- KDC:Key Distribution Center, 密钥分发中心
- KAdmin:
ubuntu
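# Debian/Ubuntu package names differ from Red Hat's: "krb5-server" is the RHEL
# package and does not exist in the Ubuntu repos. The KDC (krb5kdc) and the
# admin server (kadmind) are separate packages; krb5-user provides the client
# tools (kinit, klist, kadmin).
$ apt install krb5-kdc krb5-admin-server krb5-user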
centos
# RHEL/CentOS: krb5-server ships the KDC daemons (krb5kdc, kadmind);
# krb5-workstation ships the client tools (kinit, klist, kadmin).
$ yum -y install krb5-server krb5-workstation
/etc/krb5.conf
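# /etc/krb5.conf -- client/library side configuration, read by every
# Kerberos-aware process on the host (kinit, kadmin, Hadoop daemons, ...).
# Distribute the same file to every node that belongs to the realm.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm assumed when a principal name carries no @REALM suffix.
default_realm = BIGDATA.COM
# Do not discover the realm or the KDC through DNS TXT/SRV records; use the
# static [realms] entries below. This keeps an attacker on the DNS path from
# redirecting clients to a KDC of their choosing.
dns_lookup_realm = false
dns_lookup_kdc = false
# Maximum lifetime of a ticket before it has to be re-obtained or renewed.
ticket_lifetime = 24h
# Upper bound on how long a renewable ticket may keep being renewed. The KDC
# side (max_renewable_life in kdc.conf) caps this as well.
renew_lifetime = 7d
# Request forwardable TGTs by default. Required for delegation (services
# acting on behalf of a user), but a forwardable TGT that leaks from a ticket
# cache is usable from any host -- keep credential caches 0600.
forwardable = true
# Seconds of clock difference tolerated between client and KDC (krb5 default
# is 300). Hosts must run NTP; a larger skew widens the replay window.
clockskew = 120
# Requests larger than this many bytes go over TCP, i.e. effectively always
# TCP. Avoids truncated/oversized UDP replies with AES tickets.
udp_preference_limit = 1

[realms]
BIGDATA.COM = {
# KDC and kadmind host. It is unqualified here and must resolve identically
# on every client; a fully qualified name is safer than relying on the
# resolver search path.
kdc = bd-ops-test-74
admin_server = bd-ops-test-74
}

[domain_realm]
# Map host names under bigdata.com (and the bare domain) to the realm.
.bigdata.com = BIGDATA.COM
bigdata.com = BIGDATA.COM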
kadm5.acl（kadmin 权限控制文件）：路径随发行版不同，必须与 kdc.conf 中 acl_file 指向的路径一致（本文的 kdc.conf 使用 /var/kerberos/krb5kdc/kadm5.acl；/var/lib/kerberos/krb5kdc/kadm5.acl 是另一些发行版的默认位置）
/var/kerberos/krb5kdc/kdc.conf
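# /var/kerberos/krb5kdc/kdc.conf -- KDC / kadmind side configuration
# (RHEL/CentOS path; Debian/Ubuntu keep it under /etc/krb5kdc/).
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
BIGDATA.COM = {
# Type of the database master key, fixed when the database is created with
# kdb5_util create. Set AES-256 explicitly instead of relying on the release
# default (older releases defaulted to des3); changing it afterwards means
# re-keying the database.
master_key_type = aes256-cts
# Who may do what through kadmin (see kadm5.acl).
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Word list rejected as passwords by the password policy.
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Key types generated for every new principal. AES only:
#  - single DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1) is broken and has
#    been disabled by default since krb5 1.8;
#  - arcfour-hmac (RC4) derives the key from the plain password, so anyone
#    who captures a service ticket can brute-force that password offline;
#  - des3-hmac-sha1 is deprecated.
# Listing a weak type here gives every principal created from then on a weak
# key that survives until its password is changed. If a legacy client truly
# needs one, add it back explicitly and plan its removal. Clients need AES
# support (e.g. a JRE with unrestricted crypto policy for aes256) -- verify
# before rolling out.
supported_enctypes = aes256-cts:normal aes128-cts:normal
# Flags applied to new principals; the renewable/forwardable caps come from
# max_renewable_life below and the client's renew_lifetime.
default_principal_flags = +renewable, +forwardable
max_renewable_life = 10d
}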
krb5kdc
kadmin
kdb5_util: kerberos database 工具
kadmin
kinit
klist
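# kadmin.local: runs on the KDC host and edits the database directly (needs
# root, is not subject to kadm5.acl). kadmin: remote client, authenticates
# against kadmind as an admin principal.

# Create a principal. The new password and its confirmation are read from
# stdin. Feeding them from a literal as below leaves the password in shell
# history; type it interactively instead (drop the pipe), or create
# keytab-only principals with "addprinc -randkey" so no password exists.
$ printf 'pass\npass\n' | kadmin.local -q "addprinc user1/group1"
# List all principals
$ kadmin.local -q "listprincs"
# Export the principal's keys to a keytab. NOTE: xst/ktadd generates NEW random
# keys for the principal before exporting (unless -norandkey, kadmin.local
# only), so the password set above stops working afterwards -- for service
# principals use -randkey at creation. The keytab is equivalent to the
# password: keep it out of shared/world-readable directories such as /tmp and
# restrict it to the owning service user.
$ kadmin.local -q "xst -k /tmp/user1.keytab user1/group1"
$ chmod 600 /tmp/user1.keytab
# Delete a principal without the confirmation prompt
$ kadmin.local -q "delprinc -force user1/group1"

# kadmin (remote): the admin password is read from stdin here, with the same
# shell-history exposure as above; prefer an interactive session or a keytab
# for the admin principal (kadmin -k -t <admin.keytab> -p <name>/admin).
$ printf 'mypass\n' | kadmin -q "listprincs"

# Client-side commands
# Obtain a TGT; prompts for the password
$ kinit user1/group1
# Obtain a TGT from a keytab, no password prompt
$ kinit -k -t /tmp/user1.keytab user1/group1
# Show the cached tickets
$ klist
# Destroy the ticket cache (the command is "kdestroy"; "kdestory" is a typo)
$ kdestroy
# ktutil: creating principals and keytab files (this section is left empty in
# the original page)
#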
- https://my.oschina.net/Yumikio/blog/741619