====== Kerberos ====== ===== Fedora ===== ==== /etc/krb5.conf ==== [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] EXAMPLE.COM = { kdc = kerberos.example.com:88 admin_server = kerberos.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } ==== /etc/profile.d/krb5-devel.csh ==== if ( "${path}" !~ */usr/kerberos/bin* ) then set path = ( /usr/kerberos/bin $path ) endif if ( "${path}" !~ */usr/kerberos/sbin* ) then if ( `id -u` == 0 ) then set path = ( /usr/kerberos/sbin $path ) endif endif ==== /etc/profile.d/krb5-devel.sh ==== if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then PATH=/usr/kerberos/bin:${PATH} fi if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then if [ `/usr/bin/id -u` = 0 ] ; then PATH=/usr/kerberos/sbin:${PATH} fi fi ==== /etc/profile.d/krb5-workstation.csh ==== if ( "${path}" !~ */usr/kerberos/bin* ) then set path = ( /usr/kerberos/bin $path ) endif if ( "${path}" !~ */usr/kerberos/sbin* ) then if ( `id -u` == 0 ) then set path = ( /usr/kerberos/sbin $path ) endif endif ==== /etc/profile.d/krb5-workstation.sh ==== if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then PATH=/usr/kerberos/bin:${PATH} fi if ! 
echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then if [ `/usr/bin/id -u` = 0 ] ; then PATH=/usr/kerberos/sbin:${PATH} fi fi ==== /etc/xdg/autostart/krb5-auth-dialog.desktop ==== [Desktop Entry] Name=Network Authentication Name[nb]=Nettverksautentisering Comment=Kerberos Network Authentication Dialog Exec=krb5-auth-dialog --sm-disable Encoding=UTF-8 Terminal=false Type=Application ===== Ubuntu ===== * [[http://wiki.linux-nfs.org/wiki/index.php/Main_Page]] * [[https://help.ubuntu.com/community/NFSv4Howto]] * [[http://wiki.linux-nfs.org/wiki/index.php/NFSv4_Introduction]] * [[http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos]] (Warnings: 4. Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine) Zur Zeit funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner stecken. * [[http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html]] # egrep ^nfs /etc/services nfs 2049/tcp # Network File System nfs 2049/udp # Network File System Die Systemuhren müssen gleich laufen! #=> ntp In der "/etc/hosts" muss als erstes der FQDN stehen! # vi /etc/hosts 10.10.10.1 testmaster.domain.de testmaster kdc.domain.de kdc 10.10.10.2 testslave.domain.de testslave Kerberos (MIT or Heimdal) ========================= Der Kerberos-server (or KDC) und NFS-server können sich auf der selben Maschine befinden, können sich aber auch auf unterschiedliche Maschinen befinden. Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal) KDC (Key Distribution Center) bevor wir weiter machen! Kerberos funktioniert ab Ubuntu 8.04. 
MIT --- aptitude install libpam-krb5 krb5-user Heimdal ------- aptitude install libpam-krb5 heimdal-clients modprobe rpcsec_gss_krb5 Kerberos-Server (Primary KDC) ============================= # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html aptitude purge krb5-kdc krb5-admin-server krb5-user krb5-config libpam-krb5 rm -fr /var/lib/krb5kdc /etc/krb* aptitude install krb5-kdc krb5-admin-server less /usr/share/doc/krb5-kdc/README.KDC # # Realm-DB anlegen # krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE', master key name 'K/M@DOMAIN.DE' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: ******** Re-enter KDC database master key to verify: ******** Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide. # # Kerberos-Admin anlegen # kadmin.local Authenticating as principal root/admin@DOMAIN.DE with password. 
kadmin.local: addprinc admin/admin WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy Enter password for principal "admin/admin@DOMAIN.DE": ******** Re-enter password for principal "admin/admin@DOMAIN.DE": ******** Principal "admin/admin@DOMAIN.DE" created. kadmin.local: quit vi /etc/krb5kdc/kadm5.acl */admin * /etc/init.d/krb5-admin-server restart kinit admin/admin Password for admin/admin@DOMAIN.DE: klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@DOMAIN.DE Valid starting Expires Service principal 12/03/09 14:49:27 12/04/09 00:49:27 krbtgt/DOMAIN.DE@DOMAIN.DE renew until 12/04/09 14:49:22 vi /etc/hosts 192.168.0.1 kdc.domain.de kdc vi /etc/bind/db.domain.de _kerberos TXT "DOMAIN.DE" _kerberos._udp SRV 0 0 88 kdc _kpasswd._udp SRV 0 0 464 kdc _kerberos-adm._tcp SRV 0 0 749 kdc # # Kerberos-User anlegen # kadmin.local addprinc fritz@DOMAIN.DE quit # # Ticket holen # kinit fritz klist # # Kerberos-Zugang für Server und Client anlegen # # Server: testmaster.domain.de # Client: testslave.domain.de # kadmin.local addprinc -randkey nfs/testmaster.domain.de@DOMAIN.DE ktadd -e des-cbc-crc:normal nfs/testmaster.domain.de@DOMAIN.DE Entry for principal nfs/testmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. (Hinweis: des-cbc-crc ist Single-DES und nur für alte NFS-Clients nötig; aktuelle MIT-Kerberos-Versionen lehnen diesen Enctype ohne allow_weak_crypto = true ab bzw. unterstützen ihn gar nicht mehr – wo möglich einen aktuellen Enctype verwenden oder -e ganz weglassen.)
