Kerberos: SSH authentication login on CentOS 7

The names of the test machines need to be written into /etc/hosts:

192.168.2.20 centos20.test.com

192.168.2.21 centos21.test.com

Environment overview:

centos20 is the KDC server; the packages installed on it are:

krb5-devel krb5-server krb5-workstation pam_krb5

centos21 is the client; the packages installed on it are:

krb5-devel krb5-workstation pam_krb5

Server installation process

1. Install the required packages

yum install krb5-libs krb5-server krb5-workstation pam_krb5

2. Modify the configuration files

2.1 File /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = TEST.COM
 dns_lookup_kdc = false

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 TEST.COM = {
  kdc = centos20.test.com
  admin_server = centos20.test.com
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .test.com = TEST.COM
 test.com = TEST.COM

2.2 File /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
# EXAMPLE.COM = {
#  #master_key_type = aes256-cts
#  acl_file = /var/kerberos/krb5kdc/kadm5.acl
#  dict_file = /usr/share/dict/words
#  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
#  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }
 TEST.COM = {
  max_life = 24h
  max_renewable_life = 7d
  default_principal_flags = +renewable
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # the list below is copied from the stock template; the des-* and arcfour-hmac
  # entries are legacy types, keep only aes/camellia unless an old client needs them
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
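Both realm stanzas above (2.1 and 2.2) are edited by hand, and two mistakes are easy to make: pasting a realm block twice, and leaving the single-DES and RC4 types from the stock template in supported_enctypes. The script below is an added example, not code from the post; it parses the MIT profile format (sections and nested `{ ... }` stanzas) and flags both problems on a constructed sample that mirrors these files.

```python
"""Audit an MIT krb5 profile (krb5.conf / kdc.conf): flag realms defined twice and
single-DES / RC4 entries in supported_enctypes. Added example, not code from the post."""
WEAK_PREFIXES = ("des-", "arcfour-")  # single-DES and RC4 families; des3-* is not matched

def parse_profile(text):
    """Return {section: [(key, value), ...]}; a `{ ... }` stanza's value is a nested list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and indentation
        if not line or (not stack and not line.startswith("[")):
            continue                                    # blank, or before the first section
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], [])]
        elif line == "}":
            stack.pop()                                 # close the innermost stanza
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                            # open a nested stanza
                stack[-1].append((key, []))
                stack.append(stack[-1][-1][1])
            else:
                stack[-1].append((key, value))
    return sections

def audit(sections):
    """Return a list of findings; an empty list means nothing to flag."""
    findings, realms = [], sections.get("realms", [])
    names = [k for k, v in realms if isinstance(v, list)]
    for name in dict.fromkeys(names):                   # unique names, in file order
        if names.count(name) > 1:
            findings.append(f"realm {name} is defined {names.count(name)} times")
        stanza = next(v for k, v in realms if k == name)    # the first definition is used
        for key, value in stanza:
            if key == "supported_enctypes":
                weak = [e for e in value.split() if e.lower().startswith(WEAK_PREFIXES)]
                if weak:
                    findings.append(f"realm {name} allows weak enctypes: {' '.join(weak)}")
    return findings

SAMPLE = """# constructed sample: a kdc.conf-style realm stanza, pasted twice by mistake
[realms]
 TEST.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal des-cbc-crc:normal
 }
 TEST.COM = {
 }
"""
if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE)) or ["no findings"]:
        print(finding)
```

Run it against the real files with `audit(parse_profile(open("/var/kerberos/krb5kdc/kdc.conf").read()))`; an empty list means neither problem is present.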

3. Create the KDC database. You will be asked to set a master password. After creation the principal.* files appear under /var/kerberos/krb5kdc/; to rebuild the database, simply delete those principal.* files.

Command:

/usr/sbin/kdb5_util create -s

4. Grant ACL rights to the database administrator by editing the kadm5.acl file; * stands for all permissions.

File /var/kerberos/krb5kdc/kadm5.acl

Content: */admin@TEST.COM *

5. Start the KDC services

systemctl restart kadmin

systemctl restart krb5kdc

6. Add the database administrator. kadmin.local can be run directly on the KDC without password authentication.

Command: kadmin.local

Run the following inside that command; it prompts for a password, and that password is used later for remote kadmin logins:

addprinc root/admin

Run the following inside that command; it prompts for a password and creates an ordinary principal:

addprinc myname

7. Add the server's hostname (or IP) to the Kerberos database

Command: kadmin.local

Run the following inside that command:

addprinc -randkey host/centos20.test.com

ktadd host/centos20.test.com

Command: klist -k

This shows the keytab file that ktadd exported (/etc/krb5.keytab by default).

8. Edit the /etc/ssh/ssh_config file

    # sshd itself reads GSSAPIAuthentication (and GSSAPIKeyExchange) from /etc/ssh/sshd_config;
    # GSSAPIDelegateCredentials and GSSAPITrustDNS are ssh client options and only affect
    # connections made from this host
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

Restart the sshd service:

systemctl reload sshd

9. Configure PAM authentication

Use authconfig-tui, or authconfig --enablekrb5 --update, or setup.

10. Add or clear the firewall configuration

10.1 Add configuration

Add the file /etc/firewalld/services/kerberos.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>Kerberos</short>
    <description>Kerberos network authentication protocol server</description>
    <port protocol="tcp" port="88"/>
    <port protocol="udp" port="88"/>
    <port protocol="tcp" port="749"/>
</service>

Add the service:

firewall-cmd --permanent --add-service=kerberos

Reload:

firewall-cmd --reload

10.2 Clear the firewall configuration

systemctl stop firewalld

systemctl disable firewalld

iptables -F

11. Add the principal information

File: /root/.k5login

Content: myname@TEST.COM

Client configuration

1. Install the packages

yum install -y krb5-libs krb5-workstation pam_krb5

On Ubuntu install instead:

apt install krb5-user

2. Update /etc/krb5.conf; its contents are the same as on the server.

3. Add the client's domain name (or IP) to the Kerberos database

Commands:

Destroy any previous credentials:

kdestroy

Log in to the KDC remotely:

kadmin -p 'root/admin'

Inside that command, add the principal and its key:

addprinc -randkey host/centos21.test.com

ktadd host/centos21.test.com

View the generated keytab file:

klist -k

Obtain a ticket for the user:

kinit myname

Check the credentials:

klist

Test logging in to the remote machine:

ssh root@centos20.test.com

If the client is to log in without a password, the following files need to be changed.

CentOS, edit /etc/ssh/ssh_config:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

Ubuntu, edit /etc/ssh/sshd_config:

    GSSAPIAuthentication yes

Then restart the ssh service.

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

推薦閱讀更多精彩內(nèi)容