Kerberos为NIS提供账户认证
一、环境
KDC:server1.example.com 192.168.32.31
NIS Server:station2.example.com 192.168.32.32
默认已经配置好,并有guest2001和guest2002两个用户
Client:station3.example.com 192.168.32.33
NISDOMAIN:notexample
Kerberos realm:EXAMPLE.COM
二、KDC配置
1. 软件安装
[root@server1 ~]# yum install krb5-server.i386
[root@server1 ~]# yum install krb5-libs.i386
[root@server1 ~]# yum install krb5-workstation.i386
[root@server1 ~]# yum install krb5-devel.i386
2. 修改kerberos配置文件/etc/krb5.conf
[root@server1 ~]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
# 定义默认的kerberos区域(realm)名,可随意指定,一般与DNS域名相同(习惯上用大写)
dns_lookup_realm = false
#是否通过DNS查找主机所属的realm(此处关闭,改用下面[domain_realm]中的静态映射)
dns_lookup_kdc = false
ticket_lifetime = 24h
#kerberos认证票据的有效期
forwardable = yes
[realms]
EXAMPLE.COM = {
#区域的全局参数定义
kdc = 192.168.32.31:88
#KDC服务器地址,尽量用IP地址,防止DNS解析失败带来kerberos认证失败
admin_server = 192.168.32.31:749
#指定KDC管理服务器,一般与服务器相同
default_domain = example.com
#指定DNS的域名,在dns_lookup_realm=yes时生效,可无此项
}
[domain_realm]
#主机名/域名到realm的映射:告诉客户端某台主机属于哪个realm(它不是访问控制列表)
.example.com = EXAMPLE.COM
#example.com域内的所有主机映射到EXAMPLE.COM这个realm
example.com = EXAMPLE.COM
192.168.40.0/24 = EXAMPLE.COM
#192.168.40.0/24网段内的主机映射到EXAMPLE.COM这个realm
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = true #默认要求验证KDC票据的合法性
}
3. 生成kerberos的本地数据库
[root@server1 krb5kdc]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: #输入KDC数据库管理密码
Re-enter KDC database master key to verify:
#-r realm:指定realm
#-s:将数据库主密钥保存到本地的stash文件中,这样KDC启动和本地管理kdc时将不再需要输入主密钥
4. 打开kerberos的加密算法
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
master_key_type = des3-hmac-sha1 #指定该区域数据库主密钥的加密类型
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
5. 启动krb5kdc和kadmin服务
[root@server1 krb5kdc]# service krb5kdc start
启动 Kerberos 5 KDC: [确定]
[root@server1 krb5kdc]# service kadmin start
启动 Kerberos 5 Admin Server: [确定]
6. 添加远程管理账户及其权限
l 添加远程管理账户root
[root@server1 krb5kdc]# kadmin.local #本地管理
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs #查看所有实例
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/localhost.localdomain@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: addprinc root/admin
#添加管理员帐号root,与系统root账户无关,可随意指定
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
l 为管理账户root添加权限
[root@server1 krb5kdc]# vi /var/kerberos/krb5kdc/kadm5.acl
root/admin@EXAMPLE.COM aDMcIL
#root/admin账户拥有的权限:小写字母表示允许,大写字母表示拒绝,即此处允许添加实例(a)和修改密码(c),拒绝删除(D)、修改(M)、查询(I)和列出(L)
#*/admin@EXAMPLE.COM *
#(已注释掉)实例为admin的所有账户拥有所有权限
#权限说明:
# a/A Allow/deny addition of principals or policies
# d/D Allow/deny deletion of principals or policies
# m/M Allow/deny modification of principals or policies
# c/C Allow/deny password changes for principals
# i/I Allow/deny database inquiries
# l/L Allow/deny listing all principals or policies
# * Equivalent to admcil
l 重启kadmin服务使权限生效
[root@server1 krb5kdc]# service kadmin restart
停止 Kerberos 5 Admin Server: [确定]
启动 Kerberos 5 Admin Server: [确定]
7. 添加NIS认证用户(在NIS server创建NIS用户时,不要用passwd创建密码)
[root@server1 krb5kdc]# kadmin.local
或
[root@server1 krb5kdc]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc guest2001 #添加NIS认证账户guest2001密码
WARNING: no policy specified for guest2001@EXAMPLE.COM; defaulting to no policy
Enter password for principal "guest2001@EXAMPLE.COM":
Re-enter password for principal "guest2001@EXAMPLE.COM":
Principal "guest2001@EXAMPLE.COM" created.
