User Tools
регистрация_ключей_принципалов_в_kdc
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
регистрация_ключей_принципалов_в_kdc [2011/09/13 16:29] val |
регистрация_ключей_принципалов_в_kdc [2022/11/02 09:52] val [MIT Linux/(Debian/Ubuntu)] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== Регистрация принципалов пользователей в базе данных kerberos ===== | ===== Регистрация принципалов пользователей в базе данных kerberos ===== | ||
| + | ==== MIT Linux/(Debian/Ubuntu) ==== | ||
| + | <code> | ||
| + | root@server:~# kadmin.local | ||
| + | </code><code> | ||
| + | kadmin.local: addprinc user1 | ||
| + | ... | ||
| + | Enter password for principal "user1@CORPX.UN": kpassword1 | ||
| + | Re-enter password for principal "user1@CORPX.UN": kpassword1 | ||
| + | ... | ||
| + | kadmin.local: addprinc user2 | ||
| + | ... | ||
| + | kadmin.local: listprincs | ||
| + | ... | ||
| + | user1@CORPX.UN | ||
| + | ... | ||
| + | kadmin.local: quit | ||
| + | |||
| + | root@server:~# kadmin.local -q 'addprinc -pw kpassword2 user2' | ||
| + | |||
| + | root@server:~# kadmin.local -q 'change_password -pw kpassword1 user1' | ||
| + | </code> | ||
| ==== HEIMDAL (FreeBSD) ==== | ==== HEIMDAL (FreeBSD) ==== | ||
| <code> | <code> | ||
| Line 17: | Line 38: | ||
| kadmin> quit | kadmin> quit | ||
| - | </code> | ||
| - | |||
| - | ==== MIT (Linux) ==== | ||
| - | <code> | ||
| - | root@server:~# kadmin.local | ||
| - | |||
| - | kadmin.local: addprinc user1 | ||
| - | ... | ||
| - | Enter password for principal "user1@CORPX.UN": kpassword1 | ||
| - | Re-enter password for principal "user1@CORPX.UN": kpassword1 | ||
| - | ... | ||
| - | kadmin.local: addprinc user2 | ||
| - | ... | ||
| - | kadmin.local: listprincs | ||
| - | ... | ||
| - | user1@CORPX.UN | ||
| - | ... | ||
| - | kadmin.local: quit | ||
| </code> | </code> | ||
| Line 54: | Line 57: | ||
| ===== Использование протокола GSSAPI на примере sshd ===== | ===== Использование протокола GSSAPI на примере sshd ===== | ||
| - | GSSAPI Generic Security Services Application Program Interface | + | * GSSAPI Generic Security Services Application Program Interface |
| + | * [[Сервис SSH#Аутентификация с использованием протокола GSSAPI]] Сервис SSH | ||
| - | ==== Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер ==== | + | ===== Регистрация рабочих станций windows в KDC ===== |
| - | === HEIMDAL (FreeBSD) === | ||
| - | <code> | ||
| - | server# kadmin -l | ||
| - | kadmin> add -r host/gate.corpX.un | ||
| - | ... | ||
| - | kadmin> list * | ||
| - | kadmin> ext -k gatehost.keytab host/gate.corpX.un | ||
| - | kadmin> quit | ||
| - | |||
| - | server# scp gatehost.keytab gate: | ||
| - | </code> | ||
| - | |||
| - | === MIT (Linux) === | ||
| - | <code> | ||
| - | root@server:~# kadmin.local | ||
| - | kadmin.local: addprinc -randkey host/gate.corpX.un | ||
| - | ... | ||
| - | kadmin.local: listprincs | ||
| - | |||
| - | kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un | ||
| - | ... | ||
| - | kadmin.local: quit | ||
| - | |||
| - | server# scp gatehost.keytab gate: | ||
| - | </code> | ||
| - | |||
| - | === Microsoft Active Directory === | ||
| - | |||
| - | Добавляем пользователя в AD | ||
| - | <code> | ||
| - | Login: gatehost | ||
| - | Password: Pa$$w0rd | ||
| - | </code> | ||
| - | Пароль не меняется и не устаревает | ||
| - | |||
| - | Устанавливаем Microsoft Windows Support Tools | ||
| - | |||
| - | <code> | ||
| - | C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | ||
| - | |||
| - | C:\>pscp gatehost.keytab gate: | ||
| - | </code> | ||
| - | |||
| - | ==== Добавление ключа в системный keytab ==== | ||
| - | |||
| - | === HEIMDAL (FreeBSD) === | ||
| - | <code> | ||
| - | gate# ktutil copy /usr/student/gatehost.keytab /etc/krb5.keytab | ||
| - | gate# touch /etc/srvtab | ||
