kerberos
Kerberos
Fedora
/etc/krb5.conf
[logging]
# Log destinations for the client libraries (default), the KDC and kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm appended to principal names given without an explicit @REALM.
default_realm = EXAMPLE.COM
# Both disabled: realm and KDC are taken from the static [realms] and
# [domain_realm] sections below rather than from DNS TXT/SRV records.
# NOTE(review): keeping KDC discovery out of DNS is the safer choice unless
# the DNS path is trusted (DNSSEC); confirm that is the intent here.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# NOTE(review): "forwardable = yes" makes every TGT forwardable by default,
# so any host a user delegates credentials to can act as that user. Consider
# leaving this off and enabling forwarding only where it is needed.
forwardable = yes
[realms]
EXAMPLE.COM = {
# Ports 88 (KDC) and 749 (kadmin) are the MIT defaults; also listed here as
# SRV records in the Ubuntu section below.
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
# Maps hostnames (and every subdomain of example.com) to the realm.
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
# Settings read by pam_krb5. Lifetimes here are in seconds (36000 s = 10 h),
# unlike the "24h" form used in [libdefaults] above.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# Kerberos 4 ticket conversion; Kerberos 4 is obsolete and this knob is
# presumably ignored by current pam_krb5 builds — TODO confirm, else drop it.
krb4_convert = false
}
/etc/profile.d/krb5-devel.csh
# csh/tcsh login hook: put the MIT Kerberos tool directories at the front of
# the path list, once.  /usr/kerberos/sbin (kadmin, kdb5_util, ...) is only
# added for root (uid 0).  The substring test on "$path" is the same check
# as before; the two sbin conditions are merged into a single expression.
if ( "$path" !~ */usr/kerberos/bin* ) set path = ( /usr/kerberos/bin $path )
if ( "$path" !~ */usr/kerberos/sbin* && `id -u` == 0 ) then
    set path = ( /usr/kerberos/sbin $path )
endif
/etc/profile.d/krb5-devel.sh
# Sourced by /etc/profile at login: prepend the MIT Kerberos tool directories
# to PATH exactly once.  /usr/kerberos/sbin (kadmin, kdb5_util, ...) is only
# added for uid 0.  The substring match via `case` has the same semantics as
# the original `echo | grep -q` but needs no fork and works with PATH unset.
case "$PATH" in
  */usr/kerberos/bin*) ;;
  *) PATH="/usr/kerberos/bin:$PATH" ;;
esac
case "$PATH" in
  */usr/kerberos/sbin*) ;;
  *)
    if [ "$(/usr/bin/id -u)" = 0 ]; then
      PATH="/usr/kerberos/sbin:$PATH"
    fi
    ;;
esac
/etc/profile.d/krb5-workstation.csh
# Login hook for csh/tcsh users (krb5-workstation): make the MIT Kerberos
# client tools reachable by prepending /usr/kerberos/bin to the path list,
# and /usr/kerberos/sbin as well when running as root (uid 0).  Each
# directory is only added if the substring is not already present.
if ( "$path" !~ */usr/kerberos/bin* ) set path = ( /usr/kerberos/bin $path )
if ( `id -u` == 0 && "$path" !~ */usr/kerberos/sbin* ) then
    set path = ( /usr/kerberos/sbin $path )
endif
/etc/profile.d/krb5-workstation.sh
# Login hook (krb5-workstation): make the MIT Kerberos client tools reachable.
# /usr/kerberos/bin is prepended for everyone, /usr/kerberos/sbin only for
# root.  Substring checks are done with `case` instead of `echo | grep -q`;
# the uid test is evaluated first, the PATH test second — both must hold, so
# the outcome is the same as the original nested form.
case "$PATH" in
  */usr/kerberos/bin*) : ;;
  *) PATH="/usr/kerberos/bin:$PATH" ;;
esac
if [ "$(/usr/bin/id -u)" = 0 ]; then
  case "$PATH" in
    */usr/kerberos/sbin*) : ;;
    *) PATH="/usr/kerberos/sbin:$PATH" ;;
  esac
fi
/etc/xdg/autostart/krb5-auth-dialog.desktop
[Desktop Entry]
Name=Network Authentication
Name[nb]=Nettverksautentisering
Comment=Kerberos Network Authentication Dialog
Exec=krb5-auth-dialog --sm-disable
Encoding=UTF-8
Terminal=false
Type=Application
Ubuntu
(Warning: at the time this page was written, Kerberos/NFS did not work on a machine with more than one network interface.) Zur Zeit dieser Anleitung (Stand 2009) funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner steckt – mit aktuellen Kernel-/nfs-utils-Versionen sollte das erneut geprüft werden.
