Ubuntu1804安装MIT Kerberos

Debian安装向导：http://techpubs.spinlocksolutions.com/dklar/kerberos.html

Ubuntu1804单机安装MIT Kerberos。

准备

修改主机名为krb.example.com

/etc/hosts配置：

127.0.0.1  localhost
10.1.25.31  krb.example.com krb

安装服务

sudo apt install krb5-{admin-server,kdc}

安装过程选项如下：

Default Kerberos version 5 realm? EXAMPLE.COM

Kerberos servers for your realm: krb1.example.com

Administrative server for your Kerberos realm: krb1.example.com

安装配置

设置REALM

执行sudo krb5_newrealm，设置REALM。

选项如下：

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter KDC database master key: PASSWORD

Re-enter KDC database master key to verify: PASSWORD

配置

编辑/etc/krb5.conf

[domain_realm]
	...
	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM
	
...

[logging]
	kdc = FILE:/var/log/kerberos/krb5kdc.log
	admin_server = FILE:/var/log/kerberos/kadmin.log
	default = FILE:/var/log/kerberos/krb5lib.log

创建目录文件：

sudo mkdir /var/log/kerberos
sudo touch /var/log/kerberos/{krb5kdc,kadmin,krb5lib}.log
sudo chmod -R 750  /var/log/kerberos

重启服务：

sudo systemctl restart krb5-kdc
sudo systemctl restart krb5-admin-server

安装测试

执行sudo kadmin.local，进入本地管理员交互程序。

如下：(listprincs命令列出所有主体；quit命令退出交互程序)

sudo kadmin.local
Authenticating as principal root/[email protected] with password.

kadmin.local:  listprincs

K/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]

kadmin.local:  quit

访问权利

启用管理员用户的所有访问权利。

编辑/etc/krb5kdc/kadm5.acl，添加：

*/admin *

重启服务：

sudo systemctl restart krb5-admin-server

Kerberos策略(policies)

增加4个策略，规定最小密码长度和最少包含几种字符类型

sudo kadmin.local
Authenticating as principal root/[email protected] with password.

kadmin.local:  add_policy -minlength 8 -minclasses 3 admin
kadmin.local:  add_policy -minlength 8 -minclasses 4 host
kadmin.local:  add_policy -minlength 8 -minclasses 4 service
kadmin.local:  add_policy -minlength 8 -minclasses 2 user

kadmin.local:  quit

创建第一个特权主体(privileged principal)

策略使用admin，要求密码长度最小为8，同时至少包含3种字符类型

sudo kadmin.local
Authenticating as principal root/[email protected] with password.

kadmin.local:  addprinc -policy admin root/admin

Enter password for principal "root/[email protected]": PASSWORD
Re-enter password for principal "root/[email protected]": PASSWORD
Principal "root/[email protected]" created.

kadmin.local:  quit

kadmin测试

kadmin -p root/admin
Authenticating as principal root/[email protected] with password.

Password for root/[email protected]: PASSWORD

kadmin:  listprincs

K/[email protected]
root/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]

kadmin:  quit

创建第一个无特权主体(unprivileged principal)

kadmin -p root/admin
Authenticating as principal root/[email protected] with password.

Password for root/[email protected]: PASSWORD

kadmin:  addprinc -policy user xwd

Enter password for principal "[email protected]": PASSWORD
Re-enter password for principal "[email protected]": PASSWORD
Principal "[email protected]" created.

kadmin:  quit

获取kerberos ticket

获取前

klist -f

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

获取

kinit xwd

Password for [email protected]: PASSWORD

获取后

klist -f

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
11/22/06 22:30:36  11/23/06 08:30:33  krbtgt/[email protected]
renew until 11/23/06 22:30:34, Flags: FPRIA

销毁

kdestroy

安装kerberized services

以openssh-server为例

安装

sudo apt install openssh-server

添加主体

kadmin -p root/admin
Authenticating as principal root/[email protected] with password.

kadmin.local:  addprinc -policy service -randkey host/monarch.example.com

Principal "host/[email protected]" created.

kadmin.local:  ktadd -k /etc/krb5.keytab host/monarch.example.com

Entry for principal host/monarch.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/monarch.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

kadmin:  quit

修改/etc/ssh/sshd_config配置

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
UsePAM yes

重启服务

sudo systemctl restart ssh

PAM配置

使用pam，用户登录后自动生成kerberos tickets，不需要运行kinit。

安装kerberos pam

sudo apt install libpam-krb5

切换到root用户，保存pam配置副本，以备恢复：

sudo su -
cd /etc
cp -a pam.d pam.d,orig

修改pam配置：

/etc/pam.d/common-account

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
autoh   optional                        pam_cap.so

/etc/pam.d/common-password

password        [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so

# If elogind and libpam-elogind are installed:
session optional                        pam_elogind.so

如果修改了上述配置，则重启你想要连接的服务，这里重启ssh:

sudo systemctl restart ssh

安装kerberized clients

sudo apt install openssh-client

测试连接

以xwd用户为例。

如果xwd不是系统用户，需要创建，如下：

sudo adduser --disabled-password xwd

获取kerberos ticket

kinit xwd

确认以持有kerberos ticket

klist-f

尝试连接

ssh [email protected]

不出意外的话，ssh连接成功。