addprinc -randkey nfs/oqrmtestslave.domain.de@DOMAIN.DE ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/oqrmtestslave.domain.de@DOMAIN.DE quit # # Clientzugang konfigurieren # #scp /etc/krb5.keytab root@oqrmtestslave.domain.de:/etc/krb5.keytab scp krb5.keytab sysop@oqrmtestslave.domain.de: ssh sysop@oqrmtestslave.domain.de sudo su - cp /home/sysop/krb5.keytab /etc/krb5.keytab (anschließend die Kopie in /home/sysop löschen und prüfen, dass /etc/krb5.keytab root gehört und nur für root lesbar ist – die Keytab ist der Dienstschlüssel und entsprechend zu schützen) Kerberos-Server (Secondary KDC) ------------------------------- # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html Kerberos-Client (MIT or Heimdal) ================================ # installieren aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config # konfigurieren dpkg-reconfigure krb5-config vi /etc/krb5.conf [libdefaults] default_realm = DOMAIN.DE [realms] DOMAIN.DE = { kdc = 192.168.0.1 kdc = testmaster admin_server = 192.168.0.1 } [domain_realm] idstein.domain.de = DOMAIN.DE .idstein.domain.de = DOMAIN.DE [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log # # Kerberos-Ticket erstellen # kinit admin/admin # # Kerberos-Ticket anzeigen # klist ################################################################################ ==== Kerberos-Client auf Ubuntu 16.04.4 LTS (xenial) installieren ==== Quelle: [[https://serverfault.com/questions/422778/how-to-automate-kinit-process-to-obtain-tgt-for-kerberos]] den Kerberos-Client installieren: > apt install krb5-user === mit Base64 das Passwort verschleiert abspeichern === das passwort (verschleiert) abspeichern: > touch geheim.cfg > chmod 0600 geheim.cfg > echo "geheimesPasswort" | base64 > geheim.cfg __Kerberos-Ticket holen:__ > cat geheim.cfg | base64 -d | kinit fritz@RELM Kerberos-Tickets anzeigen: > klist === mit SSL das Passwort verschlüsselt abspeichern === das SSL-Zertifikat erzeugen (das ist nur EINMAL nötig - für eine Gültigkeitsdauer von 7000 Tagen): > openssl req -rand /dev/urandom -new -x509 -newkey rsa:4096 -sha512 -nodes -keyout pwd_RELM.key -keyform 
PEM -out pwd_RELM.crt -outform PEM -days 7000 -subj /emailAddress=email@adresse.de/C=DE/ST=Hessen/L=Frankfurt/O=Firma/OU=Abteilung/CN=Hostname (der private Schlüssel pwd_RELM.key ist wegen -nodes unverschlüsselt; wer ihn lesen kann, kann das Passwort entschlüsseln – er muss daher genauso geschützt werden wie das Passwort selbst, z.B. chmod 0600 pwd_RELM.key) das passwort verschlüsselt abspeichern: > touch geheim.cfg > chmod 0600 geheim.cfg > echo "geheimesPasswort" | openssl smime -encrypt -aes256 -out geheim.cfg pwd_RELM.crt __Kerberos-Ticket holen:__ > openssl smime -decrypt -in geheim.cfg -inkey pwd_RELM.key pwd_RELM.crt | kinit fritz@RELM Kerberos-Tickets anzeigen: > klist ==== NFSv4 ==== http://wiki.linux-nfs.org/wiki/index.php/Main_Page https://help.ubuntu.com/community/NFSv4Howto http://wiki.linux-nfs.org/wiki/index.php/NFSv4_Introduction http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos Zur Zeit funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner stecken. ################################################################################ # http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html # egrep ^nfs /etc/services nfs 2049/tcp # Network File System nfs 2049/udp # Network File System Die Systemuhren müssen gleich laufen! #=> ntp In der /etc/hosts muss als erstes der FQDN stehen! # vi /etc/hosts 10.10.10.1 oqrmtestmaster.domain.de oqrmtestmaster kdc.domain.de kdc 10.10.10.2 oqrmtestslave.domain.de oqrmtestslave ################################################################################ NFSv4-Server mit Kerberos (MIT or Heimdal) ========================================== Wir haben es hier mit drei unterschiedlichen Entitäten zu tun: - Kerberos-server - NFS-server - NFS-client Der Kerberos-server (or KDC) und NFS-server können sich auf der selben Maschine befinden, können sich aber auch auf unterschiedlichen Maschinen befinden. Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal) KDC (Key Distribution Center) bevor wir weiter machen! Kerberos funktioniert ab Ubuntu 8.04. 
