# Environment
Two virtual machines running CentOS 7 are enough.
One CentOS host for the Kerberos server and one for the client.
(This document is best viewed with Typora.)
# 1. Kerberos server configuration
## 1.1 Install and configure the Kerberos server
```bash
[root@localhost ~]# yum install krb5-server krb5-libs krb5-auth-dialog -y
[root@localhost ~]# vi /var/kerberos/krb5kdc/kdc.conf
# krb5 configuration files only treat whole lines starting with # as comments,
# so the annotations below sit on their own lines rather than after a value.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
# Java needs extra JAR files to use aes256-cts; see section 2.2.9 on AES-256 encryption. Not recommended.
#master_key_type = aes256-cts
# Defines the admin users' permissions. The file format is
#   Kerberos_principal permissions [target_principal] [restrictions]
# and wildcards are supported.
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
# Keytab the KDC uses for verification; how to create it is described later.
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
# supported_enctypes lists the supported encryption types. Note that aes256-cts has been removed.
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
```
```bash
[root@localhost ~]# vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
# Where the server-side logs are written
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
# How long a ticket stays valid, usually 24 hours.
ticket_lifetime = 24h
# The longest a ticket can be renewed for, usually one week. Once a ticket has expired, further access to Kerberos-protected services fails.
renew_lifetime = 7d
forwardable = true
rdns = false
# The default realm; it must match the name of the realm configured below.
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
# Setting udp_preference_limit = 1 forbids UDP; this avoids a bug in Hadoop.
# udp_preference_limit = 1
# Lists the realms in use.
[realms]
EXAMPLE.COM = {
# Location of the KDC, in the form host:port
kdc = kerberos.example.com
# Location of the admin server, in the form host:port
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```
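Before creating the database it is worth checking the two files just written. The script below is an added example and not part of the original tutorial: it reads a kdc.conf and a krb5.conf laid out as above (the sample files it writes to a temporary directory are constructed copies of the settings shown here) and reports, first, which entries in supported_enctypes are deprecated (single-DES, triple-DES and RC4/arcfour are deprecated by RFC 8429, and this document's list still carries five of them), and second, whether default_realm in krb5.conf actually has a matching block under [realms].

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the KDC's
# kdc.conf and krb5.conf before kdb5_util is run.
# Assumption: profile-style files ("key = value" lines, [section] headers,
# whole-line # comments), as written in this document.

# Print every enctype in supported_enctypes that is deprecated (RFC 8429
# deprecates single-DES, triple-DES and RC4/arcfour). Prints nothing if clean.
weak_enctypes() {                     # $1 = path to kdc.conf
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ' '\n' |                 # one "enctype:salt" entry per line
        sed 's/:.*//' |               # drop the salt type
        grep -E '^(des-|des3-|arcfour-)' || true
}

# Succeed (exit 0) only if krb5.conf's default_realm has a "REALM = {" block
# inside the [realms] section; fail otherwise.
realm_defined() {                     # $1 = path to krb5.conf
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    awk -v r="$realm" '
        /^\[/ { in_realms = ($0 ~ /^\[realms\]/); next }
        in_realms && $1 == r && $2 == "=" && $3 == "{" { found = 1 }
        END { exit !found }' "$1"
}

# --- constructed sample files mirroring the settings in this document ---
SAMPLE_DIR=$(mktemp -d)
KDC_CONF="$SAMPLE_DIR/kdc.conf"
KRB5_CONF="$SAMPLE_DIR/krb5.conf"
KRB5_BAD="$SAMPLE_DIR/krb5-bad.conf"

cat > "$KDC_CONF" <<'EOF'
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
EOF

# Same file with a typo in the realm block name: default_realm no longer matches.
sed 's/^EXAMPLE.COM = {/EXAMPLE.ORG = {/' "$KRB5_CONF" > "$KRB5_BAD"

echo "deprecated enctypes in $KDC_CONF:"
weak_enctypes "$KDC_CONF"
realm_defined "$KRB5_CONF" && echo "krb5.conf: default_realm is defined under [realms]"
realm_defined "$KRB5_BAD" || echo "krb5-bad.conf: default_realm has no [realms] block"
```

Run it against the real files with `weak_enctypes /var/kerberos/krb5kdc/kdc.conf` and `realm_defined /etc/krb5.conf`; an empty first result and a zero exit status from the second are what you want before moving on to kdb5_util.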
## 1.2 Create/initialize the Kerberos database
```bash
[root@localhost ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM
[root@localhost krb5kdc]# ll /var/kerberos/krb5kdc
總用量 24
-rw-------. 1 root root 22 12月 7 2016 kadm5.acl
-rw-------. 1 root root 459 8月 23 10:45 kdc.conf
-rw-------. 1 root root 8192 8月 23 10:46 principal
-rw-------. 1 root root 8192 8月 23 10:42 principal.kadm5
-rw-------. 1 root root 0 8月 23 10:42 principal.kadm5.lock
-rw-------. 1 root root 0 8月 23 10:46 principal.ok
```
[-s] generates a stash file in which the master server key (krb5kdc) is stored; [-r] specifies a realm name, which is only necessary when krb5.conf defines several realms.
If the database has to be rebuilt, delete the principal* files in this directory; do not delete the other two files.
During this step we enter the database master password. Remember this password: if it is forgotten, the Kerberos server can no longer be managed. Here the password is test.
## 1.3 Add a database administrator
We need to add administrative principals (principals that can manage the database) to the Kerberos database: at least one is required so that the Kerberos administration daemon kadmind can communicate with the kadmin program over the network.
```bash
[root@localhost ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": testtest
Re-enter password for principal "admin/admin@EXAMPLE.COM": testtest
Principal "admin/admin@EXAMPLE.COM" created.
[root@localhost ~]#
# Add an administrator ryan with admin rights; the password is 123456
[root@localhost ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc ryan/admin #add ryan/admin
WARNING: no policy specified for ryan/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "ryan/admin@EXAMPLE.COM": 123456
Re-enter password for principal "ryan/admin@EXAMPLE.COM": 123456
Principal "ryan/admin@EXAMPLE.COM" created.
kadmin.local: listprincs #list all principals
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ryan/admin@EXAMPLE.COM
kadmin.local: delprinc ryan/admin #delete ryan/admin (the full name ryan/admin is required, not just ryan)
Are you sure you want to delete the principal "ryan/admin@EXAMPLE.COM"? (yes/no): yes
Principal "ryan/admin@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local: modprinc -maxrenewlife 1week ryan/admin@EXAMPLE.COM #set the maximum renewable life to 7 days
Principal "ryan/admin@EXAMPLE.COM" modified.
#(modprinc only succeeds while ryan/admin still exists: after the delprinc above, re-add the principal first, or run modprinc before deleting it)
kadmin.local: exit
# The following command cannot be used yet (kadmin is part of krb5-workstation, which is installed in section 2.1):
[root@localhost ~]# kadmin
-bash: kadmin: 未找到命令
```
## 1.4 Set ACL permissions for the database administrator
```bash
[root@localhost krb5kdc]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
# Every principal whose name matches */admin@EXAMPLE.COM is treated as an admin; the permission field * grants all permissions.
```
On the KDC we need to edit the ACL file to set permissions. Its default path is /var/kerberos/krb5kdc/kadm5.acl (this can be changed in kdc.conf). The kadmind daemon uses this file to control access to the Kerberos database. For operations that may affect principals, the ACL file also controls which principals may operate on which other principals.
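A wildcard entry such as `*/admin@EXAMPLE.COM *` is easy to over-read, so it helps to check what a given principal actually gets from the file. The script below is an added example, not part of the original tutorial. It simplifies kadmind's matching: the first matching line wins, the optional target_principal and restrictions fields are ignored, and `*` is matched per principal component (name, /instance, @realm) with a shell glob, so `*/admin@EXAMPLE.COM` covers ryan/admin@EXAMPLE.COM but neither ryan@EXAMPLE.COM nor a/b/admin@EXAMPLE.COM. The sample ACL it writes is constructed: the tutorial's line plus a read-only `il` (inquire, list) entry for ryan@EXAMPLE.COM.

```shell
#!/bin/sh
# Added example (not from the original tutorial): resolve the permissions a
# principal gets from a kadm5.acl file, to check an ACL before relying on it.
# Assumptions/simplifications: the first matching line wins; target_principal
# and restrictions fields are ignored; "*" is matched per component with a
# shell glob rather than with kadmind's own matcher.
set -f    # patterns contain "*": never let the shell expand them as filenames

# Split a principal into components, keeping the / and @ separators attached:
# ryan/admin@EXAMPLE.COM -> "ryan /admin @EXAMPLE.COM"
components() {
    printf '%s' "$1" | sed 's|/| /|g; s|@| @|g'
}

# Exit 0 if principal $2 matches ACL pattern $1 component by component.
match_principal() {
    pat=$(components "$1")
    pri=$(components "$2")
    set -- $pat                       # pattern components become $1 $2 ...
    for c in $pri; do
        [ $# -gt 0 ] || return 1      # principal has more components than pattern
        case "$c" in $1) ;; *) return 1 ;; esac
        shift
    done
    [ $# -eq 0 ]                      # pattern must be fully consumed too
}

# Print the permission string of the first ACL line matching principal $2;
# exit 1 and print nothing if no line matches, i.e. kadmind would deny access.
acl_perms() {                         # $1 = path to kadm5.acl, $2 = principal
    while read -r pattern perms rest; do
        case "$pattern" in ''|'#'*) continue ;; esac
        if match_principal "$pattern" "$2"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done < "$1"
    return 1
}

# --- constructed sample ACL: the tutorial's line plus one read-only entry ---
ACL_FILE=$(mktemp)
cat > "$ACL_FILE" <<'EOF'
# kadm5.acl: principal_pattern permissions
*/admin@EXAMPLE.COM *
ryan@EXAMPLE.COM il
EOF

for p in ryan/admin@EXAMPLE.COM ryan@EXAMPLE.COM bob@EXAMPLE.COM a/b/admin@EXAMPLE.COM; do
    printf '%-26s -> %s\n' "$p" "$(acl_perms "$ACL_FILE" "$p" || echo '(no access)')"
done
```

The last loop prints `*` for ryan/admin, `il` for ryan, and "(no access)" for bob and for the four-component name, which is the behaviour the tutorial's ACL is meant to have.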
## 1.5 Start the Kerberos daemons on the master KDC
```bash
[root@localhost krb5kdc]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost krb5kdc]# systemctl start krb5kdc
[root@localhost krb5kdc]# systemctl enable krb5kdc
[root@localhost krb5kdc]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@localhost krb5kdc]# systemctl start kadmin
[root@localhost krb5kdc]# systemctl enable kadmin
[root@localhost krb5kdc]# tail -f /var/log/krb5kdc.log
otp: Loaded
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): setting up network...
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 10: udp ::.88 (pktinfo)
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 12: tcp 0.0.0.0.88
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): listening on fd 11: tcp ::.88
8月 23 11:17:20 localhost.localdomain krb5kdc[4914](info): set up 4 sockets
8月 23 11:17:20 localhost.localdomain krb5kdc[4915](info): commencing operation
[root@localhost krb5kdc]# tail -f /var/log/kadmind.log
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 10: udp ::.464 (pktinfo)
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 12: tcp 0.0.0.0.464
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 11: tcp ::.464
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 13: rpc 0.0.0.0.749
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): listening on fd 14: rpc ::.749
8月 23 11:17:32 localhost.localdomain kadmind[4940](info): set up 6 sockets
8月 23 11:17:32 localhost.localdomain kadmind[4941](info): Seeding random number generator
8月 23 11:17:32 localhost.localdomain kadmind[4941](info): starting
```
The KDC is now running. The two daemons run in the background; their log files are /var/log/krb5kdc.log and /var/log/kadmind.log.
You can check that the two daemons are working with the client command kinit.
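The same log files are also where password guessing against the KDC shows up: every wrong password for a principal that requires pre-authentication is logged in /var/log/krb5kdc.log as an AS_REQ with status PREAUTH_FAILED, and requests for non-existent accounts as CLIENT_NOT_FOUND. The script below is an added example, not part of the original tutorial. The log lines it feeds itself are constructed samples in the MIT krb5kdc format (English-locale timestamps rather than the Chinese-locale ones shown above), and the client addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original tutorial): count failed pre-authentication
# attempts in /var/log/krb5kdc.log so repeated wrong passwords stand out.
# Assumption: MIT krb5kdc log lines of the form
#   <date> <host> krb5kdc[<pid>](info): AS_REQ (...) <ip>: <STATUS>: <client> for <server>, <message>

# Print "client count" for every client with at least $2 PREAUTH_FAILED AS_REQs in $1.
preauth_failures() {                  # $1 = log file, $2 = minimum count to report
    awk -v min="$2" '
        /krb5kdc\[/ && /AS_REQ/ && /PREAUTH_FAILED:/ {
            # the client principal is the token right after "PREAUTH_FAILED:"
            for (i = 1; i <= NF; i++)
                if ($i == "PREAUTH_FAILED:") { n[$(i + 1)]++; break }
        }
        END { for (p in n) if (n[p] >= min) print p, n[p] }' "$1"
}

# Print "ip count" for every source address with at least $2 failed AS_REQs of
# either kind (PREAUTH_FAILED or CLIENT_NOT_FOUND): one host trying many accounts.
failing_sources() {                   # $1 = log file, $2 = minimum count to report
    awk -v min="$2" '
        /AS_REQ/ && (/PREAUTH_FAILED:/ || /CLIENT_NOT_FOUND:/) {
            # the source address is the only "digits-and-dots:" token on the line
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+:$/) { sub(/:$/, "", $i); n[$i]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# --- constructed sample log: three bad passwords for ryan/admin from one host,
#     one unknown account, and one bad-then-good login for admin/admin ---
LOG_FILE=$(mktemp)
cat > "$LOG_FILE" <<'EOF'
Aug 23 11:20:01 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.20: NEEDED_PREAUTH: ryan/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Aug 23 11:20:03 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.20: PREAUTH_FAILED: ryan/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Aug 23 11:20:05 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.20: PREAUTH_FAILED: ryan/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Aug 23 11:20:07 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.20: PREAUTH_FAILED: ryan/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Aug 23 11:20:09 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.20: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Aug 23 11:20:11 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.30: PREAUTH_FAILED: admin/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Aug 23 11:20:13 localhost.localdomain krb5kdc[4914](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.56.30: ISSUE: authtime 1503458413, etypes {rep=18 tkt=18 ses=18}, admin/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF

echo "principals with 3 or more failed pre-auths:"; preauth_failures "$LOG_FILE" 3
echo "sources with 4 or more failures:";           failing_sources "$LOG_FILE" 4
```

On a live KDC the same two functions can be pointed at /var/log/krb5kdc.log from cron; the thresholds are the only tuning, and ISSUE lines for the same principal right after a run of failures are worth a second look as well.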
# 2. Client operations
## 2.1 Install the client
```bash
[root@localhost ~]# yum install -y krb5-workstation krb5-libs krb5-auth-dialog
```
## 2.2 Configure krb5.conf
Configure /etc/krb5.conf on these hosts; its content should be identical to the file on the KDC server.
## 2.3 Authenticate, then log in
Log in to the administrator account: on the KDC itself you can log in directly with kadmin.local; on other machines, authenticate with kinit first.
```bash
# Authenticate:
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
Password for ryan/admin@EXAMPLE.COM: 123456
# Log in:
[root@localhost ~]# kadmin
Authenticating as principal ryan/admin@EXAMPLE.COM with password.
Password for ryan/admin@EXAMPLE.COM:
kadmin: list_principals #list all principals
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ryan/admin@EXAMPLE.COM
kadmin:
# Show the currently authenticated user:
[root@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ryan/admin@EXAMPLE.COM
Valid starting Expires Service principal
2017-08-23T14:01:32 2017-08-24T14:01:32 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 2017-08-30T14:01:32
[root@localhost ~]#
```
## 2.4 Create a keytab
```bash
[root@localhost tmp]# mkdir -p /var/kerberos/krb5kdc/
[root@localhost tmp]# kinit ryan/admin@EXAMPLE.COM
[root@localhost tmp]# kadmin
#Create a key table (keytab): first form
kadmin: xst -k /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type camellia256-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type camellia128-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 25, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
#Create a key table (keytab): second form
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type camellia256-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type camellia128-cts-cmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal ryan/admin@EXAMPLE.COM with kvno 24, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin:
# Show which keys were added to the keytab (each principal has entries for several encryption types)
[root@localhost ~]# klist -e -k -t /var/kerberos/krb5kdc/kadm5.keytab
```
## 2.5 Log in with the keytab (no password needed)
```bash
# Logging in with the password used earlier now fails with a password error: generating the keytab creates a new random key and writes it into the keytab file. The kinit step below can be omitted:
[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kadmin -kt /var/kerberos/krb5kdc/kadm5.keytab -p ryan/admin@EXAMPLE.COM
Authenticating as principal ryan/admin@EXAMPLE.COM with keytab /var/kerberos/krb5kdc/kadm5.keytab.
kadmin: ?
```
## 2.6 Delete the current credential cache
```bash
[root@localhost ~]# kdestroy
```
## 2.7 Extend the ticket expiry time
```bash
[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kinit -R #renew the ticket
kinit: KDC can't fulfill requested option while renewing credentials
# Note: the ticket cannot be renewed, probably because the principal's maxrenewlife is 0 days.
[root@localhost ~]# kadmin.local
kadmin.local: modprinc -maxrenewlife 1week ryan/admin@EXAMPLE.COM
Principal "ryan/admin@EXAMPLE.COM" modified.
[root@localhost ~]# kinit -kt /var/kerberos/krb5kdc/kadm5.keytab ryan/admin@EXAMPLE.COM
[root@localhost ~]# kinit -R
[root@localhost ~]# #No output means the ticket was renewed successfully
```
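Whether `kinit -R` can succeed is visible in `klist` before you try: a renewable ticket has a "renew until" line (section 2.3), a ticket issued to a principal with maxrenewlife 0 does not. The script below is an added example, not part of the original tutorial. It reads klist output and classifies the TGT at a chosen instant; it assumes klist prints ISO-8601 timestamps as in this document's output, so that comparing the strings lexically is the same as comparing the times. The two sample outputs it writes are constructed from the klist listing in section 2.3, once as shown and once with the "renew until" line removed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): read `klist` output and say
# whether the TGT is still valid, expired but renewable with `kinit -R`, or
# expired for good (what a principal with maxrenewlife 0 ends up with).
# Assumption: klist prints ISO-8601 timestamps (YYYY-MM-DDTHH:MM:SS) as in
# this document, so string comparison orders them correctly.

# Print one of: valid | expired-renewable | expired | no-tgt
tgt_state() {                         # $1 = file with klist output, $2 = "now" as YYYY-MM-DDTHH:MM:SS
    awk -v now="$2" '
        $3 ~ /^krbtgt\// { expires = $2; have_tgt = 1 }   # "<start> <expires> krbtgt/REALM@REALM"
        $1 == "renew" && $2 == "until" { renew = $3 }    # printed only for renewable tickets
        END {
            if (!have_tgt)                        print "no-tgt"
            else if (now < expires)               print "valid"
            else if (renew != "" && now < renew)  print "expired-renewable"
            else                                  print "expired"
        }' "$1"
}

# --- constructed samples: the tutorial's klist output, with and without a renew line ---
KLIST_RENEWABLE=$(mktemp)
cat > "$KLIST_RENEWABLE" <<'EOF'
Ticket cache: KEYRING:persistent:0:0
Default principal: ryan/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
2017-08-23T14:01:32  2017-08-24T14:01:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 2017-08-30T14:01:32
EOF

# Same ticket for a principal whose maxrenewlife is 0: klist shows no "renew until".
KLIST_FIXED=$(mktemp)
grep -v 'renew until' "$KLIST_RENEWABLE" > "$KLIST_FIXED"

for now in 2017-08-23T20:00:00 2017-08-25T00:00:00 2017-09-01T00:00:00; do
    printf 'at %s: renewable ticket is %s, non-renewable ticket is %s\n' \
        "$now" "$(tgt_state "$KLIST_RENEWABLE" "$now")" "$(tgt_state "$KLIST_FIXED" "$now")"
done
```

To check a live cache, pipe klist through it: `klist > /tmp/k.txt && tgt_state /tmp/k.txt "$(date +%Y-%m-%dT%H:%M:%S)"`. An "expired" result for a ticket you expected to renew points at the maxrenewlife problem fixed above with modprinc.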
# 3. Common errors
```bash
[root@localhost ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM
kdb5_util: Required parameters in kdc.conf missing while initializing the Kerberos admin interface
```
One of the encryption types listed in supported_enctypes in the configuration file is not available.
```bash
[root@localhost ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: Cannot find master key record in database while initializing kadmin.local interface
```
The command that creates the Kerberos database has to be run again: /usr/sbin/kdb5_util create -s -r EXAMPLE.COM
```bash
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
```
The firewall on the KDC server is still on, or the KDC service has not been started.
```bash
[root@localhost ~]# kinit ryan/admin@EXAMPLE.COM
Password for ryan/admin@EXAMPLE.COM:
kinit: Password incorrect while getting initial credentials
```
The password is wrong, or a keytab was created for this principal, which regenerated a random key and wrote it into the keytab file, so the old password no longer works.