Kerberos + NIS 提供账户认证

一、环境

KDC: server1.example.com   192.168.32.31

NIS Server: station2.example.com  192.168.32.32

默认已经配置好,并有 guest2001、guest2002 两个用户

Client: station3.example.com  192.168.32.33

NISDOMAIN: notexample

Kerberos realm: EXAMPLE.COM

二、KDC 配置

1. 软件安装

[root@server1 ~]# yum install krb5-server.i386

[root@server1 ~]# yum install krb5-libs.i386

[root@server1 ~]# yum install krb5-workstation.i386

[root@server1 ~]# yum install krb5-devel.i386

2. 修改 kerberos 配置文件 /etc/krb5.conf

[root@server1 ~]# vi /etc/krb5.conf

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log 

[libdefaults]

 default_realm = EXAMPLE.COM    

# 定义 kerberos 区域名,可随意指定,一般为大写的 DNS 域名

 dns_lookup_realm = false

#是否支持dns解析域

 dns_lookup_kdc = false

 ticket_lifetime = 24h

#kerberos 认证票据的有效期

 forwardable = yes 

[realms]

 EXAMPLE.COM = {

  #区域的全局参数定义

  kdc = 192.168.32.31:88           

#KDC服务器地址,尽量用IP地址,防止DNS解析失败带来kerberos认证失败

  admin_server = 192.168.32.31:749 

#指定KDC管理服务器,一般与服务器相同

  default_domain = example.com    

#指定 DNS 的域名,在 dns_lookup_realm=yes 时生效,可无此项

 } 

[domain_realm]  

#域名/主机名到 kerberos 区域的映射(决定哪些主机归属 EXAMPLE.COM);这不是访问控制,访问控制由 kadm5.acl 及各服务自身决定

 .example.com = EXAMPLE.COM

#example.com 域内所有主机映射到此 kerberos 区域

 example.com = EXAMPLE.COM

 192.168.40.0/24 = EXAMPLE.COM 

#192.168.40.0/24 网段内所有主机映射到此 kerberos 区域。注意:domain_realm 的键是主机名或域名后缀,网段写法在 MIT krb5 中可能不会生效;且该网段与本文环境使用的 192.168.32.0/24 不一致,请核对

[appdefaults]

 pam = {

   debug = false

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

   validate = true           #要求用本机 keytab 验证 KDC 返回的票据(防止伪造 KDC);客户端需先有 host/ 主体的 /etc/krb5.keytab,见第四节

 } 

3. 生成 kerberos 的本地数据库

[root@server1 krb5kdc]# kdb5_util create -r EXAMPLE.COM -s

Loading random data

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',

master key name 'K/M@EXAMPLE.COM'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key:                    #输入KDC数据库管理密码

Re-enter KDC database master key to verify:

#-r realm:指定realm

#-s:将数据库主密钥保存到 stash 文件,本地管理 KDC 时将不再需要输入主密码。该文件含明文主密钥,须仅 root 可读,且不得复制出 KDC

4. 打开 kerberos 的加密算法(以下为 KDC 端 kdc.conf 中的相关段)

[kdcdefaults]

 v4_mode = nopreauth

 kdc_tcp_ports = 88 

[realms]

 EXAMPLE.COM = {

  master_key_type = des3-hmac-sha1     #指定区域主密钥的加密算法(des3 与 des 系列已属弱算法,新环境建议改用 AES 类型并去掉下面的 des 项)

  acl_file = /var/kerberos/krb5kdc/kadm5.acl

  dict_file = /usr/share/dict/words

  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

 } 

5. 启动 krb5kdc 与 kadmin 服务

[root@server1 krb5kdc]# service krb5kdc start

启动 Kerberos 5 KDC                                      [确定]

[root@server1 krb5kdc]# service kadmin start

启动 Kerberos 5 Admin Server                              [确定] 

