kerberos

Differences

This page shows the differences between two versions.
kerberos [2016-04-12 22:49:59] – external edit 127.0.0.1
kerberos [2018-05-08 12:59:12] (current) – [store the password obfuscated with Base64] manfred
Line 1: Line 1:
 +====== Kerberos ======
 +
 +===== Fedora =====
 +
 +==== /etc/krb5.conf ====
 +
 +  [logging]
 +   default = FILE:/var/log/krb5libs.log
 +   kdc = FILE:/var/log/krb5kdc.log
 +   admin_server = FILE:/var/log/kadmind.log
 +  
 +  [libdefaults]
 +   default_realm = EXAMPLE.COM
 +   dns_lookup_realm = false
 +   dns_lookup_kdc = false
 +   ticket_lifetime = 24h
 +   forwardable = yes
 +  
 +  [realms]
 +   EXAMPLE.COM = {
 +    kdc = kerberos.example.com:88
 +    admin_server = kerberos.example.com:749
 +    default_domain = example.com
 +   }
 +  
 +  [domain_realm]
 +   .example.com = EXAMPLE.COM
 +   example.com = EXAMPLE.COM
 +  
 +  [appdefaults]
 +   pam = {
 +     debug = false
 +     ticket_lifetime = 36000
 +     renew_lifetime = 36000
 +     forwardable = true
 +     krb4_convert = false
 +   }
 +
 +
 +==== /etc/profile.d/krb5-devel.csh ====
 +
 +  if ( "${path}" !~ */usr/kerberos/bin* ) then
 +        set path = ( /usr/kerberos/bin $path )
 +  endif
 +  if ( "${path}" !~ */usr/kerberos/sbin* ) then
 +        if ( `id -u` == 0 ) then
 +                set path = ( /usr/kerberos/sbin $path )
 +        endif
 +  endif
 +
 +
 +==== /etc/profile.d/krb5-devel.sh ====
 +
 +  if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then
 +        PATH=/usr/kerberos/bin:${PATH}
 +  fi
 +  if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
 +        if [ `/usr/bin/id -u` = 0 ] ; then
 +                PATH=/usr/kerberos/sbin:${PATH}
 +        fi
 +  fi
 +
 +
 +==== /etc/profile.d/krb5-workstation.csh ====
 +
 +  if ( "${path}" !~ */usr/kerberos/bin* ) then
 +        set path = ( /usr/kerberos/bin $path )
 +  endif
 +  if ( "${path}" !~ */usr/kerberos/sbin* ) then
 +        if ( `id -u` == 0 ) then
 +                set path = ( /usr/kerberos/sbin $path )
 +        endif
 +  endif
 +
 +
 +==== /etc/profile.d/krb5-workstation.sh ====
 +
 +  if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then
 +        PATH=/usr/kerberos/bin:${PATH}
 +  fi
 +  if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
 +        if [ `/usr/bin/id -u` = 0 ] ; then
 +                PATH=/usr/kerberos/sbin:${PATH}
 +        fi
 +  fi
 +
 +
 +==== /etc/xdg/autostart/krb5-auth-dialog.desktop ====
 +
 +  [Desktop Entry]
 +  Name=Network Authentication
 +  Name[nb]=Nettverksautentisering
 +  Comment=Kerberos Network Authentication Dialog
 +  Exec=krb5-auth-dialog --sm-disable
 +  Encoding=UTF-8
 +  Terminal=false
 +  Type=Application
 +
 +
 +===== Ubuntu =====
 +
 +  * [[http://wiki.linux-nfs.org/wiki/index.php/Main_Page]]
 +  * [[https://help.ubuntu.com/community/NFSv4Howto]]
 +  * [[http://wiki.linux-nfs.org/wiki/index.php/NFSv4_Introduction]]
 +
 +  * [[http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos]]
 +
 +  (Warnings: 4. Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine)
 +  Zur Zeit funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner stecken.
 +
 +
 +  * [[http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html]]
 +
 +  # egrep ^nfs /etc/services
 +  nfs           2049/tcp                        # Network File System
 +  nfs           2049/udp                        # Network File System
 +
 +Die Systemuhren müssen gleich laufen!
 +  #=> ntp
 +
 +In der "/etc/hosts" muss als erstes der FQDN stehen!
 +  # vi /etc/hosts
 +  10.10.10.1      testmaster.domain.de    testmaster  kdc.domain.de       kdc
 +  10.10.10.2      testslave.domain.de     testslave
 +
 +
 +  Kerberos (MIT or Heimdal)
 +  =========================
 +  
 +  Der Kerberos-server (or KDC) und NFS-server können sich auf der selben
 +  Maschine befinden, können sich aber auch auf unterschiedliche Maschinen
 +  befinden.
 +  
 +  Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal)
 +  KDC (Key Distribution Center) bevor wir weiter machen!
 +  Kerberos funktioniert ab Ubuntu 8.04.
 +  
 +  
 +  MIT
 +  ---
 +  aptitude install libpam-krb5 krb5-user
 +  
 +  
 +  Heimdal
 +  -------
 +  aptitude install libpam-krb5 heimdal-clients
 +  
 +  modprobe rpcsec_gss_krb5
 +  
 +  
 +  
 +  Kerberos-Server (Primary KDC)
 +  =============================
 +  # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
 +  aptitude purge krb5-kdc krb5-admin-server krb5-user krb5-config libpam-krb5
 +  rm -fr /var/lib/krb5kdc /etc/krb*
 +  aptitude install krb5-kdc krb5-admin-server
 +  less /usr/share/doc/krb5-kdc/README.KDC
 +  
 +  
 +  #
 +  # Realm-DB anlegen
 +  #
 +  krb5_newrealm
 +        This script should be run on the master KDC/admin server to initialize
 +        a Kerberos realm.  It will ask you to type in a master key password.
 +        This password will be used to generate a key that is stored in
 +        /etc/krb5kdc/stash.  You should try to remember this password, but it
 +        is much more important that it be a strong password than that it be
 +        remembered.  However, if you lose the password and /etc/krb5kdc/stash,
 +        you cannot decrypt your Kerberos database.
 +        Loading random data
 +        Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE',
 +        master key name 'K/M@DOMAIN.DE'
 +        You will be prompted for the database Master Password.
 +        It is important that you NOT FORGET this password.
 +        Enter KDC database master key:
 +  ********
 +        Re-enter KDC database master key to verify:
 +  ********
 +  
 +  
 +        Now that your realm is set up you may wish to create an administrative
 +        principal using the addprinc subcommand of the kadmin.local program.
 +        Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
 +        you can use the kadmin program on other computers.  Kerberos admin
 +        principals usually belong to a single user and end in /admin.  For
 +        example, if jruser is a Kerberos administrator, then in addition to
 +        the normal jruser principal, a jruser/admin principal should be
 +        created.
 +  
 +        Don't forget to set up DNS information so your clients can find your
 +        KDC and admin servers.  Doing so is documented in the administration
 +        guide.
 +  
 +  
 +  #
 +  # Kerberos-Admin anlegen
 +  #
 +  kadmin.local 
 +        Authenticating as principal root/admin@DOMAIN.DE with password.
 +        kadmin.local:
 +  addprinc admin/admin
 +        WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy
 +        Enter password for principal "admin/admin@DOMAIN.DE": 
 +  ********
 +        Re-enter password for principal "admin/admin@DOMAIN.DE":
 +  ********
 +        Principal "admin/admin@DOMAIN.DE" created.
 +        kadmin.local:
 +  quit
 +  
 +  
 +  vi /etc/krb5kdc/kadm5.acl
 +        */admin *
 +  
 +  
 +  /etc/init.d/krb5-admin-server restart
 +  
 +  
 +  kinit admin/admin
 +        Password for admin/admin@DOMAIN.DE: 
 +  
 +  
 +  klist 
 +        Ticket cache: FILE:/tmp/krb5cc_0
 +        Default principal: admin/admin@DOMAIN.DE
 +  
 +        Valid starting     Expires            Service principal
 +        12/03/09 14:49:27  12/04/09 00:49:27  krbtgt/DOMAIN.DE@DOMAIN.DE
 +                renew until 12/04/09 14:49:22
 +  
 +  
 +  vi /etc/hosts
 +        192.168.0.1     kdc.domain.de       kdc
 +  
 +  
 +  vi /etc/bind/db.domain.de
 +        _kerberos               TXT     "DOMAIN.DE"
 +        _kerberos._udp          SRV     0 0 88  kdc
 +        _kpasswd._udp           SRV     0 0 464 kdc
 +        _kerberos-adm._tcp      SRV     0 0 749 kdc
 +  
 +  
 +  #
 +  # Kerberos-User anlegen
 +  #
 +  kadmin.local
 +        addprinc fritz@DOMAIN.DE
 +        quit
 +  
 +  
 +  #
 +  # Ticket holen
 +  #
 +  kinit fritz
 +  klist
 +  
 +  
 +  #
 +  # Kerberos-Zugang für Server und Client anlegen
 +  #
 +  # Server: testmaster.domain.de
 +  # Client: testslave.domain.de
 +  #
 +  kadmin.local
 +        addprinc -randkey nfs/testmaster.domain.de@DOMAIN.DE
 +        ktadd -e des-cbc-crc:normal nfs/testmaster.domain.de@DOMAIN.DE
 +                Entry for principal nfs/testmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
 +        addprinc -randkey nfs/oqrmtestslave.domain.de@DOMAIN.DE
 +        ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/oqrmtestslave.domain.de@DOMAIN.DE
 +        quit
 +  
 +  
 +  #
 +  # Clientzugang konfigurieren
 +  #
 +  #scp /etc/krb5.keytab root@oqrmtestslave.domain.de:/etc/krb5.keytab
 +  scp krb5.keytab sysop@oqrmtestslave.domain.de:
 +  ssh sysop@oqrmtestslave.domain.de
 +  sudo su -
 +  cp /home/sysop/krb5.keytab /etc/krb5.keytab
 +  
 +  
 +  
 +  
 +  Kerberos-Server (Secondary KDC)
 +  -------------------------------
 +  # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
 +  
 +  
 +  
 +  
 +  Kerberos-Client (MIT or Heimdal)
 +  ================================
 +  
 +  # installieren
 +  aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config
 +  
 +  # konfigurieren
 +  dpkg-reconfigure krb5-config
 +  
 +  vi /etc/krb5.conf
 +        [libdefaults]
 +                default_realm = DOMAIN.DE
 +  
 +        [realms]
 +        DOMAIN.DE = {
 +                kdc = 192.168.0.1
 +                kdc = testmaster
 +                admin_server = 192.168.0.1
 +        }
 +  
 +  [domain_realm]
 +        idstein.domain.de = DOMAIN.DE
 +        .idstein.domain.de = DOMAIN.DE
 +  
 +  [logging]
 +        kdc = FILE:/var/log/krb5kdc.log
 +        admin_server = FILE:/var/log/kadmin.log
 +        default = FILE:/var/log/krb5lib.log
 +  
 +  
 +  #
 +  # Kerberos-Tiket erstellen
 +  #
 +  kinit admin/admin
 +  
 +  
 +  #
 +  # Kerberos-Tiket anzeigen
 +  #
 +  klist
 +  
 +  ################################################################################
 +
 +
 +==== Kerberos-Client auf Ubuntu 16.04.4 LTS (xenial) installieren ====
 +
 +Quelle: [[https://serverfault.com/questions/422778/how-to-automate-kinit-process-to-obtain-tgt-for-kerberos]]
 +
 +den Kerberos-Client installieren:
 +  > apt install krb5-user
 +
 +
 +=== mit Base64 das Passwort verschleiert abspeichern ===
 +
 +das passwort (verschleiert) abspeichern:
 +  > touch geheim.cfg
 +  > chmod 0600 geheim.cfg
 +  > echo "geheimesPasswort" | base64 > geheim.cfg
 +
 +__Kerberos-Tiket holen:__
 +  > cat geheim.cfg | base64 -d | kinit fritz@RELM
 +
 +Kerberos-Tikets anzeigen:
 +  > klist
 +
 +
 +=== mit SSL das Passwort verschlüsselt abspeichern ===
 +
 +das SSL-Zertifikat erzeugen (das ist nur EINMAL nötig - für eine Gültigkeitsdauer von 7000 Tagen):
 +  > openssl req -rand /dev/urandom -new -x509 -newkey rsa:4096 -sha512 -nodes -keyout pwd_RELM.key -keyform PEM -out pwd_RELM.crt -outform PEM -days 7000 -subj /emailAddress=email@adresse.de/C=DE/ST=Hessen/L=Frankfurt/O=Firma/OU=Abteilung/CN=Hostname
 +
 +das passwort verschlüsselt abspeichern:
 +  > touch geheim.cfg
 +  > chmod 0600 geheim.cfg
 +  > echo "geheimesPasswort" | openssl smime -encrypt -aes256 -out geheim.cfg pwd_RELM.crt
 +
 +__Kerberos-Tiket holen:__
 +  > openssl smime -decrypt -in geheim.cfg -inkey pwd_RELM.key pwd_RELM.crt | kinit fritz@RELM
 +
 +Kerberos-Tikets anzeigen:
 +  > klist
 +
 +
 +==== NFSv4 ====
 +
 +  http://wiki.linux-nfs.org/wiki/index.php/Main_Page
 +  https://help.ubuntu.com/community/NFSv4Howto
 +  http://wiki.linux-nfs.org/wiki/index.php/NFSv4_Introduction
 +  
 +  http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
 +  Zur Zeit funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner stecken.
 +  
 +  ################################################################################
 +  # http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
 +  
 +  # egrep ^nfs /etc/services
 +  nfs           2049/tcp                        # Network File System
 +  nfs           2049/udp                        # Network File System
 +  
 +  Die Systemuhren müssen gleich laufen!
 +  #=> ntp
 +  
 +  In der Host muss als erstes der FQDN stehen!
 +  # vi /etc/hosts
 +  10.10.10.1      oqrmtestmaster.domain.de    oqrmtestmaster  kdc.domain.de       kdc
 +  10.10.10.2      oqrmtestslave.domain.de     oqrmtestslave
 +  ################################################################################
 +  
 +  
 +  NFSv4-Server mit Kerberos (MIT or Heimdal)
 +  ==========================================
 +  
 +  Wir haben es hier mit drei unterschiedlichen Entitäten zu tun:
 +   - Kerberos-server
 +   - NFS-server
 +   - NFS-client
 +  
 +  Der Kerberos-server (or KDC) und NFS-server können sich auf der selben
 +  Maschine befinden, können sich aber auch auf unterschiedliche Maschinen
 +  befinden.
 +  
 +  Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal)
 +  KDC (Key Distribution Center) bevor wir weiter machen!
 +  Kerberos funktioniert ab Ubuntu 8.04.
 +  
 +  
 +  MIT
 +  ---
 +  aptitude install libpam-krb5 krb5-user
 +  
 +  
 +  Heimdal
 +  -------
 +  aptitude install libpam-krb5 heimdal-clients
 +  
 +  modprobe rpcsec_gss_krb5
 +  
 +  
 +  
 +  Kerberos-Server (Primary KDC)
 +  -----------------------------
 +  # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
 +  aptitude install krb5-kdc krb5-admin-server
 +  
 +  
 +  #
 +  # Realm-DB anlegen
 +  #
 +  krb5_newrealm
 +        This script should be run on the master KDC/admin server to initialize
 +        a Kerberos realm.  It will ask you to type in a master key password.
 +        This password will be used to generate a key that is stored in
 +        /etc/krb5kdc/stash.  You should try to remember this password, but it
 +        is much more important that it be a strong password than that it be
 +        remembered.  However, if you lose the password and /etc/krb5kdc/stash,
 +        you cannot decrypt your Kerberos database.
 +        Loading random data
 +        Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE',
 +        master key name 'K/M@DOMAIN.DE'
 +        You will be prompted for the database Master Password.
 +        It is important that you NOT FORGET this password.
 +        Enter KDC database master key:
 +  ********
 +        Re-enter KDC database master key to verify:
 +  ********
 +  
 +  
 +        Now that your realm is set up you may wish to create an administrative
 +        principal using the addprinc subcommand of the kadmin.local program.
 +        Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
 +        you can use the kadmin program on other computers.  Kerberos admin
 +        principals usually belong to a single user and end in /admin.  For
 +        example, if jruser is a Kerberos administrator, then in addition to
 +        the normal jruser principal, a jruser/admin principal should be
 +        created.
 +  
 +        Don't forget to set up DNS information so your clients can find your
 +        KDC and admin servers.  Doing so is documented in the administration
 +        guide.
 +  
 +  
 +  #
 +  # Kerberos-Admin anlegen
 +  #
 +  kadmin.local 
 +        Authenticating as principal root/admin@DOMAIN.DE with password.
 +        kadmin.local:
 +  addprinc admin/admin
 +        WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy
 +        Enter password for principal "admin/admin@DOMAIN.DE": 
 +  ********
 +        Re-enter password for principal "admin/admin@DOMAIN.DE":
 +  ********
 +        Principal "admin/admin@DOMAIN.DE" created.
 +        kadmin.local:
 +  quit
 +  
 +  
 +  vi /etc/krb5kdc/kadm5.acl
 +        admin/admin@DOMAIN.DE         *
 +  
 +  
 +  /etc/init.d/krb5-admin-server restart
 +  
 +  
 +  kinit admin/admin
 +        Password for admin/admin@DOMAIN.DE: 
 +  
 +  
 +  klist 
 +        Ticket cache: FILE:/tmp/krb5cc_0
 +        Default principal: admin/admin@DOMAIN.DE
 +  
 +        Valid starting     Expires            Service principal
 +        12/03/09 14:49:27  12/04/09 00:49:27  krbtgt/DOMAIN.DE@DOMAIN.DE
 +                renew until 12/04/09 14:49:22
 +  
 +  
 +  vi /etc/hosts
 +        192.168.0.1     kdc01.domain.de     kdc01
 +  
 +  
 +  vi /etc/bind/db.domain.de
 +        _kerberos._udp.DOMAIN.DE.     IN SRV 1  0 88  kdc01.domain.de.
 +        _kerberos._tcp.DOMAIN.DE.     IN SRV 1  0 88  kdc01.domain.de.
 +        _kerberos._udp.DOMAIN.DE.     IN SRV 10 0 88  kdc02.domain.de. 
 +        _kerberos._tcp.DOMAIN.DE.     IN SRV 10 0 88  kdc02.domain.de. 
 +        _kerberos-adm._tcp.DOMAIN.DE. IN SRV 1  0 749 kdc01.domain.de.
 +        _kpasswd._udp.DOMAIN.DE.      IN SRV 1  0 464 kdc01.domain.de.
 +  
 +  
 +  #
 +  # Kerberos-User anlegen
 +  #
 +  kadmin.local
 +        addprinc fritz@DOMAIN.DE
 +        quit
 +  
 +  
 +  #
 +  # Ticket holen
 +  #
 +  kinit fritz
 +  klist
 +  
 +  
 +  #
 +  # Kerberos-Zugang für Server und Client anlegen
 +  #
 +  # Server: oqrmtestmaster.domain.de
 +  # Client: oqrmtestslave.domain.de
 +  #
 +  kadmin.local
 +        addprinc -randkey nfs/oqrmtestmaster.domain.de@DOMAIN.DE
 +        ktadd -e des-cbc-crc:normal nfs/oqrmtestmaster.domain.de@DOMAIN.DE
 +                Entry for principal nfs/oqrmtestmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
 +        addprinc -randkey nfs/oqrmtestslave.domain.de@DOMAIN.DE
 +        ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/oqrmtestslave.domain.de@DOMAIN.DE
 +        quit
 +  
 +  
 +  #
 +  # Clientzugang konfigurieren
 +  #
 +  #scp /etc/krb5.keytab root@oqrmtestslave.domain.de:/etc/krb5.keytab
 +  scp krb5.keytab sysop@oqrmtestslave.domain.de:
 +  ssh sysop@oqrmtestslave.domain.de
 +  sudo su -
 +  cp /home/sysop/krb5.keytab /etc/krb5.keytab
 +  
 +  
 +  #
 +  # mounten
 +  #
 +  mount -t nfs4 -o proto=tcp,port=2049,rw,sec=krb5i 10.10.10.1:/user /home/user
 +  
 +  
 +  
 +  Kerberos-Server (Secondary KDC)
 +  -------------------------------
 +  # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
 +  
 +  
 +  
 +  
 +  NFSv4-Client mit Kerberos (MIT or Heimdal)
 +  ==========================================
 +  
 +  # installieren
 +  aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config
 +  
 +  # konfigurieren
 +  dpkg-reconfigure krb5-config
 +  
 +  vi /etc/krb5.conf
 +        [libdefaults]
 +                default_realm = DOMAIN.DE
 +  ....
 +        [realms]
 +        DOMAIN.DE = {
 +                kdc = 192.168.0.1
 +                kdc = oqrmtestmaster
 +                admin_server = 192.168.0.1
 +        }
 +  
 +  
 +  #
 +  # Kerberos-Tiket erstellen
 +  #
 +  kinit admin/admin
 +  
 +  
 +  #
 +  # Kerberos-Tiket anzeigen
 +  #
 +  klist
 +  
 +  ################################################################################
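Review bot: the `ktadd -e des-cbc-crc:normal ...` lines in both "Kerberos-Zugang für Server und Client anlegen" blocks (Kerberos section and NFSv4 section) pin the nfs/ service keys to single DES, a 56-bit cipher that MIT Kerberos refuses by default since release 1.8 unless `allow_weak_crypto = true` is set in krb5.conf; drop the `-e` option so the KDC's default AES enctypes are used (current rpcsec_gss_krb5 kernel modules support AES). Further points in the same hunk: `*/admin *` in the first kadm5.acl grants full administrative rights to every principal with an /admin instance, while the second copy (`admin/admin@DOMAIN.DE *`) is the tighter form and should be used in both places. The section "mit Base64 das Passwort verschleiert abspeichern" should say plainly that base64 is an encoding, not protection, since anyone able to read geheim.cfg recovers the password with `base64 -d`, and the S/MIME variant is no stronger because the private key is written unencrypted (`-nodes`) beside the ciphertext on the same host; the supported way to obtain a ticket non-interactively is a keytab for the principal (`ktadd -k <file> fritz`, which replaces the principal's password with a random key, or `-norandkey` in kadmin.local to keep it) followed by `kinit -k -t <file> fritz`. The client setup copies the keytab through /home/sysop and never removes that copy, so a `shred -u /home/sysop/krb5.keytab` is missing after the `cp`. `rm -fr /var/lib/krb5kdc /etc/krb*` in the Primary KDC block destroys an existing realm database and stash without any warning and deserves a comment. Minor: "Tiket" should read "Ticket" throughout, and the client's [domain_realm] mapping uses idstein.domain.de while every other example uses domain.de.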