Kerberos Authentication Lab

Source: Internet   Editor: 程序博客网   Time: 2024/05/16 07:05


Lab objectives

1. Understand the principles of identity authentication and why it matters

2. Learn the complete Kerberos authentication flow

3. Learn to configure a Kerberos authentication system on Linux

System environment

The Kerberos lab likewise needs three machines, each playing a different role (the servers run Linux 6.2):

192.168.71.134  kdc.example.com     Kerberos server and NIS server

192.168.71.131  server.example.com  application server, e.g. ssh, ftp, krb5-telnet

192.168.71.137  client.example.com  client

Kerberos version: Kerberos v5 1.63

Configuration of the KDC, 192.168.71.134:

Step 1: Install Kerberos

[root@localhost ~]# rpm -qa | grep krb5*

krb5-libs-1.9-22.el6.i686

krb5-auth-dialog-0.13-3.el6.i686

krb5-workstation-1.9-22.el6.i686

krb5-server-ldap-1.9-22.el6.i686

krb5-server-1.9-22.el6.i686

pam_krb5-2.3.11-9.el6.i686

# useradd -u 6001 user1    # create an ordinary user

Step 2: Install the NTP time-synchronisation server

Note: Kerberos is strict about clock synchronisation between hosts, so the ntp service must be configured.

[root@localhost ~]# rpm -qa | grep ntp

ntpdate-4.2.4p8-2.el6.i686

fontpackages-filesystem-1.41-1.1.el6.noarch

ntp-4.2.4p8-2.el6.i686

The above are the rpm packages ntp needs. Check whether they are installed on the system; if not, install ntp-4.2.4p8-2.el6.i686.

ntpd keeps the clocks of all hosts in the Kerberos system in sync. Edit /etc/ntp.conf and add one line:

restrict 192.168.71.0 mask 255.255.255.0 nomodify notrap    # offer time synchronisation to the hosts on the 192.168.71.0 network

Then restart the ntp service: [root@localhost ~]# service ntpd restart

Step 3: Configure NIS (Network Information Service)

The goal is to make kdc.example.com both the NIS server and the Kerberos server: NIS supplies the user information, Kerberos supplies the authentication.

1. Install the NIS server (service name: ypserv):

[root@localhost ~]# rpm -qa | grep ypserv

[root@localhost ~]# cd /mnt/cdrom
[root@localhost cdrom]# cd Packages/
[root@localhost Packages]# ls yp*
ypbind-1.20.4-29.el6.i686.rpm  yp-tools-2.9-12.el6.i686.rpm
ypserv-2.19-22.el6.i686.rpm
[root@localhost Packages]# rpm -ivh ypserv-2.19-22.el6.i686.rpm    (or: # yum -y install ypserv)

warning: ypserv-2.19-22.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:ypserv                 ########################################### [100%]

Configure ypserv: add the NIS domain, NISDOMAIN=hebau

# vim /etc/sysconfig/network

# nisdomainname hebau

Pin ypserv to a fixed port by adding the parameter YPSERV_ARGS=808 in vim /etc/sysconfig/network.

2. [root@localhost yp]# nisdomainname hebau

Edit the /etc/rc.d/rc.local file:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/bin/nisdomainname hebau

Generate the NIS maps:

[root@localhost ~]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  localhost is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  localhost
        next host to add:
The current list of NIS servers looks like this:

localhost

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/(none)/ypservers...
Running /var/yp/Makefile...
Domainname cannot be (none)
localhost has been set up as a NIS master server.
Now you can run ypinit -s localhost on all slave server.

Edit the /etc/hosts file:

127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.71.134  kerberos kerberos.example.com
192.168.71.134  kdc kerberos.example.com

Configure the KDC

Edit the krb5 configuration file /etc/krb5.conf.

The [logging] section controls logging and can be left alone.

[libdefaults] holds the defaults; default_realm names the default realm, i.e. the scope of authentication, conventionally written in upper case:

default_realm = KDC.EXAMPLE.COM

The [realms] section configures each realm:

[realms]
KDC.EXAMPLE.COM = {
  kdc = Kerberos.example.com:88
  admin_server = Kerberos.example.com:749
}

[domain_realm] maps DNS domains to realms, i.e. which machines authenticate in which realm:

.example.com = KDC.EXAMPLE.COM    # all users and machines in the example.com domain authenticate against KDC.EXAMPLE.COM

The [appdefaults] section gives parameters for pam, such as ticket lifetimes.

After editing, /etc/krb5.conf reads as follows:

forwardable = true

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /var/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}


Configure /var/kerberos/krb5kdc/kdc.conf, the file that holds the parameters specific to the KDC:

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

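The two configuration files above are where most first-time KDC builds go wrong: the realm name is spelled one way in krb5.conf and another way in the kdb5_util or kadm5.acl step (this lab itself alternates between KDC.EXAMPLE.COM and EXAMPLE.COM), and the supported_enctypes list still carries single-DES and RC4 types. The following Python script is an added example, not part of the lab and not MIT Kerberos code: it parses the krb5 profile syntax (sections, key = value, nested braces) and reports realm mismatches and weak encryption types. The sample configuration strings are constructed to mirror the files above; the WEAK_ENCTYPES list is an assumption drawn from MIT krb5's deprecation history.

```python
"""Lint a krb5.conf / kdc.conf pair for realm-name mismatches and weak enctypes.

Added example (not from the lab or from MIT Kerberos). The sample configs are
constructed to mirror the lab's files; WEAK_ENCTYPES is an assumption based on
MIT krb5's deprecation history, not a list read from any krb5 build.
"""

# Single-DES types are disabled by default and were removed in MIT krb5 1.18;
# 3DES and RC4 (arcfour) are deprecated since 1.19.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des-cbc-raw",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}

# Constructed sample mirroring the lab's final /etc/krb5.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Constructed sample mirroring the lab's kdc.conf, including its enctype list.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# The same realm block with the enctype list trimmed to AES only.
HARDENED_KDC_CONF = SAMPLE_KDC_CONF.split("supported_enctypes")[0] + \
    "supported_enctypes = aes256-cts:normal aes128-cts:normal\n }\n"


def parse_profile(text):
    """Parse MIT krb5 profile syntax ([section], key = value, key = { ... })
    into nested dicts. Lines starting with # or ; are comments."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError("data before the first [section]: %r" % raw)
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            raise ValueError("unparseable line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def lint(krb5_conf_text, kdc_conf_text, db_realm=None):
    """Return a list of findings. db_realm is the realm passed to kdb5_util -r."""
    krb5 = parse_profile(krb5_conf_text)
    kdc = parse_profile(kdc_conf_text)
    findings = []
    realms = krb5.get("realms", {})
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    else:
        if default_realm not in realms:
            findings.append("default_realm %s has no [realms] entry" % default_realm)
        if default_realm != default_realm.upper():
            findings.append("realm %s is not upper-case (realm names are case-sensitive)" % default_realm)
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("[domain_realm] %s -> %s: realm not defined in [realms]" % (domain, realm))
    for realm, cfg in kdc.get("realms", {}).items():
        if realm not in realms:
            findings.append("kdc.conf realm %s is missing from krb5.conf [realms]" % realm)
        for entry in cfg.get("supported_enctypes", "").split():
            etype = entry.split(":", 1)[0]          # strip the :normal / :v4 salt type
            if etype in WEAK_ENCTYPES:
                findings.append("kdc.conf realm %s: weak or deprecated enctype %s" % (realm, etype))
    if db_realm is not None and db_realm != default_realm:
        findings.append("database realm %s differs from default_realm %s" % (db_realm, default_realm))
    return findings


if __name__ == "__main__":
    # KDC.EXAMPLE.COM is the realm the lab later passes to kdb5_util create -r.
    for finding in lint(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF, db_realm="KDC.EXAMPLE.COM"):
        print(finding)
```

Run against the sample files it reports the five weak enctypes from the lab's list and, when told that the database was created for KDC.EXAMPLE.COM, the realm mismatch with default_realm; against HARDENED_KDC_CONF it reports nothing.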
Edit /var/kerberos/krb5kdc/kadm5.acl, the access-control file for kadmin, so that it contains:

*/admin@KDC.EXAMPLE.COM *

Create the local KDC database; -s stores the master key in a stash file so that it does not have to be typed on this host.

# kdb5_util create -r KDC.EXAMPLE.COM -s

[root@localhost etc]# kdb5_util create -r KDC.EXAMPLE.COM -s    (the KDC host is Kerberos.example.com)

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'KDC.EXAMPLE.COM',
master key name 'K/M@KDC.EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


Note: remember the KDC master password.

The command creates the local Kerberos database, i.e. the following files (the default directory is /usr/local/var/krb5kdc; on this system, as the output above shows, it is /var/kerberos/krb5kdc):

principal.db            Kerberos database file, stores the principals (with its index file)
principal.ok            Kerberos database lock file
principal.kadm5         the Kerberos administrative database file
principal.kadm5.lock    the administrative database lock file
.k5stash                the stash file, stores the KDC master key

-r specifies the realm (a Kerberos term); here we simply call it EXAMPLE.COM. A principal has a name and a password, authenticates to the KDC, and shares a secret key with it. Principals come in two kinds: ordinary users, who authenticate to the KDC and obtain service tickets, and service providers, which verify the ticket the KDC issued to a user in order to trust that user and serve them. The first kind types a password when logging in. The second kind needs its own key to decrypt the ticket issued by the KDC; that key is kept in a .keytab file, which is generated with the ktadd command on the KDC and normally lives under /etc.

By default the Kerberos database contains the following principals:

# kadmin.local
kadmin.local: listprincs

K/M@EXAMPLE.COM

kadmin/admin@EXAMPLE.COM

kadmin/changepw@EXAMPLE.COM

kadmin/history@EXAMPLE.COM

kadmin/kerberos.example.com@EXAMPLE.COM

krbtgt/EXAMPLE.COM@EXAMPLE.COM

Log into the KDC and add principals for the administrator and an ordinary user:

[root@kerberos krb5kdc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc user1    (student can be used instead)
WARNING: no policy specified for user1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user1@EXAMPLE.COM":
Re-enter password for principal "user1@EXAMPLE.COM":
Principal "user1@EXAMPLE.COM" created.

[root@kerberos krb5kdc]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc admin/admin
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.

Note: addprinc prompts for a password. The root/admin password must never leak, otherwise the whole realm is compromised; user1's password is simply that user's login password.

Run kinit and klist to check that the admin/admin account works:

[root@kerberos krb5kdc]# kinit root/admin
Password for root/admin@EXAMPLE.COM:
[root@kerberos krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/15 04:01:33  05/03/15 04:01:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 05/02/15 04:01:33

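klist output is the quickest way to confirm what the KDC actually issued, and two details in the listing above deserve a second look: the TGT is valid for 24 hours, not the 36000 seconds (10 hours) set in the [appdefaults] pam block (that block is read by pam_krb5, not by kinit, which takes its defaults from [libdefaults]), and the "renew until" time equals the start time, so the ticket cannot be renewed. The following Python script is an added example, not part of the lab: it parses klist output in the MIT format shown above and reports the TGT's lifetime, renewability and realm against a maximum lifetime you pass in. SAMPLE_KLIST is constructed from the listing above.

```python
"""Parse MIT klist output and check the TGT against an intended lifetime.

Added example (not from the lab). SAMPLE_KLIST is constructed from the lab's
klist listing; the date format is the one MIT klist prints on this system.
"""
import re
from datetime import datetime

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^\s*(%s)\s+(%s)\s+(\S+)" % (TS, TS))
RENEW_RE = re.compile(r"renew until (%s)" % TS)

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/15 04:01:33  05/03/15 04:01:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/02/15 04:01:33
"""


def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [{'start', 'expires', 'service', 'renew_until'}]}."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            info["tickets"].append({"start": parse_ts(m.group(1)),
                                    "expires": parse_ts(m.group(2)),
                                    "service": m.group(3),
                                    "renew_until": None})
            continue
        m = RENEW_RE.search(line)
        if m and info["tickets"]:
            # the indented "renew until" line belongs to the ticket printed just before it
            info["tickets"][-1]["renew_until"] = parse_ts(m.group(1))
    return info


def check_tgt(info, max_lifetime_seconds):
    """Facts a reviewer wants about the ticket-granting ticket in the cache."""
    tgts = [t for t in info["tickets"] if t["service"].startswith("krbtgt/")]
    if not tgts:
        raise ValueError("no krbtgt ticket in cache")
    tgt = tgts[0]
    user_realm = info["principal"].rsplit("@", 1)[1]
    tgt_realm = tgt["service"].split("/", 1)[1].split("@", 1)[0]   # krbtgt/<realm>@<realm>
    lifetime = int((tgt["expires"] - tgt["start"]).total_seconds())
    return {
        "lifetime_seconds": lifetime,
        # a TGT is renewable only if it may be renewed past its current expiry
        "renewable": tgt["renew_until"] is not None and tgt["renew_until"] > tgt["expires"],
        "cross_realm": tgt_realm != user_realm,
        "exceeds_policy": lifetime > max_lifetime_seconds,
    }


if __name__ == "__main__":
    report = check_tgt(parse_klist(SAMPLE_KLIST), max_lifetime_seconds=36000)
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

On the sample it reports a lifetime of 86400 seconds, not renewable, same realm, and exceeds_policy True for a 36000-second limit. The same parser applied to the output of `klist` on the application server later in the lab shows whether the host/ and ftp/ service tickets were issued from the realm you expect.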
Commands to list and delete existing principals:

kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kerberos.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
user1@EXAMPLE.COM
kadmin.local: getprinc user1
kadmin.local: delprinc user1    (the delete command is needed further on; do not actually run it here)

Export the keytab for the kadmin service, then quit kadmin:

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab root/admin

Entry for principal kadmin/admin with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

Grant privileges to the administrator account admin/admin

Now grant the admin account its privileges; they are determined by the entries in /usr/local/var/krb5kdc/kadm5.acl. To give admin/admin the right to "administer all principals", add a line like the following to /usr/local/var/krb5kdc/kadm5.acl, using the wildcard:

admin/admin@EXAMPLE.COM *

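The wildcard in these kadm5.acl entries is what decides who may create, delete and re-key principals, so it is worth checking what a given line actually grants before starting kadmin. The following Python script is an added example, not part of the lab and not MIT's own ACL code: it parses kadm5.acl lines and answers "may principal X perform operation Y on target Z", using the first-match rule, the single-component meaning of `*`, and the privilege letters from the MIT kadm5.acl documentation (treated here as assumptions; back-references such as *1 in target patterns are not modelled). The sample ACL is constructed: its first two lines mirror the lab's entries, the helpdesk line is added to show a scoped entry. It also makes visible that the lab's first kadm5.acl line names the realm KDC.EXAMPLE.COM while root/admin was created in EXAMPLE.COM, so that line would not authorize it.

```python
"""Evaluate kadm5.acl entries: may a principal perform an operation on a target?

Added example (not part of the lab, not MIT's server_acl code). Modelled on the
documented format "<principal pattern> <privileges> [<target pattern>]":
the first matching entry decides, '*' matches exactly one name component,
lower-case letters grant and upper-case letters deny, '*' or 'x' means all.
Back-references (*1, *2) in target patterns are not modelled (assumption).
"""

ALL_PRIVS = set("admcilsp")   # what '*' / 'x' expand to ('e', extract keys, is separate)

# Constructed sample: the first two lines mirror the lab's entries, the third is an
# added, deliberately scoped entry for a help desk that may only change passwords
# and inquire on one-component (user) principals.
SAMPLE_ACL = """\
*/admin@EXAMPLE.COM *
admin/admin@EXAMPLE.COM *
helpdesk@EXAMPLE.COM ci *@EXAMPLE.COM
"""

# The lab's first kadm5.acl line, which names a different realm than the one
# the principals were later created in.
LAB_ACL_OTHER_REALM = "*/admin@KDC.EXAMPLE.COM *\n"


def split_principal(text, default_realm):
    """'root/admin@EXAMPLE.COM' -> (['root', 'admin'], 'EXAMPLE.COM')."""
    name, sep, realm = text.partition("@")
    return name.split("/"), (realm if sep else default_realm)


def match_principal(pattern, principal, default_realm):
    """'*' matches exactly one component; component counts and realm must agree."""
    p_comps, p_realm = split_principal(pattern, default_realm)
    c_comps, c_realm = split_principal(principal, default_realm)
    if len(p_comps) != len(c_comps):
        return False
    if p_realm != "*" and p_realm != c_realm:
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, c_comps))


def parse_privs(field):
    """'ci' -> {'c', 'i'}; '*' -> all; an upper-case letter removes that privilege."""
    allowed = set()
    for ch in field:
        if ch in "*x":
            allowed |= ALL_PRIVS
        elif ch.islower():
            allowed.add(ch)
        else:
            allowed.discard(ch.lower())
    return allowed


def parse_acl(text):
    """Return [(principal pattern, privilege set, target pattern or None), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed kadm5.acl line: %r" % raw)
        entries.append((fields[0], parse_privs(fields[1]),
                        fields[2] if len(fields) > 2 else None))
    return entries


def is_allowed(acl_text, principal, op, target=None, default_realm="EXAMPLE.COM"):
    """The first entry whose principal pattern (and target pattern, if present) matches decides."""
    for who, privs, target_pat in parse_acl(acl_text):
        if not match_principal(who, principal, default_realm):
            continue
        if target_pat is not None and (
                target is None or not match_principal(target_pat, target, default_realm)):
            continue
        return op in privs
    return False


def overly_broad_entries(acl_text):
    """Entries granting every privilege to a wildcard pattern with no target restriction."""
    return [who for who, privs, target_pat in parse_acl(acl_text)
            if "*" in who and privs == ALL_PRIVS and target_pat is None]


if __name__ == "__main__":
    print(is_allowed(SAMPLE_ACL, "root/admin@EXAMPLE.COM", "d", "user1@EXAMPLE.COM"))
    print(is_allowed(LAB_ACL_OTHER_REALM, "root/admin@EXAMPLE.COM", "d", "user1@EXAMPLE.COM"))
    print(overly_broad_entries(SAMPLE_ACL))
```

Note the ordering trap the first-match rule creates: had the helpdesk principal been named helpdesk/admin, the `*/admin@EXAMPLE.COM *` line above it would have matched first and granted it everything, and the scoped line would never have been consulted.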
Restore the SELinux contexts of the files edited above:

[root@kerberos krb5kdc]# restorecon -R -v /var/kerberos/krb5kdc/
[root@kerberos krb5kdc]# restorecon -R -v /var/log/
[root@kerberos krb5kdc]# restorecon -R -v /etc/krb5.conf

Start the services:

[root@kerberos krb5kdc]# service krb5kdc restart    (the first time, use start)
[root@kerberos krb5kdc]# service kadmin restart    (the first time, use start)

That completes the configuration of the Kerberos server.

Configuration of the application server, 192.168.71.131:

1. First install Krb5kdc.

2. Copy /etc/krb5.conf over from kdc.example.com, which saves configuring it again:

# scp root@kdc.example.com:/etc/krb5.conf /etc/krb5.conf

The authenticity of host 'kdc.example.com (192.168.71.131)' can't be established.
RSA key fingerprint is c3:e8:b9:b8:5a:ad:63:e7:51:29:57:50:2b:a3:f9:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kdc.example.com,192.168.71.131' (RSA) to the list of known hosts.
root@kdc.example.com's password:
krb5.conf                                     100%  449     0.4KB/s   00:00

# restorecon -R -v /etc/krb5.conf

Install all the related software. vim /etc/hosts:

127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.71.134  kerberos kerberos.example.com
192.168.71.134  kdc kdc.example.com
192.168.71.131  telnet server.example.com

kinit -k -t /etc/krb5.keytab host/server.example.com

Configure the server as a NIS client and have it use Kerberos authentication:

# authconfig-tui, then adjust the NIS settings accordingly

Add the service principals on the KDC and export the server's own keys:

server# kadmin
kadmin: addprinc -randkey host/server.example.com    # krb5-telnet and ssh both use the host/ principal
kadmin: addprinc -randkey ftp/server.example.com     # gssftp uses the ftp/ principal

Export them to the local keytab:

kadmin: ktadd -k /etc/krb5.keytab host/server.example.com
kadmin: ktadd -k /etc/krb5.keytab ftp/server.example.com

Check the firewall and SELinux.