# egrep ^nfs /etc/services
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
Die Systemuhren müssen gleich laufen!
#=> ntp
In der "/etc/hosts" muss als erstes der FQDN stehen!
# vi /etc/hosts
10.10.10.1 testmaster.domain.de testmaster kdc.domain.de kdc
10.10.10.2 testslave.domain.de testslave
Kerberos (MIT or Heimdal)
=========================
Der Kerberos-server (or KDC) und NFS-server können sich auf der selben
Maschine befinden, können sich aber auch auf unterschiedliche Maschinen
befinden.
Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal)
KDC (Key Distribution Center) bevor wir weiter machen!
Kerberos funktioniert ab Ubuntu 8.04.
MIT
---
aptitude install libpam-krb5 krb5-user
Heimdal
-------
aptitude install libpam-krb5 heimdal-clients
modprobe rpcsec_gss_krb5
Kerberos-Server (Primary KDC)
=============================
# https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
# ACHTUNG: Die beiden folgenden Befehle löschen eine eventuell vorhandene
# Realm-Datenbank samt Master-Key-Stash (/etc/krb5kdc/stash) sowie
# /etc/krb5.conf und /etc/krb5.keytab unwiderruflich. Nur auf einem frischen
# System ausführen; bei einem bestehenden KDC vorher mit "kdb5_util dump" sichern.
aptitude purge krb5-kdc krb5-admin-server krb5-user krb5-config libpam-krb5
rm -fr /var/lib/krb5kdc /etc/krb*
aptitude install krb5-kdc krb5-admin-server
less /usr/share/doc/krb5-kdc/README.KDC
#
# Realm-DB anlegen
#
krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE',
master key name 'K/M@DOMAIN.DE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
********
Re-enter KDC database master key to verify:
********
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
#
# Kerberos-Admin anlegen
#
kadmin.local
Authenticating as principal root/admin@DOMAIN.DE with password.
kadmin.local:
addprinc admin/admin
WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy
Enter password for principal "admin/admin@DOMAIN.DE":
********
Re-enter password for principal "admin/admin@DOMAIN.DE":
********
Principal "admin/admin@DOMAIN.DE" created.
kadmin.local:
quit
vi /etc/krb5kdc/kadm5.acl
# "*/admin *" gibt JEDEM Principal mit der Instanz /admin sämtliche Rechte -
# auch solchen, die später (versehentlich) so angelegt werden. Enger ist ein
# expliziter Eintrag pro Administrator, z.B. "admin/admin@DOMAIN.DE *" wie im
# NFS-Abschnitt weiter unten.
*/admin *
/etc/init.d/krb5-admin-server restart
kinit admin/admin
Password for admin/admin@DOMAIN.DE:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@DOMAIN.DE
Valid starting Expires Service principal
12/03/09 14:49:27 12/04/09 00:49:27 krbtgt/DOMAIN.DE@DOMAIN.DE
renew until 12/04/09 14:49:22
vi /etc/hosts
192.168.0.1 kdc.domain.de kdc
vi /etc/bind/db.domain.de
_kerberos TXT "DOMAIN.DE"
