Summary: This 风哥教程 (Fengge Tutorials) text draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes the configuration and use of the related technologies in detail.
This document describes the configuration and use of the Kerberos authentication system in detail.
Part01-Kerberos Basics
1.1 Kerberos Concepts
1. KDC (Key Distribution Center)
– Authentication Server
– Ticket Granting Server
2. TGT (Ticket Granting Ticket)
– The ticket-granting ticket issued by the KDC
– Used to obtain service tickets
3. Service Ticket
– A ticket for one specific service
– Used to access that service
# Kerberos Authentication Flow
1. The user requests a TGT from the KDC
2. The KDC returns an encrypted TGT
3. The user presents the TGT to request a service ticket
4. The KDC returns the service ticket
5. The user presents the service ticket to access the service
# Install Kerberos
$ sudo dnf install -y krb5-server krb5-workstation
# Configure Kerberos
$ sudo tee /etc/krb5.conf << 'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kdc.fgedu.net.cn
admin_server = kdc.fgedu.net.cn
default_domain = fgedu.net.cn
}
[domain_realm]
.fgedu.net.cn = EXAMPLE.COM
fgedu.net.cn = EXAMPLE.COM
EOF
Part02-KDC Configuration
2.1 Configure the KDC Server
$ sudo kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# Create the admin principal
$ sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc admin/admin@EXAMPLE.COM
Enter password for principal "admin/admin@EXAMPLE.COM":
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local: quit
# Configure the kadmin ACL
$ sudo tee /var/kerberos/krb5kdc/kadm5.acl << 'EOF'
admin/admin@EXAMPLE.COM *
EOF
# Start the KDC services
$ sudo systemctl start krb5kdc
$ sudo systemctl start kadmin
$ sudo systemctl enable krb5kdc
$ sudo systemctl enable kadmin
# Configure the firewall
$ sudo firewall-cmd --permanent --add-service=kerberos
$ sudo firewall-cmd --permanent --add-service=kadmin
$ sudo firewall-cmd --reload
Part03-Principal Management
3.1 Manage Kerberos Principals
$ kadmin -p admin/admin@EXAMPLE.COM
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM:
# Create a user principal
kadmin: addprinc user1@EXAMPLE.COM
Enter password for principal "user1@EXAMPLE.COM":
Re-enter password for principal "user1@EXAMPLE.COM":
Principal "user1@EXAMPLE.COM" created.
# Create a service principal
kadmin: addprinc -randkey HTTP/webserver.fgedu.net.cn@EXAMPLE.COM
Principal "HTTP/webserver.fgedu.net.cn@EXAMPLE.COM" created.
# Export the service key to a keytab
kadmin: ktadd -k /tmp/http.keytab HTTP/webserver.fgedu.net.cn
Entry for principal HTTP/webserver.fgedu.net.cn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/http.keytab.
# List principals
kadmin: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kdc.fgedu.net.cn@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user1@EXAMPLE.COM
# Change a password
kadmin: cpw user1@EXAMPLE.COM
Enter password for principal "user1@EXAMPLE.COM":
Re-enter password for principal "user1@EXAMPLE.COM":
# Delete a principal
kadmin: delprinc user1@EXAMPLE.COM
Are you sure you want to delete the principal "user1@EXAMPLE.COM"? (yes/no): yes
Principal "user1@EXAMPLE.COM" deleted.
kadmin: quit
Part04-Ticket Management
4.1 Manage Kerberos Tickets
$ kinit user1@EXAMPLE.COM
Password for user1@EXAMPLE.COM:
# View tickets
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@EXAMPLE.COM
Valid starting       Expires              Service principal
04/04/2026 10:00:00  04/05/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
# Obtain a service ticket
$ kvno HTTP/webserver.fgedu.net.cn
HTTP/webserver.fgedu.net.cn@EXAMPLE.COM: kvno = 2
# View ticket details, including encryption types
$ klist -e
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@EXAMPLE.COM
Valid starting       Expires              Service principal
04/04/2026 10:00:00  04/05/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
# Renew the ticket
$ kinit -R
# Destroy tickets
$ kdestroy
# Authenticate using a keytab
$ kinit -k -t /etc/httpd/conf/http.keytab HTTP/webserver.fgedu.net.cn@EXAMPLE.COM
# Configure SSH Kerberos authentication
$ sudo tee /etc/ssh/sshd_config.d/kerberos.conf << 'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
EOF
$ sudo systemctl restart sshd
1. Use strong passwords
2. Rotate keys regularly
3. Configure time synchronization
4. Protect keytab files
5. Monitor ticket usage
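Added example (not from the original tutorial): a small bash audit script for two of the practices listed above. audit_keytab verifies that a keytab is readable only by its owner, and weak_etypes_in scans saved klist -e output for deprecated encryption types, which usually mean a principal's key was never rotated. It assumes GNU coreutils stat and the MIT krb5 klist output format; the klist dump embedded in it is constructed sample data.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit helpers for the
# "protect keytab files", "rotate keys" and "monitor ticket usage" items above.
# Assumes GNU coreutils (stat -c) and MIT krb5 'klist -e' output format.

# audit_keytab PATH
# Returns 0 when PATH is a regular file with no group/other permission bits
# (0600 or stricter), 1 otherwise. A keytab holds long-lived service keys, so
# a group- or world-readable keytab is equivalent to a leaked password.
audit_keytab() {
    local path="$1" mode
    [ -f "$path" ] || { echo "WARN: $path is not a regular file"; return 1; }
    mode=$(stat -c '%a' "$path") || return 1
    case "$mode" in
        *00) echo "OK: $path mode $mode"; return 0 ;;
        *)   echo "WARN: $path mode $mode; run: chmod 600 '$path'"; return 1 ;;
    esac
}

# weak_etypes_in FILE
# FILE holds saved 'klist -e' output. Prints every "Etype (skey, tkt):" line
# that names a deprecated encryption type (RC4, single DES, triple DES) and
# returns 1; returns 0 when every ticket uses a modern AES etype.
weak_etypes_in() {
    local found
    found=$(grep -E '^[[:space:]]*Etype \(skey, tkt\):' "$1" |
            grep -Ei 'arcfour-hmac|des-cbc-|des3-cbc-sha1' || true)
    [ -z "$found" ] && return 0
    printf 'WARN: deprecated encryption types in use:\n%s\n' "$found"
    return 1
}

# Constructed sample (not captured from a real KDC): the TGT uses AES but the
# HTTP service ticket still negotiates RC4, so the audit should flag it.
SAMPLE_KLIST=$(mktemp)
cat > "$SAMPLE_KLIST" <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2026 10:00:00  04/05/2026 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/04/2026 10:00:05  04/05/2026 10:00:00  HTTP/webserver.fgedu.net.cn@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
EOF
```

On a real host, source the script and run audit_keytab against the keytab path used in the kinit -k example above, and feed it a saved klist -e dump with weak_etypes_in.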
This article was compiled and published by 风哥教程 (Fengge Tutorials) for learning and testing purposes only. When reposting, credit the source: http://www.fgedu.net.cn/10327.html