6. 添加远程管理账户及其权限

- 添加远程管理账户 root

[root@server1 krb5kdc]# kadmin.local           #本地管理

Authenticating as principal root/admin@EXAMPLE.COM with password.

kadmin.local:  listprincs           #查看所有实例

K/M@EXAMPLE.COM

kadmin/admin@EXAMPLE.COM

kadmin/changepw@EXAMPLE.COM

kadmin/history@EXAMPLE.COM

kadmin/localhost.localdomain@EXAMPLE.COM

krbtgt/EXAMPLE.COM@EXAMPLE.COM

kadmin.local:  addprinc root/admin  

 #添加管理员帐号root,与系统root账户无关,可随意指定

WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy

Enter password for principal "root/admin@EXAMPLE.COM":

Re-enter password for principal "root/admin@EXAMPLE.COM":

Principal "root/admin@EXAMPLE.COM" created.

- 为管理账户 root 添加权限

 [root@server1 krb5kdc]# vi /var/kerberos/krb5kdc/kadm5.acl

root/admin@EXAMPLE.COM aDMcIL

#root/admin 账户拥有的权限。注意下面的说明:大写字母表示拒绝,因此 aDMcIL 只授予添加主体和修改口令,而拒绝删除、修改、查询和列出;若要完整管理权限,应写小写 admcil 或 *

#*/admin@EXAMPLE.COM    * 

#所有 */admin@EXAMPLE.COM 实例拥有全部权限

 #权限说明:

# a/A Allow/deny addition of principals or policies

# d/D Allow/deny deletion of principals or policies

# m/M Allow/deny modification of principals or policies

# c/C Allow/deny password changes for principals

# i/I Allow/deny database inquiries

# l/L Allow/deny listing all principals or policies

# * Equivalent to admcil

- 重启 kadmin 服务使权限生效

[root@server1 krb5kdc]# service kadmin restart

停止 Kerberos 5 Admin Server                             [确定]

启动 Kerberos 5 Admin Server                             [确定] 

7. 添加 NIS 认证用户(在 NIS server 创建 NIS 用户时,不要用 passwd 创建密码)

[root@server1 krb5kdc]# kadmin.local

[root@server1 krb5kdc]# kadmin -p root/admin

Authenticating as principal root/admin with password.

Password for root/admin@EXAMPLE.COM:

kadmin:  addprinc guest2001             #添加NIS认证账户guest2001密码

WARNING: no policy specified for guest2001@EXAMPLE.COM; defaulting to no policy

Enter password for principal "guest2001@EXAMPLE.COM":

Re-enter password for principal "guest2001@EXAMPLE.COM":

Principal "guest2001@EXAMPLE.COM" created.

kadmin:  addprinc guest2002             #添加NIS认证账户guest2002密码

WARNING: no policy specified for guest2002@EXAMPLE.COM; defaulting to no policy

Enter password for principal "guest2002@EXAMPLE.COM":

Re-enter password for principal "guest2002@EXAMPLE.COM":

Principal "guest2002@EXAMPLE.COM" created.

 

 

三、客户端配置

1. 配置授权认证,加入 kerberos 认证

[root@server1 krb5kdc]#scp /etc/krb5.conf 192.168.32.32:/etc/krb5.conf

[root@server1 krb5kdc]#scp /etc/krb5.conf 192.168.32.33:/etc/krb5.conf

#将 KDC 上的 /etc/krb5.conf 复制到客户端的 /etc/krb5.conf,即可将客户端加入 kerberos 认证。此外客户端还需启用 pam_krb5(如通过 authconfig 选择 Kerberos 认证),否则下面 su 时不会向 KDC 申请票据;本文未列出这一步

2. 客户端测试

[netsword@station2 ~]$ su - guest2001

口令:               #此处输入的口令即为kerberos添加认证账户时输入的密码

[guest2001@station2 ~]$ klist        #查看票据,下面的显示表示已经获得票据

Ticket cache: FILE:/tmp/krb5cc_2001_SbPhMC

Default principal: guest2001@EXAMPLE.COM

 