_kerberos._udp SRV 0 0 88 kdc
_kpasswd._udp SRV 0 0 464 kdc
_kerberos-adm._tcp SRV 0 0 749 kdc
#
# Kerberos-User anlegen
#
kadmin.local
addprinc fritz@DOMAIN.DE
quit
#
# Ticket holen
#
kinit fritz
klist
#
# Kerberos-Zugang für Server und Client anlegen
#
# Server: testmaster.domain.de
# Client: testslave.domain.de
#
# HINWEIS: des-cbc-crc ist Single-DES (56 Bit, seit langem gebrochen) und wird von
# aktuellem MIT Kerberos standardmäßig abgelehnt (allow_weak_crypto = false). Die
# Einschränkung auf DES stammte von alten Kernel-rpcsec_gss-Implementierungen; auf
# aktuellen Systemen stattdessen z.B. "-e aes256-cts-hmac-sha1-96:normal" verwenden
# oder "-e" ganz weglassen und die KDC-Defaults nehmen.
# "-k krb5.keytab" (ohne Pfad) schreibt den Client-Key bewusst in eine eigene Datei
# im aktuellen Verzeichnis, damit er NICHT zusätzlich im Server-Keytab
# /etc/krb5.keytab landet. Diese Datei nach dem Kopieren (unten) wieder löschen.
kadmin.local
addprinc -randkey nfs/testmaster.domain.de@DOMAIN.DE
ktadd -e des-cbc-crc:normal nfs/testmaster.domain.de@DOMAIN.DE
Entry for principal nfs/testmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
addprinc -randkey nfs/testslave.domain.de@DOMAIN.DE
ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/testslave.domain.de@DOMAIN.DE
quit
#
# Clientzugang konfigurieren
#
#scp /etc/krb5.keytab root@testslave.domain.de:/etc/krb5.keytab
scp krb5.keytab sysop@testslave.domain.de:
# Der Keytab ist ein Klartext-Schlüssel: die Zwischenkopie auf dem KDC sofort entfernen.
shred -u krb5.keytab
ssh sysop@testslave.domain.de
sudo su -
cp /home/sysop/krb5.keytab /etc/krb5.keytab
# scp legt die Datei mit der umask des Zielkontos an (meist 0644): Besitzer und
# Rechte setzen und die Kopie im Home-Verzeichnis löschen, sonst bleibt der
# Schlüssel für sysop (und ggf. alle lokalen Benutzer) lesbar.
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
shred -u /home/sysop/krb5.keytab
Kerberos-Server (Secondary KDC)
-------------------------------
# https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
Kerberos-Client (MIT or Heimdal)
================================
# installieren
aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config
# konfigurieren
dpkg-reconfigure krb5-config
vi /etc/krb5.conf
[libdefaults]
# Realm used for principals given without @REALM (e.g. "kinit fritz").
default_realm = DOMAIN.DE
[realms]
DOMAIN.DE = {
# Two KDC entries: the IP and the short host name "testmaster". The short
# name only resolves if the resolver's search list covers domain.de —
# NOTE(review): confirm, or use the FQDN / kdc.domain.de from /etc/hosts above.
kdc = 192.168.0.1
kdc = testmaster
admin_server = 192.168.0.1
}
[domain_realm]
# Maps the idstein.domain.de host and all of its subdomains to the realm.
idstein.domain.de = DOMAIN.DE
.idstein.domain.de = DOMAIN.DE
[logging]
# Log files for KDC, kadmind and the client libraries (these are the file
# names used on this client; the Fedora example above uses krb5libs.log).
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
#
# Kerberos-Ticket erstellen
#
kinit admin/admin
#
# Kerberos-Ticket anzeigen
#
klist
################################################################################
Kerberos-Client auf Ubuntu 16.04.4 LTS (xenial) installieren
Quelle: https://serverfault.com/questions/422778/how-to-automate-kinit-process-to-obtain-tgt-for-kerberos
den Kerberos-Client installieren:
> apt install krb5-user
Hinweis: Für automatisierte Anmeldungen ist ein Keytab der übliche Weg, dann muss gar kein Passwort auf der Platte liegen: für einen reinen Dienst-Principal per kadmin "ktadd -k /etc/fritz.keytab fritz" (Achtung: ktadd setzt den Key des Principals neu, also nicht für Benutzer-Principals mit Passwort) und anschließend "kinit -kt /etc/fritz.keytab fritz@RELM". Die beiden folgenden Varianten legen das Passwort selbst ab und sind entsprechend schwächer.
mit Base64 das Passwort verschleiert abspeichern
das Passwort nur verschleiert abspeichern – Base64 ist KEINE Verschlüsselung, jeder mit Leserecht auf die Datei kann es sofort dekodieren; außerdem landet das Passwort durch das echo in der Shell-History (vorher z.B. "set +o history" bzw. HISTCONTROL=ignorespace und ein führendes Leerzeichen verwenden):
> touch geheim.cfg
> chmod 0600 geheim.cfg
> echo "geheimesPasswort" | base64 > geheim.cfg
Kerberos-Ticket holen:
> cat geheim.cfg | base64 -d | kinit fritz@RELM
Kerberos-Tickets anzeigen:
> klist
mit SSL das Passwort verschlüsselt abspeichern
Hinweis: Der private Schlüssel (pwd_RELM.key) liegt auf derselben Maschine wie geheim.cfg – wer die eine Datei lesen kann, kann in der Regel auch die andere lesen. Das schützt also nicht besser als die 0600-Datei selbst; echter Zusatznutzen entsteht nur, wenn der Schlüssel woanders abgelegt wird. Den Schlüssel auf jeden Fall mit chmod 0600 schützen, und auch hier landet das Passwort durch das echo in der Shell-History.
