Installing and configuring Kerberos on CentOS 7

The company has a new project that is going onto new servers; several of those servers need Kerberos to authenticate to each other, and installing and configuring it fell to me. Along the way I read quite a few articles online and ran into a few pitfalls, so I have written up the installation and configuration process as notes.

Kerberos in brief: it is an authentication protocol that provides a mechanism for authenticating a client to a server, or one server to another, and the authentication is mutual: each side proves its identity to the other.

Environment:

OS version: CentOS 7
Kerberos version: krb5-1.12.2
Server: grape.jie.hn
Client: peach.jie.hn

Configure DNS resolution and NTP

Kerberos requires the clocks of all participating hosts to be synchronized. Tickets carry timestamps and a lifetime, so a host whose clock has drifted away from the KDC's fails authentication with a clock-skew error. MIT krb5 tolerates a difference of at most 300 seconds (5 minutes) by default (the clockskew setting in [libdefaults]), so run ntpd or chronyd on the KDC and on every client against the same time source. DNS matters just as much: the service principals created below are host/grape.jie.hn and host/peach.jie.hn, and a client builds that name from the host name it resolves (by default including the reverse lookup), so forward and reverse records for both hosts must agree, otherwise the client asks the KDC for a principal that does not exist.

Configure the Kerberos server

Install the packages

krb5-libs, krb5-server, krb5-workstation and pam_krb5:

yum install -y krb5-libs krb5-server krb5-workstation pam_krb5

If the packages cannot be installed from yum, you can also download the source and build it yourself:

$ ./configure && make && make install

PAM

wget http://www.linux-pam.org/library/Linux-PAM-1.2.0.tar.gz
tar -zxvf Linux-PAM-1.2.0.tar.gz
cd Linux-PAM-1.2.0
./configure --prefix=/usr --libdir=/lib64  --disable-static --enable-shared && make && make install

pam_krb5

tar -xf pam_krb5-2.3.1-3+ldap.tgz
cd pam_krb5-2.3.1-3+ldap
./configure --prefix=/usr --libdir=/lib64; make; make install

Note: you can leave pam_krb5 out at first and, once the Kerberos installation is complete, test that it works without pam_krb5 before adding it. Be aware that the two source builds above install over /usr and /lib64, replacing the distribution's PAM libraries that every login path on the machine depends on; on CentOS 7 the pam and pam_krb5 RPMs are the safer choice, and a source build belongs on a test machine first.

Edit krb5.conf and kdc.conf

/etc/krb5.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.d.example.com:88
        admin_server = kerberos.d.example.com:749
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM #all users and machines in the example.com domain authenticate against EXAMPLE.COM
    .jie.hn = EXAMPLE.COM
    jie.hn = EXAMPLE.COM

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

/var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    v4_mode = nopreauth
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        #master_key_type = des3-hmac-sha1
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }

Two things in this file deserve attention. v4_mode here and krb4_convert in krb5.conf are Kerberos 4 leftovers; krb5 dropped Kerberos 4 support in release 1.8, so 1.12 simply ignores them. More importantly, supported_enctypes decides which keys are generated for every new principal, and this list includes single DES and RC4 (arcfour-hmac), both deprecated: as the ktadd output further down shows, every principal created with this configuration gets DES keys, and those keys stay in the database and in keytabs even if the list is tightened later. Unless a legacy client forces your hand, keep only the AES types.

Create the KDC database

kdb5_util create -s -r EXAMPLE.COM

-s writes the master key to a stash file (/var/kerberos/krb5kdc/.k5.EXAMPLE.COM) so that krb5kdc and kadmind can start at boot without anyone typing the master password; it has nothing to do with kadmin logins. Whoever can read the stash file can decrypt every key in the database, so it must stay owned by root with mode 0600.
"Loading random data" can take a while; afterwards you are asked to choose the master password.

Edit kadm5.acl

Edit the kadmin access-control file /var/kerberos/krb5kdc/kadm5.acl and add the following line:

*/admin@EXAMPLE.COM    *

The first field matches any principal whose instance is admin (root/admin below), and * grants it every kadmin privilege, including adding, deleting and re-keying any principal in the realm. kadmind reads this file at startup, so restart it after changes.
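What the weak parts of this configuration look like once corrected, as an added example rather than the page's own files: AES-only keys, the clock-skew limit made explicit, DNS no longer trusted for realm mapping, and a second admin principal whose rights stop at host principals. host-provisioner is a hypothetical principal name; the realm and paths are this page's. The enctype lines must be in place before kdb5_util create and before any principal is added, since existing keys keep the types they were generated with.

```ini
; /var/kerberos/krb5kdc/kdc.conf (added example; realm and paths as on this page)
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        ; AES only: no DES, 3DES or RC4 key is ever generated for a principal
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        max_life = 10h
        max_renewable_life = 7d
    }

; /etc/krb5.conf, [libdefaults] section; the other sections stay as shown above
; and the same file is copied to every client
[libdefaults]
    default_realm = EXAMPLE.COM
    ; map hosts to realms through [domain_realm], not through DNS TXT records
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts aes128-cts
    ; maximum tolerated clock difference, in seconds (this is the default)
    clockskew = 300

; /var/kerberos/krb5kdc/kadm5.acl
; principal                    permissions   target principals (optional)
*/admin@EXAMPLE.COM            *
; hypothetical automation account: add, change key and inquire, but only for
; host/* principals; it cannot touch user or admin principals
host-provisioner@EXAMPLE.COM   aci           host/*@EXAMPLE.COM
```

The aci permissions are what addprinc -randkey and ktadd need, so a provisioning script can enrol new hosts with that principal instead of with root/admin, and a leak of its password cannot be turned into control of the whole realm.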

Start the Kerberos services

systemctl start krb5kdc
systemctl start kadmin

and enable them at boot:

systemctl enable krb5kdc
systemctl enable kadmin

Add principals

Log in to the KDC and add an administrator principal and an ordinary user principal.
First create a principal with administrative rights. kadmin does not echo passwords; the values shown after the prompts below are what was typed, and "root" is a placeholder to replace with a strong password, since root/admin holds every kadmin privilege granted in kadm5.acl:

$ kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": root
Re-enter password for principal "root/admin@EXAMPLE.COM": root
Principal "root/admin@EXAMPLE.COM" created.

Create an ordinary principal:

kadmin.local:  addprinc yibo
Enter password for principal "yibo@EXAMPLE.COM": yourpassword
Re-enter password for principal "yibo@EXAMPLE.COM": yourpassword
Principal "yibo@EXAMPLE.COM" created.

Note: kadmin and kadmin.local are both management interfaces to the Kerberos database. kadmin.local opens the database file directly, so it only works on the KDC itself and needs no password (root on the KDC is trusted implicitly); kadmin works on both the server and the client but authenticates over the network with the principal's password, which of course requires the kadmin service to be running on the server.

Add the KDC host's principal to the Kerberos database

kadmin.local:  addprinc -randkey host/grape.jie.hn
WARNING: no policy specified for host/grape.jie.hn@EXAMPLE.COM; defaulting to no policy
Principal "host/grape.jie.hn@EXAMPLE.COM" created.

Export the host principal's keys to the keytab (sshd reads /etc/krb5.keytab to decrypt the service tickets that clients present):

kadmin.local:  ktadd host/grape.jie.hn
Entry for principal host/grape.jie.hn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  quit
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    8 host/grape.jie.hn@EXAMPLE.COM
    8 host/grape.jie.hn@EXAMPLE.COM
    8 host/grape.jie.hn@EXAMPLE.COM
    8 host/grape.jie.hn@EXAMPLE.COM
    8 host/grape.jie.hn@EXAMPLE.COM
    8 host/grape.jie.hn@EXAMPLE.COM

Note the key version numbers: ktadd reported kvno 2, while klist -k shows kvno 8. ktadd generates a fresh random key and increments the kvno every time it runs, so running it repeatedly (as evidently happened here) invalidates any copy of the keytab taken earlier: the KDC encrypts service tickets with the newest key, and a host holding an older kvno can no longer decrypt them. Run ktadd once per host, on the host that needs the keytab, and keep /etc/krb5.keytab readable by root only, since anyone who can read it can impersonate the host.

Edit /etc/ssh/sshd_config and /etc/ssh/ssh_config

GSSAPIAuthentication has to be enabled on the server side for sshd to accept Kerberos logins at all, so in /etc/ssh/sshd_config:

GSSAPIAuthentication yes

The other options belong to the client configuration, /etc/ssh/ssh_config, and apply to outgoing connections. Delegation forwards your TGT to the remote host, so only enable it for hosts you trust with your credentials, and GSSAPITrustDNS lets the client derive the service principal from DNS, which means a DNS answer decides which host principal a ticket is requested for:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDNS yes

Reload sshd:

systemctl reload sshd

Configure PAM

authconfig-tui

Select "[*] Use Kerberos" and choose Next, confirm that Realm, KDC and Admin Server are correct, select "[*] Use DNS to resolve hosts to realms" and "[*] Use DNS to locate KDCs for realms", then choose OK to save. The equivalent non-interactive command is:

authconfig --enablekrb5 --update

Alternatively run

setup

and enter Authentication configuration; the settings are the same as above.

Configure the firewall (if it is enabled)

Create /etc/firewalld/services/kerberos.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>Kerberos</short>
    <description>Kerberos network authentication protocol server</description>
    <port protocol="tcp" port="88"/>
    <port protocol="udp" port="88"/>
    <port protocol="tcp" port="749"/>
</service>

CentOS 7's firewalld already ships service definitions named kerberos (88/tcp and 88/udp) and kadmin (749/tcp); a file of the same name under /etc/firewalld/services overrides the shipped kerberos definition, which is what the version above does by folding 749/tcp into it. Add the service to the firewall:

firewall-cmd --permanent --add-service=kerberos

Reload the firewall configuration:

firewall-cmd --reload

Add the principal to /root/.k5login

yibo@EXAMPLE.COM

This file lists the principals allowed to log in as root over GSSAPI, so the line above grants yibo@EXAMPLE.COM a root shell on the host. Keep it owned and writable by root only, and in a real deployment prefer a .k5login in an unprivileged account's home directory to one in /root.

Configure the Kerberos client

Install the packages

yum install -y krb5-libs krb5-workstation pam_krb5

Configuration file

Copy /etc/krb5.conf from the server as it is.

Add the client's host name to the Kerberos database

Here kadmin connects to kadmind on the server over port 749 (the port the firewall rule above opened) and authenticates as root/admin; the keytab is written locally on the client, which is where sshd on peach.jie.hn will read it.

$ kdestroy
$ kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: root
kadmin:  addprinc -randkey host/peach.jie.hn
NOTICE: no policy specified for host/peach.jie.hn@EXAMPLE.COM; assigning "default"
Principal "host/peach.jie.hn@EXAMPLE.COM" created.
kadmin:  ktadd host/peach.jie.hn
Entry for principal host/peach.jie.hn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

Test

$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    2 host/peach.jie.hn@EXAMPLE.COM
    2 host/peach.jie.hn@EXAMPLE.COM
    2 host/peach.jie.hn@EXAMPLE.COM
    2 host/peach.jie.hn@EXAMPLE.COM
    2 host/peach.jie.hn@EXAMPLE.COM
    2 host/peach.jie.hn@EXAMPLE.COM

$ kinit yibo
Password for yibo@EXAMPLE.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yibo@EXAMPLE.COM

Valid starting       Expires              Service principal
05/15/2015 13:51:45  05/16/2015 13:51:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM

$ ssh grape.jie.hn

At this point you should be logged in without being asked for a password. Because the test runs as root (the cache is /tmp/krb5cc_0), ssh logs in as root on grape.jie.hn, and it is /root/.k5login on grape that authorises yibo@EXAMPLE.COM for that account. If a password is still requested, check whether a step was skipped, and check the firewall and SELinux. Useful checks: ssh -v grape.jie.hn reports which authentication method actually succeeded; ssh -o PreferredAuthentications=gssapi-with-mic grape.jie.hn makes the GSSAPI attempt fail loudly instead of silently falling back to a password; KRB5_TRACE=/dev/stderr kinit yibo traces the exchange with the KDC; and, with a valid TGT, kvno host/grape.jie.hn compared with klist -k on the server reveals a keytab whose key version no longer matches the KDC.
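The two checks that resolve most "still asks for a password" cases, keytab key version drift (the kvno 2 versus kvno 8 seen on the server above) and a silent fallback from GSSAPI to password, as an added example that is not part of the original post. The inputs are constructed to mirror this page's hosts and realm, and the function names are this example's own; on a real host feed the functions the output of klist -ke, kvno host/$(hostname -f) and ssh -v instead.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the two
# usual reasons "ssh grape.jie.hn" still asks for a password after kinit.
# All inputs below are constructed to mirror this page's hosts and realm;
# the function names are this example's own.

# Constructed `klist -ke` listing taken on the server: six keys at kvno 2,
# including the DES and RC4 entries the page's supported_enctypes produces.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/grape.jie.hn@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/grape.jie.hn@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/grape.jie.hn@EXAMPLE.COM (des3-cbc-sha1)
   2 host/grape.jie.hn@EXAMPLE.COM (arcfour-hmac)
   2 host/grape.jie.hn@EXAMPLE.COM (des-hmac-sha1)
   2 host/grape.jie.hn@EXAMPLE.COM (des-cbc-md5)'

# Constructed `kvno host/grape.jie.hn` output (needs a valid TGT): the KDC
# now issues kvno 8, because ktadd was re-run on the KDC after this keytab
# was written.
SAMPLE_KVNO='host/grape.jie.hn@EXAMPLE.COM: kvno = 8'

# Constructed lines from `ssh -v grape.jie.hn`: GSSAPI was tried, then
# OpenSSH quietly fell back to a password.
SAMPLE_SSHV='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

# keytab_kvno LISTING PRINCIPAL -> highest kvno stored for PRINCIPAL (0 if none)
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kdc_kvno KVNO_OUTPUT -> kvno the KDC currently issues for the principal
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# keytab_current LISTING PRINCIPAL KVNO_OUTPUT -> 0 if this keytab can decrypt
# the tickets the KDC hands out now, 1 if ktadd must be re-run on this host
keytab_current() {
    [ "$(keytab_kvno "$1" "$2")" -eq "$(kdc_kvno "$3")" ]
}

# legacy_enctypes LISTING -> DES, 3DES and RC4 entries, one per line
legacy_enctypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 ~ /^[(](des|arcfour)/ { print $1, $2, $3 }'
}

# ssh_auth_method SSH_V_OUTPUT -> the method OpenSSH reports as successful
ssh_auth_method() {
    printf '%s\n' "$1" | sed -n 's/.*Authentication succeeded (\([a-z-]*\)).*/\1/p'
}

report() {
    principal=$1
    if keytab_current "$SAMPLE_KLIST" "$principal" "$SAMPLE_KVNO"; then
        echo "keytab kvno matches the KDC for $principal"
    else
        echo "kvno mismatch for $principal: keytab has $(keytab_kvno "$SAMPLE_KLIST" "$principal"), KDC issues $(kdc_kvno "$SAMPLE_KVNO"); re-run ktadd on this host"
    fi
    legacy_enctypes "$SAMPLE_KLIST" | sed 's/^/legacy key in keytab: /'
    echo "ssh authenticated with: $(ssh_auth_method "$SAMPLE_SSHV")"
}

report host/grape.jie.hn@EXAMPLE.COM
```

A mismatch means the host must run ktadd again for its own principal (and every other host that shares that principal's keytab gets the same new kvno); a method other than gssapi-with-mic in the last line means sshd never accepted the ticket, and ssh -v on the client together with /var/log/secure on the server says why.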

Some additional notes

Principal: in Kerberos a principal is the basic entity that takes part in authentication. There are generally two kinds, one representing a user in the Kerberos database and the other representing a particular host, so a principal identifies either a client or a service; its on-the-wire form is defined in ASN.1 (Abstract Syntax Notation One). A principal consists of three parts: the name, the instance and the realm, so a typical Kerberos principal looks like name/instance@REALM.
Name: the first part. For a client it is a user name; for a host it is written as host.
Instance: the second part. It further qualifies the name, for example the host the name belongs to or the name's role, and may be omitted. It is separated from the first part by '/'; for a host it is written as host/instance, with the fully qualified host name as the instance.
Realm: the third part. A realm is Kerberos's administrative boundary: the database a KDC is responsible for is one realm, it holds all principals within that network together with their keys, and its contents are used by the authentication server (AS) and the ticket-granting server (TGS). Realm names are conventionally written in upper case, and in most deployments the realm matches the DNS domain of the environment. It is separated from the second part by '@' and defaults to the local realm.
KDC: the key distribution center (it hands out keys and tickets).
Client: the party being served.
Server: the host that provides the service.
