日志

Kerberos配置

已有 2277 次阅读2018-7-1 11:48 |个人分类:Kerberos|系统分类:大数据| Kerberos

写在前面：

系统是centos7 :CentOS-7-x86_64-DVD-1708.iso

1、需要关闭防火墙，或者添加防火墙访问限制，否则在客户机初始化时会报

[root@master ~]# kinit admin/admin

kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

1.1 查看防火墙状态

[root@slave3 ~]# service firewalld status

Redirecting to /bin/systemctl status firewalld.service

● firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

Active: active (running) since 六 2018-06-16 08:16:12 CST; 5min ago

Docs: man:firewalld(1)

Main PID: 792 (firewalld)

CGroup: /system.slice/firewalld.service

└─792 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

1.2 关闭防火墙

[root@master ~]# service firewalld stop

Redirecting to /bin/systemctl stop firewalld.service

1.3 关闭开机自动启动

[root@master ~]# systemctl disable firewalld.service

Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.

Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

2、安装Kerberos相关软件

[root@hd153 ~]# yum install krb5-server krb5-libs krb5-auth-dialog

[root@hd153 ~]# rpm -qa|grep -i krb

krb5-auth-dialog-0.13-6.el6.x86_64

krb5-libs-1.10.3-65.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

krb5-server-1.10.3-65.el6.x86_64

python-krbV-1.0.90-3.el6.x86_64

krb5-devel-1.10.3-65.el6.x86_64

krb5-workstation-1.10.3-65.el6.x86_64

3、配置

3.1 配置kdc.conf

默认放在 /var/kerberos/krb5kdc/kdc.conf。或者通过覆盖KRB5_KDC_PROFILE环境变量修改配置文件位置。

[root@hd153 ~]# vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]

kdc_ports = 88

kdc_tcp_ports = 88

[realms]

EXAMPLE.COM = {

#master_key_type = aes256-cts

acl_file = /var/kerberos/krb5kdc/kadm5.acl

dict_file = /usr/share/dict/words

admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

}

说明：

HADOOP.COM:是设定的realms。名字随意。Kerberos可以支持多个realms，会增加复杂度。本文不探讨。大小写敏感，一般为了识别使用全部大写。这个realms跟机器的host没有大关系。

max_renewable_life = 7d 涉及到是否能进行ticket的renwe必须配置。

master_key_type:和supported_enctypes默认使用aes256-cts。由于，JAVA使用aes256-cts验证方式需要安装额外的jar包，更多参考2.2.9关于AES-256加密：。推荐不使用。

acl_file:标注了admin的用户权限。文件格式是

Kerberos_principal permissions [target_principal] [restrictions]支持通配符等。

admin_keytab:KDC进行校验的keytab。后文会提及如何创建。

supported_enctypes:支持的校验方式。注意把aes256-cts去掉。

3.2 配置krb5.conf

/etc/krb5.conf: 包含Kerberos的配置信息。例如，KDC的位置，Kerberos的admin的realms 等。需要所有使用的Kerberos的机器上的配置文件都同步。这里仅列举需要的基本配置。

[root@hd153 ~]# vi /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = EXAMPLE.COM

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

[realms]

EXAMPLE.COM = {

kdc = hd153 # 修改为KDC主机

admin_server = hd153 # 修改为KDC主机

}

[domain_realm]

.example.com = EXAMPLE.COM

example.com = EXAMPLE.COM

注：配置的时候需要把这几个汉字删除（修改为KDC主机），要不然会报

kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface

日志显示：more /var/log/krb5kdc.log

6月 16 08:32:25 slave3 krb5kdc[1202](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.137.171: SERVER_NOT_FOUND: admin/admin@EXAMPLE.COM for kadmin/slave3 # 修改为kdc主机@EXAMPLE.COM

, Server not found in Kerberos database

说明：

[logging]：表示server端的日志的打印位置

[libdefaults]：每种连接的默认配置，需要注意以下几个关键的小配置

default_realm = HADOOP.COM 默认的realm，必须跟要配置的realm的名称一致。

udp_preference_limit = 1 禁止使用udp可以防止一个Hadoop中的错误

oticket_lifetime表明凭证生效的时限，一般为24小时。

orenew_lifetime表明凭证最长可以被延期的时限，一般为一个礼拜。当凭证过期之后，

对安全认证的服务的后续访问则会失败。

[realms]:列举使用的realm。

kdc：代表要kdc的位置。格式是机器:端口

admin_server:代表admin的位置。格式是机器:端口

default_domain：代表默认的域名

[appdefaults]:可以设定一些针对特定应用的配置，覆盖默认配置。

4、操作

4.1 创建/初始化Kerberos database

[root@hd153 ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM

[root@hd153 krb5kdc]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COM

Loading random data ## 当出现这个的时候，需要另开一个窗口执行：cat /dev/sda > /dev/urandom

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',

master key name 'K/M@EXAMPLE.COM'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key: #输入密码：自己设置 123456

Re-enter KDC database master key to verify: #确认密码

完成后有台下文件生成

[root@hd153 krb5kdc]# ls -ltr

total 24

-rw------- 1 root root 405 Nov 23 2016 kdc.conf

-rw------- 1 root root 22 Nov 23 2016 kadm5.acl

-rw------- 1 root root 8192 Jun 11 21:36 principal.kadm5

-rw------- 1 root root 0 Jun 11 21:36 principal.kadm5.lock

-rw------- 1 root root 8192 Jun 11 21:36 principal

-rw------- 1 root root 0 Jun 11 21:37 principal.ok

4.2 添加database administrator

[root@hd153 krb5kdc]# kadmin.local -q "addprinc admin/admin"

Authenticating as principal root/admin@EXAMPLE.COM with password.

WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy

Enter password for principal "admin/admin@EXAMPLE.COM": # 输入密码这个地方我设置admin

Re-enter password for principal "admin/admin@EXAMPLE.COM":

Principal "admin/admin@EXAMPLE.COM" created.

配置kadm5.acl 为database administrator设置ACL权限

[root@hd153 krb5kdc]# cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@EXAMPLE.COM

代表名称匹配*/admin@HADOOP.COM 都认为是admin，权限是 *。代表全部权限。

## 这个地方可以编辑，我默认就是这样的，所以不用编辑了

在KDC上我们需要编辑acl文件来设置权限，该acl文件的默认路径是 /var/kerberos/krb5kdc/kadm5.acl（也可以在文件kdc.conf中修改）。Kerberos的kadmind daemon会使用该文件来管理对Kerberos database的访问权限。对于那些可能会对pincipal产生影响的操作，acl文件也能控制哪些principal能操作哪些其他pricipals。

4.3 在master KDC启动Kerberos daemons

[root@hd153 krb5kdc]# service krb5kdc start

Starting Kerberos 5 KDC: [ OK ]

[root@hd153 krb5kdc]# service kadmin start

Starting Kerberos 5 Admin Server: [ OK ]

[root@hd153 krb5kdc]# chkconfig krb5kdc on # 设置为开机启动

[root@hd153 krb5kdc]# chkconfig kadmin on

日志在 /var/log/krb5kdc.log 和 /var/log/kadmind.log

查看启动后的状态

[root@hd153 ~]# netstat -anpl|grep kadmin

tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 2477/kadmind

tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 2477/kadmind

tcp 0 0 192.168.137.153:749 192.168.137.150:57152 ESTABLISHED 2477/kadmind

tcp 0 0 :::749 :::* LISTEN 2477/kadmind

tcp 0 0 :::464 :::* LISTEN 2477/kadmind

udp 0 0 0.0.0.0:464 0.0.0.0:* 2477/kadmind

udp 0 0 fe80::20c:29ff:fe29:25f9:464 :::* 2477/kadmind

[root@hd153 ~]# netstat -anpl|grep kdc

tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2462/krb5kdc

tcp 0 0 :::88 :::* LISTEN 2462/krb5kdc

udp 0 0 0.0.0.0:88 0.0.0.0:* 2462/krb5kdc

udp 0 0 fe80::20c:29ff:fe29:25f9:88 :::* 2462/krb5kdc

------------------------

5、***配置客户端***

Configuring Kerberos Clients

从master上拷贝配置文件过来

[root@hd150 ~]# scp root@hd153:/etc/krb5.conf /etc/krb5.conf

***日常使用***

登陆

管理员在master登陆

[root@hd153 krb5kdc]# kadmin.local # 不需要输入密码即进入命令行

Authenticating as principal root/admin@EXAMPLE.COM with password.

kadmin.local:

在其他主机登陆，需要先初始化，然后再用kadmin进入命令行管理

[root@hd150 ~]# kinit admin/admin

Password for admin/admin@EXAMPLE.COM: #输入密码 admin

[root@hd150 ~]# kadmin

Authenticating as principal admin/admin@EXAMPLE.COM with password.

Password for admin/admin@EXAMPLE.COM: #输入密码 admin

kadmin:

6、增删改查账户

在管理员的状态下使用addprinc,delprinc,modprinc,listprincs命令。使用?可以列出所有的命令。

kadmin: ?

Available kadmin requests:

add_principal, addprinc, ank

Add principal

delete_principal, delprinc

Delete principal

modify_principal, modprinc

Modify principal

rename_principal, renprinc

Rename principal

change_password, cpw Change password

get_principal, getprinc Get principal

list_principals, listprincs, get_principals, getprincs

List principals

add_policy, addpol Add policy

modify_policy, modpol Modify policy

delete_policy, delpol Delete policy

get_policy, getpol Get policy

list_policies, listpols, get_policies, getpols

List policies

get_privs, getprivs Get privileges

ktadd, xst Add entry(s) to a keytab

ktremove, ktrem Remove entry(s) from a keytab

lock Lock database exclusively (use with extreme caution!)

unlock Release exclusive database lock

purgekeys Purge previously retained old keys from a principal

get_strings, getstrs Show string attributes on a principal

set_string, setstr Set a string attribute on a principal

del_string, delstr Delete a string attribute on a principal

list_requests, lr, ? List available requests.

quit, exit, q Exit program.