kadmin: addprinc guest2002 #添加NIS认证账户guest2002密码
WARNING: no policy specified for guest2002@EXAMPLE.COM; defaulting to no policy
Enter password for principal "guest2002@EXAMPLE.COM":
Re-enter password for principal "guest2002@EXAMPLE.COM":
Principal "guest2002@EXAMPLE.COM" created.
三、客户端配置
1. 配置授权认证加入kerberos认证
[root@server1 krb5kdc]#scp /etc/krb5.conf 192.168.32.32:/etc/krb5.conf
[root@server1 krb5kdc]#scp /etc/krb5.conf 192.168.32.33:/etc/krb5.conf
#将KDC的/etc/krb5.conf复制到客户端的/etc/krb5.conf,客户端即可加入kerberos认证。
2. 客户端测试
[netsword@station2 ~]$ su - guest2001
口令: #此处输入的口令即为kerberos添加认证账户时输入的密码
[guest2001@station2 ~]$ klist #查看票据,下面的显示表示已经获得票据
Ticket cache: FILE:/tmp/krb5cc_2001_SbPhMC
Default principal: guest2001@EXAMPLE.COM
Valid starting Expires Service principal
03/21/11 00:30:04 03/21/11 10:30:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/21/11 00:30:04
Kerberos 4 ticket cache: /tmp/tkt2001
klist: You have no tickets cached
四、配置station2和station3之间互相ssh到对方时通过kerberos认证,无需输入密码
1. 在KDC中添加两台服务器ssh服务的实例(princ)
[root@station2 etc]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/station2.example.com
#添加station2的ssh的princ,密码随机
WARNING: no policy specified for host/station2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/station2.example.com@EXAMPLE.COM" created.
kadmin: addprinc -randkey host/station3.example.com
#添加station3的ssh的princ,密码随机
WARNING: no policy specified for host/station3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/station3.example.com@EXAMPLE.COM" created.
#注:The krb5-workstation package includes a number of Kerberos-enabled services executable by xinetd:
#xinetd config daemon port principal client
#eklogin klogind 2105/tcp host/* /usr/kerberos/bin/rlogin
#kshell kshd 544/tcp host/* /usr/kerberos/bin/rsh
#gssftp ftpd 21/tcp ftp/* /usr/kerberos/bin/ftp
#krb5-telnet telnetd 23/tcp host/* /usr/kerberos/bin/telnet
#These services provide Kerberos authentication, and can provide encryption with the shared session key. Other
#services in the distribution may also support authentication with Kerberos tickets. These services include sshd,
#slapd, and httpd, among others.
2. 导出彼此的密钥(keytab),并分别复制到对方的客户端
[root@server1 ~]# kadmin
kadmin: ktadd -k /etc/station2.keytab host/station2.example.com
kadmin: ktadd -k /etc/station3.keytab host/station3.example.com
[root@server1 ~]#scp /etc/station2.keytab 192.168.32.32:/etc/krb5.keytab
[root@server1 ~]#scp /etc/station3.keytab 192.168.32.33:/etc/krb5.keytab
#只有被登录的服务器端需要keytab;客户端登录时使用的是KDC颁发给它的票据,无需keytab
3. 测试
[root@station3 etc]# su - netsword
[netsword@station3 ~]$ su - guest2001
-bash-3.2$ ssh 192.168.32.32
Could not create directory '/home/guest2001/.ssh'.
The authenticity of host '192.168.32.32 (192.168.32.32)' can't be established.
RSA key fingerprint is d6:61:e8:8d:68:2b:29:5f:2e:e7:a8:16:f5:fd:f9:d4.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/guest2001/.ssh/known_hosts).
Address 192.168.32.32 maps to station2.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Last login: Mon Mar 21 01:40:43 2011 from station3.example.com
[guest2001@station2 ~]$
#因为切换到guest2001账户时已经从KDC上获取了票据,所以ssh登录到station2时直接用此票据认证,无需再输入guest2001的密码