Kerberos
===================================================
На Virtualbox при выполнении команды
# kdb5_util create -s
Выводится строчка:
Loading random data
И процесс может выполняться очень долго.
Проблема решается, если подключиться к консоли виртуальной машины: kdb5_util ждёт накопления случайных данных в системе, а активность в консоли ускоряет их появление.
===================================================
• AS (Authentication Server) = Сервер аутентификации
• TGS (Ticket Granting Server) = Сервер предоставления билетов
• SS (Service Server) = Ресурс, предоставляющий некий сервис, к которому требуется
получить доступ
• TGT (Ticket Granting Ticket) = Билет для получения билета
В двух словах клиент аутентифицируется на AS, используя свой долгосрочный секретный ключ,
и получает билет от AS. Позже клиент может использовать этот билет для получения
дополнительных билетов на доступ к ресурсам SS без необходимости прибегать к
использованию своего секретного ключа.
Server
[root@server ~]# yum install -y \
krb5-server \
krb5-libs \
krb5-workstation
[root@server ~]# chkconfig --level 345 kadmin on
[root@server ~]# chkconfig --level 345 krb5kdc on
[root@server ~]# cp /etc/krb5.conf /etc/krb5.conf.orig
Внимание!!! Имя домена Kerberos (Kerberos realm) необходимо указывать в ВЕРХНЕМ РЕГИСТРЕ!!!!
[root@server ~]# cat > /etc/krb5.conf << EOF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCALNET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
LOCALNET = {
kdc = server.localdomain
admin_server = server.localdomain
}
[domain_realm]
.localdomain = LOCALNET
localdomain = LOCALNET
EOF
[root@server ~]# cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.orig
[root@server ~]# cat > /var/kerberos/krb5kdc/kdc.conf << EOF
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
LOCALNET = {
#master_key_type = aes256-cts
# ВНИМАНИЕ: des-* и arcfour-hmac в supported_enctypes ниже — устаревшие слабые алгоритмы; оставляйте их только ради старых клиентов
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF
Create the Database
[root@server ~]# kdb5_util create -s
Update /var/kerberos/krb5kdc/kadm5.acl for principals who have administrative access to the Kerberos database
[root@server ~]# cat > /var/kerberos/krb5kdc/kadm5.acl << EOF
*/admin@LOCALNET *
EOF
[root@server ~]# service kadmin restart
====================================
Kerberos Client
[root@client ~]# yum install -y \
krb5-libs \
krb5-workstation
[root@client ~]# cp /etc/krb5.conf /etc/krb5.conf.orig
[root@client ~]# cat > /etc/krb5.conf << EOF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCALNET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
LOCALNET = {
kdc = server.localdomain
admin_server = server.localdomain
}
[domain_realm]
.localdomain = LOCALNET
localdomain = LOCALNET
EOF
=====================================================
Server и Client
# vi /etc/ssh/sshd_config
заменить строку
GSSAPIAuthentication no
на
GSSAPIAuthentication yes
# service sshd restart
====================
Server
[root@server ~]# useradd user1
[root@server ~]# passwd user1
Create the first user principal (note: kadm5.acl above grants admin rights only to */admin@LOCALNET principals, so user1 alone has no administrative access)
[root@server ~]# kadmin.local -q "addprinc user1"
[root@server ~]# kadmin.local -q "listprincs"
[root@server ~]# kadmin.local -q "addprinc -randkey host/client.localdomain"
[root@server ~]# kadmin.local -q "ktadd -k /home/user1/server.keytab host/client.localdomain"
[root@server ~]# chown user1 ~user1/server.keytab
[root@server ~]# service krb5kdc restart
=====================
Client
[root@client ~]# useradd user1
[root@client ~]# scp user1@server.localdomain:server.keytab .
[root@client /]# cat /root/server.keytab
SLOCALNEThostclient.localdomainS�� J ��v��gE֭����&�.Фà��CLOCALNEThostclient.localdomainS��C�cS"���y� ���KLOCALNEThostclient.localdomainS��%R�]CLOCALNEThostclient.localdomainS����;�5hfn�;LOCALNEThostclient.localdomainS�nJ� F�);LOCALNEThostclient.localdomainS�����[root@client /]#
[root@client ~]# ktutil
ktutil: rkt /root/server.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/client.localdomain@LOCALNET
2 2 host/client.localdomain@LOCALNET
3 2 host/client.localdomain@LOCALNET
4 2 host/client.localdomain@LOCALNET
5 2 host/client.localdomain@LOCALNET
6 2 host/client.localdomain@LOCALNET
ktutil: wkt /etc/krb5.keytab
ktutil: quit
===============
Server
[root@server ~]# su - user1
[user1@server ~]$ kinit user1
[user1@server ~]$ klist
-- Подключаемся к client с какой-нибудь другой машины в локальной сети
user1@notebook:~$ ssh client.localdomain
-- При необходимости — с отладочным выводом (debug)
user1@notebook:~$ ssh -vv client.localdomain
http://beginlinux.com/blog/2010/02/kerberos-server-set-up/
http://www.linuxproblems.org/wiki/Set_up_kerberos_on_Centos_6
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-server.html