User Tools
аутентификация_с_использованием_kerberos_сервера
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
аутентификация_с_использованием_kerberos_сервера [2010/09/13 13:25] val |
аутентификация_с_использованием_kerberos_сервера [2010/09/30 15:13] val removed |
||
|---|---|---|---|
| Line 6: | Line 6: | ||
| ===== Предварительная настройка стенда ===== | ===== Предварительная настройка стенда ===== | ||
| - | <code> | ||
| - | # cat /etc/hosts | ||
| - | ... | ||
| - | #192.168.X.1 gate.corpX.un gate | ||
| - | #192.168.X.10 server.corpX.un server | ||
| - | ... | ||
| - | </code> | ||
| - | ===== Настройка DNS сервера ===== | + | ==== Настройка DNS сервера ==== |
| - | ==== Инсталяция и настройка сервиса ==== | + | [[Сервис DNS]] |
| === FreeBSD === | === FreeBSD === | ||
| Line 126: | Line 119: | ||
| gate# cat /etc/resolv.conf | gate# cat /etc/resolv.conf | ||
| + | domain corpX.un | ||
| + | nameserver 192.168.X.10 | ||
| + | |||
| + | client1# cat /etc/resolv.conf | ||
| domain corpX.un | domain corpX.un | ||
| nameserver 192.168.X.10 | nameserver 192.168.X.10 | ||
| </code> | </code> | ||
| - | ==== Проверки (на gate и server) ==== | + | ==== Проверки (на gate client1 и server) ==== |
| <code> | <code> | ||
| # host ya.ru | # host ya.ru | ||
| Line 141: | Line 138: | ||
| </code> | </code> | ||
| - | ===== Cинхронизация времени ===== | + | ===== Cинхронизация времени (может потребоваться рестарт служб NIS, NFS и RPCBIND) ===== |
| ==== FreeBSD ==== | ==== FreeBSD ==== | ||
| Line 159: | Line 156: | ||
| </code> | </code> | ||
| - | ===== Перезапуск служб NIS, NFS и RPCBIND ===== | + | ===== Настройка KDC сервера ===== |
| - | ==== FreeBSD ==== | + | ==== FreeBSD Heimdal ==== |
| <code> | <code> | ||
| - | [server:~] # /etc/rc.d/nfsd stop | + | [server:~] # cat /etc/rc.conf |
| - | [server:~] # /etc/rc.d/mountd stop | + | ... |
| - | [server:~] # /etc/rc.d/ypserv stop | + | kerberos5_server_enable="YES" |
| - | + | ... | |
| - | [server:~] # /etc/rc.d/rpcbind restart | + | |
| - | + | ||
| - | [server:~] # /etc/rc.d/ypserv start | + | |
| - | [server:~] # /etc/rc.d/mountd start | + | |
| - | [server:~] # /etc/rc.d/nfsd start | + | |
| </code> | </code> | ||
| - | ==== Ubuntu ==== | + | ==== FreeBSD MIT ==== |
| <code> | <code> | ||
| + | [server:~] # pkg_add -r krb5-18 | ||
| - | </code> | + | [server:~] # mkdir -p /usr/local/var/krb5kdc/ |
| - | ===== Настройка KDC сервера ===== | + | [server:~] # kdb5_util create -s |
| + | |||
| + | [server:~] # /usr/local/sbin/krb5kdc | ||
| - | ==== FreeBSD ==== | + | [server:~] # kadmin.local |
| - | <code> | + | |
| - | [server:~] # cat /etc/rc.conf | + | |
| - | ... | + | |
| - | kerberos5_server_enable="YES" | + | |
| - | ... | + | |
| </code> | </code> | ||
| - | ==== Ubuntu (8.04) ==== | + | ==== Ubuntu Heimdal (8.04) ==== |
| <code> | <code> | ||
| root@server:~# apt-get install heimdal-kdc | root@server:~# apt-get install heimdal-kdc | ||
| Line 196: | Line 186: | ||
| </code> | </code> | ||
| - | ==== Ubuntu (10.04) ==== | + | ==== Ubuntu MIT (10.04) ==== |
| !!! В виртуальной машине krb5_newrealm может зависать | !!! В виртуальной машине krb5_newrealm может зависать | ||
| Line 230: | Line 220: | ||
