kerberos认证服务搭建、认证、常用命令
文章目录
- 安装KDC 服务器
- 修改配置
- 修改KDC的配置文件
- 配置KDC服务的权限管理文件
- 修改Kerberos的配置文件信息
- 初始化KDC数据库
- 启动KDC服务器
- 启动Kerberos服务器
- KDC 服务器上添加超级管理员账户
- 搭建Kerberos客户端环境
- 将服务端的配置文件拷贝到客户端
- 客户端配置文件和服务段同步后,进行登陆,验证是否可以成功登陆
- Kerberos 一些基本操作命令
- 使用kadmin.local命令进入本地管理员模式
- 查看已经存在的凭据
- 创建凭据
- 删除凭据
- 导出某个用户的keytab证书(使用xst命令或者ktadd命令)
- 查看当前客户端认证用户
- 删除当前的认证的缓存
- 认证用户
- 基于密钥认证
- 基于密码认证
- 修改Kerberos用户的密码
- 获取凭据信息
- 查看keytab文件中的帐号列表
Principal 是由三个部分组成:名字(name),实例(instance),REALM(域)。比如一个标准的 Kerberos 的用户是:name/instance@REALM
安装KDC 服务器
安装命令
yum -y install krb5-server krb5-libs krb5-workstation
修改配置
修改KDC的配置文件
[root@node1 ~]#cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
NSH.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
[root@node1 ~]#
配置说明
[kdcdefaults]
#该部分包含在此文件中列出的所有通用的配置。
kdc_ports = 88 #指定KDC的默认端口
kdc_tcp_ports = 88 # 指定KDC的TCP协议默认端口。
[realms]
#该部分列出每个领域的配置。
NSH.COM = {#是设定的 realms。名字随意,推荐为大写!,但须与/etc/krb5.conf保持一致。Kerberos 可以支持多个 realms,会增加复杂度。大小写敏感。
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl #标注了 admin 的用户权限的文件,若文件不存在,需要用户自己创建。即该参数允许为具有对Kerberos数据库的管理访问权限的UPN指定ACL。
dict_file = /usr/share/dict/words #该参数指向包含潜在可猜测或可破解密码的文件。
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab #KDC 进行校验的 keytab。
max_life #该参数指定如果指定为2天。这是票据的最长存活时间。
max_renewable_life #该参数指定在多长时间内可重获取票据。
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal #指定此KDC支持的各种加密类型。
}
配置KDC服务的权限管理文件
[root@node1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
[root@node1 ~]#
配置说明
上述参数只有两列,第一列为用户名,第二列为权限分配。
*/[email protected] #表示以"/[email protected]"结尾的用户。
* #表示UNP可以执行任何操作,因为权限为所有权限,
修改Kerberos的配置文件信息
包含KDC的位置,Kerberos的admin的realms 等。需要所有使用的Kerberos的机器上的配置文件都同步。
[root@node1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = NSH.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NSH.COM = {
kdc = node1.nsh.com:88
admin_server = node1.nsh.com:749
default_domain = NSH.COM
}
[domain_realm]
.nsh.com = NSH.COM
nsh.com = NSH.COM
[root@node1 ~]#
配置说明
[logging]:
#Kerberos守护进程的日志记录方式。换句话说,表示 server 端的日志的打印位置。
default :默认的krb5libs.log日志文件存放路径
kdc :默认的krb5kdc.log日志文件存放路径
admin_server :默认的kadmind.log日志文件存放路径
[libdefaults]:
#Kerberos使用的默认值,当进行身份验证而未指定Kerberos域时,则使用default_realm参数指定的Kerberos域。即每种连接的默认配置,需要注意以下几个关键的配置:
dns_lookup_realm :DNS查找域名,我们可以理解为DNS的正向解析,该功能我没有去验证过,默认禁用。(我猜测该功能和domain_realm配置有关)
ticket_lifetime :凭证生效的时限,设置为7天。
rdns :我理解是和dns_lookup_realm相反,即反向解析技术,该功能我也没有去验证过,默认禁用即可。(我猜测该功能和domain_realm配置有关)
pkinit_anchors :在KDC中配置pkinit的位置,该参数的具体功能我没有做进一步验证。
default_realm = NSH.COM :设置 Kerberos 应用程序的默认领域。如果您有多个领域,只需向 [realms] 节添加其他的语句。其中NSH.COM可以为任意名字,推荐为大写。必须跟要配置的realm的名称一致。