| - | |||
| - | gate# ktutil list | ||
| - | ... | ||
| - | |||
| - | </code> | ||
| - | |||
| - | === MIT (Linux) === | ||
| - | <code> | ||
| - | root@gate:~# ktutil | ||
| - | ktutil: rkt /usr/student/gatehost.keytab | ||
| - | ktutil: list | ||
| - | ktutil: wkt /etc/krb5.keytab | ||
| - | ktutil: quit | ||
| - | |||
| - | root@gate:~# klist -ek /etc/krb5.keytab | ||
| - | </code> | ||
| - | |||
| - | ==== Удаление ключа из системного keytab ==== | ||
| - | |||
| - | === HEIMDAL (FreeBSD) === | ||
| - | <code> | ||
| - | gate# ktutil remove -p 'HTTP/gate.CORPX.UN@CORPX.UN' | ||
| - | </code> | ||
| - | |||
| - | === MIT (Linux) === | ||
| - | <code> | ||
| - | |||
| - | </code> | ||
| - | |||
| - | ==== Настройка сервиса sshd на использование GSSAPI ==== | ||
| - | <code> | ||
| - | gate# cat /etc/ssh/sshd_config | ||
| - | ... | ||
| - | GSSAPIAuthentication yes | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | ==== Настройка unix клиента ssh на использование GSSAPI ==== | ||
| - | <code> | ||
| - | client1# cat /etc/ssh/ssh_config | ||
| - | ... | ||
| - | GSSAPIAuthentication yes | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | ==== Настройка windows клиента (putty) на использование GSSAPI ==== | ||
| - | <code> | ||
| - | Hostname: user1@gate.corpX.un | ||
| - | SSH->Auth-Attempt GSSAPI... | ||
| - | </code> | ||
| - | |||
| - | ===== Использование pam kerberos для сервиса login ===== | ||
| - | |||
| - | ==== Настройка pam ==== | ||
| - | |||
| - | === FreeBSD === | ||
| - | <code> | ||
| - | [client1:~] # cat /etc/pam.d/system | ||
| - | ... | ||
| - | # auth | ||
| - | ... | ||
| - | auth sufficient pam_krb5.so no_warn try_first_pass | ||
| - | #auth sufficient pam_ssh.so no_warn try_first_pass | ||
| - | auth required pam_unix.so no_warn try_first_pass nullok | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | === Ubuntu/Debian === | ||
| - | <code> | ||
| - | root@client1:~# apt-get install libpam-krb5 | ||
| - | </code> | ||
| - | |||
| - | все настроится автоматически | ||
| - | |||
| - | <code> | ||
| - | root@client1:~# cd /etc/pam.d/ | ||
| - | root@client1:/etc/pam.d/# grep krb5 * | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | ==== Отладка ==== | ||
| - | <code> | ||
| - | user1@client1$ ssh -vv gate.corpX.un | ||
| - | |||
| - | gate# /usr/sbin/sshd -d | ||
| - | </code> | ||
| - | |||
| - | ===== Регистрация рабочих станций windows в KDC ===== | ||
| - | |||
| - | !!! Необходимо все системы корректно прописать в прямой и реверс зоне DNS !!! ??? | ||
| ==== HEIMDAL (FreeBSD) ==== | ==== HEIMDAL (FreeBSD) ==== | ||
| Line 204: | Line 69: | ||
| kadmin> add host/client2.corpX.un | kadmin> add host/client2.corpX.un | ||
| ... | ... | ||
| - | Pa$$w0rd | + | host/client2.corpX.un@CORPX.UN's Password: 12345678 |
| ... | ... | ||
| kadmin> list * | kadmin> list * | ||
| Line 216: | Line 81: | ||
| kadmin.local: addprinc -e rc4-hmac:normal host/client2.corpX.un | kadmin.local: addprinc -e rc4-hmac:normal host/client2.corpX.un | ||
| ... | ... | ||
| - | Enter password for principal "host/client2.corpX.un@CORPX.UN": Pa$$w0rd | + | Enter password for principal "host/client2.corpX.un@CORPX.UN": 12345678 |
| ... | ... | ||
| kadmin.local: listprincs | kadmin.local: listprincs | ||
| Line 223: | Line 88: | ||
| </code> | </code> | ||
| + | ===== Удаление принципалов из базы данных kerberos ===== | ||
| + | |||
| + | ==== HEIMDAL (FreeBSD) ==== | ||
| + | <code> | ||
| + | gate# ktutil remove -p 'HTTP/gate.CORPX.UN@CORPX.UN' | ||
| + | </code> | ||
| + | |||
| + | ==== MIT (Linux) ==== | ||
| + | <code> | ||
| + | kadmin.local: delprinc HTTP/gate.CORPX.UN@CORPX.UN | ||
| + | </code> | ||
регистрация_ключей_принципалов_в_kdc.txt · Last modified: 2024/01/25 14:46 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
