Quickly setting up a Kerberos environment
1. Install Kerberos
yum -y install krb5-server krb5-libs krb5-workstation
2. Modify the configuration files
Modify the configuration files krb5.conf and kdc.conf:
krb5.conf location: /etc/krb5.conf
kdc.conf location: /var/kerberos/krb5kdc/kdc.conf
Note the case of the realm name: realm names are case-sensitive, so write it the same way everywhere!
2.1 edit krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SFTP.ATANG.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
SFTP.ATANG.COM = {
kdc = sftp.atang.com
admin_server = sftp.atang.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
2.2 edit kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SFTP.ATANG.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# the des*, des3 and arcfour-hmac types below are weak and only kept for legacy clients; prefer the aes types
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
3. Create the principal database
sh-4.2# kdb5_util create -r SFTP.ATANG.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SFTP.ATANG.COM',
master key name 'K/M@SFTP.ATANG.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
This command creates the following files:
-rw------- 1 root root 8192 Apr 1 14:26 principal
-rw------- 1 root root 8192 Apr 1 14:26 principal.kadm5
-rw------- 1 root root 0 Apr 1 14:26 principal.kadm5.lock
-rw------- 1 root root 0 Apr 1 14:26 principal.ok
Kerberos database files: principal, principal.ok
Kerberos administrative database file: principal.kadm5
administrative database lock file: principal.kadm5.lock
4. Add the administrator to the ACL file, kadm5.acl
Each line is "<principal> <permissions>", and the realm in the principal must be your own realm, not the EXAMPLE.COM placeholder shipped with the package. A line with only a principal and no permissions field (admin@SFTP.ATANG.COM on its own) is what produces the "syntax error at line 2" in the kadmind log below, so the file should contain:
# <principal> <permissions>: any principal with the "admin" instance in our realm gets all rights
*/admin@SFTP.ATANG.COM *
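Added example, not part of the original post: a small shell lint (function name check_kadm5_acl is mine) that catches the two ACL mistakes above, a line with no permissions field and an entry whose realm is not the KDC's, before kadmind is started.

```shell
#!/bin/sh
# Added example: lint a kadm5.acl file before starting kadmind.
# Every non-comment line must read
#   <principal> <permissions> [target_principal] [restrictions]
# A line carrying only a principal, like "admin@SFTP.ATANG.COM" in step 4,
# makes kadmind log "syntax error" and ignore the ACL entirely.
# Usage: check_kadm5_acl /var/kerberos/krb5kdc/kadm5.acl SFTP.ATANG.COM
check_kadm5_acl() {
    acl_file=$1
    realm=$2
    awk -v realm="$realm" '
        # skip blank lines and comments
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        NF < 2 {
            printf "line %d: missing permissions field: %s\n", NR, $0
            bad = 1; next
        }
        $1 !~ /@/ {
            printf "line %d: principal %s has no @REALM part\n", NR, $1
            bad = 1; next
        }
        # permissions are single letters (a d m c i l p s x e), uppercase to deny, or *
        $2 !~ /^[*acdeilmpsxACDEILMPSX]+$/ {
            printf "line %d: unknown permission characters: %s\n", NR, $2
            bad = 1; next
        }
        {
            # a foreign realm is not a syntax error, but the entry never matches local admins
            split($1, p, "@")
            if (p[2] != realm)
                printf "line %d: warning: %s is in realm %s, not %s\n", NR, $1, p[2], realm
        }
        END { exit bad }
    ' "$acl_file"
}
```

The function exits non-zero only on syntax problems; realm mismatches are printed as warnings.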
5. Add the administrator to the database
sh-4.2# kadmin.local
Authenticating as principal root/admin@SFTP.ATANG.COM with password.
kadmin.local: addprinc admin/admin@SFTP.ATANG.COM
WARNING: no policy specified for admin/admin@SFTP.ATANG.COM; defaulting to no policy
Enter password for principal "admin/admin@SFTP.ATANG.COM":
Re-enter password for principal "admin/admin@SFTP.ATANG.COM":
Principal "admin/admin@SFTP.ATANG.COM" created.
6. Start the services
At this point, you are ready to start the Kerberos KDC (krb5kdc) and administrative daemons on the Master KDC. To do so, type:
# krb5kdc
# kadmind
6.1 Check the log files
sh-4.2# tail /var/log/krb5kdc.log
otp: Loaded
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): setting up network...
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 10: udp ::.88 (pktinfo)
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 12: tcp 0.0.0.0.88
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 11: tcp ::.88
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): set up 4 sockets
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99745](info): commencing operation
sh-4.2#
sh-4.2# tail /var/log/kadmind.log
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 12: tcp 0.0.0.0.464
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 11: tcp ::.464
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 13: rpc 0.0.0.0.749
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 14: rpc ::.749
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): set up 6 sockets
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 2 <admin@SFTP.ATANG.COM...>
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99748](info): Seeding random number generator
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99748](info): starting
7. Validation
kinit
sh-4.2# kinit admin/admin@SFTP.ATANG.COM
kinit: Cannot contact any KDC for realm 'SFTP.ATANG.COM' while getting initial credentials
If you get the error above, edit the hosts file (/etc/hosts) and add the following entry:
127.0.0.1 sftp.atang.com
sh-4.2# kinit admin/admin@SFTP.ATANG.COM
Password for admin/admin@SFTP.ATANG.COM:
klist
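Added example, not part of the original post: a pre-flight check (function names kdc_for_default_realm and check_kdc_resolves are mine) that reads the default realm's kdc entry out of a krb5.conf and confirms the host resolves, which is the usual cause of the "Cannot contact any KDC" error above.

```shell
#!/bin/sh
# Added example: before running kinit, find the KDC host the client library
# will contact for the default realm and check that the name resolves.
# Usage: check_kdc_resolves /etc/krb5.conf

# Print "REALM KDCHOST" for the first kdc entry of the default realm.
# The file is read twice: pass 1 picks up default_realm from [libdefaults],
# pass 2 finds that realm's block under [realms], whatever order the sections are in.
kdc_for_default_realm() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[^a-z_]/, "", section); inrealm = 0; next }
        FNR == NR && section == "libdefaults" && $1 == "default_realm" { realm = $NF; next }
        FNR != NR && section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "kdc" && kdc == "" { kdc = $NF; sub(/:[0-9]+$/, "", kdc) }
        END { if (realm == "" || kdc == "") exit 1; print realm, kdc }
    ' "$1" "$1"
}

# Resolve the KDC host the way the client will (DNS or /etc/hosts via getent).
check_kdc_resolves() {
    out=$(kdc_for_default_realm "$1") || { echo "$1: no kdc entry for the default realm"; return 1; }
    realm=${out%% *}
    host=${out##* }
    if getent hosts "$host" >/dev/null 2>&1; then
        echo "realm $realm: KDC $host resolves to $(getent hosts "$host" | awk '{print $1; exit}')"
    else
        echo "realm $realm: KDC $host does not resolve; add it to DNS or /etc/hosts"
        return 1
    fi
}
```

If the name resolves but kinit still fails, KRB5_TRACE=/dev/stderr kinit admin/admin@SFTP.ATANG.COM prints which KDC addresses and ports the library actually tried.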
Installing the Kerberos client on macOS
(base) ZBMAC-9b3ab3c69:~ atang$ brew install krb5
Copy the server's krb5.conf to /etc/krb5.conf on the local machine.
(base) ZBMAC-9b3ab3c69:~ atang$ klist
Ticket cache: KCM:74F69F75-9ABC-4030-8328-AFA167CF135E
Default principal: atang@atang.local
Valid starting Expires Service principal
02 4 2021 09:47:58 02 4 2021 19:47:58 krbtgt/atang.local@atang.local
renew until 09 4 2021 09:47:58
(base) ZBMAC-9b3ab3c69:~ atang$
(base) ZBMAC-9b3ab3c69:~ atang$ kinit admin/admin
Password for admin/admin@SFTP.ATANG.COM:
(base) ZBMAC-9b3ab3c69:~ atang$ klist
Ticket cache: KCM:673152771:1
Default principal: admin/admin@SFTP.ATANG.COM
Valid starting Expires Service principal
02 4 2021 11:00:21 03 4 2021 11:00:21 krbtgt/sftp.atang.com@SFTP.ATANG.COM
(base) ZBMAC-9b3ab3c69:~ atang$