default_ccache_name: :顾名思义,默认的缓存名称,不推荐使用该参数。
renew_lifetime :凭证最长可以被延期的时限,一般为7天。当凭证过期之后,对安全认证的服务的后续访问则会失败。
forwardable :如果此参数被设置为true,则可以转发票据,这意味着如果具有TGT的用户登陆到远程系统,则KDC可以颁发新的TGT,而不需要用户再次进行身份验证。
renewable :是否允许票据延迟
[realms]:
#域特定的信息,例如域的Kerberos服务器的位置。可能有几个,每个域一个。可以为KDC和管理服务器指定一个端口。如果没有配置,则KDC使用端口88,管理服务器使用749。即列举使用的 realm域。
kdc :代表要KDC的位置。格式是 机器:端口
admin_server :代表admin的位置。格式是 机器:端口
default_domain :顾名思义,指定默认的域名。
[domain_realm]:
#指定DNS域名和Kerberos域名之间映射关系。指定服务器的FQDN,对应的domain_realm值决定了主机所属的域。
[kdc]:
#kdc的配置信息。即指定kdc.conf的位置。
profile :kdc的配置文件路径,默认值下若无文件则需要创建。
初始化KDC数据库
[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: [1]
Re-enter KDC database master key to verify:
说明
注意,-s选项指定将数据库的主节点密钥存储在文件中,从而可以在每次启动KDC时自动重新生成主节点密钥。记住主密钥,稍后回使用。
[1] 这里需要输入一个管理KDC服务器的密码!千万别忘记了,忘记的话你就只能重新初始化KDC数据库啦!(如果遇到数据库已经存在的提示,可以把/var/kerberos/krb5kdc/目录下的principal的相关文件都删除掉。默认的数据库名字都是principal。可以使用-d指定数据库名字。)
如下所示
[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': 文件已存在 while creating database '/var/kerberos/krb5kdc/principal'
[root@node1 ~]#
[root@node1 ~]#
[root@node1 ~]# ls /var/kerberos/krb5kdc/
kadm5.acl kdc.conf principal principal.kadm5 principal.kadm5.lock principal.ok
[root@node1 ~]#
[root@node1 ~]# rm -rf /var/kerberos/krb5kdc/principal*
[root@node1 ~]#
[root@node1 ~]# kdb5_util create -r NSH.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'NSH.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node1 ~]#
kerberos数据库创建完之后,默认会创建以下5个文件,红色标出
[root@node1 ~]# ll -a /var/kerberos/krb5kdc/
总用量 28
drwxr-xr-x 2 root root 146 1月 16 14:00 .
drwxr-xr-x. 4 root root 33 1月 16 11:42 …
-rw------- 1 root root 72 1月 16 14:00 .k5.NSH.COM
-rw------- 1 root root 18 1月 16 11:47 kadm5.acl
-rw------- 1 root root 447 1月 16 11:44 kdc.conf
-rw------- 1 root root 8192 1月 16 14:00 principal
-rw------- 1 root root 8192 1月 16 14:00 principal.kadm5
-rw------- 1 root root 0 1月 16 14:00 principal.kadm5.lock
-rw------- 1 root root 0 1月 16 14:00 principal.ok
[root@node1 ~]#
启动KDC服务器
[root@node1 ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@node1 ~]# systemctl start krb5kdc
[root@node1 ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since 四 2020-01-16 14:10:23 CST; 3s ago
Process: 25314 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
Main PID: 25315 (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─25315 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
1月 16 14:10:23 node1.nsh.com systemd[1]: Starting Kerberos 5 KDC…
1月 16 14:10:23 node1.nsh.com systemd[1]: Can’t open PID file/var/run/krb5kdc.pid (yet?) after start: No such file or directory
1月 16 14:10:23 node1.nsh.com systemd[1]: Started Kerberos 5 KDC.