das SSL-Zertifikat erzeugen (das ist nur EINMAL nötig - für eine Gültigkeitsdauer von 7000 Tagen):
> openssl req -rand /dev/urandom -new -x509 -newkey rsa:4096 -sha512 -nodes -keyout pwd_RELM.key -keyform PEM -out pwd_RELM.crt -outform PEM -days 7000 -subj /emailAddress=email@adresse.de/C=DE/ST=Hessen/L=Frankfurt/O=Firma/OU=Abteilung/CN=Hostname
> chmod 0600 pwd_RELM.key
das Passwort verschlüsselt abspeichern:
> touch geheim.cfg
> chmod 0600 geheim.cfg
> echo "geheimesPasswort" | openssl smime -encrypt -aes256 -out geheim.cfg pwd_RELM.crt
Kerberos-Ticket holen:
> openssl smime -decrypt -in geheim.cfg -inkey pwd_RELM.key pwd_RELM.crt | kinit fritz@RELM
Kerberos-Tickets anzeigen:
> klist
NFSv4
http://wiki.linux-nfs.org/wiki/index.php/Main_Page
https://help.ubuntu.com/community/NFSv4Howto
http://wiki.linux-nfs.org/wiki/index.php/NFSv4_Introduction
http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
Zur Zeit dieser Anleitung (Stand 2009) funktioniert "Kerberos/NFS" nicht, wenn mehr als eine NIC im Rechner steckt – mit aktuellen Kernel-/nfs-utils-Versionen erneut prüfen.
################################################################################
# http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
# egrep ^nfs /etc/services
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
Die Systemuhren müssen gleich laufen!
#=> ntp
In der /etc/hosts muss als erstes der FQDN stehen!
# vi /etc/hosts
10.10.10.1 oqrmtestmaster.domain.de oqrmtestmaster kdc.domain.de kdc
10.10.10.2 oqrmtestslave.domain.de oqrmtestslave
################################################################################
NFSv4-Server mit Kerberos (MIT or Heimdal)
==========================================
Wir haben es hier mit drei unterschiedlichen Entitäten zu tun:
- Kerberos-server
- NFS-server
- NFS-client
Der Kerberos-server (or KDC) und NFS-server können sich auf der selben
Maschine befinden, können sich aber auch auf unterschiedliche Maschinen
befinden.
Als erstes brauchen wir ein funktionierendes Kerberos (MIT or Heimdal)
KDC (Key Distribution Center) bevor wir weiter machen!
Kerberos funktioniert ab Ubuntu 8.04.
MIT
---
aptitude install libpam-krb5 krb5-user
Heimdal
-------
aptitude install libpam-krb5 heimdal-clients
modprobe rpcsec_gss_krb5
Kerberos-Server (Primary KDC)
-----------------------------
# https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
aptitude install krb5-kdc krb5-admin-server
#
# Realm-DB anlegen
#
krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'DOMAIN.DE',
master key name 'K/M@DOMAIN.DE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
********
Re-enter KDC database master key to verify:
********
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
#
# Kerberos-Admin anlegen
#
kadmin.local
Authenticating as principal root/admin@DOMAIN.DE with password.
kadmin.local:
addprinc admin/admin
WARNING: no policy specified for admin/admin@DOMAIN.DE; defaulting to no policy
Enter password for principal "admin/admin@DOMAIN.DE":
********
Re-enter password for principal "admin/admin@DOMAIN.DE":
********
Principal "admin/admin@DOMAIN.DE" created.
kadmin.local:
quit
vi /etc/krb5kdc/kadm5.acl
admin/admin@DOMAIN.DE *
/etc/init.d/krb5-admin-server restart
kinit admin/admin
Password for admin/admin@DOMAIN.DE:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@DOMAIN.DE
Valid starting Expires Service principal
12/03/09 14:49:27 12/04/09 00:49:27 krbtgt/DOMAIN.DE@DOMAIN.DE
renew until 12/04/09 14:49:22
vi /etc/hosts
192.168.0.1 kdc01.domain.de kdc01
vi /etc/bind/db.domain.de
_kerberos._udp.DOMAIN.DE. IN SRV 1 0 88 kdc01.domain.de.
