Kerberos configuration and SSH authentication implementation

Compiled, organized and written by snow chuai --- 2020/2/22


1. Install and configure the Krb server
1.1 Install the Krb server
1) Confirm NTP synchronization
2) Confirm that the FQDNs srv1.1000cc.net and client.1000cc.net resolve successfully
3) Install the Kerberos server
[root@srv1 ~]# yum install krb5-server krb5-libs -y
1.2 Configure the Krb server
1) Configure the KDC
[root@srv1 ~]# vim /var/kerberos/krb5kdc/kdc.conf
# Change EXAMPLE.COM to the realm name you defined (it must be uppercase)
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 1000CC.NET = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
2) Configure the ACL file, granting the admin accounts control over the specified realm
[root@srv1 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
# Change EXAMPLE.COM to the realm name you defined (it must be uppercase)
*/admin@1000CC.NET *
3) Configure the krb5 file
[root@srv1 ~]# vim /etc/krb5.conf
# Change EXAMPLE.COM to the realm name you defined (it must be uppercase), and change kerberos.example.com to the FQDN of your Kerberos server (it must be lowercase)
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = 1000CC.NET
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 1000CC.NET = {
  kdc = srv1.1000cc.net
  admin_server = srv1.1000cc.net
 }

[domain_realm]
 .1000cc.net = 1000CC.NET
 1000cc.net = 1000CC.NET
4) Generate the Kerberos database (note the uppercase realm name)
[root@srv1 ~]# kdb5_util create -s -r 1000CC.NET
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm '1000CC.NET',
master key name 'K/M@1000CC.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                      # define the password
Re-enter KDC database master key to verify:
5) Confirm that the database was created successfully
[root@srv1 ~]# ls -l /var/kerberos/krb5kdc/
total 24
-rw------- 1 root root   21 Feb 22 01:00 kadm5.acl
-rw------- 1 root root  450 Feb 22 00:58 kdc.conf
-rw------- 1 root root 8192 Feb 22 01:05 principal
-rw------- 1 root root 8192 Feb 22 01:05 principal.kadm5
-rw------- 1 root root    0 Feb 22 01:05 principal.kadm5.lock
-rw------- 1 root root    0 Feb 22 01:05 principal.ok
6) Start the Kerberos services
[root@srv1 ~]# systemctl enable --now krb5kdc kadmin
7) Create a local account
[root@srv1 ~]# useradd snow
[root@srv1 ~]# passwd snow
Changing password for user snow.
New password:                                       # the password is 123456
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
8) Add a Kerberos administrator account, for remote connections
[root@srv1 ~]# kadmin.local
Authenticating as principal root/admin@1000CC.NET with password.
kadmin.local: addprinc root/admin
Enter password for principal "root/admin@1000CC.NET":      # define the administrator password
Re-enter password for principal "root/admin@1000CC.NET":
Principal "root/admin@1000CC.NET" created.
9) Add an ordinary Kerberos account, for remote connections
kadmin.local: addprinc snow
Enter password for principal "snow@1000CC.NET":            # snow's password is 654321
Re-enter password for principal "snow@1000CC.NET":
Principal "snow@1000CC.NET" created.
10) Add the hosts to the Kerberos database
kadmin.local: addprinc -randkey host/srv1.1000cc.net
Principal "host/srv1.1000cc.net@1000CC.NET" created.
kadmin.local: addprinc -randkey host/client.1000cc.net
Principal "host/client.1000cc.net@1000CC.NET" created.
11) Create the key (keytab entry) for srv1.1000cc.net
kadmin.local: ktadd host/srv1.1000cc.net
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit
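Two things in the server configuration above are worth checking before krb5kdc is started: the case rules the comments insist on (uppercase realm, lowercase KDC host), and the supported_enctypes line, which still carries the deprecated single-DES, triple-DES and RC4 (arcfour) types that the stock kdc.conf ships with. The POSIX sh script below is an added example, not part of the original post; it works on constructed copies of the post's own kdc.conf and krb5.conf fragments, and the function names (enctype_list, weak_enctypes, strong_enctypes, realm_case_ok) are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): audit the kdc.conf and krb5.conf fragments
# above before starting krb5kdc. Inputs are constructed copies of the post's snippets so the
# script runs offline; on a real host pass "$(cat /var/kerberos/krb5kdc/kdc.conf)" etc.

# Constructed copy of the [realms] block from the post's kdc.conf.
KDC_CONF='[realms]
 1000CC.NET = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'
# Constructed copy of the realm lines from the post's krb5.conf (key = value form, as in the post).
KRB5_CONF='[libdefaults]
 default_realm = 1000CC.NET
[realms]
 1000CC.NET = {
  kdc = srv1.1000cc.net
  admin_server = srv1.1000cc.net
 }'

# The supported_enctypes value, one entry per line.
enctype_list() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=//p' | tr ' ' '\n'
}
# Print every deprecated single-DES, triple-DES or RC4 (arcfour) entry; no output means clean.
weak_enctypes() {
    enctype_list "$1" | grep -E '^(des-|des3-|arcfour-)' || true
}
# Print the hardened supported_enctypes line with those entries removed.
strong_enctypes() {
    list=$(enctype_list "$1" | grep -Ev '^(des-|des3-|arcfour-|$)' | tr '\n' ' ')
    printf 'supported_enctypes = %s\n' "${list% }"
}
# Return 0 when default_realm is uppercase and every kdc/admin_server inside [realms]
# is lowercase (the two case rules the post's comments insist on); otherwise return 1.
realm_case_ok() {
    realm=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || return 1
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_realms = ($1 == "[realms]") }
        in_realms && ($1 == "kdc" || $1 == "admin_server") && $3 != tolower($3) { bad = 1 }
        END { exit bad + 0 }'
}

echo "weak enctypes in kdc.conf:"; weak_enctypes "$KDC_CONF"
echo "replace the line with:"; strong_enctypes "$KDC_CONF"
realm_case_ok "$KRB5_CONF" && echo "realm/KDC name case OK"
```

Principals created before the enctype list is trimmed keep their old keys, so change kdc.conf first and then run the addprinc/ktadd steps.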
2. Configure the client
1) Confirm NTP synchronization and that the FQDNs resolve correctly
2) Install the client tools
[root@client ~]# yum install krb5-workstation pam_krb5 -y
3) Configure krb5
[root@client ~]# vim /etc/krb5.conf
# Change EXAMPLE.COM to the realm name you defined (it must be uppercase), and change kerberos.example.com to the FQDN of your Kerberos server (it must be lowercase)
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = 1000CC.NET
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 1000CC.NET = {
  kdc = srv1.1000cc.net
  admin_server = srv1.1000cc.net
 }

[domain_realm]
 .1000cc.net = 1000CC.NET
 1000cc.net = 1000CC.NET
4) Generate the client key
(1) Connect to the Kerberos server
[root@client ~]# kadmin
Authenticating as principal root/admin@1000CC.NET with password.
Password for root/admin@1000CC.NET:                 # enter the root/admin password
kadmin:
(2) Generate the client key
kadmin: ktadd host/client.1000cc.net
Entry for principal host/client.1000cc.net with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/client.1000cc.net with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for princ
kadmin: quit
5) Enable Kerberos authentication on the client
[root@client ~]# authconfig --enablekrb5 --update
6) View the current keys
[root@client ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/client.1000cc.net@1000CC.NET
   2    2 host/client.1000cc.net@1000CC.NET
   3    2 host/client.1000cc.net@1000CC.NET
   4    2 host/client.1000cc.net@1000CC.NET
   5    2 host/client.1000cc.net@1000CC.NET
   6    2 host/client.1000cc.net@1000CC.NET
   7    2 host/client.1000cc.net@1000CC.NET
   8    2 host/client.1000cc.net@1000CC.NET
ktutil: quit
7) Obtain Kerberos credentials
[root@client ~]# kinit snow
Password for snow@1000CC.NET:                       # enter the password defined in Kerberos, 654321
[root@client ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: snow@1000CC.NET

Valid starting       Expires              Service principal
02/22/2020 01:31:40  02/23/2020 01:31:40  krbtgt/1000CC.NET@1000CC.NET
3. SSH configuration and testing
1) Change the SSH server configuration
[root@srv1 ~]# vim /etc/ssh/sshd_config
......
......
# Change the values on lines 79-80 to yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
......
......
[root@srv1 ~]# systemctl restart sshd
2) Change the SSH client configuration
[root@client ~]# vim /etc/ssh/ssh_config
......
......
# Change the values on lines 27-28 to yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
......
......
[root@client ~]# systemctl restart sshd
3) SSH test from the client (the expected result is that ssh connects to the remote server automatically, without asking for a password)
[root@client ~]# ssh snow@srv1.1000cc.net
Last login: Sat Feb 22 01:38:26 2020 from 192.168.10.13
[snow@srv1 ~]$                                      # connected automatically
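When the test above still prompts for a password, the usual causes are on the SSH server side: its keytab must hold host/<FQDN>@<REALM> for exactly the name the client resolves, and sshd applies the FIRST uncommented value of a keyword, so a stray "GSSAPIAuthentication no" earlier in sshd_config silently wins over the "yes" set in step 1. The POSIX sh script below is an added example, not part of the original post; it runs on a constructed ktutil listing for srv1 (same format as section 2 step 6, entries as written by ktadd in section 1 step 11) and on constructed sshd_config fragments, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the SSH server side of the
# GSSAPI login above. Inputs are constructed from output/config shown in this post; on a real
# host feed it `ktutil list` output for /etc/krb5.keytab and the text of /etc/ssh/sshd_config.
REALM=1000CC.NET

# Constructed listing for srv1 in the `ktutil: list` format of section 2 step 6 (two slots).
KTUTIL_LIST='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/srv1.1000cc.net@1000CC.NET
   2    2 host/srv1.1000cc.net@1000CC.NET'

# Constructed sshd_config fragments. In the BAD one an uncommented "no" precedes the "yes"
# from section 3 step 1; sshd keeps the first value it sees for a keyword.
SSHD_CONF_OK='#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'
SSHD_CONF_BAD='GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

# Return 0 when the keytab listing holds host/<fqdn>@<realm>. The name must be the FQDN the
# client resolves (rdns = false in krb5.conf means forward DNS only), not a short hostname.
keytab_has_host_principal() {   # $1 listing  $2 fqdn  $3 realm
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '$3 == want { found = 1 } END { exit !found }'
}

# Print the effective value of an sshd_config keyword: first uncommented match wins, which is
# sshd's own rule; print nothing when the keyword is absent.
sshd_effective() {   # $1 config text  $2 keyword (case-insensitive)
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 only when both settings from section 3 step 1 are effectively "yes".
sshd_gssapi_ready() {
    [ "$(sshd_effective "$1" GSSAPIAuthentication)" = yes ] &&
      [ "$(sshd_effective "$1" GSSAPICleanupCredentials)" = yes ]
}

# Run both checks for one server and report; return 1 if anything fails.
server_ready() {   # $1 listing  $2 fqdn  $3 sshd_config text
    ok=0
    keytab_has_host_principal "$1" "$2" "$REALM" \
      && echo "keytab: host/$2@$REALM present" || { echo "keytab: host/$2@$REALM MISSING"; ok=1; }
    sshd_gssapi_ready "$3" \
      && echo "sshd: GSSAPI enabled" || { echo "sshd: GSSAPIAuthentication is effectively '$(sshd_effective "$3" GSSAPIAuthentication)'"; ok=1; }
    return $ok
}

server_ready "$KTUTIL_LIST" srv1.1000cc.net "$SSHD_CONF_OK"
server_ready "$KTUTIL_LIST" srv1.1000cc.net "$SSHD_CONF_BAD" || echo "server NOT ready for GSSAPI login"
```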
4. OpenLDAP + Kerberos explained
1) The three parties
                          |--- Kerberos: authenticates the accounts (LDAPC, an LDAP client)
                          |
LDAPS: manages accounts --+
                          |
                          |--- Client: obtains its accounts from LDAPS; SSH logins are authenticated by Kerberos
2) How LDAP works
The LDAP server is responsible for all account management and stores the account information in its own database, but it must register itself with the KrbSrv (addprinc -randkey host/LDAP Server) so that it can communicate with the KrbSrv legitimately.
The LDAP server is therefore a Kerberos client, for authentication and sessions.
3) How Kerberos works
The KrbSrv, acting as an LDAP client, can obtain the account information from LDAP, and can addprinc and authenticate those accounts directly without creating them separately.
Kerberos server
1. Kerberos is an LDAP client
2. All accounts are provided by the LDAP server
3. When the Kerberos server adds accounts, it adds them directly from the LDAP accounts
4) The client
The client obtains genuine, valid accounts from the LDAP server and can log in via LDAP, so the client must be an LDAP client.
When a service (such as ssh) is integrated with Kerberos, the client needs the krbsrv to authenticate it, so the client must also be a Kerberos client (it must be added with addprinc, otherwise it cannot communicate).
Client
1. It is a Kerberos client and also an LDAP client
2. Both the krb and ldap client software are required.
3. authconfig must be used to enable LDAP authentication and Kerberos authentication together.
