kerberos验证流程
配置文件格式
服务端搭建配置
1.yum install -y krb5-libs krb5-server krb5-workstation
# Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt default_realm = TAISHI.CN default_ccache_name = KEYRING:persistent:%{uid} [realms] TAISHI.CN = { kdc = esnode.taishi.cn admin_server = esnode.taishi.cn } [domain_realm] .taishi.cn = TAISHI.CN taishi.cn = TAISHI.CN/etc/krb5.conf
[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] TAISHI.CN = { #master_key_type = aes256-cts acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }/var/kerberos/krb5kdc/kdc.conf
*/[email protected] *var/kerberos/krb5kdc/kadm5.acl
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.30.129 taishi.ccscs 192.168.30.129 esnode.taish.cn/etc/hosts
systemctl restart krb5kdc
systemctl restart kadmin
2.初始化域名数据库
kdb5_util create -s -r TAISHI.CN
3.创建用户数据
kadmin.local
addprinc root/[email protected]
listprincs
客户端搭建配置
1.yum -y install krb5-libs krb5-workstation
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.30.80 taishi.ccscs 192.168.30.129 esnode.taishi.cn/etc/hosts
# Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt default_realm = TAISHI.CN default_ccache_name = KEYRING:persistent:%{uid} [realms] TAISHI.CN = { kdc = esnode.taishi.cn admin_server = esnode.taishi.cn } [domain_realm] .taishi.cn = TAISHI.CN taishi.cn = TAISHI.CN/etc/krb5.conf
2.客户端生成连接用户的本地票据
kinit root/[email protected]
3.客户端通过本地票据连接kerberos服务端
kadmin
kerberos客户端已经成功验证登录服务端
给各个服务配置kerberos的principal
1.principal
principal就是kerberos中的账户概念
account/instance@realm 格式
2.keytab
keytab文件的用途是当kerberos认证的时候可以免输入密码登录
3.为kerberos账户创建keytab文件
1. mkdir /etc/security/keytabs/
2.登录kadmin.local命令行
ktadd -k /etc/security/keytabs/es.service.keytab root/[email protected]
4.主机认证kerberos账户
在所有的主机上执行
kinit -kt /etc/security/keytabs/es.service.keytab root/[email protected]
klist
kerberos代码认证实例
标签:taishi,CN,kerberos,基础知识,etc,TAISHI,搭建,log From: https://www.cnblogs.com/yxh168/p/16989659.html