一 RedHat/CentOS安装和配置kerberos
需要在kerberos server和客户端都先安装ntp (Internet时间协议,保证服务器和客户机时间同步 )
1 kerberos 服务器端
1.1. install /start ntp
#sudo yum install ntp
#sudo service ntpd start
1.2. install kerberos server:
#yum install krb5-server krb5-libs krb5-auth-dialog
可选: install kerberos client:
# yum install krb5-workstation
1.3 Edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf
# sudo vi /etc/krb5.conf
Replacing EXAMPLE.COM with your domain name.
Replace the kerberos.example.com with your kdc server.
# sudo vi /var/kerberos/krb5kdc/kdc.conf
Replacing EXAMPLE.COM with your domain name.
1.4. create the databse using kdb5_util utility.
# sudo /usr/sbin/kdb5_util create -s
1.5. Edit /var/kerberos/krb5kdc/kadm5.acl file
# sudo vi /var/kerberos/krb5kdc/kadm5.acl file
such as:将 */[email protected] * 改为*/[email protected]
1.6. use kadmin.local to add admin user:
#kadmin.local
#addprinc steve/admin
#addprinc tony/admin
1.7. start kerberos:
# /sbin/service krb5kdc start
# /sbin/service kadmin start
1.8. now you can use kadmin to manage principal:
#kadmin -q "addprinc user1/admin"
This way you actaully use client mode to connect to kdc and do admin level task
1.9. verify KDC ok.
#kinit tony/admin
#klist
2 各个客户机端
2.1. install kerberos client
#yum install krb5-workstation
2.2. edit /etc/krb5.conf
#sudo vi /etc/krb5.conf
Replace the EXAMPLE.com with your domain name
replace the kerberos.example.com with your kdc server
2.3. authenticate the admin user with kerberos
#kinit steve/admin
view the principls from client machine:
#sudo kadmin
#list_principals
3 用kerberos进行OS 级本地认证和远程登录
-----------------enable kerbose local authentication----------
1. install pAM
sudo apt-get install libpam-krb5
2. view conf file:
sudo cat /etc/pam.d/common-auth
1. create another principal such as:
service/clienthost@realm
2. add the keytab for such principal
kadmin : ktadd -k /etc/service.keytab service/clienthost@realm
save the keytab to /etc/krb5.keytab
二 Ubuntu安装和配置kerberos
1.kdc server side
1.install the krb5-kdc and krb5-admin-server packages. From a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server2.Create new realm
sudo krb5_newrealm3.reconfigure realm
sudo dpkg-reconfigure krb5-kdc4.View config files
/etc/krb5kdc/kdc.conf/etc/krb5.conf
5. create admin user:
1)in kdc server type in:sudo kadmin.local
addprinc steve/admin
quit/exit
2) edit ACL file /etc/krb5kdc/kadm5.acl like:
steve/[email protected] *
restart krb5-admin-server for ACL take affect:
sudo /etc/init.d/krb5-admin-server restart
3) check the user and ticket:
kinit steve/admin
klist
---the above 2 command canalso be performed on client machines that installed krb5 client packageAfter creating admin user (steve/admin), the admin user later can aslo login in to KDC do management stuff from client machine
2.client side
1. install client software
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config2. configure client:
sudo dpkg-reconfigure krb5-config3.view client configuration
/etc/krb5.conf4.check user/ticket:
for admin user principal:kinit steve/admin (steve/[email protected])
Password for steve/[email protected]:
for common user principal:
kinit xxx ([email protected])
for service principal:
kinit service/host@realm
3.Enable kerbose local authentication
1. install pAMsudo apt-get install libpam-krb5
2. view conf file:
sudo cat /etc/pam.d/common-auth
4.configure serice to use kerborse
suppose service principal is service/host@realm1.create service principal
kadmin : addprinc -randkey service/host@realm
2 add keytab for service
kadmin: ktadd -k /etc/service.keytab service/host@realm
3. save the keytab to correct location for service
5. Configure the client can remote login using kerborse
1. create another principal such as:service/clienthost@realm
2. add the keytab for such principal
kadmin : ktadd -k /etc/service.keytab service/clienthost@realm
save the keytab to /etc/krb5.keytab
三 管理kerberos principal
初始化管理用户比如steve/admin后, 运行kadmin即进入管理程序(可在安装了kerberos krb5-workstation软件包的kdc或客户端)
# kinit steve/admin
#kadmin
1.创建/改变principal
1.1 创建service principal
addprinc -pw $passwd $principalname/$servicehost@realm ---add service principal with password
addprinc -randkey $principalname/$servicehost@realm ---add service principal with random key
1.2 创建普通principal
addprinc -pw $passwd $principalname ---add principal with passwd
1.3 改变principal
modprinc -pw $passwd $principalname ---change principal
改密码:
cpw -pw $passwd $principalname ---change principal password
2 查看principal
listprincs
四 管理keytab
服务principal的credential需要保存在keytab文件中。
1.获取keytab
进入kadmin
1.1 用ktadd :
ktadd -k $<keytab_file_name> service/servicehost@realm 或者 #ktadd -k $<keytab_file_name> service/servicehost
比如:
# ktadd -k /etc/myservice.keytab myservice/servicehost
1.2 用xst
xst -k $<keytab_file_name> $service/servicehost
2. 查看keytab
klist -k -t $<keytab_file_name>