Prepare two virtual machines, 192.168.1.101 and 192.168.1.102: 101 is the Kerberos server and 102 is the Kerberos client. Open port 88 on both.

1. Install the Kerberos server

```
yum -y install krb5-libs krb5-server
```

1.1 Configure /etc/krb5.conf
```
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SNSPRJ.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 # insert by xiaohb 20170824 start
 udp_preference_limit = 1
 # insert by xiaohb 20170824 end

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 SNSPRJ.COM = {
  kdc = kerberos.snsprj.com
  admin_server = kerberos.snsprj.com
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .snsprj.com = SNSPRJ.COM
 snsprj.com = SNSPRJ.COM
```

udp_preference_limit = 1 disables UDP: the library switches to TCP for any message larger than this limit, so every KDC request goes over TCP.
1.2 Configure /var/kerberos/krb5kdc/kdc.conf

```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SNSPRJ.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
```
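An added check, not part of the original walkthrough: the supported_enctypes line in this kdc.conf still lists single-DES, 3DES and RC4 (arcfour) types, which MIT krb5 has since deprecated or removed. The Python script below, written for this page, parses the kdc.conf profile format (sections, key = value pairs and nested { } blocks) and reports those names per realm; the embedded kdc.conf is a constructed copy of the one shown above.

```python
# Constructed sample: the kdc.conf from the walkthrough above, embedded so this runs offline.
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 SNSPRJ.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
# Enctype families MIT krb5 has deprecated (3DES, RC4) or removed outright (single DES).
WEAK_PREFIXES = ("des3-", "arcfour-", "des-")

def parse_krb5_conf(text):
    """Parse the krb5.conf/kdc.conf profile format: [sections], key = value, key = { ... }."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):  # new top-level section
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if line == "}":                                  # close a nested block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                                 # open a nested block (e.g. a realm)
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root

def weak_enctypes(conf):
    """Map each realm to the weak names in its supported_enctypes (enctype:salt pairs)."""
    result = {}
    for realm, settings in conf.get("realms", {}).items():
        names = [e.split(":", 1)[0] for e in settings.get("supported_enctypes", "").split()]
        result[realm] = [n for n in names if n.startswith(WEAK_PREFIXES)]
    return result

if __name__ == "__main__":
    for realm, weak in weak_enctypes(parse_krb5_conf(KDC_CONF)).items():
        print(realm, "weak enctypes:", ", ".join(weak) or "none")
```

Trimming the list to the AES and Camellia entries removes every flagged name; the same parser works on /etc/krb5.conf, since both files share the profile format.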
1.3 Create/initialize the Kerberos database

```
/usr/sbin/kdb5_util create -s
```

If it hangs at "Loading random data", open another window and run cat /dev/sda > /dev/urandom to burn CPU and speed up entropy collection.

Once the Kerberos database has been created, several files appear in /var/kerberos/krb5kdc:

```
-rw-------. 1 root root   21 Aug 24 11:34 kadm5.acl
-rw-------. 1 root root  450 Aug 24 11:27 kdc.conf
-rw-------. 1 root root 8192 Aug 24 11:35 principal
-rw-------. 1 root root 8192 Aug 24 11:33 principal.kadm5
-rw-------. 1 root root    0 Aug 24 11:33 principal.kadm5.lock
-rw-------. 1 root root    0 Aug 24 11:35 principal.ok
```
1.4 Add a database administrator

```
/usr/sbin/kadmin.local -q "addprinc username/admin"
```

1.5 Grant the database administrator ACL rights by editing /var/kerberos/krb5kdc/kadm5.acl to contain:

1.6 Start the Kerberos daemons

```
/bin/systemctl start krb5kdc.service
/bin/systemctl start kadmin.service
```

2. Install the Kerberos client

```
yum install krb5-workstation krb5-libs
```

2.1 Configure /etc/krb5.conf: simply copy the krb5.conf file from the Kerberos server.

3. Basic Kerberos commands

4. Log in to the Kerberos server with JAAS
```java
package com.snsprj.jaas0822;

import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * This JaasAcn application attempts to authenticate a user
 * and reports whether or not the authentication was successful.
 *
 * Created by skh on 2017/8/22.
 */
public class JaasAcn {

    public static void main(String[] args) {

        // Point JAAS and the Kerberos client library at the local config files.
        String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
        System.setProperty("java.security.auth.login.config", path + "jaas.conf");
        System.setProperty("java.security.krb5.conf", path + "krb5.conf");
        // System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
        // System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");

        // sun.security.krb5.debug: print the Kerberos exchange to stdout
        System.setProperty("sun.security.krb5.debug", "true");

        // Obtain a LoginContext, needed for authentication. Tell it
        // to use the LoginModule implementation specified by the
        // entry named "JaasSample" in the JAAS login configuration
        // file and to also use the specified CallbackHandler.
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());

            // attempt authentication
            try {
                lc.login();
            } catch (LoginException le) {
                le.printStackTrace();
                System.err.println("Authentication failed:");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }
        } catch (LoginException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            System.exit(-1);   // do not fall through to the success message
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        }

        System.out.println("Authentication succeeded!");
    }
}
```

jaas.conf

```
/** Login Configuration for the JaasAcn and
 ** JaasAzn Applications **/

JaasSample {
   com.sun.security.auth.module.Krb5LoginModule required debug=true refreshKrb5Config=true;
};
```

krb5.conf is copied from the Kerberos server.
References:

- The Kerberos 5 GSS-API Mechanism: https://docs.oracle.com/javase/9/security/kerberos-5-gss-api-mechanism.htm#JSSEC-GUID-23D30A4B-CC38-45ED-83D5-C59ABB72762E
- javax.security.auth.login.LoginException: Receive timed out: https://stackoverflow.com/questions/44214324/java-io-ioexception-login-failure-for-myuserexample-com-from-keytab/44228073#44228073