6.1 列出用户：

kadmin.local: list_principals

K/M@EXAMPLE.COM

admin/admin@EXAMPLE.COM

kadmin/admin@EXAMPLE.COM

kadmin/changepw@EXAMPLE.COM

kadmin/hd153@EXAMPLE.COM

krbtgt/EXAMPLE.COM@EXAMPLE.COM

6.2 添加用户：

kadmin.local: addprinc test

WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy

Enter password for principal "test@EXAMPLE.COM":

Re-enter password for principal "test@EXAMPLE.COM":

Principal "test@EXAMPLE.COM" created.

6.3 删除用户：

kadmin.local: delpol test

Are you sure you want to delete the policy "test"? (yes/no): yes

delete_policy:: Policy does not exist while deleting policy "test"

6.4 不使用交互窗口进行操作

kadmin -p admin/admin -q "list_principals"

[root@hd153 ~]# kadmin -p admin/admin -q "list_principals"

Authenticating as principal admin/admin with password.

Password for admin/admin@EXAMPLE.COM: 输入密码后展示以下结果

K/M@EXAMPLE.COM

admin/admin@EXAMPLE.COM

kadmin/admin@EXAMPLE.COM

kadmin/changepw@EXAMPLE.COM

kadmin/hd153@EXAMPLE.COM

krbtgt/EXAMPLE.COM@EXAMPLE.COM

test@EXAMPLE.COM

7、keytab

可以理解为密钥cache。Keytab一般给service使用，这样service在认证自己或者给客户端认证的时候，不用输入密钥。该文件是加密的，存储在服务器的本地磁盘上。Keytab文件的默认路径是/etc/krb5.keytab。

7.1 在命令行下生成

kadmin.local: ktadd test@EXAMPLE.COM

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.

Entry for principal test@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

7.2 生成路径：

[root@hd153 ~]# ll /etc/krb5.keytab

-rw------- 1 root root 334 Jun 11 22:03 /etc/krb5.keytab

生成keytab的另一种方式：

kadmin: xst -k /home/hadoop/kerberos.keytab test@EXAMPLE.COM

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/home/hadoop/kerberos.keytab.

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/home/hadoop/kerberos.keytab.

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/home/hadoop/kerberos.keytab.

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/home/hadoop/kerberos.keytab.

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type des-hmac-sha1 added to keytab WRFILE:/home/hadoop/kerberos.keytab.

Entry for principal test@EXAMPLE.COM with kvno 7, encryption type des-cbc-md5 added to keytab WRFILE:/home/hadoop/kerberos.keytab.

7.3 查看使用keytab登录

[root@hd150 ~]# kinit -k -t /etc/krb5.keytab test@EXAMPLE.COM ## 这个需要先用 ktadd 添加keytab，才可以使用

[root@hd150 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: test@EXAMPLE.COM

Valid starting Expires Service principal

06/11/18 22:12:21 06/12/18 22:12:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM

renew until 06/11/18 22:12:21

7.4 使用第二种方式创建的keytab登陆

kinit -k -t /home/hadoop/kerberos.keytab test@EXAMPLE.COM

[root@hd151 ~]# kinit -k -t /home/hadoop/kerberos.keytab test@EXAMPLE.COM

[root@hd151 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: test@EXAMPLE.COM

8、更新ticket

Valid starting Expires Service principal

06/11/18 22:17:45 06/12/18 22:17:45 krbtgt/EXAMPLE.COM@EXAMPLE.COM

renew until 06/11/18 22:17:45

如果Valid starting的值与renew until的值相同，则表示该principal的ticket 不是 renwable。

如果过了Expires,可以通过命令kinit –R来更新ticket

Ticket无法更新

如果过了Expires,可以通过命令kinit –R来更新ticket

但如果ticket无法更新

查看：

kadmin: getprinc test@EXAMPLE.COM

Principal: test@EXAMPLE.COM

Expiration date: [never]

Last password change: Mon Jun 11 22:16:11 CST 2018

Password expiration date: [none]

Maximum ticket life: 1 day 00:00:00

Maximum renewable life: 0 days 00:00:00 # renewable 的天数可以修改

Last modified: Mon Jun 11 22:16:11 CST 2018 (admin/admin@EXAMPLE.COM)

Last successful authentication: [never]

Last failed authentication: [never]

Failed password attempts: 0

Number of keys: 6

Key: vno 7, aes256-cts-hmac-sha1-96, no salt

Key: vno 7, aes128-cts-hmac-sha1-96, no salt

Key: vno 7, des3-cbc-sha1, no salt

Key: vno 7, arcfour-hmac, no salt

Key: vno 7, des-hmac-sha1, no salt

Key: vno 7, des-cbc-md5, no salt

MKey: vno 1

Attributes:

Policy: [none]

修改renewable的天数

kadmin: modprinc -maxrenewlife 1week test@EXAMPLE.COM 修改

Principal "test@EXAMPLE.COM" modified.