【Kerberos】Kerberos single-node installation and uninstallation

栾英资
2023-12-01

1. Installing the master KDC

The KDC (Key Distribution Center) normally provides two services in Kerberos:

  • Authentication Service (AS): the authentication service
  • Ticket-Granting Service (TGS): the ticket-granting service

1.1 Install the Kerberos packages

yum -y install krb5-libs krb5-server krb5-workstation krb5-auth-dialog
# Everything else installed, but "No package krb5-auth-dialog available." Ignore that for now.

1.2 Configure the Kerberos service

After installation, the configuration files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf are generated on the KDC host.

1.2.1 Configure krb5.conf

# Other applications require this directory to perform krb5 configuration.
includedir /etc/krb5.conf.d/

# Note: in krb5.conf only a line that starts with # (or ;) is a comment. A # after a
# value is read as part of the value, so every comment below sits on its own line.
[libdefaults]
  # Defaults for every connection; the keys that matter most are noted here.
  # renew_lifetime: how long a credential can keep being renewed, normally 7 days.
  # Once it expires, further access to Kerberos-protected services fails.
  renew_lifetime = 7d
  forwardable = true
  # Default realm; must match the realm name configured below.
  default_realm = HONEY.COM
  # ticket_lifetime: how long a credential stays valid, normally 24 hours.
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
  #10.211.55.60 = HONEY.COM   # optional

# Where the server-side logs are written
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

# The realms in use
[realms]
  HONEY.COM = {
    # Host running the admin server: an IP address or a hostname
    admin_server = 10.211.55.60
    # Host running the KDC server: an IP address or a hostname
    kdc = 10.211.55.60
  }
  # HONEY.COM is the realm we chose. The name is arbitrary and Kerberos supports several realms.
  # Realm names are case-sensitive and conventionally all upper case; the realm has nothing
  # to do with the machine's hostname.

1.2.2 Configure kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 # Must be the same realm name as in krb5.conf above
 HONEY.COM = {
  #master_key_type and supported_enctypes default to aes256-cts.
  #Java needs the JCE package installed to use aes256-cts.
  #master_key_type = aes256-cts
  #Path of the ACL file that sets principal permissions; you create it yourself.
  #File format: Kerberos_principal permissions [target_principal] [restrictions]
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  #Keytab the KDC uses for verification
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  #Supported encryption types. The des-* entries are single-DES types that current MIT krb5
  #releases no longer support, and arcfour-hmac is deprecated; keep them only for very old clients.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
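The two files above have to agree with each other (the realm in kdc.conf must be the one named by default_realm in krb5.conf), and krb5.conf does not accept a comment after a value. As an added example that is not part of the original post, here is a small Python checker that parses both files in MIT's profile syntax and reports a realm mismatch, a stray '#' inside a value, and any legacy enctype left in supported_enctypes; the sample configs and the list of legacy prefixes are constructed for the example.

```python
import re
LEGACY_PREFIXES = ("des-", "arcfour-hmac")  # assumed: single-DES and RC4 enctype names

def parse_profile(text):
    """Parse MIT krb5 profile syntax ([section], key = value, key = { ... }).
    Only a line starting with '#' or ';' is a comment; a '#' after a value stays in it."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        if header := re.fullmatch(r"\[(\w+)\]", line):
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def _leaves(node, path=""):
    """Yield ('section/sub/key', value) for every scalar in a parsed profile."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from _leaves(value, f"{path}{key}/")
        else:
            yield path + key, value

def check_kdc_config(krb5_conf, kdc_conf):
    """Return a list of problems; [] means krb5.conf and kdc.conf agree."""
    krb5, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    realm = krb5.get("libdefaults", {}).get("default_realm", "<unset>")
    problems = [f"{name}: realm {realm} missing from [realms]"
                for name, prof in (("krb5.conf", krb5), ("kdc.conf", kdc))
                if realm not in prof.get("realms", {})]
    for path, value in [*_leaves(krb5), *_leaves(kdc)]:
        if "#" in value:  # an inline comment silently becomes part of the value
            problems.append(f"{path}: '#' is not a comment here, value is {value!r}")
        if path.endswith("supported_enctypes"):
            legacy = [e for e in value.split() if e.startswith(LEGACY_PREFIXES)]
            if legacy:
                problems.append(f"{path}: legacy enctypes enabled: {legacy}")
    return problems

# Constructed sample with this page's realm; kdc.conf keeps one inline comment (as in the post).
KRB5_CONF = "[libdefaults]\n default_realm = HONEY.COM\n[realms]\n HONEY.COM = {\n  kdc = 10.211.55.60\n }\n"
KDC_CONF = "[realms]\n HONEY.COM = {\n  kdc_ports = 88 #port\n  supported_enctypes = aes256-cts:normal des-cbc-md5:normal\n }\n"
```

Run check_kdc_config on the real files before starting krb5kdc; an empty list means the realm names line up and nothing odd is hiding in the values.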

1.2.3 Create kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@HONEY.COM     *

File format: principal permissions [target_principal] [restrictions]

  • principal: */admin@HONEY.COM (any principal of the form name/admin@HONEY.COM)
  • permissions: * (* grants all permissions)
  • target_principal: optional
  • restrictions: optional
    The file supports more than this; see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html
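To see what the single ACL line above actually grants, here is an added example (not from the original post) that parses kadm5.acl entries and evaluates an actor's privileges over a target the way the MIT documentation describes: the first matching line wins, lowercase letters grant, uppercase letters deny, '*' or 'x' means all, and each component of a principal may be wildcarded with '*'. The helpdesk@HONEY.COM lines in the sample are constructed; only the */admin@HONEY.COM line comes from this page.

```python
"""Evaluate kadm5.acl entries: principal permissions [target_principal] [restrictions]."""
import fnmatch

ALL_PRIVS = frozenset("admclips")  # a d m c l i p s, as listed in the MIT kadm5.acl docs

def parse_kadm5_acl(text):
    """Return [(principal_pattern, permissions, target_pattern_or_None)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries

def _split(principal):
    """'admin/admin@HONEY.COM' -> (['admin', 'admin'], 'HONEY.COM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def principal_matches(pattern, principal):
    """Each name component may be wildcarded with '*'; component count and realm must agree."""
    pat_comps, pat_realm = _split(pattern)
    comps, realm = _split(principal)
    return (len(pat_comps) == len(comps) and fnmatch.fnmatchcase(realm, pat_realm)
            and all(fnmatch.fnmatchcase(c, p) for c, p in zip(comps, pat_comps)))

def privileges(entries, actor, target):
    """Privilege letters actor holds over target: first matching line wins,
    lowercase letters grant, uppercase letters deny, '*' or 'x' means all."""
    for pattern, perms, target_pat in entries:
        if not principal_matches(pattern, actor):
            continue
        if target_pat is not None and not principal_matches(target_pat, target):
            continue
        if perms in ("*", "x"):
            return set(ALL_PRIVS)
        return {p for p in perms if p.islower()} - {p.lower() for p in perms if p.isupper()}
    return set()  # no matching line: kadmind refuses the operation

# Constructed sample: this page's line plus a restricted help-desk principal (assumed name).
SAMPLE_ACL = """\
*/admin@HONEY.COM   *
helpdesk@HONEY.COM  il    */admin@HONEY.COM
helpdesk@HONEY.COM  cil   *@HONEY.COM
"""
```

Note that honey@HONEY.COM, the principal created in section 1.4 below, matches no line at all and therefore has no administrative rights; admin/admin@HONEY.COM gets everything.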

1.3 Create the Kerberos database

[root@host-10-211-55-60 ~]# kdb5_util create -s -r HONEY.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'JIAZZ.COM',
master key name 'K/M@JIAZZ.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: #admin
Re-enter KDC database master key to verify: #admin

Notes on the command's parameters:

  • -s creates a stash file in which the master key is stored for the KDC (krb5kdc); -r selects a realm name that exists in krb5.conf.

  • The database lives under /var/kerberos/krb5kdc. To rebuild it, delete the principal* files in that directory.

  • During this step you enter the database master password. Remember it: if it is lost, the Kerberos server can no longer be managed.

  • Once the database is created, several files appear under /var/kerberos/krb5kdc (the stash file .k5.HONEY.COM written by -s is a dotfile, so ll without -a does not show it):

    [root@host-10-211-55-60 ~]# ll /var/kerberos/krb5kdc/
    total 24
    -rw------- 1 root root   22 Sep 14 00:40 kadm5.acl
    -rw------- 1 root root  449 Feb 29 16:56 kdc.conf
    -rw------- 1 root root 8192 Feb 29 17:16 principal
    -rw------- 1 root root 8192 Feb 29 17:16 principal.kadm5
    -rw------- 1 root root    0 Feb 29 17:16 principal.kadm5.lock
    -rw------- 1 root root    0 Feb 29 17:16 principal.ok
    

1.4 Create the administrator (admin/admin@HONEY.COM) (note: enter the password at the prompt)

kadmin.local runs directly on the master KDC without first authenticating through Kerberos; all it needs is read/write access to the local database files. Keep in mind that the kadm5.acl above grants privileges only to principals matching */admin@HONEY.COM, so a plain principal such as honey@HONEY.COM created below cannot administer the realm, while admin/admin@HONEY.COM can.

[root@host-10-211-55-60 ~]# kadmin.local 
Authenticating as principal root/admin@HONEY.COM with password.
kadmin.local:  addprinc honey
WARNING: no policy specified for honey@HONEY.COM; defaulting to no policy
Enter password for principal "honey@HONEY.COM": 
Re-enter password for principal "honey@HONEY.COM": 
Principal "honey@HONEY.COM" created.
# type exit to quit
# or add the principal in one step: kadmin.local -q "addprinc admin/admin"

1.5 Start the Kerberos daemons on the master KDC

The daemons that must run on the KDC server are krb5kdc and kadmin (the kadmind process). On a CentOS/RHEL host with SysV init scripts they are started with service krb5kdc start and service kadmin start, and the chkconfig lines below enable them at boot. Note that typing kadmin start by hand runs the kadmin client rather than the daemon, which is why the client error appears in the transcript below.

[root@host-10-211-55-60 ~]# krb5kdc start
[root@host-10-211-55-60 ~]# kadmin start
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
[root@host-10-211-55-60 ~]# chkconfig krb5kdc on
[root@host-10-211-55-60 ~]# chkconfig kadmin on

2. Backup KDC

Since I only have one node, I am skipping the backup KDC for now.

3. How to uninstall Kerberos

# First remove the packages you installed for Kerberos (version 5, that is).
# Caution: on CentOS/RHEL krb5-libs is a dependency of core packages such as openssh and curl,
# so review the dependency list yum prints before confirming the removal.

yum remove krb5-server
yum remove krb5-libs
yum remove krb5-workstation

# This does not remove the directories; remove them manually:

rm -rf /var/kerberos/
rm /etc/krb5.conf
rm -rf /usr/lib64/krb5
# Then you can install the packages again.

References:
https://www.zybuluo.com/xtccc/note/175999
Kerberos installation based on Ambari
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html
