Automatically generating Kerberos keytab files

Part of the article series: Big Data Security in Practice https://www.jianshu.com/p/76627fd8399c


Scenario:

Generate keytab files automatically in response to service requests.
Functions:
1. Create the principal
2. Generate the keytab file
3. Return the principal and the keytab through an interface

The Kerberos-related code below was read and extracted from the Ambari source.

Approach:

  • Find the relevant unit test and verify the functionality.

  • Extract the test code into a new project of your own and get it running. Getting it to run means adding the various dependencies and new source files; the package structure of the extracted code should preferably match that of the original project.


  • Ambari's entry point for creating a Kerberos keytab file:

package kbds.auth.keytab;

import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
import org.apache.ambari.server.serveraction.kerberos.KerberosOperationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;

import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AuthMain {
    public static void main(String[] args) throws KerberosOperationException, IOException {
        KerberosOperationHandler handler = createHandler();
        File file = new File("D:\\am.keytab");
        final String principal1 = "[email protected]";
        final String principal2 = "[email protected]";
        Set<String> seenEntries = new HashSet<>();

        // keyNumber (kvno) is 0: the KDC is never consulted, so the value is chosen locally
        handler.createKeytabFile(principal1, "some password", 0, file);
        handler.createKeytabFile(principal2, "some password", 0, file);

        // Attempt to add duplicate entries; the original Ambari test expects them to be
        // merged into the existing file rather than written twice
        handler.createKeytabFile(principal2, "some password", 0, file);

        // Read the file back and check that no principal/enctype pair appears twice
        // (these checks were JUnit asserts in the Ambari test)
        Keytab keytab = Keytab.read(file);

        List<KeytabEntry> entries = keytab.getEntries();
        if (entries == null || entries.isEmpty()) {
            throw new IllegalStateException("keytab has no entries: " + file);
        }

        for (KeytabEntry entry : entries) {
            String seenEntry = String.format("%s|%s", entry.getPrincipalName(), entry.getKey().getKeyType().toString());
            if (!seenEntries.add(seenEntry)) {
                throw new IllegalStateException("duplicate keytab entry: " + seenEntry);
            }
        }
    }

    // The anonymous subclass stubs every KDC operation (principal lookup, creation,
    // password change, removal), so only the keytab-generation code path of the
    // abstract handler is exercised and nothing talks to a KDC.
    public static KerberosOperationHandler createHandler() throws KerberosOperationException {
        KerberosOperationHandler handler = new KerberosOperationHandler() {

            @Override
            public void open(PrincipalKeyCredential administratorCredentials, String defaultRealm,
                             Map<String, String> kerberosConfiguration) throws KerberosOperationException {
                setAdministratorCredential(administratorCredentials);
                setDefaultRealm(defaultRealm);
                setExecutableSearchPaths("/usr/bin, /usr/kerberos/bin, /usr/sbin");
            }

            @Override
            public void close() throws KerberosOperationException {
            }

            @Override
            public boolean principalExists(String principal) throws KerberosOperationException {
                return false;
            }

            @Override
            public Integer createPrincipal(String principal, String password, boolean service) throws KerberosOperationException {
                return 0;
            }

            @Override
            public Integer setPrincipalPassword(String principal, String password) throws KerberosOperationException {
                return 0;
            }

            @Override
            public boolean removePrincipal(String principal) throws KerberosOperationException {
                return false;
            }
        };

        // Administrator credential and realm are placeholders: no KDC is contacted
        handler.open(new PrincipalKeyCredential("me/admin", "me"), "TT.COM", null);
        return handler;
    }

}
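The file that `Keytab.read` parses above, and that `klist -ket` lists in the verification section, has a small fixed layout. The following is an added example in plain Python (not code from the page and not Ambari's): a writer and reader for the v2 keytab format, the check the Java loop makes (no principal/enctype pair twice), and the two checks a reviewer would add, weak enctypes and a kvno that was chosen without asking the KDC. The principal `xf@TT.COM` (taken from `addprinc xf` and the `TT.COM` realm in the Java code), the timestamp and the key bytes are constructed inputs; the keys are placeholders, not derived Kerberos keys.

```python
# Keytab v2 (0x0502) writer/reader with an entry audit. Added example; not the page's
# code and not Ambari's. Key bytes below are constructed placeholders.
import os
import struct

# Enctype numbers from the Kerberos registry (RFC 3961/3962/4757)
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {3, 16, 23}   # single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated
NT_PRINCIPAL = 1              # name-type for ordinary user and service principals
KEYTAB_VERSION = b"\x05\x02"  # "05 02": keytab format v2, all integers big-endian


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, kvno, enctype, key, timestamp):
    """Serialise one entry for 'comp1/comp2@REALM' as a length-prefixed record."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if kvno > 0xFF:                       # 8-bit field overflowed: append the 32-bit kvno
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries, path=None) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    data = KEYTAB_VERSION + b"".join(encode_entry(*e) for e in entries)
    if path:
        # the file is password-equivalent for every principal in it: owner-only from creation
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    return data


def read_keytab(data: bytes):
    """Parse keytab bytes into a list of dicts, skipping deleted (negative-size) slots."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a v2 keytab, header %r" % data[:2])
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # slot freed by ktremove; skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rl = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rl].decode()
        pos += rl
        comps = []
        for _ in range(ncomp):
            (cl,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + cl].decode())
            pos += cl
        _name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, kl = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + kl]
        pos += kl
        if end - pos >= 4:                # optional 32-bit kvno; a non-zero value wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        out.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                    "enctype": enctype, "key": key, "timestamp": ts})
    return out


def audit_keytab(entries):
    """The Java loop's duplicate check plus the two checks a reviewer adds."""
    findings, seen = [], set()
    for e in entries:
        ename = ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])
        pair = (e["principal"], e["enctype"])
        if pair in seen:
            findings.append("duplicate entry %s (%s)" % (e["principal"], ename))
        seen.add(pair)
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (ename, e["principal"]))
        if e["kvno"] == 0:
            findings.append("kvno 0 for %s (%s): chosen offline, compare with the KDC's kvno "
                            "before using it as a service keytab" % (e["principal"], ename))
    return findings


# Constructed sample: assumed principal xf@TT.COM, kvno 0 as in the Java program, the four
# enctypes klist listed on the page, and one repeated aes128 entry (the "duplicate" step).
SAMPLE_KEYS = {3: b"\x01" * 8, 16: b"\x02" * 24, 17: b"\x03" * 16, 23: b"\x04" * 16}


def sample_entries(principal="xf@TT.COM", kvno=0, ts=1523956110):
    rows = [(principal, kvno, et, SAMPLE_KEYS[et], ts) for et in (3, 16, 17, 23)]
    rows.append((principal, kvno, 17, SAMPLE_KEYS[17], ts))
    return rows


if __name__ == "__main__":
    blob = write_keytab(sample_entries(), "generated.keytab")
    print("\n".join(audit_keytab(read_keytab(blob))))
```

Run stand-alone it writes `generated.keytab` with mode 0600 and prints the findings; `klist -ket generated.keytab` lists the same entries. The writer keeps the repeated entry on purpose so the audit has something to catch; a generator that merges into an existing file should instead drop it, which is what the Java check above verifies.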

  • The new project's pom file


<project>
    <modelVersion>4.0.0</modelVersion>

    <groupId>kbds</groupId>
    <artifactId>auth-keytab</artifactId>
    <version>1.0</version>
    <dependencies>
        <dependency>
            <groupId>com.google.code.gson</groupId>
            <artifactId>gson</artifactId>
            <version>2.2.2</version>
        </dependency>

        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
            <version>1.7.6</version>
        </dependency>

        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-log4j12</artifactId>
            <version>1.7.5</version>
        </dependency>

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.11</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.easymock</groupId>
            <artifactId>easymock</artifactId>
            <scope>test</scope>
            <version>3.4</version>
        </dependency>

        <dependency>
            <groupId>org.apache.directory.server</groupId>
            <artifactId>apacheds-kerberos-codec</artifactId>
            <version>2.0.0-M19</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-core</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-web</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-client</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>jsr305</artifactId>
            <version>1.3.9</version>
        </dependency>
        <dependency>
            <groupId>com.google.inject</groupId>
            <artifactId>guice</artifactId>
            <version>3.0</version>
        </dependency>
        <dependency>
            <groupId>com.google.inject.extensions</groupId>
            <artifactId>guice-persist</artifactId>
            <version>3.0</version>
        </dependency>

        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.3</version>
        </dependency>
    </dependencies>
</project>



Verifying the generated keytab file

  • Upload the keytab file
  • Show the file contents
 klist -ket [email protected]
Keytab name: FILE:[email protected]
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 04/17/18 17:08:30 [email protected] (des-cbc-md5)
   0 04/17/18 17:08:30 [email protected] (des3-cbc-sha1)
   0 04/17/18 17:08:30 [email protected] (aes128-cts-hmac-sha1-96)
   0 04/17/18 17:08:30 [email protected] (arcfour-hmac)
  • First attempt to obtain credentials
# destroy any existing credentials first
kdestroy

kinit  -kt [email protected]   xf
kinit: Client not found in Kerberos database while getting initial credentials

Error: the principal has not yet been created on the KDC.

  • Create the principal on the KDC
kadmin.local:  addprinc xf
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
  • Try to obtain credentials again
 kinit  -kt [email protected]   xf
  • Verify
 klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
04/17/18 17:13:35  04/18/18 17:13:35  krbtgt/[email protected]
        renew until 04/24/18 17:13:35, Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

This shows that keytab creation can be decoupled from the KDC: a keytab generated entirely outside the KDC is accepted by it. It works because the long-term key is derived deterministically from the password by the string-to-key function (with the default salt, the realm followed by the principal name components), so the offline generator and addprinc produce identical key bytes as long as the same password is used on both sides; the password typed at addprinc above must therefore equal the one the Java program was given. Two caveats follow. First, the generator must hold the principal's password, and the resulting file is password-equivalent for that principal, so keep it owner-readable only (0600) and drop the des-cbc-md5 and arcfour-hmac entries, which are deprecated enctypes. Second, the kvno written here is 0 and was never agreed with the KDC; that does not stop kinit, but before using such a file as a service keytab compare its kvno with what the KDC reports for that principal, since service ticket decryption is done by kvno.
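The mechanism behind that observation, as an added example (not code from the page and not Ambari's): both addprinc on the KDC and the offline generator compute the principal's key from the password with the same deterministic string-to-key function, so the bytes agree. The block implements RFC 4757's arcfour-hmac string-to-key, MD4 over the UTF-16LE password, with MD4 written inline because hashlib on OpenSSL 3 builds usually refuses it, together with the default salt that the AES enctypes feed into PBKDF2 (the AES-based DK stage that follows is not included). The password `password` and the principals are assumed inputs.

```python
# Added example (not the page's or Ambari's code): arcfour-hmac string-to-key per RFC 4757
# and the default Kerberos salt. MD4 is implemented here because hashlib's md4 is often
# unavailable on OpenSSL 3 builds.
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 48 steps in three rounds of 16."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for r in range(16):                                   # round 1
            a = _rotl((a + F(b, c, d) + X[r]) & MASK, (3, 7, 11, 19)[r % 4])
            a, b, c, d = d, a, b, c
        for r in range(16):                                   # round 2
            k = (r % 4) * 4 + r // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[r % 4])
            a, b, c, d = d, a, b, c
        for r in range(16):                                   # round 3
            a = _rotl((a + H(b, c, d) + X[r3[r]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[r % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_string_to_key(password: str) -> bytes:
    """RFC 4757 section 3: the arcfour-hmac long-term key is MD4 of the UTF-16LE password.
    No salt and no principal name enter the computation, so the keytab entry for this
    enctype is exactly the Windows NT hash of the password."""
    return md4(password.encode("utf-16-le"))


def default_salt(principal: str) -> str:
    """Default salt the AES enctypes use (RFC 3962/8009): realm followed by the name
    components with '/' and '@' removed. The KDC and an offline generator must agree on
    it, or the derived AES keys differ even with the same password."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


if __name__ == "__main__":
    # assumed inputs: the KDC (addprinc) and the generator both start from this password
    print("arcfour-hmac key:", rc4_string_to_key("password").hex())
    print("aes salt for xf@TT.COM:", default_salt("xf@TT.COM"))
```

The arcfour key printed for `password` is `8846f7eaee8fb117ad06bdd830b7586c`, the NT hash of that password. A keytab that carries arcfour-hmac entries therefore deserves the same handling as a credential dump: whoever reads it can authenticate as the principal without learning the password. The salt function is the other place offline generation can silently go wrong: a principal created with a non-default salt type on the KDC will not match keys derived with the default salt, even though kinit will report a plain preauthentication failure rather than pointing at the salt.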
