Quickly setting up a Kerberos environment
- 1. Install Kerberos
- 2. Edit the configuration files
- 2.1 Edit krb5.conf
- 2.2 Edit kdc.conf
- 3. Create the principal database
- 4. Add the administrator to the ACL file kadm5.acl
- 5. Add the administrator to the database
- 6. Start the services
- 7. The log files
- 8. Validation
- kinit
- klist
1. Install Kerberos
yum -y install krb5-server krb5-libs krb5-workstation
(The library package is krb5-libs, not krb5-lib. krb5-server provides the KDC and kadmind, krb5-workstation the kinit, klist and kadmin client tools.)
2. Edit the configuration files
Modify the two configuration files, krb5.conf and kdc.conf:
krb5.conf location: /etc/krb5.conf
kdc.conf location: /var/kerberos/krb5kdc/kdc.conf
Mind the case of the realm name! Realm names are case-sensitive and by convention upper-case (SFTP.ATANG.COM) while hostnames are lower-case; if the realm is spelled differently in krb5.conf, kdc.conf and the principals you create later, kinit will not find the realm.
2.1 Edit krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SFTP.ATANG.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 SFTP.ATANG.COM = {
  kdc = sftp.atang.com
  admin_server = sftp.atang.com
 }

[domain_realm]
 # .example.com = EXAMPLE.COM
 # example.com = EXAMPLE.COM
The kdc and admin_server hostnames must resolve from every client, the KDC itself included, otherwise kinit fails with "Cannot contact any KDC" (see the validation section). forwardable = true requests a forwardable TGT on every kinit, which lets any service you forward credentials to act as you; leave it unset unless you need delegation, and pass kinit -f when you do. The [domain_realm] entries are the template's commented-out examples; with a single realm and dns_lookup_realm = false, default_realm already covers every host.
2.2 Edit kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SFTP.ATANG.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
This is the stock template with only the realm name changed. supported_enctypes decides which key types every new principal gets, so the list above hands out RC4 (arcfour-hmac) and 3DES keys next to AES (the single-DES entries are ignored unless allow_weak_crypto = true is set in krb5.conf, but they are still clutter). Unless a legacy client needs them, trim the list to the AES types, e.g. supported_enctypes = aes256-cts:normal aes128-cts:normal, and uncomment master_key_type = aes256-cts. Do both before step 3: the master key type is fixed when the database is created, and supported_enctypes is applied at the moment each principal is added.
3. Create the principal database
sh-4.2# kdb5_util create -r SFTP.ATANG.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SFTP.ATANG.COM',
master key name 'K/M@SFTP.ATANG.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Because of -s, the master key is also written to a stash file (/var/kerberos/krb5kdc/.k5.SFTP.ATANG.COM, hidden from the ls below) so that krb5kdc and kadmind can start without prompting. Anyone who can read the stash can decrypt every key in the database, so it needs the same protection as the database files. The command creates these files:
-rw------- 1 root root 8192 Apr 1 14:26 principal
-rw------- 1 root root 8192 Apr 1 14:26 principal.kadm5
-rw------- 1 root root 0 Apr 1 14:26 principal.kadm5.lock
-rw------- 1 root root 0 Apr 1 14:26 principal.ok
Kerberos database files: principal, principal.ok
Kerberos administrative database file: principal.kadm5
administrative database lock file: principal.kadm5.lock
4. Add the administrator to the ACL file kadm5.acl
Each line of /var/kerberos/krb5kdc/kadm5.acl is a principal pattern followed by its permissions (* for all). Grant every principal with the admin instance in this realm full rights:
*/admin@SFTP.ATANG.COM *
The file as originally written here had two lines:
*/admin@EXAMPLE.COM *
admin@SFTP.ATANG.COM
The first is the template's placeholder realm and matches nobody in SFTP.ATANG.COM; the second has no permissions field, which kadmind reports at startup as "kadm5.acl: syntax error at line 2" (see the kadmind log below). Restart kadmind after editing the file so it is re-read.
5. Add the administrator to the database
kadmin.local works on the database directly as root, so it needs neither kadmind nor an ACL entry; that is why this step works before the daemons are started.
sh-4.2# kadmin.local
Authenticating as principal root/admin@SFTP.ATANG.COM with password.
kadmin.local: addprinc admin/admin@SFTP.ATANG.COM
WARNING: no policy specified for admin/admin@SFTP.ATANG.COM; defaulting to no policy
Enter password for principal "admin/admin@SFTP.ATANG.COM":
Re-enter password for principal "admin/admin@SFTP.ATANG.COM":
Principal "admin/admin@SFTP.ATANG.COM" created.
6. Start the services
At this point, you are ready to start the Kerberos KDC (krb5kdc) and administrative daemons on the master KDC. To do so, type:
# krb5kdc
# kadmind
Started this way the daemons fork into the background but will not come back after a reboot; on systemd hosts use systemctl enable --now krb5kdc kadmin instead (the unit names shipped with krb5-server). Either way they run as root, since they read the stashed master key and the mode 0600 database files shown above.
7. The log files
sh-4.2# tail /var/log/krb5kdc.log
otp: Loaded
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): setting up network...
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 10: udp ::.88 (pktinfo)
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 12: tcp 0.0.0.0.88
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): listening on fd 11: tcp ::.88
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99744](info): set up 4 sockets
Apr 01 15:04:30 sftp-server-test-52005ac9 krb5kdc[99745](info): commencing operation
sh-4.2#
sh-4.2# tail /var/log/kadmind.log
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 12: tcp 0.0.0.0.464
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 11: tcp ::.464
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 13: rpc 0.0.0.0.749
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): listening on fd 14: rpc ::.749
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](info): set up 6 sockets
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99746](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 2 <admin@SFTP.ATANG.COM...>
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99748](info): Seeding random number generator
Apr 01 15:04:34 sftp-server-test-52005ac9 kadmind[99748](info): starting
The (Error) line is kadmind rejecting the kadm5.acl written in step 4: its second line, admin@SFTP.ATANG.COM, has no permissions field. kadmind still reports "starting", but do not rely on a file it could not parse; correct it to */admin@SFTP.ATANG.COM * and restart kadmind. The krb5kdc log, with no errors and "commencing operation", shows the KDC listening on port 88 over UDP and TCP, and kadmind on 464 (password changes) and 749 (kadmin RPC).
8. Validation
kinit
sh-4.2# kinit admin/admin@SFTP.ATANG.COM
kinit: Cannot contact any KDC for realm 'SFTP.ATANG.COM' while getting initial credentials
Here the error means that the KDC hostname from krb5.conf (kdc = sftp.atang.com) does not resolve, so the client never reaches port 88 (the same message also appears when krb5kdc is not running or the port is firewalled). On the KDC itself, add the name to /etc/hosts:
127.0.0.1 sftp.atang.com
On any other client map the name to the KDC's real IP address or create a DNS record instead; a 127.0.0.1 entry only works on the KDC. Then retry:
sh-4.2# kinit admin/admin@SFTP.ATANG.COM
Password for admin/admin@SFTP.ATANG.COM:
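The server-side steps above (install, write the three files, create the database, add the admin principal, start the daemons, kinit) as one non-interactive script. This is an added example, not code from the original post: it uses the post's realm, hostname and RHEL/CentOS 7 paths as assumed defaults, expects to run as root, takes the master and admin passwords from the environment, and additionally validates kadm5.acl before kadmind ever sees it (the mistake the post's kadmind log reports). It also hardens the two config files relative to the post: master_key_type is pinned to AES, the single-DES, RC4 and 3DES entries are dropped from supported_enctypes, and forwardable is left unset.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: RHEL/CentOS 7
# paths as in the post, run as root, REALM / KDC_HOST and the two
# passwords supplied through the environment. The defaults are the
# post's placeholder names, not real hosts.
set -euf   # -f: no globbing, ACL entries contain '*'

REALM="${REALM:-SFTP.ATANG.COM}"
KDC_HOST="${KDC_HOST:-sftp.atang.com}"
KDC_DIR="/var/kerberos/krb5kdc"

# krb5.conf as in step 2.1, with forwardable left unset (use kinit -f
# when delegation is actually needed). $1 = realm, $2 = KDC hostname.
render_krb5_conf() {
  cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $1
 dns_lookup_realm = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $1 = {
  kdc = $2
  admin_server = $2
 }
EOF
}

# kdc.conf as in step 2.2, with the master key pinned to AES and the
# single-DES, RC4 and 3DES entries dropped from supported_enctypes.
render_kdc_conf() {
  cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  master_key_type = aes256-cts
  acl_file = $KDC_DIR/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = $KDC_DIR/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# kadm5.acl as in step 4: one "principal permissions" pair per line.
render_kadm5_acl() {
  printf '*/admin@%s *\n' "$1"
}

# Reads an ACL on stdin and fails on any entry without a permissions
# field, which is what kadmind logs as "kadm5.acl: syntax error at line N".
check_kadm5_acl() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    set -- $line                          # split into principal + permissions
    [ "$#" -eq 0 ] && continue            # blank line
    case "$1" in '#'*) continue ;; esac   # comment
    if [ "$#" -lt 2 ]; then
      echo "kadm5.acl line $n: no permissions field: $line" >&2
      return 1
    fi
  done
  return 0
}

# End-to-end setup; only runs when the script is invoked with --run.
setup_kdc() {
  : "${MASTER_PASSWORD:?set MASTER_PASSWORD (KDC master key)}"
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD (admin/admin principal)}"
  yum -y install krb5-server krb5-libs krb5-workstation
  grep -q "$KDC_HOST" /etc/hosts || printf '127.0.0.1 %s\n' "$KDC_HOST" >> /etc/hosts
  render_krb5_conf "$REALM" "$KDC_HOST" > /etc/krb5.conf
  render_kdc_conf "$REALM" > "$KDC_DIR/kdc.conf"
  render_kadm5_acl "$REALM" > "$KDC_DIR/kadm5.acl"
  check_kadm5_acl < "$KDC_DIR/kadm5.acl"
  chmod 600 "$KDC_DIR/kdc.conf" "$KDC_DIR/kadm5.acl"
  # -s stashes the master key so the daemons start unattended; -P skips the prompt.
  kdb5_util create -r "$REALM" -s -P "$MASTER_PASSWORD"
  kadmin.local -q "addprinc -pw $ADMIN_PASSWORD admin/admin@$REALM"
  systemctl enable --now krb5kdc kadmin
  # An ACL syntax error only shows up in the kadmind log, not on the console.
  if grep -q 'kadm5.acl: syntax error' /var/log/kadmind.log; then
    echo "kadmind rejected $KDC_DIR/kadm5.acl; see /var/log/kadmind.log" >&2
    return 1
  fi
  printf '%s\n' "$ADMIN_PASSWORD" | kinit "admin/admin@$REALM"
  klist
}

if [ "${1:-}" = "--run" ]; then
  setup_kdc
fi
```

Run it as MASTER_PASSWORD=... ADMIN_PASSWORD=... sh setup-kdc.sh --run on the KDC host. Without --run it only defines the functions, so render_kadm5_acl and check_kadm5_acl can be sourced and used on their own, for example check_kadm5_acl < /var/kerberos/krb5kdc/kadm5.acl to lint an existing ACL before restarting kadmind.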
klist
Installing the Kerberos client on macOS
(base) ZBMAC-9b3ab3c69:~ atang$ brew install krb5
Copy the server's krb5.conf to /etc/krb5.conf on the Mac. Homebrew installs krb5 keg-only, so unless $(brew --prefix krb5)/bin is put first in PATH the kinit and klist below are the macOS system tools; both read /etc/krb5.conf. On this client the KDC hostname must resolve to the KDC's real address, not 127.0.0.1.
Before authenticating to the new realm, klist only shows the Mac's own pre-existing ticket for atang@atang.local:
(base) ZBMAC-9b3ab3c69:~ atang$ klist
Ticket cache: KCM:74F69F75-9ABC-4030-8328-AFA167CF135E
Default principal: atang@atang.local

Valid starting       Expires              Service principal
02 4 2021 09:47:58   02 4 2021 19:47:58   krbtgt/atang.local@atang.local
        renew until 09 4 2021 09:47:58
Obtain a TGT from the new realm (the realm is filled in from default_realm in the copied krb5.conf) and list it; the 24h lifetime matches ticket_lifetime in krb5.conf:
(base) ZBMAC-9b3ab3c69:~ atang$ kinit admin/admin
Password for admin/admin@SFTP.ATANG.COM:
(base) ZBMAC-9b3ab3c69:~ atang$ klist
Ticket cache: KCM:673152771:1
Default principal: admin/admin@SFTP.ATANG.COM

Valid starting       Expires              Service principal
02 4 2021 11:00:21   03 4 2021 11:00:21   krbtgt/sftp.atang.com@SFTP.ATANG.COM