kerberos搭建基础知识

标签：taishi CN kerberos 基础知识 etc TAISHI 搭建 log

kerberos验证流程

           

           

 配置文件格式

              

              

             

服务端搭建配置

     1.yum install -y krb5-libs krb5-server krb5-workstation

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = TAISHI.CN
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TAISHI.CN = {
  kdc = esnode.taishi.cn
  admin_server = esnode.taishi.cn
 }

[domain_realm]
 .taishi.cn = TAISHI.CN
  taishi.cn = TAISHI.CN

/etc/krb5.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TAISHI.CN = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

/var/kerberos/krb5kdc/kdc.conf

*/[email protected]       *

var/kerberos/krb5kdc/kadm5.acl

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.129 taishi.ccscs
192.168.30.129 esnode.taish.cn

/etc/hosts

   systemctl restart krb5kdc

   systemctl restart kadmin

  2.初始化域名数据库

    kdb5_util create -s -r TAISHI.CN

  3.创建用户数据

        kadmin.local

        addprinc root/[email protected]

        listprincs

         

客户端搭建配置

     1.yum -y install krb5-libs krb5-workstation

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.80 taishi.ccscs
192.168.30.129 esnode.taishi.cn

/etc/hosts

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = TAISHI.CN
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TAISHI.CN = {
  kdc = esnode.taishi.cn
  admin_server = esnode.taishi.cn
 }

[domain_realm]
 .taishi.cn = TAISHI.CN
  taishi.cn = TAISHI.CN

/etc/krb5.conf

    2.客户端生成连接用户的本地票据 

      kinit root/[email protected]

      

       

  3.客户端通过本地票据连接kerberos服务端

       kadmin

       

       kerberos客户端已经成功验证登录服务端

给各个服务配置kerberos的principal

   1.principal
      principal就是kerberos中的账户概念
      account/instance@realm 格式

   2.keytab
      keytab文件的用途是当kerberos认证的时候可以免输入密码登录

   3.为kerberos账户创建keytab文件

      1. mkdir /etc/security/keytabs/

      2.登录kadmin.local命令行

        ktadd -k /etc/security/keytabs/es.service.keytab root/[email protected]

      

     

     

    4.主机认证kerberos账户

       在所有的主机上执行
       kinit -kt /etc/security/keytabs/es.service.keytab root/[email protected]
       klist

       

       

kerberos代码认证实例

        

        

 

标签：taishi,CN,kerberos,基础知识,etc,TAISHI,搭建,log
From： https://www.cnblogs.com/yxh168/p/16989659.html