| </code> | </code> | ||
| - | ==== Регистрация принципала пользователя в базе данных kerberos ==== | + | ===== Регистрация принципалов пользователей в базе данных kerberos ===== |
| - | === FreeBSD, Ubuntu (8.04) === | + | ==== FreeBSD, Ubuntu (8.04) ==== |
| <code> | <code> | ||
| # kadmin -l | # kadmin -l | ||
| Line 239: | Line 229: | ||
| user1@CORPX.UN's Password: kpassword1 | user1@CORPX.UN's Password: kpassword1 | ||
| Verifying - user@CORPX.UN's Password: kpassword1 | Verifying - user@CORPX.UN's Password: kpassword1 | ||
| + | ... | ||
| + | kadmin> add user2 | ||
| + | ... | ||
| kadmin> list * | kadmin> list * | ||
| Line 245: | Line 238: | ||
| </code> | </code> | ||
| - | === Ubuntu (10.04) === | + | ==== Ubuntu (10.04) ==== |
| <code> | <code> | ||
| root@server:~# kadmin.local | root@server:~# kadmin.local | ||
| Line 251: | Line 244: | ||
| kadmin.local: addprinc user1 | kadmin.local: addprinc user1 | ||
| ... | ... | ||
| - | Enter password for principal "user@CORPX.UN": kpassword1 | + | Enter password for principal "user1@CORPX.UN": kpassword1 |
| - | Re-enter password for principal "user@CORPX.UN": kpassword1 | + | Re-enter password for principal "user1@CORPX.UN": kpassword1 |
| + | ... | ||
| + | kadmin.local: addprinc user2 | ||
| + | ... | ||
| kadmin.local: listprincs | kadmin.local: listprincs | ||
| ... | ... | ||
| Line 276: | Line 271: | ||
| </code> | </code> | ||
| - | ===== Настройка Kerberos клиента ===== | + | ====== Настройка Kerberos клиента (на gate и client1) ====== |
| - | ==== Инсталляция клиента ==== | + | ===== Инсталляция и настройка клиента ===== |
| - | === Ubuntu (8.04) === | + | ==== Ubuntu (8.04) ==== |
| <code> | <code> | ||
| root@gate:~# apt-get install heimdal-clients | root@gate:~# apt-get install heimdal-clients | ||
| + | |||
| + | root@client1:~# apt-get install heimdal-clients | ||
| </code> | </code> | ||
| Line 288: | Line 285: | ||
| <code> | <code> | ||
| root@gate:~# apt-get install krb5-user | root@gate:~# apt-get install krb5-user | ||
| + | |||
| + | root@client1:~# apt-get install krb5-user | ||
| </code> | </code> | ||
| Line 295: | Line 294: | ||
| [libdefaults] | [libdefaults] | ||
| default_realm = CORPX.UN | default_realm = CORPX.UN | ||
| + | |||
| + | |||
| + | client1# cat /etc/krb5.conf | ||
| + | [libdefaults] | ||
| + | default_realm = CORPX.UN | ||
| </code> | </code> | ||
| Line 306: | Line 310: | ||
| gate# klist | gate# klist | ||
| gate# kdestroy | gate# kdestroy | ||
| + | |||
| + | client1# kinit user1 | ||
| + | client1# klist | ||
| + | client1# kdestroy | ||
| </code> | </code> | ||
| ===== Использование протокола GSSAPI для сервиса sshd ===== | ===== Использование протокола GSSAPI для сервиса sshd ===== | ||
| + | |||
| Generic Security Services Application Program Interface | Generic Security Services Application Program Interface | ||
| Line 337: | Line 346: | ||
| === FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
| <code> | <code> | ||
| - | kadmin> ext -k /usr/student/gate.keytab host/gate.corpX.un | + | kadmin> ext -k gatehost.keytab host/gate.corpX.un |
| kadmin> quit | kadmin> quit | ||
| </code> | </code> | ||
| Line 343: | Line 352: | ||
| === Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
