аутентификация_с_использованием_kerberos_сервера [2010/09/13 13:27] val |
аутентификация_с_использованием_kerberos_сервера [2010/09/30 15:13] val removed |
Line 6: | Line 6: | ||
===== Предварительная настройка стенда ===== | ===== Предварительная настройка стенда ===== | ||
- | <code> | ||
- | # cat /etc/hosts | ||
- | ... | ||
- | #192.168.X.1 gate.corpX.un gate | ||
- | #192.168.X.10 server.corpX.un server | ||
- | ... | ||
- | </code> | ||
- | ===== Настройка DNS сервера ===== | + | ==== Настройка DNS сервера ==== |
- | ==== Инсталяция и настройка сервиса ==== | + | [[Сервис DNS]] |
=== FreeBSD === | === FreeBSD === | ||
Line 126: | Line 119: | ||
gate# cat /etc/resolv.conf | gate# cat /etc/resolv.conf | ||
+ | domain corpX.un | ||
+ | nameserver 192.168.X.10 | ||
+ | |||
+ | client1# cat /etc/resolv.conf | ||
domain corpX.un | domain corpX.un | ||
nameserver 192.168.X.10 | nameserver 192.168.X.10 | ||
</code> | </code> | ||
- | ==== Проверки (на gate и server) ==== | + | ==== Проверки (на gate client1 и server) ==== |
<code> | <code> | ||
# host ya.ru | # host ya.ru | ||
Line 141: | Line 138: | ||
</code> | </code> | ||
- | ===== Cинхронизация времени ===== | + | ===== Cинхронизация времени (может потребоваться рестарт служб NIS, NFS и RPCBIND) ===== |
==== FreeBSD ==== | ==== FreeBSD ==== | ||
Line 159: | Line 156: | ||
</code> | </code> | ||
- | ===== Перезапуск служб NIS, NFS и RPCBIND ===== | + | ===== Настройка KDC сервера ===== |
- | ==== FreeBSD ==== | + | ==== FreeBSD Heimdal ==== |
<code> | <code> | ||
- | [server:~] # /etc/rc.d/nfsd stop | + | [server:~] # cat /etc/rc.conf |
- | [server:~] # /etc/rc.d/mountd stop | + | ... |
- | [server:~] # /etc/rc.d/ypserv stop | + | kerberos5_server_enable="YES" |
- | + | ... | |
- | [server:~] # /etc/rc.d/rpcbind restart | + | |
- | + | ||
- | [server:~] # /etc/rc.d/ypserv start | + | |
- | [server:~] # /etc/rc.d/mountd start | + | |
- | [server:~] # /etc/rc.d/nfsd start | + | |
</code> | </code> | ||
- | ==== Ubuntu ==== | + | ==== FreeBSD MIT ==== |
<code> | <code> | ||
+ | [server:~] # pkg_add -r krb5-18 | ||
- | </code> | + | [server:~] # mkdir -p /usr/local/var/krb5kdc/ |
- | ===== Настройка KDC сервера ===== | + | [server:~] # kdb5_util create -s |
- | ==== FreeBSD ==== | + | [server:~] # /usr/local/sbin/krb5kdc |
- | <code> | + | |
- | [server:~] # cat /etc/rc.conf | + | [server:~] # kadmin.local |
- | ... | + | |
- | kerberos5_server_enable="YES" | + | |
- | ... | + | |
</code> | </code> | ||
- | ==== Ubuntu (8.04) ==== | + | ==== Ubuntu Heimdal (8.04) ==== |
<code> | <code> | ||
root@server:~# apt-get install heimdal-kdc | root@server:~# apt-get install heimdal-kdc | ||
Line 196: | Line 186: | ||
</code> | </code> | ||
- | ==== Ubuntu (10.04) ==== | + | ==== Ubuntu MIT (10.04) ==== |
!!! В виртуальной машине krb5_newrealm может зависать | !!! В виртуальной машине krb5_newrealm может зависать | ||
Line 230: | Line 220: | ||
</code> | </code> | ||
- | ==== Регистрация принципала пользователя в базе данных kerberos ==== | + | ===== Регистрация принципалов пользователей в базе данных kerberos ===== |
- | === FreeBSD, Ubuntu (8.04) === | + | ==== FreeBSD, Ubuntu (8.04) ==== |
<code> | <code> | ||
# kadmin -l | # kadmin -l | ||
Line 239: | Line 229: | ||
user1@CORPX.UN's Password: kpassword1 | user1@CORPX.UN's Password: kpassword1 | ||
Verifying - user@CORPX.UN's Password: kpassword1 | Verifying - user@CORPX.UN's Password: kpassword1 | ||
+ | ... | ||
+ | kadmin> add user2 | ||
+ | ... | ||
kadmin> list * | kadmin> list * | ||
Line 245: | Line 238: | ||
</code> | </code> | ||
- | === Ubuntu (10.04) === | + | ==== Ubuntu (10.04) ==== |
<code> | <code> | ||
root@server:~# kadmin.local | root@server:~# kadmin.local | ||
Line 251: | Line 244: | ||
kadmin.local: addprinc user1 | kadmin.local: addprinc user1 | ||
... | ... | ||
- | Enter password for principal "user@CORPX.UN": kpassword1 | + | Enter password for principal "user1@CORPX.UN": kpassword1 |
- | Re-enter password for principal "user@CORPX.UN": kpassword1 | + | Re-enter password for principal "user1@CORPX.UN": kpassword1 |
+ | ... | ||
+ | kadmin.local: addprinc user2 | ||
+ | ... | ||
kadmin.local: listprincs | kadmin.local: listprincs | ||
... | ... | ||
Line 276: | Line 271: | ||
</code> | </code> | ||
- | ===== Настройка Kerberos клиента ===== | + | ====== Настройка Kerberos клиента (на gate и client1) ====== |
- | ==== Инсталляция клиента ==== | + | ===== Инсталляция и настройка клиента ===== |
- | === Ubuntu (8.04) === | + | ==== Ubuntu (8.04) ==== |
<code> | <code> | ||
root@gate:~# apt-get install heimdal-clients | root@gate:~# apt-get install heimdal-clients | ||
+ | |||
+ | root@client1:~# apt-get install heimdal-clients | ||
</code> | </code> | ||
Line 288: | Line 285: | ||
<code> | <code> | ||
root@gate:~# apt-get install krb5-user | root@gate:~# apt-get install krb5-user | ||
+ | |||
+ | root@client1:~# apt-get install krb5-user | ||
</code> | </code> | ||
Line 295: | Line 294: | ||
[libdefaults] | [libdefaults] | ||
default_realm = CORPX.UN | default_realm = CORPX.UN | ||
+ | |||
+ | |||
+ | client1# cat /etc/krb5.conf | ||
+ | [libdefaults] | ||
+ | default_realm = CORPX.UN | ||
</code> | </code> | ||
Line 306: | Line 310: | ||
gate# klist | gate# klist | ||
gate# kdestroy | gate# kdestroy | ||
+ | |||
+ | client1# kinit user1 | ||
+ | client1# klist | ||
+ | client1# kdestroy | ||
</code> | </code> | ||
===== Использование протокола GSSAPI для сервиса sshd ===== | ===== Использование протокола GSSAPI для сервиса sshd ===== | ||
+ | |||
Generic Security Services Application Program Interface | Generic Security Services Application Program Interface | ||
Line 337: | Line 346: | ||
=== FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
<code> | <code> | ||
- | kadmin> ext -k /usr/student/gate.keytab host/gate.corpX.un | + | kadmin> ext -k gatehost.keytab host/gate.corpX.un |
kadmin> quit | kadmin> quit | ||
</code> | </code> | ||
Line 343: | Line 352: | ||
=== Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
<code> | <code> | ||
- | kadmin.local: ktadd -k /usr/student/gate.keytab host/gate.corpX.un | + | kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un |
- | ... | + | |
- | ... | + | |
... | ... | ||
+ | |||
kadmin.local: quit | kadmin.local: quit | ||
</code> | </code> | ||
Line 352: | Line 360: | ||
=== FreeBSD, Ubuntu === | === FreeBSD, Ubuntu === | ||
<code> | <code> | ||
- | server# chown student ~student/gate.keytab | + | server# scp gatehost.keytab student@gate: |
- | + | ||
- | gate# scp student@server:gate.keytab . | + | |
</code> | </code> | ||
=== FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
<code> | <code> | ||
- | gate# ktutil copy gate.keytab /etc/krb5.keytab | + | gate# ktutil copy /usr/student/gatehost.keytab /etc/krb5.keytab |
gate# touch /etc/srvtab | gate# touch /etc/srvtab | ||
+ | |||
gate# ktutil list | gate# ktutil list | ||
... | ... | ||
Line 369: | Line 376: | ||
<code> | <code> | ||
root@gate:~# ktutil | root@gate:~# ktutil | ||
- | ktutil: rkt gate.keytab | + | ktutil: rkt /usr/student/gatehost.keytab |
ktutil: list | ktutil: list | ||
ktutil: wkt /etc/krb5.keytab | ktutil: wkt /etc/krb5.keytab | ||
ktutil: quit | ktutil: quit | ||
+ | |||
+ | root@gate:~# klist -ek /etc/krb5.keytab | ||
</code> | </code> | ||
Line 385: | Line 394: | ||
==== Настройка клиента ssh на использование GSSAPI ==== | ==== Настройка клиента ssh на использование GSSAPI ==== | ||
<code> | <code> | ||
- | server# cat /etc/ssh/ssh_config | + | client1# cat /etc/ssh/ssh_config |
... | ... | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
Line 391: | Line 400: | ||
</code> | </code> | ||
- | ===== Использование pam kerberos для сервиса sshd ===== | + | ===== Использование pam kerberos для сервиса login ===== |
==== Настройка pam ==== | ==== Настройка pam ==== | ||
Line 397: | Line 406: | ||
=== FreeBSD === | === FreeBSD === | ||
<code> | <code> | ||
- | [server:~] # cat /etc/pam.d/system | + | [client1:~] # cat /etc/pam.d/system |
... | ... | ||
# auth | # auth | ||
Line 409: | Line 418: | ||
=== Ubuntu (8.04) === | === Ubuntu (8.04) === | ||
<code> | <code> | ||
- | root@server:~# apt-get install libpam-heimdal | + | root@client1:~# apt-get install libpam-heimdal |
</code> | </code> | ||
=== Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
<code> | <code> | ||
- | root@server:~# apt-get install libpam-krb5 | + | root@client1:~# apt-get install libpam-krb5 |
</code> | </code> | ||
- | === Ubuntu === | + | === Ubuntu (все настроится автоматически) === |
<code> | <code> | ||
- | root@server:~# cat /etc/pam.d/sshd | + | root@client1:~# cd /etc/pam.d/ |
- | ... | + | root@client1:/etc/pam.d/# grep krb5 * |
- | auth sufficient pam_krb5.so | + | |
- | # Standard Un*x authentication. | + | |
... | ... | ||
</code> | </code> | ||
Line 428: | Line 435: | ||
===== Отладка ===== | ===== Отладка ===== | ||
<code> | <code> | ||
- | user@server$ ssh -vv gate.corpX.un | + | user1@client1$ ssh -vv gate.corpX.un |
gate# /usr/sbin/sshd -d | gate# /usr/sbin/sshd -d | ||
</code> | </code> | ||
+ |
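Review bot: The keytab handoff in the `=== FreeBSD, Ubuntu ===` hunk (`server# scp gatehost.keytab student@gate:`) parks a copy of the gate host key in the unprivileged student account's home, and the two import hunks that follow (`gate# ktutil copy /usr/student/gatehost.keytab /etc/krb5.keytab` and `ktutil: rkt /usr/student/gatehost.keytab`) read it from there without ever deleting it or tightening its mode. A keytab carries the host principal's long-term key, so the staging copy is as sensitive as /etc/krb5.keytab itself and should not outlive the import. I would append to both import blocks `gate# chmod 600 /etc/krb5.keytab` and `gate# rm /usr/student/gatehost.keytab`, and likewise remove the `gatehost.keytab` that `ext -k` / `ktadd -k` write into the kadmin working directory on server once the scp has succeeded (presumably that is the admin's home, since no absolute path is given). A one-line remark under the scp step saying the temporary copies must be removed after the merge would cover the same ground if the page prefers prose over extra commands.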