[root@node1 ~]#
启动Kerberos服务器
[root@node1 ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@node1 ~]# systemctl start kadmin
[root@node1 ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: active (running) since 四 2020-01-16 14:19:50 CST; 1s ago
Process: 25778 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)
Main PID: 25779 (kadmind)
CGroup: /system.slice/kadmin.service
└─25779 /usr/sbin/kadmind -P /var/run/kadmind.pid
1月 16 14:19:50 node1.nsh.com systemd[1]: Starting Kerberos 5 Password-changing and Administration…
1月 16 14:19:50 node1.nsh.com systemd[1]: Can’t open PID file /var/run/kadmind.pid (yet?) after start: No such file or directory
1月 16 14:19:50 node1.nsh.com systemd[1]: Started Kerberos 5 Password-changing and Administration.
[root@node1 ~]#
KDC 服务器上添加超级管理员账户
[root@node1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
[root@node1 ~]# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/[email protected]; defaulting to no policy
Enter password for principal “root/[email protected]”:
Re-enter password for principal “root/[email protected]”:
Principal “root/[email protected]” created.
kadmin.local: listprincs
K/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
kadmin.local: q
[root@node1 ~]#
我们为KDC添加一个管理员用户,关于管理员规则我们以及在"/var/kerberos/krb5kdc/kadm5.acl"中定义的。细心的小伙伴发现,我们写的是"root/admin",但是创建用户却显示的是"root@[email protected]"
搭建Kerberos客户端环境
yum install -y krb5-lib krb5-workstation
将服务端的配置文件拷贝到客户端
scp /etc/krb5.conf node2.nsh.com:/etc/
客户端配置文件和服务段同步后,进行登陆,验证是否可以成功登陆
这是验证成功的提示
[root@node1 ~]# kinit root/admin
Password for root/[email protected]:
[root@node1 ~]# kinit root/[email protected]
Password for root/[email protected]:
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/[email protected]
Valid starting Expires Service principal
2020-01-16T14:43:16 2020-01-17T14:43:16 krbtgt/[email protected]
[root@node1 ~]#
这是输错密码的提示
[root@node1 ~]# kinit root/[email protected]
Password for root/[email protected]:
kinit: Password incorrect while getting initial credentials
[root@node1 ~]#
Kerberos 一些基本操作命令
使用kadmin.local命令进入本地管理员模式
kadmin.local
[root@node1 ~]# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: ?
Available kadmin.local requests:
add_principal, addprinc, ank
#Add principal
delete_principal, delprinc
#Delete principal
modify_principal, modprinc
#Modify principal
rename_principal, renprinc
#Rename principal
change_password, cpw #Change password
get_principal, getprinc #Get principal
list_principals, listprincs, get_principals, getprincs
#List principals
add_policy, addpol #Add policy
modify_policy, modpol #Modify policy
delete_policy, delpol #Delete policy
get_policy, getpol #Get policy
list_policies, listpols, get_policies, getpols
#List policies
get_privs, getprivs #Get privileges
ktadd, xst #Add entry(s) to a keytab
ktremove, ktrem #Remove entry(s) from a keytab
lock #Lock database exclusively (use with extreme caution!)
unlock #Release exclusive database lock
purgekeys #Purge previously retained old keys from a principal
get_strings, getstrs #Show string attributes on a principal
set_string, setstr #Set a string attribute on a principal
del_string, delstr #Delete a string attribute on a principal
list_requests, lr, ? #List available requests.
quit, exit, q #Exit program.
kadmin.local:
查看已经存在的凭据
listprincs
kadmin.local: listprincs
K/[email protected]
admin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
kadmin.local:
创建凭据
addprinc -randkey hdfs/node3
addprinc -pw 123456 jack/node4
kadmin.local: listprincs
K/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
kadmin.local: addprinc -randkey hdfs/node3 ##生成随机key的凭据
WARNING: no policy specified for hdfs/[email protected]; defaulting to no policy
Principal "hdfs/[email protected]" created.
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
kadmin.local: addprinc -pw 123456 jack/node4 ###生成指定key的凭据
WARNING: no policy specified for jack/[email protected]; defaulting to no policy
Principal "jack/[email protected]" created.
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
jack/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
注意:这里生成的jack/node4是指定key,如果通过
ktadd -k /root/node4.keytab jack/node4导出密钥后,创建时指定的key失效,
原因:每次生成秘钥文件时,密码可能会进行随机改变,后续再通过指定key进行认证时会报
kinit: Password incorrect while getting initial credentials
生成密钥时,添加"-norandkey"即可解决问题
删除凭据
delprinc nsh/111
kadmin.local: addprinc -pw 111 nsh/111
WARNING: no policy specified for nsh/[email protected]; defaulting to no policy
Principal "nsh/[email protected]" created.
