Kerberos Basic Configuration

◇◆丶佛笑我妖孽 submitted on 2019-12-23 21:55:31

1 Choose a machine to run the KDC and install the Kerberos packages on it

yum install -y krb5-devel krb5-server krb5-workstation

2 Configure Kerberos by editing krb5.conf and kdc.conf; change the realm in both from the default EXAMPLE.COM to the value you want to define

vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WANGFEI.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WANGFEI.COM = {
 kdc = node1
 admin_server = node1
 }

[domain_realm]
 .WANGFEI.COM = WANGFEI.COM
 WANGFEI.COM = WANGFEI.COM

vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 WANGFEI.COM = {
  master_key_type = aes128-cts
  max_life = 24h
  max_renewable_life = 7d  
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
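The supported_enctypes line above still lists single DES, triple DES and RC4 (arcfour). As an added example, not part of the original post, this POSIX shell script audits a kdc.conf for those deprecated families and prints the directive with only the remaining types; the kdc.conf it reads is constructed inline from the realm section above, and the classification follows RFC 6649 (DES) and RFC 8429 (3DES, RC4).

```shell
#!/bin/sh
# Added example (not from the original post): audit the supported_enctypes
# directive of a kdc.conf for deprecated families (single DES per RFC 6649,
# triple DES and RC4/arcfour per RFC 8429) and print the hardened directive
# with only the remaining types. The kdc.conf below is constructed to match
# the realm section shown in step 2.
KDC_CONF=$(mktemp)
cat >"$KDC_CONF" <<'EOF'
[realms]
 WANGFEI.COM = {
  master_key_type = aes128-cts
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# is_deprecated ENCTYPE -> succeeds when the type belongs to a deprecated family
is_deprecated() {
  case "$1" in
    des-*|des3-*|arcfour-*) return 0 ;;
    *) return 1 ;;
  esac
}

# enctype_list FILE -> the enctype:salt pairs on the supported_enctypes line
enctype_list() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1"
}

# deprecated_enctypes FILE -> the entries that should be dropped
deprecated_enctypes() {
  out=
  for e in $(enctype_list "$1"); do
    is_deprecated "${e%%:*}" && out="$out $e"
  done
  printf '%s\n' "${out# }"
}

# hardened_line FILE -> the directive with the deprecated entries removed
hardened_line() {
  keep=
  for e in $(enctype_list "$1"); do
    is_deprecated "${e%%:*}" || keep="$keep $e"
  done
  printf 'supported_enctypes =%s\n' "$keep"
}

echo "deprecated: $(deprecated_enctypes "$KDC_CONF")"
hardened_line "$KDC_CONF"   # supported_enctypes = aes128-cts:normal
```

Changing supported_enctypes only affects keys generated afterwards, so existing principals keep their old keys until they are re-keyed (for example with kadmin's cpw -randkey) and their keytabs regenerated.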

3 Create the KDC database. You will be prompted to set a master password; once it finishes, a set of files is generated under /var/kerberos/krb5kdc/. To rebuild the database later, first delete the principal-related files under /var/kerberos/krb5kdc.

[root@node1 krb5kdc]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'WANGFEI.COM',
master key name 'K/M@WANGFEI.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

ll /var/kerberos/krb5kdc/

4 Grant ACL permissions to the database administrator by editing the kadm5.acl file; * stands for all permissions

[root@node1 krb5kdc]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@WANGFEI.COM *

The file is parsed as two columns: the first is the principal that has administrator rights, the second is its permissions.

The meaning of the default kadm5.acl is as follows

*/admin@HADOOP.COM: any principal in the HADOOP.COM realm whose instance (the component after the /) is admin

*: all permissions

The permissions that can be configured are:

a: Allows adding principals or policies
A: Disallows adding principals or policies
c: Allows changing principals' passwords
C: Disallows changing principals' passwords
d: Allows deleting principals or policies
D: Disallows deleting principals or policies
i: Allows inquiries into the database
I: Disallows inquiries into the database
l: Allows listing principals or policies
L: Disallows listing principals or policies
m: Allows modifying principals or policies
M: Disallows modifying principals or policies
p: Allows propagation of the principal database
P: Disallows propagation of the principal database
u: Allows creating one-component user principals whose passwords are validated with PAM
U: Negates the u privilege
x: Shortcut for the a, d, m, c, i, l privileges
*: Same as x

So our kadm5.acl can be made somewhat more secure, for example

root/admin@HADOOP.COM *
# root/admin can do anything in kadmin
xianglei/master.hadoop@HADOOP.COM aml
# the xianglei account on host master.hadoop can add, modify and list principals in kadmin, but cannot delete, propagate, inquire into database contents, change passwords, or perform other operations
list/*@HADOOP.COM l
# the list user on any host can only list; it can do nothing else

Of course, apart from administrator accounts, no ordinary principal should appear in this file.
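As an added example, not part of the original post, the POSIX shell script below resolves the effective privileges a principal gets from a kadm5.acl, applying kadmind's rules: entries are scanned in order and the first one whose principal pattern matches decides; lowercase letters grant, uppercase letters revoke, and x or * expands to the a, d, m, c, i, l set listed above (newer MIT releases also fold s and p into that shortcut). The ACL it reads is constructed inline from the hardened example above plus one ops/* entry added to show revocation.

```shell
#!/bin/sh
# Added example (not from the original post): effective kadmin privileges a
# principal gets from a kadm5.acl. Entries are scanned in order and the first
# matching one decides; lowercase grants, uppercase revokes, x and * expand to
# the a,d,m,c,i,l set described above. The ACL file below is constructed.
ACL_FILE=$(mktemp)
cat >"$ACL_FILE" <<'EOF'
# constructed kadm5.acl: the hardened example from the post, plus an ops/*
# entry that uses an uppercase letter to take the delete privilege back
root/admin@HADOOP.COM *
xianglei/master.hadoop@HADOOP.COM aml
list/*@HADOOP.COM l
ops/*@HADOOP.COM xD
EOF

# number of '/' separators, so a '*' in a pattern only stands for a whole component
ncomp() { printf '%s' "$1" | tr -cd '/' | wc -c | tr -d ' '; }
# apply_perms LETTERS -> granted lowercase letters after expansion and revocation
apply_perms() {
  p=$1; granted=
  while [ -n "$p" ]; do
    l=${p%"${p#?}"}; p=${p#?}                 # peel off the first character
    case "$l" in
      x|\*) p=admcil$p ;;                     # shortcut: expand, then keep scanning
      [[:lower:]]) case "$granted" in *"$l"*) ;; *) granted=$granted$l ;; esac ;;
      [[:upper:]]) low=$(printf '%s' "$l" | tr '[:upper:]' '[:lower:]')
                   granted=$(printf '%s' "$granted" | tr -d "$low") ;;
    esac
  done
  printf '%s' "$granted"
}

# effective_perms PRINCIPAL -> letters granted by the first matching entry, or "none"
effective_perms() {
  princ=$1
  while read -r pat perms _rest; do
    case "$pat" in ''|\#*) continue ;; esac   # skip blank lines and comments
    [ "$(ncomp "$pat")" = "$(ncomp "$princ")" ] || continue
    case "$princ" in
      $pat) g=$(apply_perms "$perms"); printf '%s\n' "${g:-none}"; return 0 ;;
    esac
  done <"$ACL_FILE"
  printf 'none\n'                             # nothing matched: kadmind denies
}

effective_perms root/admin@HADOOP.COM             # admcil
effective_perms xianglei/master.hadoop@HADOOP.COM # aml
effective_perms ops/node2@HADOOP.COM              # amcil
effective_perms list/anyhost@WANGFEI.COM          # none
```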

5 Add the database administrator. Note that kadmin.local can be run directly on the KDC and does not need Kerberos authentication

[root@node1 krb5kdc]# /usr/sbin/kadmin.local -q "addprinc kdcadmin/admin"
Authenticating as principal root/admin@WANGFEI.COM with password.
WARNING: no policy specified for kdcadmin/admin@WANGFEI.COM; defaulting to no policy
Enter password for principal "kdcadmin/admin@WANGFEI.COM": 
Re-enter password for principal "kdcadmin/admin@WANGFEI.COM": 
Principal "kdcadmin/admin@WANGFEI.COM" created.
[root@node1 krb5kdc]# kadmin.local 
Authenticating as principal root/admin@WANGFEI.COM with password.
kadmin.local:  listprincs
K/M@WANGFEI.COM
kadmin/admin@WANGFEI.COM
kadmin/changepw@WANGFEI.COM
kadmin/node1@WANGFEI.COM
kdcadmin/admin@WANGFEI.COM
krbtgt/WANGFEI.COM@WANGFEI.COM
kadmin.local:  quit

6 Start the Kerberos daemons and enable them at boot. Check the logs in /var/log/krb5kdc.log and /var/log/kadmind.log, and use kinit to confirm that Kerberos is working properly

service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on

7 The Kerberos server is now set up. Choose another machine to install the client on, and configure its /etc/krb5.conf identically to the KDC's

yum install -y krb5-workstation


8 Verify that the client can reach the KDC

kadmin -p 'kdcadmin/admin' -w '<kdcadmin/admin password>' -s '<kdc server ip>' -q 'list_principals'

9 Generate a keytab with kadmin. On the KDC, run kadmin.local directly; on a client, run kinit first and then kadmin

On the client
kinit kadmin/admin
kadmin

On the KDC
kadmin.local

10 Related Kerberos commands

# add a principal
kadmin -p 'kdcadmin/admin' -w '<kdc password>' -s '<kdc server>' -q 'addprinc -randkey principal_test'
# generate the keytab file (a kadmin command, run on the client)
ktadd -k /opt/trafodion.keytab principal_test
# authenticate the user (in the shell)
kinit -kt /opt/trafodion.keytab principal_test
# show the currently authenticated user's credentials (in the shell)
klist

11 Enable authentication for ZooKeeper

vim zoo.cfg

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true

vim jaas.conf

Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/usr/local/zookeeper/conf/zk.keytab"
  storeKey=true
  useTicketCache=false
  principal="zk/node1@WANGFEI.COM";
};

vim java.env

export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/jaas.conf"

Full session transcript on the KDC: creating the database (step 3), listing the resulting files, and creating the ZooKeeper principal and its keytab (step 11)
[root@node1 krb5kdc]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'WANGFEI.COM',
master key name 'K/M@WANGFEI.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
[root@node1 krb5kdc]# ll
总用量 20
-rw-r--r-- 1 root root  431 3月  29 17:40 kdc.conf
-rw------- 1 root root 8192 3月  29 20:47 principal
-rw------- 1 root root 8192 3月  29 20:47 principal.kadm5
-rw------- 1 root root    0 3月  29 20:47 principal.kadm5.lock
-rw------- 1 root root    0 3月  29 2019 principal.ok
[root@node1 krb5kdc]# kadmin.local
Authenticating as principal zookeeper/admin@WANGFEI.COM with password.
kadmin.local:  add_principal zk/node1@WANGFEI.COM
WARNING: no policy specified for zk/node1@WANGFEI.COM; defaulting to no policy
Enter password for principal "zk/node1@WANGFEI.COM": 
Re-enter password for principal "zk/node1@WANGFEI.COM": 
Principal "zk/node1@WANGFEI.COM" created.
kadmin.local:  xst -k /usr/local/zookeeper/conf/zk.keytab zk/node1@WANGFEI.COM
Entry for principal zk/node1@WANGFEI.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/usr/local/zookeeper/conf/zk.keytab.
Entry for principal zk/node1@WANGFEI.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/usr/local/zookeeper/conf/zk.keytab.
Entry for principal zk/node1@WANGFEI.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/usr/local/zookeeper/conf/zk.keytab.
Entry for principal zk/node1@WANGFEI.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/usr/local/zookeeper/conf/zk.keytab.
Entry for principal zk/node1@WANGFEI.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/usr/local/zookeeper/conf/zk.keytab.
kadmin.local:

Create the database and principals
Use kdb5_util to create the database that stores the principal information (enter the password twice)
kdb5_util create -r EXAMPLE.COM -s
Use kadmin.local to add principals
kadmin.local
# create a new user (enter the password twice)
add_principal test-server/admin@EXAMPLE.COM
# export the user's keys into krb5.keytab (this creates the keytab file)
xst -k ~/krb5.keytab test-server/admin@EXAMPLE.COM

Source: https://blog.csdn.net/lyflyyvip/article/details/85715801

Verify with kinit that the KDC started successfully
kinit -k -t krb5.keytab test-server/admin@EXAMPLE.COM
klist

References: https://blog.csdn.net/Post_Yuan/article/details/54406148

https://blog.csdn.net/lyflyyvip/article/details/85715801