Valid starting     Expires            Service principal

03/21/11 00:30:04  03/21/11 10:30:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM

        renew until 03/21/11 00:30:04

Kerberos 4 ticket cache: /tmp/tkt2001

klist: You have no tickets cached 

四、配置 station2 与 station3 之间互相 ssh 到对方时通过 kerberos 认证,无需输入密码

1. 在 KDC 中添加两台服务器 ssh 服务的实例(principal)

[root@station2 etc]# kadmin

Authenticating as principal root/admin@EXAMPLE.COM with password.

Password for root/admin@EXAMPLE.COM:

kadmin:  addprinc -randkey host/station2.example.com

#添加 station2 的 ssh 主机实例 host/station2.example.com,密钥随机生成

WARNING: no policy specified for host/station2.example.com@EXAMPLE.COM; defaulting to no policy

Principal "host/station2.example.com@EXAMPLE.COM" created.

kadmin:  addprinc -randkey host/station3.example.com 

#添加 station3 的 ssh 主机实例 host/station3.example.com,密钥随机生成

WARNING: no policy specified for host/station3.example.com@EXAMPLE.COM; defaulting to no policy

Principal "host/station3.example.com@EXAMPLE.COM" created.

#注: The krb5-workstation package includes a number of Kerberos-enabled services executable by xinetd:

#xinetd config   daemon  port     principal   client

#eklogin        klogind  2105/tcp  host/*   /usr/kerberos/bin/rlogin

#kshell         kshd    544/tcp    host/*   /usr/kerberos/bin/rsh

#gssftp         ftpd    21/tcp     ftp/*     /usr/kerberos/bin/ftp

#krb5-telnet     telnetd  23/tcp    host/*    /usr/kerberos/bin/telnet

#These services provide Kerberos authentication, and can provide encryption with the shared session key. Other services in the distribution may also support authentication with Kerberos tickets. These services include sshd, slapd, and httpd, among others.

2. 导出彼此的密钥,并分别复制给对方的客户端

[root@server1 ~]# kadmin

kadmin:  ktadd -k /etc/station2.keytab host/station2.example.com

kadmin:  ktadd -k /etc/station3.keytab host/station3.example.com

[root@server1 ~]#scp /etc/station2.keytab 192.168.32.32:/etc/krb5.keytab

[root@server1 ~]#scp /etc/station3.keytab 192.168.32.33:/etc/krb5.keytab

#只需服务器端(被登录方)有 keytab;客户端登录时使用 kerberos 分配的票据,无需 keytab。keytab 含主机长期密钥,复制时应走可信通道,落地后须为 root 所有且权限 0600

3. 测试

[root@station3 etc]# su - netsword

[netsword@station3 ~]$ su - guest2001

-bash-3.2$ ssh 192.168.32.32

Could not create directory '/home/guest2001/.ssh'.

The authenticity of host '192.168.32.32 (192.168.32.32)' can't be established.

RSA key fingerprint is d6:61:e8:8d:68:2b:29:5f:2e:e7:a8:16:f5:fd:f9:d4.

Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/home/guest2001/.ssh/known_hosts).

Address 192.168.32.32 maps to station2.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Last login: Mon Mar 21 01:40:43 2011 from station3.example.com

[guest2001@station2 ~]$

#因为切换到 guest2001 账户时已经从 KDC 获取了票据,所以 ssh 登录 station2 时直接用该票据(GSSAPI)认证,无需再输入 guest2001 的密码。注意上面的输出:"Could not create directory" 说明 guest2001 在 station2 上似乎没有家目录;"POSSIBLE BREAK-IN ATTEMPT" 说明正向/反向 DNS 不一致,而 GSSAPI 认证依赖主机名与 host/ 主体的对应,应修正 DNS 而不是忽略该告警;另需确认两端 ssh 配置中 GSSAPIAuthentication 为 yes