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
jack/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
nsh/[email protected]
root/[email protected]
kadmin.local: delprinc nsh/111 ##删除凭据
Are you sure you want to delete the principal "nsh/[email protected]"? (yes/no): yes
Principal "nsh/[email protected]" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
jack/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
导出某个用户的keytab证书(使用xst命令或者ktadd命令)
ktadd -k /root/node3.keytab hdfs/node3
xst -k /root/node4.keytab jack/node4
xst -norandkey -k /root/node34.keytab hdfs/node3 jack/node4
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
jack/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local:
kadmin.local:
kadmin.local: ktadd -k /root/node3.keytab hdfs/node3 ##导出凭据
Entry for principal hdfs/node3 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node3.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node3.keytab.
kadmin.local:
kadmin.local: xst -k /root/node4.keytab jack/node4 ##导出凭据
Entry for principal jack/node4 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node4.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node4.keytab.
kadmin.local:
kadmin.local: xst -norandkey -k /root/node34.keytab hdfs/node3 jack/node4 ###将多个principal生产一个keytab
Entry for principal hdfs/node3 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal hdfs/node3 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node34.keytab.
Entry for principal jack/node4 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node34.keytab.
kadmin.local:
查看当前客户端认证用户
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/[email protected]
Valid starting Expires Service principal
2020-01-16T14:43:16 2020-01-17T14:43:16 krbtgt/[email protected]
[root@node1 ~]#
删除当前的认证的缓存
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/[email protected]
Valid starting Expires Service principal
2020-01-16T14:43:16 2020-01-17T14:43:16 krbtgt/[email protected]
[root@node1 ~]#
[root@node1 ~]#
[root@node1 ~]# kdestroy
[root@node1 ~]#
[root@node1 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node1 ~]#
认证用户
基于密钥认证
[root@node1 ~]# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local:
kadmin.local:
kadmin.local: listprincs
K/[email protected]
hdfs/[email protected]
jack/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
kadmin.local: q
[root@node1 ~]#
[root@node1 ~]# kinit -kt node3.keytab hdfs/node3 ##基于密钥进行认证
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/[email protected]
Valid starting Expires Service principal
2020-01-16T15:12:10 2020-01-17T15:12:10 krbtgt/[email protected]
[root@node1 ~]# kinit -kt node3.keytab hdfs/[email protected] ##基于密钥进行认证
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/[email protected]
Valid starting Expires Service principal
2020-01-16T15:12:48 2020-01-17T15:12:48 krbtgt/[email protected]
[root@node1 ~]#
基于密码认证
要求
- 导出密钥时,需要指定-norandkey参数
- 创建凭据时,需要指定key
[root@node1 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node1 ~]# kinit tom/node5
Password for tom/[email protected]:
[root@node1 ~]#
[root@node1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tom/[email protected]
Valid starting Expires Service principal
2020-01-16T15:29:15 2020-01-17T15:29:15 krbtgt/[email protected]
[root@node1 ~]#
修改Kerberos用户的密码
[root@node1 ~]# kpasswd tom/node5
Password for tom/[email protected]:
Enter new password:
Enter it again:
Password changed.
下面这种方式不需要知道旧密码
[root@node1 ~]# kadmin.local
Authenticating as principal tom/[email protected] with password.
kadmin.local:
kadmin.local: change_password tom/node5
Enter password for principal "tom/[email protected]":
Re-enter password for principal "tom/[email protected]":
Password for "tom/[email protected]" changed.
kadmin.local:
获取凭据信息
kadmin.local: getprinc tom/node5
Principal: tom/[email protected]
Expiration date: [never]
Last password change: 四 1月 16 15:40:12 CST 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: 四 1月 16 15:40:12 CST 2020 (tom/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, camellia256-cts-cmac
Key: vno 3, camellia128-cts-cmac
Key: vno 3, des-hmac-sha1
Key: vno 3, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:
查看keytab文件中的帐号列表
[root@node1 ~]# klist -kt node34.keytab
Keytab name: FILE:node34.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 hdfs/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
2 2020-01-16T15:05:53 jack/[email protected]
[root@node1 ~]#