Kerberos 基本安装与配置
由于最近环境需要用到Kerberos认证,之前对Kerberos这块了解甚少,今天抽空自己手动安装一下Kerberos,以此加深对Kerberos的理解。
1 选择一台机器运行KDC,安装Kerberos相关服务
yum install -y krb5-devel krb5-server krb5-workstation
2 配置Kerberos,包括krb5.conf和kdc.conf,修改其中的realm,把默认的EXAMPLE.COM修改为自己要定义的值
[root@cent-1 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TRAFKDC.COM --修改之处
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TRAFKDC.COM = { --修改之处
kdc = namenode01 --修改之处
admin_server = namenode01 --修改之处
}
[domain_realm]
.TRAFKDC.com = TRAFKDC.COM --修改之处
TRAFKDC.com = TRAFKDC.COM --修改之处
[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TRAFKDC.COM = { --修改之处
max_life = 24h --添加
max_renewable_life = 7d --添加
default_principal_flags = +renewable --添加
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}3 创建KDC数据库,其中需要设置管理员密码,创建完成会在/var/kerberos/krb5kdc/下面生成一系列文件,若重建数据库则需先删除/var/kerberos/krb5kdc下面principal相关文件
[root@cent-1 ~]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TRAFKDC.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@cent-1 ~]# ll /var/kerberos/krb5kdc/
total 24
-rw-------. 1 root root 22 Mar 9 2016 kadm5.acl
-rw-------. 1 root root 403 Jan 13 10:18 kdc.conf
-rw-------. 1 root root 8192 Jan 13 10:23 principal
-rw-------. 1 root root 8192 Jan 13 10:23 principal.kadm5
-rw-------. 1 root root 0 Jan 13 10:23 principal.kadm5.lock
-rw-------. 1 root root 0 Jan 13 10:24 principal.ok
4 给数据库管理员添加ACL权限,修改kadm5.acl文件,*代表全部权限
[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *5 添加数据库管理员,注意kadmin.local可以直接运行在KDC上,而无需通过Kerberos认证
[root@cent-1 ~]# /usr/sbin/kadmin.local -q "addprinc kdcadmin/admin"
Enter password for principal "kdcadmin/[email protected]":
Re-enter password for principal "kdcadmin/[email protected]":
Principal "kdcadmin/[email protected]" created.
[root@cent-1 ~]# kadmin.local
Authenticating as principal centos/[email protected] with password.
kadmin.local: listprinc
kadmin.local: Unknown request "listprinc". Type "?" for a request list.
kadmin.local: listprincs
K/[email protected]
kdcadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
6 启动Kerberos进程并设置开机启动,通过/var/log/krb5kdc.log 和 /var/log/kadmind.log查看日志,通过kinit检查Kerberos正常运行
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on7 配置JCE,这是因为CentOS6.5及以上系统默认使用AES-256加密,因此需要所有节点安装并配置JCE,JCE下载路径: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
[root@cent-1 UnlimitedJCEPolicyJDK8]# ll
total 16
-rw-rw-r--. 1 root root 3035 Dec 21 2013 local_policy.jar
-rw-r--r--. 1 root root 7323 Dec 21 2013 README.txt
-rw-rw-r--. 1 root root 3023 Dec 21 2013 US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/ /usr/java/jdk1.8.0_11/jre/lib/security/
local_policy.jar README.txt US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/US_export_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/US_export_policy.jar'? y8 到此,Kerberos服务端已搭好,现在选择另外一台机器安装客户端,并配置/etc/krb5.conf与KDC相同
yum install -y krb5-workstation9 验证客户端可以访问KDC
kadmin -p 'kdcadmin/admin' -w '' -s '' -q 'list_principals'
10 kadmin生成keytab,如果是KDC上面直接运行kadmin.local,如果是在客户端先kinit再kadmin
(1)KDC
[root@cent-1 ~]# kadmin.local
Authenticating as principal trafodion/[email protected] with password.
kadmin.local: listprincs
K/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
[email protected]
kadmin.local: xst -k /opt/trafodion.keytab trafodion
Entry for principal trafodion with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/trafodion.keytab.
[root@cent-1 opt]# ll /opt/trafodion.keytab
-rw-------. 1 root root 279 Jan 13 13:05 /opt/trafodion.keytab(2)Client(需先kinit)
[root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/[email protected]:
[root@cent-2 ~]# kadmin
Authenticating as principal kadmin/[email protected] with password.
Password for kadmin/[email protected]:
kadmin: addprinc centos
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
kadmin: listprincs
K/[email protected]
[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
[email protected]
11 相关Kerberos命令
//添加principal
kadmin -p 'kdcadmin/admin' -w '' -s '' -q 'addprinc -randkey trafodion'
//生成keytab文件
ktadd -k /opt/trafodion.keytab trafodion
//认证用户
kinit -kt /opt/trafodion.keytab trafodion
//查看当前认证用户信息
klist 原文地址:https://blog.csdn.net/Post_Yuan/article/details/54406148