Kerberos account authentication for NIS
I. Environment
KDC:server1.example.com 192.168.32.31
NIS Server:station2.example.com 192.168.32.32
Already configured, with two users guest2001 and guest2002
Client:station3.example.com 192.168.32.33
NISDOMAIN:notexample
Kerberos realm:EXAMPLE.COM
II. KDC configuration
1. Install the software
[root@server1 ~]# yum install krb5-server.i386
[root@server1 ~]# yum install krb5-libs.i386
[root@server1 ~]# yum install krb5-workstation.i386
[root@server1 ~]# yum install krb5-devel.i386
2. Edit the Kerberos configuration file /etc/krb5.conf
[root@server1 ~]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
# Kerberos realm name; can be chosen freely, usually the same as the DNS domain name
dns_lookup_realm = false
# whether the realm may be looked up through DNS
dns_lookup_kdc = false
ticket_lifetime = 24h
# lifetime of Kerberos authentication tickets
forwardable = yes
[realms]
EXAMPLE.COM = {
# realm-wide parameters
kdc = 192.168.32.31:88
# KDC server address; prefer an IP address so that a DNS lookup failure cannot make Kerberos authentication fail
admin_server = 192.168.32.31:749
# KDC admin server; usually the same host as the KDC
default_domain = example.com
# DNS domain name; only takes effect when dns_lookup_realm = yes and may be omitted
}
[domain_realm]
# realm access control: which hosts and domains map to this realm
.example.com = EXAMPLE.COM
# all hosts in the example.com domain may use this Kerberos realm for authentication
example.com = EXAMPLE.COM
192.168.40.0/24 = EXAMPLE.COM
# all hosts in the 192.168.40.0/24 network may use this Kerberos realm for authentication
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true # require the KDC ticket to be validated (the default)
}
3. Create the local Kerberos database
[root@server1 krb5kdc]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: # enter the KDC database master password
Re-enter KDC database master key to verify:
# -r realm: the realm to create
# -s: also write a stash file, so the master password need not be typed again when the KDC is administered locally
4. Enable the Kerberos encryption types
The encryption types are set in the realm block of the KDC configuration file, /var/kerberos/krb5kdc/kdc.conf:
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
master_key_type = des3-hmac-sha1 # encryption type of the realm's master key
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
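As an added example (not the post's code), the following Python audit parses a kdc.conf realm block like the one above and classifies every enctype it offers; the strength classes are my reading of RFC 6649 (single DES deprecated) and RFC 8429 (3DES and RC4 deprecated), and the sample config is constructed from the fragment above.

```python
# Added example, not from the original post: audit the enctypes a kdc.conf realm
# block offers. Strength classes are mine (RFC 6649 / RFC 8429), AES is "ok".
# Sample input constructed from the post's kdc.conf fragment.
SAMPLE_KDC_CONF = """
[realms]
 EXAMPLE.COM = {
  master_key_type = des3-hmac-sha1
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""

STRENGTH = {
    "des-cbc-crc": "broken", "des-cbc-md5": "broken", "des-hmac-sha1": "broken",
    "arcfour-hmac": "deprecated", "rc4-hmac": "deprecated",
    "des3-hmac-sha1": "deprecated", "des3-cbc-sha1": "deprecated",
    "aes128-cts-hmac-sha1-96": "ok", "aes256-cts-hmac-sha1-96": "ok",
}

def realm_settings(conf_text, realm):
    """Return the key = value pairs of one realm block under [realms], comments stripped."""
    settings, section, in_block = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif not line or section != "realms":
            continue
        elif not in_block:
            in_block = line.replace(" ", "") == realm + "={"   # "EXAMPLE.COM = {"
        elif line == "}":
            break
        else:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_enctypes(conf_text, realm="EXAMPLE.COM"):
    """Return {enctype: strength} for the master key type and every offered enctype."""
    settings = realm_settings(conf_text, realm)
    names = [settings.get("master_key_type", "")]
    names += [t.split(":", 1)[0] for t in settings.get("supported_enctypes", "").split()]
    return {n: STRENGTH.get(n, "unknown") for n in names if n}   # salt suffix removed

def weak_enctypes(conf_text, realm="EXAMPLE.COM"):
    """Sorted enctypes the realm relies on that are not in the 'ok' class."""
    return sorted(e for e, c in audit_enctypes(conf_text, realm).items() if c != "ok")
```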
5. Start the krb5kdc and kadmin services
[root@server1 krb5kdc]# service krb5kdc start
啟動 Kerberos 5 KDC: [确定]
[root@server1 krb5kdc]# service kadmin start
啟動 Kerberos 5 Admin Server: [确定]
6. Add a remote administration account and grant its permissions
- Add the remote administration account root
[root@server1 krb5kdc]# kadmin.local # local administration
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs # list all principals
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: addprinc root/admin
# add the administrator principal root/admin; it has nothing to do with the system root account, and any name can be used
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
- Grant permissions to the administration account root
[root@server1 krb5kdc]# vi /var/kerberos/krb5kdc/kadm5.acl
root/admin@EXAMPLE.COM aDMcIL
# permissions held by the root/admin account
#*/admin@EXAMPLE.COM *
# meaning of the permission letters:
# a/A Allow/deny addition of principals or policies
# d/D Allow/deny deletion of principals or policies
# m/M Allow/deny modification of principals or policies
# c/C Allow/deny password changes for principals
# i/I Allow/deny database inquiries
# l/L Allow/deny listing all principals or policies
# * Equivalent to admcil
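As an added example that is not part of the original post, the following Python evaluates a kadm5.acl against the permission letters listed above, so an administrator can see which privileges a principal actually ends up with; the matching rules it assumes (the first matching line is used, `*` in a pattern matches one name component, `*`/`x` means admcil as the post states) are my reading of the format.

```python
# Added example (not the post's code): evaluate a kadm5.acl as the post's section 6
# describes it. Assumptions (mine): '*' or 'x' in the permission field means the
# post's "admcil"; an upper-case letter denies; the first line whose principal
# pattern matches is used; '*' in a pattern matches one whole name component.
ALL_PRIVS = "admcil"

# Sample ACL constructed from the post's /var/kerberos/krb5kdc/kadm5.acl.
SAMPLE_ACL = """\
root/admin@EXAMPLE.COM aDMcIL
#*/admin@EXAMPLE.COM *
"""

def split_principal(principal):
    """'root/admin@EXAMPLE.COM' -> (['root', 'admin'], 'EXAMPLE.COM')."""
    name, at, realm = principal.rpartition("@")
    if not at:                      # no realm given
        name, realm = principal, ""
    return name.split("/"), realm

def pattern_matches(pattern, principal):
    """Per-component match: each pattern component is '*' or an exact string."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if pat_realm not in ("*", realm) or len(pat_comps) != len(comps):
        return False
    return all(p in ("*", c) for p, c in zip(pat_comps, comps))

def privileges(acl_text, principal):
    """Return (allowed, denied) letter sets from the first matching ACL line, else two empty sets."""
    for raw in acl_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # comments and blank lines drop out
        if len(fields) < 2 or not pattern_matches(fields[0], principal):
            continue
        perms = fields[1]
        if perms in ("*", "x"):
            return set(ALL_PRIVS), set()
        allowed = {ch for ch in perms if ch.islower()}
        denied = {ch.lower() for ch in perms if ch.isupper()}
        return allowed, denied
    return set(), set()
```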
- Restart the kadmin service so that the permissions take effect
[root@server1 krb5kdc]# service kadmin restart
停止 Kerberos 5 Admin Server: [确定]
啟動 Kerberos 5 Admin Server: [确定]
7. Add the NIS users as Kerberos principals (when creating the NIS users on the NIS server, do not set their passwords with passwd)
[root@server1 krb5kdc]# kadmin.local
or
[root@server1 krb5kdc]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc guest2001 # add the NIS user guest2001 and set its Kerberos password
WARNING: no policy specified for guest2001@EXAMPLE.COM; defaulting to no policy
Enter password for principal "guest2001@EXAMPLE.COM":
Re-enter password for principal "guest2001@EXAMPLE.COM":
Principal "guest2001@EXAMPLE.COM" created.
kadmin: addprinc guest2002 # add the NIS user guest2002 and set its Kerberos password
WARNING: no policy specified for guest2002@EXAMPLE.COM; defaulting to no policy
Enter password for principal "guest2002@EXAMPLE.COM":
Re-enter password for principal "guest2002@EXAMPLE.COM":
Principal "guest2002@EXAMPLE.COM" created.
III. Client configuration
1. Join the clients to Kerberos authentication
[root@server1 krb5kdc]# scp /etc/krb5.conf 192.168.32.32:/etc/krb5.conf
[root@server1 krb5kdc]# scp /etc/krb5.conf 192.168.32.33:/etc/krb5.conf
# copying the KDC's /etc/krb5.conf to /etc/krb5.conf on each client is enough to bring the client into Kerberos authentication
2. Client test
[netsword@station2 ~]$ su - guest2001
密碼: # the password entered here is the one set when the account was added to Kerberos
[guest2001@station2 ~]$ klist # show tickets; the output below means a ticket has been obtained
Ticket cache: FILE:/tmp/krb5cc_2001_SbPhMC
Default principal: guest2001@EXAMPLE.COM
Valid starting Expires Service principal
03/21/11 00:30:04 03/21/11 10:30:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/21/11 00:30:04
Kerberos 4 ticket cache: /tmp/tkt2001
klist: You have no tickets cached
IV. Configure station2 and station3 so that ssh between them authenticates through Kerberos without a password
1. Add principals for the two servers' ssh services on the KDC
[root@station2 etc]# kadmin
kadmin: addprinc -randkey host/station2.example.com
# add the principal for station2's ssh service, with a random key
WARNING: no policy specified for host/station2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/station2.example.com@EXAMPLE.COM" created.
kadmin: addprinc -randkey host/station3.example.com
# add the principal for station3's ssh service, with a random key
WARNING: no policy specified for host/station3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/station3.example.com@EXAMPLE.COM" created.
# Note: The krb5-workstation package includes a number of Kerberos-enabled services executable by xinetd:
# xinetd config  daemon   port      principal  client
# eklogin        klogind  2105/tcp  host/*     /usr/kerberos/bin/rlogin
# kshell         kshd     544/tcp   host/*     /usr/kerberos/bin/rsh
# gssftp         ftpd     21/tcp    ftp/*      /usr/kerberos/bin/ftp
# krb5-telnet    telnetd  23/tcp    host/*     /usr/kerberos/bin/telnet
# These services provide Kerberos authentication, and can provide encryption with the shared session key. Other services in the distribution may also support authentication with Kerberos tickets. These services include sshd, slapd, and httpd, among others.
2. Export each host's key and copy it to that host
[root@server1 ~]# kadmin
kadmin: ktadd -k /etc/station2.keytab host/station2.example.com
kadmin: ktadd -k /etc/station3.keytab host/station3.example.com
[root@server1 ~]#scp /etc/station2.keytab 192.168.32.32:/etc/krb5.keytab
[root@server1 ~]#scp /etc/station3.keytab 192.168.32.33:/etc/krb5.keytab
# only the server side needs a keytab; the client logging in uses the ticket Kerberos issued to it and needs no keytab
3. Test
[root@station3 etc]# su - netsword
[netsword@station3 ~]$ su - guest2001
-bash-3.2$ ssh 192.168.32.32
Could not create directory '/home/guest2001/.ssh'.
The authenticity of host '192.168.32.32 (192.168.32.32)' can't be established.
RSA key fingerprint is d6:61:e8:8d:68:2b:29:5f:2e:e7:a8:16:f5:fd:f9:d4.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/guest2001/.ssh/known_hosts).
Address 192.168.32.32 maps to station2.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Last login: Mon Mar 21 01:40:43 2011 from station3.example.com
[guest2001@station2 ~]$
# because the switch to guest2001 already obtained a ticket from the KDC, the ssh login to station2 is authenticated with that ticket, and guest2001's password does not have to be entered again
This article is reproduced from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/520964