由于最近环境需要用到Kerberos认证,之前对Kerberos这块了解甚少,今天抽空自己手动安装一下Kerberos,以此加深对Kerberos的理解。
1 选择一台机器运行KDC,安装Kerberos相关服务
# KDC host: the KDC daemon itself (krb5-server), the client tools used in the
# later steps (krb5-workstation) and the headers (krb5-devel). -y skips the prompt.
yum -y install krb5-server krb5-workstation krb5-devel
2 配置Kerberos,包括 /etc/krb5.conf 和 /var/kerberos/krb5kdc/kdc.conf,修改其中的realm,把默认的realm修改为自己要定义的值(下文以 TRAFKDC.COM 为例)
[root@cent-1 ~]# cat /etc/krb5.conf
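[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # Changed: realm assumed when a principal name carries none.
 default_realm = TRAFKDC.COM
 # Realm and KDC locations come from this file only, never from DNS
 # (keeps an attacker who controls DNS from redirecting clients to a rogue KDC).
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 # Changed: realm name and the host that runs krb5kdc and kadmind.
 # namenode01 must resolve from every client. Note that in the transcripts
 # below the KDC host shows up as cent-1 (kadmin/cent-1.novalocal), so make
 # sure namenode01 really points at that machine.
 TRAFKDC.COM = {
  kdc = namenode01
  admin_server = namenode01
 }

[domain_realm]
 # Changed: hosts in the trafkdc.com DNS domain belong to realm TRAFKDC.COM.
 # The lookup is done on the lower-cased host name, so the keys are written in
 # lower case (the original ".TRAFKDC.com" would not match a real host name).
 .trafkdc.com = TRAFKDC.COM
 trafkdc.com = TRAFKDC.COM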
[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
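[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 # Changed: realm name must match default_realm in /etc/krb5.conf.
 TRAFKDC.COM = {
  # Added: tickets live at most 24h but may be renewed for up to 7 days,
  # and new principals are renewable unless the flag is removed explicitly.
  max_life = 24h
  max_renewable_life = 7d
  default_principal_flags = +renewable
  # Protect the database master key (K/M) with AES-256. This must be set
  # before "kdb5_util create" runs; the original left it commented out.
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # AES only. The original list also enabled des3-hmac-sha1, arcfour-hmac (RC4),
  # des-hmac-sha1, des-cbc-md5 and des-cbc-crc. Single DES is broken and RC4 is
  # deprecated, and every enctype listed here becomes a key in each new principal
  # and in every exported keytab (see the xst output later in this page), so the
  # weak ones would be stored and usable everywhere. aes256 on Java clients needs
  # the unlimited JCE policy (step 7) on JDKs older than 8u161.
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }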
3 创建KDC数据库,其中需要设置数据库主密钥(master key)口令,创建完成会在/var/kerberos/krb5kdc/下面生成一系列文件,若重建数据库则需先删除/var/kerberos/krb5kdc下面principal相关文件。注意 -s 参数会把主密钥存入 stash 文件供 krb5kdc 无人值守启动时读取,该文件与 principal 数据库同样敏感:权限必须保持仅 root 可读,备份时也要一并加密保护。
[root@cent-1 ~]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TRAFKDC.COM',
master key name 'K/M@TRAFKDC.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@cent-1 ~]# ll /var/kerberos/krb5kdc/
total 24
-rw-------. 1 root root 22 Mar 9 2016
-rw-------. 1 root root 403 Jan 13 10:18
-rw-------. 1 root root 8192 Jan 13 10:23 principal
-rw-------. 1 root root 8192 Jan 13 10:23 principal.kadm5
-rw-------. 1 root root 0 Jan 13 10:23 principal.kadm5.lock
-rw-------. 1 root root 0 Jan 13 10:24
4 给数据库管理员添加ACL权限,修改 /var/kerberos/krb5kdc/kadm5.acl 文件,*代表全部权限。注意这一行表示任何 instance 为 admin 的 principal(形如 xxx/admin@TRAFKDC.COM)都拥有对整个数据库的全部权限,因此这类 principal 应尽量少建,并使用强口令保护。
[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@TRAFKDC.COM *
5 添加数据库管理员,注意 kadmin.local 可以直接运行在KDC上,而无需通过Kerberos认证(它直接读写本机的 principal 数据库文件,因此只能以 root 在 KDC 上执行)
[root@cent-1 ~]# /usr/sbin/kadmin.local -q "addprinc kdcadmin/admin"
Enter password for principal "kdcadmin/admin@TRAFKDC.COM":
Re-enter password for principal "kdcadmin/admin@TRAFKDC.COM":
Principal "kdcadmin/admin@TRAFKDC.COM" created.
[root@cent-1 ~]# kadmin.local
Authenticating as principal centos/admin@TRAFKDC.COM with password.
kadmin.local: listprinc
kadmin.local: Unknown request "listprinc". Type "?" for a request list.
kadmin.local: listprincs
K/M@TRAFKDC.COM
kdcadmin/admin@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM
6 启动Kerberos进程并设置开机启动,通过 /var/log/krb5kdc.log 和 /var/log/kadmind.log 查看日志,通过kinit检查Kerberos正常运行
# Start the KDC and the admin server now, and enable both at boot.
# (SysV init as on CentOS 6; on a systemd host this is `systemctl enable --now`.)
for svc in krb5kdc kadmin; do
  service "$svc" start
  chkconfig "$svc" on
done
7 配置JCE。原因是 Kerberos 默认会用到 AES-256(取决于 KDC 的 supported_enctypes/master_key_type 以及客户端 krb5.conf 的 enctype 设置),而旧版 JDK 自带的加密策略不允许 256 位 AES,因此需要在所有运行 Java 的节点安装并配置 JCE:把 local_policy.jar 和 US_export_policy.jar 两个文件都覆盖到每个 JDK 的 jre/lib/security/ 目录下。注意:JDK 8u161 及更新版本默认已启用无限制加密策略,不再需要此步骤;策略文件只应从 Oracle 官网下载并核对校验值,不要使用来源不明的 jar。JCE下载路径: /technetwork/java/javase/downloads/
[root@cent-1 UnlimitedJCEPolicyJDK8]# ll
total 16
-rw-rw-r--. 1 root root 3035 Dec 21 2013 local_policy.jar
-rw-r--r--. 1 root root 7323 Dec 21 2013
-rw-rw-r--. 1 root root 3023 Dec 21 2013 US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/ /usr/java/jdk1.8.0_11/jre/lib/security/
local_policy.jar US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/US_export_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/US_export_policy.jar'? y
8 到此,Kerberos服务端已搭好,现在选择另外一台机器安装客户端,并配置 /etc/krb5.conf 与KDC相同
# A client host only needs the workstation tools (kinit, klist, kadmin, ...).
yum -y install krb5-workstation
9 验证客户端可以访问KDC
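# Check that the client can reach kadmind on the KDC and that the admin
# principal works. kadmin prompts for the password; do NOT pass it with -w as
# the original did -- a command-line argument is visible to every local user
# via `ps` and is written to the shell history. -s is the admin_server host
# from krb5.conf (or its IP); -q runs a single kadmin command and exits.
kadmin -p 'kdcadmin/admin' -s '<kdc server ip>' -q 'list_principals'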
10 kadmin生成keytab,如果是在KDC上面直接运行 kadmin.local,如果是在客户端则运行 kadmin(它会自行以管理员身份向 kadmind 认证并提示输入密码,并不依赖事先 kinit)。注意:keytab 等同于该 principal 的密码,生成后应立即 chown 给使用它的服务账号并 chmod 600;另外 xst/ktadd 默认会重新随机化密钥(kvno 加 1),之前导出的同一 principal 的 keytab 会随之失效。
(1)KDC
[root@cent-1 ~]# kadmin.local
Authenticating as principal trafodion/admin@TRAFKDC.COM with password.
kadmin.local: listprincs
K/M@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM
trafodion@TRAFKDC.COM
kadmin.local: xst -k /opt/trafodion.keytab trafodion
Entry for principal trafodion with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/trafodion.keytab.
[root@cent-1 opt]# ll /opt/
-rw-------. 1 root root 279 Jan 13 13:05 /opt/trafodion.keytab
(2)Client(kadmin 会以 -p 指定或默认的管理员 principal 自行认证并提示输入密码,如下所示,所以并不要求事先 kinit;这里的 kinit 只是顺带验证该账号能从 KDC 取到票据。建议使用第 5 步创建的 kdcadmin/admin 进行管理,而不是给内置的 kadmind 服务 principal kadmin/admin 设口令来登录)
[root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/admin@TRAFKDC.COM:
[root@cent-2 ~]# kadmin
Authenticating as principal kadmin/admin@TRAFKDC.COM with password.
Password for kadmin/admin@TRAFKDC.COM:
kadmin: addprinc centos
WARNING: no policy specified for centos@TRAFKDC.COM; defaulting to no policy
Enter password for principal "centos@TRAFKDC.COM":
Re-enter password for principal "centos@TRAFKDC.COM":
Principal "centos@TRAFKDC.COM" created.
kadmin: listprincs
K/M@TRAFKDC.COM
centos@TRAFKDC.COM
kadmin/admin@TRAFKDC.COM
kadmin/cent-1.novalocal@TRAFKDC.COM
kadmin/changepw@TRAFKDC.COM
krbtgt/TRAFKDC.COM@TRAFKDC.COM
trafodion@TRAFKDC.COM
11 相关Kerberos命令
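# Frequently used commands. Shell comments use '#', not '//'. kadmin-level
# commands (addprinc, ktadd/xst, ...) run inside kadmin / kadmin.local or via
# -q; kinit and klist are ordinary shell commands.

# Add a principal with a random key: it will only ever authenticate with its
# keytab, so there is no password to leak. kadmin prompts for the admin
# password -- do not pass it with -w, which exposes it in `ps` output and in
# the shell history (the original cheat sheet did).
kadmin -p 'kdcadmin/admin' -s '<kdc server>' -q 'addprinc -randkey trafodion'

# Export the principal's keys to a keytab. ktadd is a kadmin command, not a
# shell command, so it is wrapped in -q. ktadd re-randomizes the key (kvno +1)
# unless -norandkey is given (kadmin.local only), so earlier keytabs for the
# same principal stop working.
kadmin -p 'kdcadmin/admin' -s '<kdc server>' -q 'ktadd -k /opt/trafodion.keytab trafodion'

# A keytab is equivalent to the principal's password: only the account that
# uses it may read it.
chown '<service user>' /opt/trafodion.keytab
chmod 600 /opt/trafodion.keytab

# Obtain a TGT for the service principal from the keytab (no password prompt).
kinit -kt /opt/trafodion.keytab trafodion

# Show the current credential cache: principal and tickets held.
klist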