The hostnames of the test machines need to be written into /etc/hosts:
192.168.2.20 centos20.test.com
192.168.2.21 centos21.test.com
Environment overview:
centos20 is the KDC server; packages to install:
krb5-devel krb5-server krb5-workstation pam_krb5
centos21 is the client; packages to install:
krb5-devel krb5-workstation pam_krb5
Server installation procedure
1. Install the required packages
yum install krb5-libs krb5-server krb5-workstation pam_krb5
2. Edit the configuration files
2.1 File /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = TEST.COM
 dns_lookup_kdc = false
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
TEST.COM = {
  kdc = centos20.test.com
  admin_server = centos20.test.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.TEST.com = TEST.COM
TEST.com = TEST.COM
 test.com = TEST.COM
 .test.com = TEST.COM
2.2 File /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
# EXAMPLE.COM = {
#  #master_key_type = aes256-cts
#  acl_file = /var/kerberos/krb5kdc/kadm5.acl
#  dict_file = /usr/share/dict/words
#  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
#  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }
TEST.COM = {
  max_life = 24h
  max_renewable_life = 7d
  default_principal_flags = +renewable
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
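The supported_enctypes line in the realm stanza above still lists single-DES, triple-DES and RC4 (arcfour-hmac) types, which MIT Kerberos has deprecated or removed; the following check, added here and not part of the original post, reads a kdc.conf, reports those entries, and prints the same line with only the remaining types. It assumes the config is passed as a file path, and the sample stanza it reads is constructed inline from the block above.

```bash
#!/bin/bash
# Added example: audit supported_enctypes in a kdc.conf for deprecated enctypes.
# Assumption: the config is a file path; only the supported_enctypes key is inspected.

# Constructed sample kdc.conf, copied from the TEST.COM stanza in this post.
SAMPLE_KDC_CONF=$(mktemp)
cat >"$SAMPLE_KDC_CONF" <<'EOF'
[realms]
TEST.COM = {
  max_life = 24h
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

# Return 0 when the enctype name is deprecated or removed in MIT Kerberos, 1 otherwise.
is_weak_enctype() {
  case $1 in
    des-cbc-crc|des-cbc-md4|des-cbc-md5|des-hmac-sha1|des3-cbc-sha1|des3-hmac-sha1|arcfour-hmac|arcfour-hmac-exp|rc4-hmac|rc4-hmac-exp) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the entries (with their ':salt' suffix) of the active supported_enctypes line;
# commented-out lines such as "#  supported_enctypes = ..." are skipped.
enctype_entries() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1"
}

# Print every deprecated enctype named in the file, one per line.
weak_enctypes() {
  for entry in $(enctype_entries "$1"); do
    is_weak_enctype "${entry%%:*}" && echo "${entry%%:*}"
  done
  return 0
}

# Print a supported_enctypes line with the deprecated entries dropped.
hardened_enctypes_line() {
  line="supported_enctypes ="
  for entry in $(enctype_entries "$1"); do
    is_weak_enctype "${entry%%:*}" || line="$line $entry"
  done
  echo "$line"
}

echo "Deprecated enctypes in $SAMPLE_KDC_CONF:"
weak_enctypes "$SAMPLE_KDC_CONF"
hardened_enctypes_line "$SAMPLE_KDC_CONF"
```

Run it against /var/kerberos/krb5kdc/kdc.conf on the KDC to see which of the configured types a current MIT release no longer supports.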
3. Create the KDC database. You will be prompted to set a password (the KDC database master key). After creation, principal.* files are generated under /var/kerberos/krb5kdc/; to rebuild the database, just delete the principal.* files.
Command:
/usr/sbin/kdb5_util create -s
4. Grant ACL permissions to the database administrators by editing the kadm5.acl file; * means all permissions.
File /var/kerberos/krb5kdc/kadm5.acl
Contents: */admin@TEST.COM *
5. Start the KDC services
systemctl restart kadmin
systemctl restart krb5kdc
6. Add a database administrator. kadmin.local can be run directly on the KDC and needs no password authentication.
Command: kadmin.local
Inside that session run the following; you will be prompted for a password, which is later used for remote kadmin logins:
addprinc root/admin
Run the following to create an ordinary principal; you will again be prompted for a password:
addprinc myname
7. Add the server's hostname (or IP) to the Kerberos database
Command: kadmin.local
Inside that session run:
addprinc -randkey host/centos20.test.com
ktadd host/centos20.test.com
Command: klist -k
This command shows the keytab file exported from kadmin.
8. Edit /etc/ssh/ssh_config
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   GSSAPIKeyExchange yes
   GSSAPITrustDNS yes
Restart the sshd service
systemctl reload sshd
9. Configure PAM authentication
Use authconfig-tui, authconfig --enablekrb5 --update, or setup
10. Add a firewall rule, or disable the firewall
10.1 Add the rule
Add the file /etc/firewalld/services/kerberos.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>Kerberos</short>
    <description>Kerberos network authentication protocol server</description>
    <port protocol="tcp" port="88"/>
    <port protocol="udp" port="88"/>
    <port protocol="tcp" port="749"/>
</service>
Apply it:
firewall-cmd --permanent --add-service=kerberos
Reload the firewall:
firewall-cmd --reload
10.2 Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
iptables -F
11. Add principal information
File: /root/.k5login
Contents: myname@TEST.COM
Client configuration
1. Install packages
yum install -y krb5-libs krb5-workstation pam_krb5
On Ubuntu install:
apt install krb5-user
2. Update /etc/krb5.conf; its contents are the same as on the server
3. Add the client's hostname (or IP) to the Kerberos database
Commands:
Destroy any previous credentials
kdestroy
Log in to the KDC remotely
kadmin -p 'root/admin'
Inside that session add the principal
addprinc -randkey host/centos21.test.com
ktadd host/centos21.test.com
Show the generated keytab file
klist -k
Initialize the user (obtain a ticket)
kinit myname
View the credentials
klist
Test logging in to the remote machine
ssh root@centos20.test.com
If the client should log in without a password, edit the following files
On CentOS edit /etc/ssh/ssh_config
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   GSSAPIKeyExchange yes
   GSSAPITrustDNS yes
On Ubuntu edit /etc/ssh/sshd_config
GSSAPIAuthentication yes
Then restart the ssh service