_kerberos._tcp.DOMAIN.DE. IN SRV 1 0 88 kdc01.domain.de.
_kerberos._udp.DOMAIN.DE. IN SRV 10 0 88 kdc02.domain.de.
_kerberos._tcp.DOMAIN.DE. IN SRV 10 0 88 kdc02.domain.de.
_kerberos-adm._tcp.DOMAIN.DE. IN SRV 1 0 749 kdc01.domain.de.
_kpasswd._udp.DOMAIN.DE. IN SRV 1 0 464 kdc01.domain.de.
#
# Kerberos-User anlegen
#
kadmin.local
addprinc fritz@DOMAIN.DE
quit
#
# Ticket holen
#
kinit fritz
klist
#
# Kerberos-Zugang für Server und Client anlegen
#
# Server: oqrmtestmaster.domain.de
# Client: oqrmtestslave.domain.de
#
# HINWEIS: des-cbc-crc ist Single-DES (56 Bit, seit langem gebrochen) und wird von
# aktuellem MIT Kerberos standardmäßig abgelehnt (allow_weak_crypto = false). Die
# Einschränkung auf DES stammte von alten Kernel-rpcsec_gss-Implementierungen; auf
# aktuellen Systemen stattdessen z.B. "-e aes256-cts-hmac-sha1-96:normal" verwenden
# oder "-e" ganz weglassen und die KDC-Defaults nehmen.
# "-k krb5.keytab" (ohne Pfad) schreibt den Client-Key bewusst in eine eigene Datei
# im aktuellen Verzeichnis, damit er NICHT zusätzlich im Server-Keytab
# /etc/krb5.keytab landet. Diese Datei nach dem Kopieren (unten) wieder löschen.
kadmin.local
addprinc -randkey nfs/oqrmtestmaster.domain.de@DOMAIN.DE
ktadd -e des-cbc-crc:normal nfs/oqrmtestmaster.domain.de@DOMAIN.DE
Entry for principal nfs/oqrmtestmaster.domain.de@DOMAIN.DE with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
addprinc -randkey nfs/oqrmtestslave.domain.de@DOMAIN.DE
ktadd -e des-cbc-crc:normal -k krb5.keytab nfs/oqrmtestslave.domain.de@DOMAIN.DE
quit
#
# Clientzugang konfigurieren
#
#scp /etc/krb5.keytab root@oqrmtestslave.domain.de:/etc/krb5.keytab
scp krb5.keytab sysop@oqrmtestslave.domain.de:
# Der Keytab ist ein Klartext-Schlüssel: die Zwischenkopie auf dem KDC sofort entfernen.
shred -u krb5.keytab
ssh sysop@oqrmtestslave.domain.de
sudo su -
cp /home/sysop/krb5.keytab /etc/krb5.keytab
# scp legt die Datei mit der umask des Zielkontos an (meist 0644): Besitzer und
# Rechte setzen und die Kopie im Home-Verzeichnis löschen, sonst bleibt der
# Schlüssel für sysop (und ggf. alle lokalen Benutzer) lesbar.
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
shred -u /home/sysop/krb5.keytab
#
# mounten
#
# sec=krb5i: Kerberos-Authentifizierung plus Integritätsschutz der RPCs, aber KEINE
# Verschlüsselung der Nutzdaten auf dem Netz. Sollen die Dateiinhalte vertraulich
# bleiben, sec=krb5p verwenden (sec=krb5 allein wäre nur Authentifizierung).
mount -t nfs4 -o proto=tcp,port=2049,rw,sec=krb5i 10.10.10.1:/user /home/user
Kerberos-Server (Secondary KDC)
-------------------------------
# https://help.ubuntu.com/9.04/serverguide/C/kerberos.html
NFSv4-Client mit Kerberos (MIT or Heimdal)
==========================================
# installieren
aptitude install krb5-user libpam-krb5 libpam-ccreds auth-client-config
# konfigurieren
dpkg-reconfigure krb5-config
vi /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.DE
....
[realms]
DOMAIN.DE = {
kdc = 192.168.0.1
kdc = oqrmtestmaster
admin_server = 192.168.0.1
}
#
# Kerberos-Ticket erstellen
#
kinit admin/admin
#
# Kerberos-Ticket anzeigen
#
klist
################################################################################
