SSH single sign-on, step 1: configuring the Mac and Kerberos authentication

Basics

System: CentOS 7

Goal

Mac ==> Kerberos: authenticate and obtain a ticket

Server-side installation

Install the packages

sudo yum install krb5-server krb5-libs pam_krb5 -y

Edit the configuration files

krb5.conf

This is the main Kerberos configuration file; an annotated copy follows. Comments in krb5.conf are whole lines starting with "#"; the format has no trailing comments after a value. See the configuration-file reference documentation for the full list of options.

Set up the name resolution used in the configuration file beforehand:
kerberos.yufuid.org ==> 10.0.12.12

sudo vim /etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 # ticket lifetime
 ticket_lifetime = 24h
 # renewal window: within it the ticket can be renewed without entering credentials again; Windows and macOS renew it without the user noticing
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 # must be identical to the realm name under [realms] below; the name itself carries no meaning, it only has to match everywhere
 default_realm = YUFUID.ORG
 default_ccache_name = KEYRING:persistent:%{uid}
 dns_lookup_kdc = false

[realms]
 # change this name to your realm; again it only has to match default_realm
 YUFUID.ORG = {
  # address of the KDC; in this demo the KDC and kadmin run on the same host, so give that host's IP or hostname
  kdc = kerberos.yufuid.org
  # IP or hostname of this host
  admin_server = kerberos.yufuid.org
 }

[domain_realm]
 # standard form: the left side is the DNS domain of the hosts that will later authenticate through Kerberos, e.g. appservice1.yufuid.org using Kerberos for ssh
 .yufuid.org = YUFUID.ORG
 yufuid.org = YUFUID.ORG

kdc.conf

The KDC is the Kerberos database server; it mainly stores authentication information.

sudo vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 # change this name to your realm; it only has to match the realm name in krb5.conf
 YUFUID.ORG = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # the des-* and arcfour-hmac types are legacy, weak ciphers; drop them unless a client still requires them
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
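The realm name has to agree between default_realm, [realms], [domain_realm] and the [realms] block in kdc.conf (and later the -r argument of kdb5_util). As an added example that is not part of the original post, this small Python checker parses both files in the krb5 profile format and reports a realm mismatch or a legacy enctype; the configuration strings are constructed to mirror the files above.

```python
# Constructed samples in the layout of this page's /etc/krb5.conf and kdc.conf
KRB5_CONF = """[libdefaults]
 default_realm = YUFUID.ORG
[realms]
 YUFUID.ORG = {
  kdc = kerberos.yufuid.org
  admin_server = kerberos.yufuid.org
 }
[domain_realm]
 .yufuid.org = YUFUID.ORG
"""
KDC_CONF = """[realms]
 YUFUID.ORG = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des-cbc-md5:normal
 }
"""

def parse_profile(text):
    """Minimal krb5 profile parser: [section], key = value, one level of 'NAME = { }' blocks."""
    sections, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line or line.startswith("includedir"):
            continue
        if line[0] == "[" and line[-1] == "]":
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            (section if block is None else block)[key.strip()] = val.strip()
    return sections

def check_realm_consistency(krb5, kdc):
    """Return findings; an empty list means krb5.conf and kdc.conf agree."""
    findings, realms = [], krb5.get("realms", {})
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if realm not in realms:
        findings.append(f"default_realm {realm!r} has no [realms] entry")
    for dom, r in krb5.get("domain_realm", {}).items():
        if r not in realms:
            findings.append(f"domain_realm {dom} -> {r} not in [realms]")
    kdc_realm = kdc.get("realms", {}).get(realm)
    if kdc_realm is None:
        findings.append(f"kdc.conf has no [realms] entry for {realm}")
    for enc in (kdc_realm or {}).get("supported_enctypes", "").split():
        if enc.startswith(("des-", "arcfour-")):  # single DES and RC4 are legacy
            findings.append(f"weak enctype in kdc.conf: {enc}")
    return findings
```

Run it over the real files with `parse_profile(open("/etc/krb5.conf").read())` and `parse_profile(open("/var/kerberos/krb5kdc/kdc.conf").read())` before creating the database.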

Create the database

Use the realm name from the [realms] section above. You set the KDC database master password during creation. Run the command as root (with sudo); the output below ends in "Permission denied" because it was run as an unprivileged user.

$ kdb5_util create -s -r YUFUID.ORG

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YUFUID.COM',
master key name 'K/M@YUFUID.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Permission denied while creating database '/var/kerberos/krb5kdc/principal'

Edit the ACL

Set the users and source hosts that may access the KDC database.

sudo vim /var/kerberos/krb5kdc/kadm5.acl

# every principal with the /admin instance gets full kadmin privileges
*/admin@YUFUID.ORG      *

Initialize the database

Enter the KDC with the local administration tool and create the user nanzhang.
See the reference on common Kerberos commands.

kadmin.local
Authenticating as principal root/admin@YUFUID.ORG with password.
kadmin.local: addprinc nanzhang
WARNING: no policy specified for nanzhang@YUFUID.ORG; defaulting to no policy
Enter password for principal "nanzhang@YUFUID.ORG":
Re-enter password for principal "nanzhang@YUFUID.ORG":
Principal "nanzhang@YUFUID.ORG" created.

# Create the administrator account

kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@YUFUID.ORG; defaulting to no policy
Enter password for principal "root/admin@YUFUID.ORG":
Re-enter password for principal "root/admin@YUFUID.ORG":
Principal "root/admin@YUFUID.ORG" created.

List the nanzhang and administrator principals

kadmin.local:  listprincs
K/M@YUFUID.ORG
kadmin/admin@YUFUID.ORG
kadmin/changepw@YUFUID.ORG
kadmin/<kdc-hostname>@YUFUID.ORG
kiprop/<kdc-hostname>@YUFUID.ORG
krbtgt/YUFUID.ORG@YUFUID.ORG
nanzhang@YUFUID.ORG
root/admin@YUFUID.ORG
kadmin.local:

Start the Kerberos services

sudo systemctl restart krb5kdc.service
sudo systemctl restart kadmin.service
sudo systemctl enable krb5kdc.service
sudo systemctl enable kadmin.service

The server side is now configured.

Mac client setup

macOS version

10.14.3

Edit the Kerberos configuration on the Mac

The file content is the same as the server's /etc/krb5.conf, but without the line "includedir /etc/krb5.conf.d/".

vim /Library/Preferences/edu.mit.Kerberos

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 # ticket lifetime
 ticket_lifetime = 24h
 # renewal window: within it the ticket can be renewed without entering credentials again; Windows and macOS renew it without the user noticing
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 # must be identical to the realm name under [realms] below; the name itself carries no meaning, it only has to match everywhere
 default_realm = YUFUID.ORG
 # KEYRING caches are Linux-only; macOS uses its own API: cache instead, as the klist output further down shows
 default_ccache_name = KEYRING:persistent:%{uid}
 dns_lookup_kdc = false

[realms]
 # change this name to your realm; again it only has to match default_realm
 YUFUID.ORG = {
  # address of the KDC; in this demo the KDC and kadmin run on the same host, so give that host's IP or hostname
  kdc = kerberos.yufuid.org
  # IP or hostname of that host
  admin_server = kerberos.yufuid.org
 }

[domain_realm]
 # standard form: the left side is the DNS domain of the hosts that will later authenticate through Kerberos, e.g. appservice1.yufuid.org using Kerberos for ssh
 .yufuid.org = YUFUID.ORG
 yufuid.org = YUFUID.ORG

Test that the Mac can authenticate against the Kerberos server

Using iTerm:

Sam-MacBook-Air:~ Sam$ kinit nanzhang
nanzhang@YUFUID.ORG's password:
Sam-MacBook-Air:~ Sam$ klist
Credentials cache: API:4C347D78-DC4B-435E-B4EC-1372A0919F46
        Principal: nanzhang@YUFUID.ORG

  Issued                Expires               Principal
Jun 18 14:28:51 2019  Jun 19 14:28:46 2019  krbtgt/YUFUID.ORG@YUFUID.ORG
