Install MIT Kerberos

Source: https://blog.csdn.net/xwd127429/article/details/106047036

Debian installation guide: http://techpubs.spinlocksolutions.com/dklar/kerberos.html

Single-host installation of MIT Kerberos on Ubuntu 18.04: KDC, admin server and a kerberized SSH server all on one machine.

Preparation

Set the hostname to krb1.example.com. The same name is given to the installer as the KDC and admin server below and is used for the host principal and the SSH test at the end, so it must be consistent everywhere and must resolve to the machine's real address (not 127.0.0.1), because service principal names are built from the canonical hostname.

/etc/hosts:

    127.0.0.1  localhost
    10.1.25.31  krb1.example.com krb1

Install the packages

    sudo apt install krb5-{admin-server,kdc}

Answer the debconf prompts as follows:

    Default Kerberos version 5 realm? EXAMPLE.COM
    
    Kerberos servers for your realm: krb1.example.com
    
    Administrative server for your Kerberos realm: krb1.example.com

Configuration

Create the realm

Run sudo krb5_newrealm to create the realm database and the stash file.

The master key derived from the password entered here is stored in /etc/krb5kdc/stash so the KDC can start unattended. Together with /var/lib/krb5kdc/principal it decrypts every key in the realm, so keep both readable by root only and include the stash in database backups. The prompts look like this:

    This script should be run on the master KDC/admin server to initialize
    a Kerberos realm.  It will ask you to type in a master key password.
    This password will be used to generate a key that is stored in
    /etc/krb5kdc/stash.  You should try to remember this password, but it
    is much more important that it be a strong password than that it be
    remembered.  However, if you lose the password and /etc/krb5kdc/stash,
    you cannot decrypt your Kerberos database.
    Loading random data
    Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    
    Enter KDC database master key: PASSWORD
    
    Re-enter KDC database master key to verify: PASSWORD

krb5.conf

Edit /etc/krb5.conf, mapping the DNS domain to the realm and sending the KDC, kadmind and library logs to files:

    [domain_realm]
    	...
    	.example.com = EXAMPLE.COM
    	example.com = EXAMPLE.COM
    	
    ...
    
    [logging]
    	kdc = FILE:/var/log/kerberos/krb5kdc.log
    	admin_server = FILE:/var/log/kerberos/kadmin.log
    	default = FILE:/var/log/kerberos/krb5lib.log

Create the log directory and files:

    sudo mkdir /var/log/kerberos
    sudo touch /var/log/kerberos/{krb5kdc,kadmin,krb5lib}.log
    sudo chmod -R 750  /var/log/kerberos

Restart the services:

    sudo systemctl restart krb5-kdc
    sudo systemctl restart krb5-admin-server

Verify the installation

Run sudo kadmin.local to enter the local administration shell. It opens the database file directly, so it needs root on the KDC but no Kerberos credentials and no kadm5.acl entry, which is why it works before any admin principal exists.

For example (listprincs lists every principal; quit leaves the shell):

    sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    kadmin.local:  listprincs
    
    K/M@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/krb1.EXAMPLE.COM@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    
    kadmin.local:  quit

Access control

Grant administrative principals, those whose instance is admin, full rights on the admin server. The pattern */admin matches any principal in the default realm whose second component is admin, and * grants every permission except key extraction (e). That is convenient for a lab; in a production realm list named administrators (for example root/admin@EXAMPLE.COM *) and give other operators only the permission letters they need.

Edit /etc/krb5kdc/kadm5.acl and add:

    */admin *

Restart the admin server (kadmind reads the ACL file at start-up):

    sudo systemctl restart krb5-admin-server
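The single ACL line above is broad. The evaluator below is an added example, not part of the original post, that applies the kadm5.acl matching rules (first matching line wins; lower-case letters grant, upper-case letters deny, * or x means every right except key extraction e; a pattern without a realm takes the default realm) so the effect of a file can be checked before it is deployed. The ACL texts and the principal names ops/admin and OTHER.REALM are constructed for illustration, fnmatch stands in for kadmind's own wildcard matcher, and *1-style back-references and the restrictions field are not handled.

```python
from fnmatch import fnmatchcase

# Added example (not from the original post): evaluate kadm5.acl lines.
# Assumptions: default realm EXAMPLE.COM as in the post; fnmatch in place of
# kadmind's wildcard matcher; back-references and restrictions are ignored.

DEFAULT_REALM = "EXAMPLE.COM"
FULL_RIGHTS = set("admcilsp")   # what '*' / 'x' expand to; 'e' (extract keys) is never implied


def parse_principal(name, default_realm=DEFAULT_REALM):
    """'root/admin' -> (['root', 'admin'], 'EXAMPLE.COM'); kadmind fills in the realm the same way."""
    if "@" in name:
        local, realm = name.rsplit("@", 1)
    else:
        local, realm = name, default_realm
    return local.split("/"), realm


def principal_matches(pattern, principal):
    """Component-wise wildcard match; component count and realm must match as well."""
    pcomps, prealm = parse_principal(pattern)
    ccomps, crealm = parse_principal(principal)
    if len(pcomps) != len(ccomps) or not fnmatchcase(crealm, prealm):
        return False
    return all(fnmatchcase(c, p) for p, c in zip(pcomps, ccomps))


def parse_acl(text):
    """Yield (client_pattern, granted_letters, target_pattern_or_None) per ACL line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        granted = set()
        for ch in perms:
            if ch in "*x":
                granted |= FULL_RIGHTS
            elif ch.islower():
                granted.add(ch)
            else:
                granted.discard(ch.lower())   # an upper-case letter revokes the right
        yield client, granted, target


def permissions_for(acl_text, client, target=None):
    """Permission letters `client` holds, for an operation on `target` if one is given.

    As in kadmind, the first line whose client pattern (and target pattern, when
    present) matches decides; a client that matches no line has no rights at all.
    """
    for pattern, granted, tpattern in parse_acl(acl_text):
        if not principal_matches(pattern, client):
            continue
        if tpattern is not None and target is not None and not principal_matches(tpattern, target):
            continue
        return granted
    return set()


POST_ACL = "*/admin *\n"   # the line added above: every */admin principal gets everything

# Constructed alternative: one named administrator with full rights; any other
# */admin principal may only change passwords (c) and inquire (i).
NARROW_ACL = "root/admin@EXAMPLE.COM *\n*/admin ci\n"

if __name__ == "__main__":
    for acl_name, acl in (("post", POST_ACL), ("narrow", NARROW_ACL)):
        for who in ("root/admin", "ops/admin", "xwd", "root/admin@OTHER.REALM"):
            print(acl_name, who, "".join(sorted(permissions_for(acl, who))) or "-")
```

Run it to see that under the post's line ops/admin is as powerful as root/admin, while xwd and a root/admin from another realm get nothing; the narrow file keeps full rights on one named principal.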

Kerberos policies

Add four password policies that set a minimum length and a minimum number of character classes. MIT counts five classes: lower-case letters, upper-case letters, digits, punctuation, and whitespace/other characters. A policy is only enforced for principals that are created or modified with -policy, as done below.

    sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    kadmin.local:  add_policy -minlength 8 -minclasses 3 admin
    kadmin.local:  add_policy -minlength 8 -minclasses 4 host
    kadmin.local:  add_policy -minlength 8 -minclasses 4 service
    kadmin.local:  add_policy -minlength 8 -minclasses 2 user
    
    kadmin.local:  quit
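Added example, not part of the original post: a pre-check that applies the four policies above the way kadmind evaluates them (length, then the number of character classes, using the five classes from the kadmin documentation). It also rejects a password equal to one of the principal's name components, which kadmind refuses as well (reported as a dictionary failure). ASCII passwords are assumed; the dictionary file and password-history checks are not reproduced, and the sample passwords are constructed.

```python
import string

# Added example (not from the original post): pre-check a password against the
# policies created with add_policy above, the way kadmind evaluates them.
# Assumes ASCII passwords; dictionary and history checks are not reproduced.

# policy name -> (minlength, minclasses), exactly as created above
POLICIES = {
    "admin":   (8, 3),
    "host":    (8, 4),
    "service": (8, 4),
    "user":    (8, 2),
}


def character_classes(password):
    """Return the set of MIT character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")          # whitespace and non-printable characters
    return classes


def check_password(password, principal, policy):
    """Return the list of policy violations; an empty list means kadmind would accept it."""
    minlength, minclasses = POLICIES[policy]
    problems = []
    if len(password) < minlength:
        problems.append("too short: %d < %d" % (len(password), minlength))
    nclasses = len(character_classes(password))
    if nclasses < minclasses:
        problems.append("too few character classes: %d < %d" % (nclasses, minclasses))
    # kadmind also refuses a password equal to a component of the principal name
    local = principal.split("@", 1)[0]
    if password in local.split("/"):
        problems.append("password equals a principal name component")
    return problems


if __name__ == "__main__":
    for pw, princ, pol in (("Tr0ub4dor&3", "root/admin", "admin"),
                           ("password", "xwd", "user"),
                           ("Abcdefg1", "host/krb1.example.com", "host")):
        print("%-12s %-22s %-8s %s" % (pw, princ, pol, check_password(pw, princ, pol) or "ok"))
```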

Create the first privileged principal

It is created with the admin policy, so its password needs at least 8 characters from at least 3 character classes. Because it matches */admin in kadm5.acl, this is the principal used for remote administration through kadmin from here on.

    sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    kadmin.local:  addprinc -policy admin root/admin
    
    Enter password for principal "root/admin@EXAMPLE.COM": PASSWORD
    Re-enter password for principal "root/admin@EXAMPLE.COM": PASSWORD
    Principal "root/admin@EXAMPLE.COM" created.
    
    kadmin.local:  quit

Test kadmin

    kadmin -p root/admin
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    Password for root/admin@EXAMPLE.COM: PASSWORD
    
    kadmin:  listprincs
    
    K/M@EXAMPLE.COM
    root/admin@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/history@EXAMPLE.COM
    kadmin/krb1.EXAMPLE.COM@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    
    kadmin:  quit

Create the first unprivileged principal

    kadmin -p root/admin
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    Password for root/admin@EXAMPLE.COM: PASSWORD
    
    kadmin:  addprinc -policy user xwd
    
    Enter password for principal "xwd@EXAMPLE.COM": PASSWORD
    Re-enter password for principal "xwd@EXAMPLE.COM": PASSWORD
    Principal "xwd@EXAMPLE.COM" created.
    
    kadmin:  quit

Obtain a Kerberos ticket

Before (the cache file name ends in the calling user's uid; the listing below was taken as root, the one after kinit as uid 1000):

    klist -f
    
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Obtain one:

    kinit xwd
    
    Password for xwd@EXAMPLE.COM: PASSWORD

After (the flags are F forwardable, P proxiable, R renewable, I initial, A pre-authenticated):

    klist -f
    
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: xwd@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    11/22/06 22:30:36  11/23/06 08:30:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 11/23/06 22:30:34, Flags: FPRIA

Destroy it when done (a credentials cache left behind can be used by anyone who can read the file):

    kdestroy

Install kerberized services

Using openssh-server as the example.

Install:

    sudo apt install openssh-server

Add a host principal for the SSH server and export its key to the system keytab. The principal must be host/<FQDN of the SSH server>, here host/krb1.example.com (the Debian guide this is adapted from uses its own host, monarch.example.com). -randkey gives it a random key, since a service never types a password. ktadd writes /etc/krb5.keytab on the machine where kadmin runs, so run it as root and keep the file root-only (mode 0600):

    sudo kadmin -p root/admin
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    
    Password for root/admin@EXAMPLE.COM: PASSWORD
    
    kadmin:  addprinc -policy service -randkey host/krb1.example.com
    
    Principal "host/krb1.example.com@EXAMPLE.COM" created.
    
    kadmin:  ktadd -k /etc/krb5.keytab host/krb1.example.com
    
    Entry for principal host/krb1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/krb1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
    
    kadmin:  quit
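Added example, not part of the original post: a reader for the file ktadd just wrote, so an operator can audit which principals, key versions and encryption types a host holds (and spot stale or weak keys) without kadmin access. The on-disk layout it parses is the MIT keytab version 2 format: the magic bytes 0x05 0x02, then big-endian, length-prefixed entries where a negative length marks a slot that ktremove deleted, each entry carrying the realm, the name components, name type, timestamp, an 8-bit kvno, the key block and, in files written by current MIT, a trailing 32-bit kvno. The sample keytab, its RC4 entry and the key bytes are constructed in memory and are not real keys.

```python
import struct

# Added example (not from the original post): parse the MIT keytab that ktadd
# writes, to audit principals, key versions and encryption types on a host.
# The sample keytab and its key material are constructed below.

ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}        # single DES and RC4 keys do not belong in a keytab


def _counted(data):
    """Length-prefixed octet string, the building block of the keytab format."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab v2 bytes."""
    out = bytearray(b"\x05\x02")                         # magic: format version 2
    for principal, kvno, enctype, key in entries:
        local, realm = principal.rsplit("@", 1)
        comps = local.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit vno written by current MIT
        out += struct.pack(">i", len(body)) + body         # signed length; negative = deleted slot
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live entry: principal, kvno, enctype name and a weak flag."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is supported")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                                      # slot deleted by ktremove: skip it
            pos += -size
            continue
        body, pos, off = blob[pos:pos + size], pos + size, 0
        (ncomps,) = struct.unpack_from(">H", body, off)
        off += 2
        strings = []
        for _ in range(ncomps + 1):                        # realm first, then each component
            (n,) = struct.unpack_from(">H", body, off)
            off += 2
            strings.append(body[off:off + n].decode())
            off += n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", body, off)
        off += 4 + keylen                                  # the key itself is not needed to audit
        vno32 = struct.unpack_from(">I", body, off)[0] if len(body) - off >= 4 else 0
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": vno32 or vno8,
            "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


# Constructed sample mirroring the ktadd output above (kvno 2, two AES keys) plus
# a leftover RC4 key from an earlier kvno; the key bytes are dummies.
SAMPLE = build_keytab([
    ("host/krb1.example.com@EXAMPLE.COM", 2, 18, bytes(range(32))),
    ("host/krb1.example.com@EXAMPLE.COM", 2, 17, bytes(range(16))),
    ("host/krb1.example.com@EXAMPLE.COM", 1, 23, bytes(range(16))),
])
# The same file with a 3-byte hole left by ktremove: a negative length marks it.
SAMPLE_WITH_HOLE = SAMPLE[:2] + struct.pack(">i", -3) + b"\0" * 3 + SAMPLE[2:]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print("%-36s kvno %d  %s%s" % (e["principal"], e["kvno"], e["enctype"],
                                       "  <-- weak" if e["weak"] else ""))
```

To audit a real host, read /etc/krb5.keytab as root and pass the bytes to parse_keytab; compare the kvno against getprinc output on the KDC, since an entry with an older kvno than the KDC holds no longer authenticates anything and should be removed with ktremove.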

Edit /etc/ssh/sshd_config (GSSAPIKeyExchange comes from the GSSAPI patch carried by Debian and Ubuntu's OpenSSH packages; upstream OpenSSH does not have the option):

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIKeyExchange yes
    UsePAM yes

Restart the service:

    sudo systemctl restart ssh

PAM configuration

With pam_krb5, a user who logs in with a password is authenticated against the KDC and gets a ticket cache for the session automatically, without running kinit. An SSH login that already authenticated with GSSAPI does not go through the PAM auth stack; the change matters for password logins.

Install the Kerberos PAM module:

    sudo apt install libpam-krb5

Become root and keep a copy of the PAM configuration so it can be restored:

    sudo su -
    cd /etc
    cp -a pam.d pam.d,orig

Edit the PAM configuration. Keep a root shell open while doing this, because a mistake in these files can lock out every login. minimum_uid=1000 keeps root and system accounts on local pam_unix authentication, so a KDC outage cannot lock out root:

    /etc/pam.d/common-account

    account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
    account requisite                       pam_deny.so
    account required                        pam_permit.so
    account required                        pam_krb5.so minimum_uid=1000

    /etc/pam.d/common-auth

    auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
    auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
    auth    requisite                       pam_deny.so
    auth    required                        pam_permit.so
    auth    optional                        pam_cap.so

    /etc/pam.d/common-password

    password        [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
    password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
    password        requisite                       pam_deny.so
    password        required                        pam_permit.so

    /etc/pam.d/common-session

    session [default=1]                     pam_permit.so
    session requisite                       pam_deny.so
    session required                        pam_permit.so
    session optional                        pam_krb5.so minimum_uid=1000
    session required        pam_unix.so
    
    # If elogind and libpam-elogind are installed:
    session optional                        pam_elogind.so

After changing these files, restart the service you want to log in through, here ssh:

    sudo systemctl restart ssh

Install kerberized clients

    sudo apt install openssh-client

Test the connection

Using the user xwd as the example. The ssh client must have GSSAPIAuthentication yes (Ubuntu's default /etc/ssh/ssh_config sets it) and must use a krb5.conf that points at the KDC, which on this single host is already the case.

If xwd does not exist as a local account yet, create one. Kerberos authenticates the principal, but sshd still needs a matching local account; no local password is set:

    sudo adduser --disabled-password xwd

Obtain a Kerberos ticket:

    kinit xwd

Confirm that a ticket is held:

    klist -f

Try to connect:

    ssh xwd@krb1.example.com

If everything is in order, the SSH login succeeds without a password prompt, authenticated with the ticket obtained by kinit.

