First I created three VirtualBox VMs (Debian Linux) for the Kerberos server, the client and the SSH server.

Kerberos server - kerberos.com
Client - client.com
SSH server - ssh.com

Then I added the following lines to the /etc/hosts files of the VMs.

10.0.0.1 kerberos.com
10.0.0.2 client.com
10.0.0.3 ssh.com

Make sure you can ping kerberos.com, ssh.com and client.com from all VMs (to check that the host names are resolving).

Kerberos Server

Installing the Kerberos server (kerberos.com)
apt-get install krb5-admin-server krb5-kdc

During the installation it "may" ask the following questions (my answers are shown in brackets):

Default Kerberos version 5 realm? [KERBEROS.COM]
Kerberos servers for your realm? [kerberos.com]
Administrative server for your realm? [kerberos.com]

Configuring the Kerberos server

Before beginning, a new realm must be created:

krb5_newrealm

Edit the /etc/krb5.conf file (enter the following lines in the file if they're not there):
[libdefaults]
    default_realm = KERBEROS.COM
    ...

[realms]
    ...
    KERBEROS.COM = {
        kdc = kerberos.com
        admin_server = kerberos.com
    }
    ...

[domain_realm]
    ...
    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM
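Because a mismatch between default_realm, the [realms] block and the [domain_realm] mapping is the usual reason kinit or the later ssh login fails, here is a consistency check for a krb5.conf laid out like the one above. This is an added example, not code from the original tutorial; it assumes the stock Debian layout ("[section]" headers, "key = value" lines, a "REALM = { ... }" block under [realms]) and the sample files it reads are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: consistency check for a
# krb5.conf in the stock Debian layout. Sample files below are constructed.

# Print the value of KEY in [SECTION] (first match), nothing if absent.
krb5_get() {  # usage: krb5_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print the value of KEY inside the "REALM = { ... }" block of [realms].
krb5_realm_get() {  # usage: krb5_realm_get FILE REALM KEY
    awk -v r="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == "[realms]"); inblk = 0; next }
        insec && $1 == r && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0; next }
        inblk && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Returns 0 (and prints the resolved realm, KDC and admin server) when:
#  - [libdefaults] sets default_realm,
#  - [realms] has a block for that realm naming a kdc and an admin_server,
#  - [domain_realm] maps the KDC host name, and ".hostname", to that realm,
#    as the tutorial's file does. Returns 1 with a reason on stderr otherwise.
check_krb5_conf() {  # usage: check_krb5_conf FILE
    f=$1
    realm=$(krb5_get "$f" libdefaults default_realm)
    [ -n "$realm" ] || { echo "$f: no default_realm in [libdefaults]" >&2; return 1; }
    kdc=$(krb5_realm_get "$f" "$realm" kdc)
    adm=$(krb5_realm_get "$f" "$realm" admin_server)
    if [ -z "$kdc" ] || [ -z "$adm" ]; then
        echo "$f: [realms] has no block for $realm with kdc and admin_server" >&2
        return 1
    fi
    for name in "$kdc" ".$kdc"; do
        [ "$(krb5_get "$f" domain_realm "$name")" = "$realm" ] ||
            { echo "$f: [domain_realm] does not map $name to $realm" >&2; return 1; }
    done
    echo "realm=$realm kdc=$kdc admin_server=$adm"
}

# Constructed sample: the tutorial's file, without the elided lines.
KRB5_GOOD=$(mktemp)
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
    default_realm = KERBEROS.COM

[realms]
    KERBEROS.COM = {
        kdc = kerberos.com
        admin_server = kerberos.com
    }

[domain_realm]
    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM
EOF

# Constructed broken variant: default_realm names a realm with no [realms] block.
KRB5_BAD=$(mktemp)
sed 's/default_realm = KERBEROS.COM/default_realm = EXAMPLE.COM/' "$KRB5_GOOD" > "$KRB5_BAD"

check_krb5_conf "$KRB5_GOOD"   # prints: realm=KERBEROS.COM kdc=kerberos.com admin_server=kerberos.com
check_krb5_conf "$KRB5_BAD" || echo "broken config detected (expected)"
```

Run it against the real file with check_krb5_conf /etc/krb5.conf on each of the three VMs; the same file has to pass on the client and on ssh.com, not only on the KDC.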
Note for CDH: you should open the TCP port by adding the following line to /etc/krb5kdc/kdc.conf:

kdc_tcp_ports = 88

then restart the KDC services:

service krb5-admin-server restart
service krb5-kdc restart

Adding users (principals)

Use the kadmin.local tool to add/delete/modify users (principals). Type kadmin.local to start the tool.
listprincs will list the existing principals.

To add the root user, type:

addprinc root

If you want to assign an admin role to a user, use the following command:

addprinc root/admin

Then you have to uncomment the */admin line in the /etc/krb5kdc/kadm5.acl file.

To check that the principal has been applied correctly, type the following command:

kinit

kinit is used to get tickets from the Kerberos server. It will prompt for a password (enter the password given to the addprinc command). Now type the following command to see the ticket:

klist

Client

Installing and configuring the client for Kerberos (client.com)
apt-get install krb5-user

It will ask the same questions that were asked during the server installation.

[Make sure you can ping kerberos.com from your client.com machine.]

Testing

To get a ticket for your client machine, type the following command:

kinit root

or (depending on your principals in kerberos.com):

kinit root/admin

If you get a ticket from kerberos.com, it's working!

Services
Using the SSH service with Kerberos (ssh.com)

Install the OpenSSH server and krb5-config:

apt-get install openssh-server krb5-config

Configure /etc/krb5.conf accordingly (just like the previous ones).

Configuring SSH to work with Kerberos

Edit /etc/ssh/sshd_config and enable the following lines:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Then restart the SSH server [/etc/init.d/ssh restart].

Configuring the Kerberos server (kerberos.com) to work with ssh.com

Type the following commands on kerberos.com to add the ssh.com principal:

kadmin.local
addprinc -randkey host/ssh.com
ktadd -k /tmp/ssh.com.keytab host/ssh.com

Now copy the /tmp/ssh.com.keytab file to the SSH server (ssh.com) using the command below:

scp /tmp/ssh.com.keytab root@ssh.com:/etc/krb5.keytab

Configuring a client machine for Kerberos authentication

Edit /etc/ssh/ssh_config and enable the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Testing the SSH service with Kerberos

Log in to the client machine and get a ticket:

kinit root
(or kinit root/admin)

Then type the command below. It should log in to ssh.com without a password:

ssh root@ssh.com

Now type the following commands and check the difference:

kdestroy
ssh root@ssh.com

Source:-
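Two things on the ssh.com side decide whether the password-less login above works and stays safe: the GSSAPI directives have to be the ones sshd actually applies, and /etc/krb5.keytab, which now holds the host's long-term key, must not be readable by other local users. The audit below is an added example, not code from the original tutorial: it reads sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keyword case-insensitive, stopping at the first Match block) and checks the keytab's mode. It assumes GNU coreutils (stat -c) and builds its own sample sshd_config and placeholder keytab files inline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the ssh.com host.
# Assumes GNU coreutils (stat -c). Sample files below are constructed.

# Effective value of a sshd_config keyword: sshd uses the FIRST uncommented
# occurrence; keywords are case-insensitive. Lines after a "Match" block are
# conditional, so parsing stops there rather than misreading them.
sshd_option() {  # usage: sshd_option FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when both directives from the tutorial are in effect.
check_sshd_gssapi() {  # usage: check_sshd_gssapi SSHD_CONFIG
    a=$(sshd_option "$1" GSSAPIAuthentication)
    c=$(sshd_option "$1" GSSAPICleanupCredentials)
    [ "$a" = yes ] && [ "$c" = yes ]
}

# Return 0 when the keytab exists and is readable only by its owner (0600/0400).
# Anyone who can read it can act as the host service, so group/world read is a finding.
check_keytab_mode() {  # usage: check_keytab_mode KEYTAB
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print one PASS/FAIL line per check; return 0 only if every check passes.
audit_ssh_host() {  # usage: audit_ssh_host SSHD_CONFIG KEYTAB
    rc=0
    if check_sshd_gssapi "$1"; then echo "PASS sshd GSSAPI directives ($1)"
    else echo "FAIL sshd GSSAPI directives ($1)"; rc=1; fi
    if check_keytab_mode "$2"; then echo "PASS keytab mode ($2)"
    else echo "FAIL keytab mode ($2): $(stat -c '%a' "$2" 2>/dev/null || echo missing)"; rc=1; fi
    return $rc
}

# Constructed samples: a correct host and one with a commented-out directive
# followed by an explicit "no", plus a placeholder keytab at each mode.
TMPD=$(mktemp -d)
SSHD_GOOD=$TMPD/sshd_config.good
SSHD_BAD=$TMPD/sshd_config.bad
printf '%s\n' '# constructed sample' 'GSSAPIAuthentication yes' \
    'GSSAPICleanupCredentials yes' > "$SSHD_GOOD"
printf '%s\n' '#GSSAPIAuthentication yes' 'GSSAPIAuthentication no' \
    'GSSAPICleanupCredentials yes' > "$SSHD_BAD"
KEYTAB_GOOD=$TMPD/krb5.keytab.good
KEYTAB_BAD=$TMPD/krb5.keytab.bad
printf 'placeholder, not a real keytab\n' > "$KEYTAB_GOOD"; chmod 600 "$KEYTAB_GOOD"
printf 'placeholder, not a real keytab\n' > "$KEYTAB_BAD";  chmod 644 "$KEYTAB_BAD"

audit_ssh_host "$SSHD_GOOD" "$KEYTAB_GOOD"
audit_ssh_host "$SSHD_BAD" "$KEYTAB_BAD" || echo "findings on the bad sample (expected)"
```

On the real host run audit_ssh_host /etc/ssh/sshd_config /etc/krb5.keytab after the scp step; the copy inherits whatever mode and umask produce, so chmod 600 /etc/krb5.keytab if the check fails. klist -k /etc/krb5.keytab then lists the keytab's entries and should show the host/ssh.com principal that ktadd exported.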
Reposted from: http://cpbzx.baihongyu.com/