Testing the Kerberos configuration
Now test single sign-on with ssh.
[root@client ~]# ssh kuser1@client.on-itroad.com
kuser1@client.on-itroad.com's password:
[kuser1@client ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@on-itroad.com
Valid starting       Expires              Service principal
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/on-itroad.com@on-itroad.com
[kuser1@client ~]$ ssh kuser1@kerberos.on-itroad.com
Last login: Fri Jun 15 15:02:53 2018 from kerberos.on-itroad.com
[kuser1@kerberos ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@on-itroad.com
Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.on-itroad.com@on-itroad.com
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/on-itroad.com@on-itroad.com
[kuser1@client ~]$ ssh kuser1@client.on-itroad.com
Last login: Fri Jun 15 15:23:45 2018 from kerberos.on-itroad.com
[kuser1@client ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@on-itroad.com
Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.on-itroad.com@on-itroad.com
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.on-itroad.com@on-itroad.com
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/on-itroad.com@on-itroad.com
Look at the output of the last klist command.
The session holds one TGT (Ticket Granting Ticket) and two TGS (Ticket Granting Service) tickets, and is no longer asked for a password.
It uses these tickets to authenticate to the different servers, which is what provides single sign-on.
Configuring CentOS 7 as a Kerberos client
Now log in to the client.on-itroad.com machine and configure it for Kerberos authentication.
Install the required packages.
[root@client ~]# yum -y install krb5-workstation sssd pam_krb5
Copy the corresponding keytab from the kerberos machine to the client machine.
Also copy krb5.conf so that it does not have to be edited again.
[root@client ~]# scp root@kerberos:/tmp/client1.keytab /etc/krb5.keytab
root@kerberos's password:
client1.keytab                          100%  586     0.6KB/s   00:00
[root@client ~]# scp root@kerberos:/etc/krb5.conf /etc/krb5.conf
root@kerberos's password:
krb5.conf                               100%  472     0.5KB/s   00:00
Add a local user kuser1 for authorization purposes.
[root@client ~]# useradd kuser1
Configure Kerberos authentication.
[root@client ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.on-itroad.com --krb5adminserver=kerberos.on-itroad.com --krb5realm=on-itroad.com
Configuring Kerberos on CentOS 7
Install the Kerberos 5 packages.
Here krb5-server is the Kerberos server.
The krb5-workstation, pam_krb5 and sssd packages are also needed so that the same machine can be configured as a Kerberos client.
[root@kerberos ~]# yum -y install krb5-server krb5-workstation pam_krb5 sssd
Now edit the main Kerberos configuration file.
[root@kerberos ~]# vi /etc/krb5.conf
Uncomment all lines and replace the default realm EXAMPLE.COM with on-itroad.com (both the uppercase and the lowercase occurrences).
Also update the kdc and admin_server hostnames (in our case both roles use the same server name).
The final configuration should look like this.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = on-itroad.com
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
on-itroad.com = {
kdc = kerberos.on-itroad.com
admin_server = kerberos.on-itroad.com
}
[domain_realm]
.on-itroad.com = on-itroad.com
on-itroad.com = on-itroad.com
Now configure the KDC server.
[root@kerberos ~]# vi /var/kerberos/krb5kdc/kdc.conf
Uncomment all lines and replace the default realm EXAMPLE.COM with on-itroad.com.
The final configuration should look like this.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
on-itroad.com = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
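The supported_enctypes list above still carries single-DES, triple-DES and RC4 (arcfour-hmac) types, which current MIT krb5 releases treat as deprecated. The shell example below is added here and is not part of the original article: it flags those entries in a kdc.conf supported_enctypes value, and it also reads the klist output from the SSO test at the top of the page to report the TGT expiry and the number of service tickets. The sample inputs are constructed from this article's own output, and the function names are this example's own, not krb5 tools.

```shell
#!/bin/sh
# Added example: audit a kdc.conf enctype list and a klist dump.
# Constructed input: the supported_enctypes value from the article's kdc.conf.
KDC_ENCTYPES="aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal"

# Constructed input: the last klist output from the article's SSO test.
KLIST_OUTPUT='Ticket cache: KEYRING:persistent:1000:krb_ccache_Ud91x2t
Default principal: kuser1@on-itroad.com

Valid starting       Expires              Service principal
06/15/2018 15:24:29  06/16/2018 15:22:52  host/client.on-itroad.com@on-itroad.com
06/15/2018 15:23:15  06/16/2018 15:22:52  host/kerberos.on-itroad.com@on-itroad.com
06/15/2018 15:22:53  06/16/2018 15:22:52  krbtgt/on-itroad.com@on-itroad.com'

# Print, one per line, the enctypes in a supported_enctypes value that are
# DES-based or RC4 (arcfour). The ":normal" salt suffix is stripped first.
# AES and Camellia entries are kept silent.
weak_enctypes() {
    for entry in $1; do
        name="${entry%%:*}"
        case "$name" in
            des*|arcfour-hmac*) printf '%s\n' "$name" ;;
        esac
    done
}

# Print the expiry timestamp of the TGT (krbtgt/... service principal) in a
# klist dump; prints nothing if no TGT is cached.
tgt_expiry() {
    printf '%s\n' "$1" | awk '$NF ~ /^krbtgt\// { print $3 " " $4 }'
}

# Count cached service tickets: ticket lines start with a date and name a
# principal other than krbtgt.
service_ticket_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]/ && $NF !~ /^krbtgt\// { n++ } END { print n + 0 }'
}

echo "Deprecated enctypes in kdc.conf:"
weak_enctypes "$KDC_ENCTYPES"
echo "TGT expires: $(tgt_expiry "$KLIST_OUTPUT")"
echo "Service tickets cached: $(service_ticket_count "$KLIST_OUTPUT")"
```

On a live host the same functions can be fed `klist` directly, for example `tgt_expiry "$(klist)"`.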
Configure the kadmin ACL.
[root@kerberos ~]# vi /var/kerberos/krb5kdc/kadm5.acl
Update the realm here.
The final configuration is as follows:
*/admin@on-itroad.com *
Create the Kerberos database and set a strong master password.
[root@kerberos ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'on-itroad.com',
master key name 'K/M@on-itroad.com'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Enable and start the Kerberos services.
[root@kerberos ~]# systemctl enable krb5kdc && systemctl start krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@kerberos ~]# systemctl enable kadmin && systemctl start kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
Allow the Kerberos service through the Linux firewall.
[root@kerberos ~]# firewall-cmd --permanent --add-service=kerberos
success
[root@kerberos ~]# firewall-cmd --reload
success
Let's add entries to the Kerberos database.
[root@kerberos ~]# kadmin.local
Authenticating as principal root/admin@on-itroad.com with password.
kadmin.local: listprincs
K/M@on-itroad.com
kadmin/admin@on-itroad.com
kadmin/changepw@on-itroad.com
kadmin/kerberos.on-itroad.com@on-itroad.com
kiprop/kerberos.on-itroad.com@on-itroad.com
krbtgt/on-itroad.com@on-itroad.com
Add the Kerberized host to our Kerberos database and generate its keytab.
kadmin.local: addprinc -randkey host/kerberos.on-itroad.com
WARNING: no policy specified for host/kerberos.on-itroad.com@on-itroad.com; defaulting to no policy
Principal "host/kerberos.on-itroad.com@on-itroad.com" created.
kadmin.local: ktadd host/kerberos.on-itroad.com
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos.on-itroad.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
Add the client host to the Kerberos database and generate a keytab file that will be placed in /etc on the client machine.
kadmin.local: addprinc -randkey host/client.on-itroad.com
WARNING: no policy specified for host/client.on-itroad.com@on-itroad.com; defaulting to no policy
Principal "host/client.on-itroad.com@on-itroad.com" created.
kadmin.local: ktadd -k /tmp/client1.keytab host/client.on-itroad.com
Entry for principal host/client.on-itroad.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/client1.keytab.
Entry for principal host/client.on-itroad.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/client1.keytab.
Add a user to the Kerberos database for logging in to the kerberos host.
kadmin.local: addprinc kuser1
WARNING: no policy specified for kuser1@on-itroad.com; defaulting to no policy
Enter password for principal "kuser1@on-itroad.com":
Re-enter password for principal "kuser1@on-itroad.com":
Principal "kuser1@on-itroad.com" created.
Create an operating system user for authorization purposes.
This step is not needed if we are using an LDAP directory.
In that case the user should be added to the LDAP directory instead.
[root@kerberos ~]# useradd kuser1
Configure Kerberos authentication.
[root@kerberos ~]# authconfig --update --enablekrb5 --krb5kdc=kerberos.on-itroad.com --krb5adminserver=kerberos.on-itroad.com --krb5realm=on-itroad.com
Now log in to the kerberos server as kuser1 using ssh.
[kuser1@kerberos ~]$ ssh kuser1@kerberos
The authenticity of host 'kerberos (192.168.1.101)' can't be established.
ECDSA key fingerprint is 22:fa:59:75:3e:fa:24:73:a2:c3:cc:8f:24:bd:11:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kerberos,192.168.1.101' (ECDSA) to the list of known hosts.
Last login: Fri Jun 15 14:50:54 2018
Check the tickets issued to kuser1.
[kuser1@kerberos ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_gXNDEWJ
Default principal: kuser1@on-itroad.com
Valid starting       Expires              Service principal
06/15/2018 14:54:47  06/16/2018 14:50:54  host/kerberos.on-itroad.com@on-itroad.com
06/15/2018 14:50:54  06/16/2018 14:50:54  krbtgt/on-itroad.com@on-itroad.com
Environment
Server
Hostname: kerberos.on-itroad.com
IP address: 192.168.1.101
Operating system: CentOS 7.0
Client
Hostname: client.on-itroad.com
IP address: 192.168.1.102
Operating system: CentOS 7.0
Kerberos is the most widely used authentication protocol.
It provides authentication services for users and for other network services.
What makes Kerberos unique is that it never sends the user's password over the network, neither in plaintext nor in encrypted form.
Instead, it uses tickets to authenticate users and services.
These tickets are encrypted with keys unique to each user and service.
This arrangement protects the system against eavesdropping and replay attacks.
A ticket-based system also gives users SSO (single sign-on).
Kerberos is used by various well-known remote authentication products, such as Microsoft Active Directory and FreeIPA.
In this article we will configure a Kerberos Key Distribution Center (KDC) on CentOS 7.
Afterwards we will configure a client to use the server's single sign-on feature.
