

8 到此,Kerberos服务端已搭好,现在选择另外一台机器安装客户端,并配置/etc/krb5.conf与KDC相同

yum install -y krb5-workstation

9 验证客户端可以访问KDC

kadmin -p 'kdcadmin/admin' -w '<kdcadmin/admin password>' -s '<kdc server ip>' -q 'list_principals'

10 kadmin生成keytab,如果是KDC上面直接运行kadmin.local,如果是在客户端先kinit再kadmin

(1)KDC

[root@cent-1 ~]# kadmin.local
Authenticating as principal trafodion/admin@TRAFKDC.COM with password.
kadmin.local:  listprincs
K/M@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM
trafodion@TRAFKDC.COM
kadmin.local:  xst -k /opt/trafodion.keytab trafodion
Entry for principal trafodion with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/trafodion.keytab.

[root@cent-1 opt]# ll /opt/trafodion.keytab
-rw-------. 1 root root 279 Jan 13 13:05 /opt/trafodion.keytab

(2)Client(需先kinit)

[root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/admin@TRAFKDC.COM:
[root@cent-2 ~]# kadmin
Authenticating as principal kadmin/admin@TRAFKDC.COM with password.
Password for kadmin/admin@TRAFKDC.COM:
kadmin:  addprinc centos
WARNING: no policy specified for centos@TRAFKDC.COM; defaulting to no policy
Enter password for principal "centos@TRAFKDC.COM":
Re-enter password for principal "centos@TRAFKDC.COM":
Principal "centos@TRAFKDC.COM" created.
kadmin:  listprincs
K/M@TRAFKDC.COM
centos@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM
trafodion@TRAFKDC.COM

11 相关Kerberos命令

//添加principal
kadmin -p 'kdcadmin/admin' -w '<kdc password>' -s '<kdc server>' -q 'addprinc -randkey trafodion'
//生成keytab文件
ktadd -k /opt/trafodion.keytab trafodion
//认证用户
kinit -kt /opt/trafodion.keytab trafodion
//查看当前认证用户信息
klist
阅读更多
想对作者说点什么? 我来说一句
相关热词

没有更多推荐了,返回首页