| <code> | <code> | ||
| - | kadmin.local: ktadd -k /usr/student/gate.keytab host/gate.corpX.un | + | kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un |
| + | ... | ||
| kadmin.local: quit | kadmin.local: quit | ||
| </code> | </code> | ||
| Line 349: | Line 360: | ||
| === FreeBSD, Ubuntu === | === FreeBSD, Ubuntu === | ||
| <code> | <code> | ||
| - | server# chown student ~student/gate.keytab | + | server# scp gatehost.keytab student@gate: |
| - | + | ||
| - | gate# scp student@server:gate.keytab . | + | |
| </code> | </code> | ||
| === FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
| <code> | <code> | ||
| - | gate# ktutil copy gate.keytab /etc/krb5.keytab | + | gate# ktutil copy /usr/student/gatehost.keytab /etc/krb5.keytab |
| gate# touch /etc/srvtab | gate# touch /etc/srvtab | ||
| + | |||
| gate# ktutil list | gate# ktutil list | ||
| ... | ... | ||
| Line 366: | Line 376: | ||
| <code> | <code> | ||
| root@gate:~# ktutil | root@gate:~# ktutil | ||
| - | ktutil: rkt gate.keytab | + | ktutil: rkt /usr/student/gatehost.keytab |
| ktutil: list | ktutil: list | ||
| ktutil: wkt /etc/krb5.keytab | ktutil: wkt /etc/krb5.keytab | ||
| ktutil: quit | ktutil: quit | ||
| + | |||
| + | root@gate:~# klist -ek /etc/krb5.keytab | ||
| </code> | </code> | ||
| Line 382: | Line 394: | ||
| ==== Настройка клиента ssh на использование GSSAPI ==== | ==== Настройка клиента ssh на использование GSSAPI ==== | ||
| <code> | <code> | ||
| - | server# cat /etc/ssh/ssh_config | + | client1# cat /etc/ssh/ssh_config |
| ... | ... | ||
| GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
| Line 388: | Line 400: | ||
| </code> | </code> | ||
| - | ===== Использование pam kerberos для сервиса sshd ===== | + | ===== Использование pam kerberos для сервиса login ===== |
| ==== Настройка pam ==== | ==== Настройка pam ==== | ||
| Line 394: | Line 406: | ||
| === FreeBSD === | === FreeBSD === | ||
| <code> | <code> | ||
| - | [server:~] # cat /etc/pam.d/system | + | [client1:~] # cat /etc/pam.d/system |
| ... | ... | ||
| # auth | # auth | ||
| Line 406: | Line 418: | ||
| === Ubuntu (8.04) === | === Ubuntu (8.04) === | ||
| <code> | <code> | ||
| - | root@server:~# apt-get install libpam-heimdal | + | root@client1:~# apt-get install libpam-heimdal |
| </code> | </code> | ||
| === Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
| <code> | <code> | ||
| - | root@server:~# apt-get install libpam-krb5 | + | root@client1:~# apt-get install libpam-krb5 |
| </code> | </code> | ||
| - | === Ubuntu === | + | === Ubuntu (все настроится автоматически) === |
| <code> | <code> | ||
| - | root@server:~# cat /etc/pam.d/sshd | + | root@client1:~# cd /etc/pam.d/ |
| - | ... | + | root@client1:/etc/pam.d/# grep krb5 * |
| - | auth sufficient pam_krb5.so | + | |
| - | # Standard Un*x authentication. | + | |
| ... | ... | ||
| </code> | </code> | ||
| Line 425: | Line 435: | ||
| ===== Отладка ===== | ===== Отладка ===== | ||
| <code> | <code> | ||
| - | user@server$ ssh -vv gate.corpX.un | + | user1@client1$ ssh -vv gate.corpX.un |
| gate# /usr/sbin/sshd -d | gate# /usr/sbin/sshd -d | ||
| </code> | </code> | ||
| + | |||
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
