Environment: KDC server: hostname yaya.example.com, IP 192.168.0.104;
Client: hostname yaya2.example.com, IP 192.168.0.106
On the KDC server:
1. Install:
yum install krb5\*
[root@yaya log]# rpm -qa|grep -i krb5
krb5-libs-1.10.3-65.el6.x86_64
krb5-auth-dialog-0.13-6.el6.x86_64
krb5-server-1.10.3-65.el6.x86_64
krb5-appl-servers-1.0.1-7.el6_2.1.x86_64
krb5-devel-1.10.3-65.el6.x86_64
krb5-workstation-1.10.3-65.el6.x86_64
2. Configure /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YAYA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
YAYA.EXAMPLE.COM = {
kdc = 192.168.0.104:88
admin_server = 192.168.0.104:749
}
[domain_realm]
yaya.example.com = YAYA.EXAMPLE.COM
yaya2.example.com = YAYA.EXAMPLE.COM
3. Configure /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
YAYA.EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
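The supported_enctypes line above is the RHEL 6 default and still lists single DES (which current MIT Kerberos no longer supports) and arcfour-hmac (RC4, which it deprecates); a KDC built from these notes will issue keys of those types to every new principal. As an added example, not code from the original notes, the following POSIX shell script reads a kdc.conf on stdin and prints the weak entries of that line. The sample configuration embedded in it is constructed to match the block above.

```shell
#!/bin/sh
# Added example, not code from the original notes: audit the supported_enctypes
# line of a kdc.conf for weak encryption types (single DES and RC4/arcfour).

# Constructed sample matching the [realms] block shown in the notes.
SAMPLE_KDC_CONF='[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
YAYA.EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}'

# Read a kdc.conf on stdin and print each weak enctype found on the
# supported_enctypes line, one per line. Returns 1 if any was found, else 0.
weak_enctypes() {
    found=0
    # keep only the value after '=' and strip the ':salt' suffix of each entry;
    # des3-* is deliberately not matched by the patterns below
    for enc in $(sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' | sed 's/:[^ ]*//g'); do
        case "$enc" in
            des-*|arcfour-*|rc4-*)
                echo "$enc"
                found=1
                ;;
        esac
    done
    return $found
}

# Number of weak enctypes in the config read on stdin.
weak_enctype_count() {
    weak_enctypes | wc -l | tr -d ' '
}

# Stand-alone run against the sample; on a KDC use:
#   weak_enctypes < /var/kerberos/krb5kdc/kdc.conf
if printf '%s\n' "$SAMPLE_KDC_CONF" | weak_enctypes; then
    echo "no weak enctypes"
else
    echo "weak enctypes present in supported_enctypes"
fi
```

Removing an enctype from supported_enctypes only changes the keys generated from then on; principals created before the change keep the keys they already have until their password or random key is changed again.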
4. Configure /etc/hosts so the hostnames resolve
192.168.0.104 yaya.example.com
192.168.0.106 yaya2.example.com
5. Create the database; this generates the principal files under /var/kerberos/krb5kdc/ (to rebuild it, simply delete them)
kdb5_util create -s -r YAYA.EXAMPLE.COM
6. Run kadmin.local and, at its prompt:
listprincs
addprinc root/admin
addprinc tom
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
addprinc -randkey host/yaya.example.com
ktadd -k /etc/krb5.keytab host/yaya.example.com
8. Run setup (Authentication configuration) and enter the Kerberos authentication parameters
9.service krb5kdc start
service kadmin start
10. Modify or add the following in /etc/ssh/ssh_config:
GSSAPIAuthentication yes
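GSSAPIAuthentication has to be enabled in the file that the relevant side of the connection actually reads: sshd on the server consults /etc/ssh/sshd_config, while the ssh client consults /etc/ssh/ssh_config (Red Hat's OpenSSH packages ship both files with the option already enabled). OpenSSH uses the first occurrence of a keyword, and the option defaults to no when it is absent from a file. The check below is an added example, not taken from the notes; it reads an OpenSSH config on stdin and reports the effective value. Both sample files in it are constructed, and the simplified parser does not evaluate Match or Host blocks.

```shell
#!/bin/sh
# Added example, not from the original notes: report the GSSAPIAuthentication
# value an OpenSSH client or server will actually use from a given config file.
# OpenSSH takes the first occurrence of a keyword (comment lines excluded) and
# the option defaults to "no" when it is absent. Match/Host blocks are not
# evaluated by this simplified parser.

# Constructed samples. The sshd_config one is in the shape of Red Hat's
# stock file, where the option is already enabled.
SAMPLE_SSHD_CONFIG='#Port 22
Protocol 2
SyslogFacility AUTHPRIV
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes'

SAMPLE_SSH_CONFIG='Host *
    GSSAPIAuthentication yes
    ForwardX11Trusted yes'

# Print the effective GSSAPIAuthentication value of the config read on stdin.
gssapi_auth_setting() {
    val=$(awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }')
    echo "${val:-no}"
}

# Exit 0 if both the server side (sshd_config text in $1) and the client side
# (ssh_config text in $2) enable GSSAPI authentication, else 1.
gssapi_both_enabled() {
    server=$(printf '%s\n' "$1" | gssapi_auth_setting)
    client=$(printf '%s\n' "$2" | gssapi_auth_setting)
    echo "sshd_config: $server, ssh_config: $client"
    [ "$server" = yes ] && [ "$client" = yes ]
}

# Stand-alone run against the samples; on real hosts:
#   gssapi_auth_setting < /etc/ssh/sshd_config    (on the SSH server)
#   gssapi_auth_setting < /etc/ssh/ssh_config     (on the client)
gssapi_both_enabled "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSH_CONFIG"
```

On a live server, sshd -T | grep -i gssapiauthentication prints the value sshd will use, Match blocks included.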
On the client:
1. Install krb5-workstation
[root@rhel64-64bit Desktop]# rpm -qa|grep krb5
krb5-workstation-1.10.3-10.el6.x86_64
krb5-libs-1.10.3-10.el6.x86_64
2. scp the server's /etc/krb5.conf to the same path on this machine
3. Configure /etc/hosts and the Kerberos authentication parameters in setup, the same as on the server
4. kinit root/admin to request a ticket
kadmin
5. ssh [email protected] prompts for a password:
6. After requesting a ticket for tom, you can ssh to the server without a password:
7. List the tickets held on the client:
At this point tom has also obtained a ticket for the server, completing the client-to-server authentication.