MIT --- aptitude install libpam-krb5 krb5-user Heimdal ------- aptitude install libpam-krb5 heimdal-clients modprobe rpcsec_gss_krb5 Kerberos-Server (Primary KDC) ----------------------------- # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html aptitude install krb5-kdc krb5-admin-server # # Realm-DB anlegen # krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE', master key name 'K/M@DOMAIN.DE' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: ******** Re-enter KDC database master key to verify: ******** Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide. # # Kerberos-Admin anlegen # kadmin.local Authenticating as principal root/admin@DOMAIN.DE with password. 
kadmin.local: addprinc admin/admin WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy Enter password for principal "admin/admin@DOMAIN.DE": ******** Re-enter password for principal "admin/admin@DOMAIN.DE": ******** Principal "admin/admin@DOMAIN.DE" created. kadmin.local: quit vi /etc/krb5kdc/kadm5.acl admin/admin@DOMAIN.DE * /etc/init.d/krb5-admin-server restart kinit admin/admin Password for admin/admin@DOMAIN.DE: klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@DOMAIN.DE Valid starting Expires Service principal 12/03/09 14:49:27 12/04/09 00:49:27 krbtgt/DOMAIN.DE@DOMAIN.DE renew until 12/04/09 14:49:22 vi /etc/hosts 192.168.0.1 kdc01.domain.de kdc01 vi /etc/bind/db.domain.de _kerberos._udp.DOMAIN.DE. IN SRV 1 0 88 kdc01.domain.de. _kerberos._tcp.DOMAIN.DE. IN SRV 1 0 88 kdc01.domain.de. _kerberos._udp.DOMAIN.DE. IN SRV 10 0 88 kdc02.domain.de. _kerberos._tcp.DOMAIN.DE. IN SRV 10 0 88 kdc02.domain.de. _kerberos-adm._tcp.DOMAIN.DE. IN SRV 1 0 749 kdc01.domain.de. _kpasswd._udp.DOMAIN.DE. IN SRV 1 0 464 kdc01.domain.de. # # Kerberos-User anlegen # kadmin.local addprinc fritz@DOMAIN.DE quit # # Ticket holen # kinit fritz klist # # Kerberos-Zugang für Server und Client anlegen # # Server: oqrmtestmaster.domain.de # Client: oqrmtestslave.domain.de # kadmin.local addprinc -randkey nfs/oqrmtestmaster.domain.de@DOMAIN.DE ktadd -e des-cbc-crc:normal nfs/oqrmtestmaster.domain.de@DOMAIN.DE Entry for principal nfs/oqrmtestmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 
addprinc -randkey nfs/oqrmtestslave.domain.de@DOMAIN.DE ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/oqrmtestslave.domain.de@DOMAIN.DE quit # # Clientzugang konfigurieren # #scp /etc/krb5.keytab root@oqrmtestslave.domain.de:/etc/krb5.keytab scp krb5.keytab sysop@oqrmtestslave.domain.de: ssh sysop@oqrmtestslave.domain.de sudo su - cp /home/sysop/krb5.keytab /etc/krb5.keytab (anschließend die Kopie in /home/sysop löschen und prüfen, dass /etc/krb5.keytab root gehört und nur für root lesbar ist) # # mounten # mount -t nfs4 -o proto=tcp,port=2049,rw,sec=krb5i 10.10.10.1:/user /home/user Kerberos-Server (Secondary KDC) ------------------------------- # https://help.ubuntu.com/9.04/serverguide/C/kerberos.html NFSv4-Client mit Kerberos (MIT or Heimdal) ========================================== # installieren aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config # konfigurieren dpkg-reconfigure krb5-config vi /etc/krb5.conf [libdefaults] default_realm = DOMAIN.DE .... [realms] DOMAIN.DE = { kdc = 192.168.0.1 kdc = oqrmtestmaster admin_server = 192.168.0.1 } # # Kerberos-Ticket erstellen # kinit admin/admin # # Kerberos-Ticket anzeigen # klist ################################################################################