регистрация_ключей_принципалов_в_kdc [2012/07/16 16:15] val |
регистрация_ключей_принципалов_в_kdc [2024/01/25 14:46] val [MIT Linux/(Debian/Ubuntu)] |
Line 3: | Line 3: | ||
===== Регистрация принципалов пользователей в базе данных kerberos ===== | ===== Регистрация принципалов пользователей в базе данных kerberos ===== | ||
+ | ==== MIT Linux/(Debian/Ubuntu) ==== | ||
+ | <code> | ||
+ | root@server:~# kadmin.local | ||
+ | </code><code> | ||
+ | kadmin.local: addprinc user1 | ||
+ | ... | ||
+ | Enter password for principal "user1@CORPX.UN": kpassword1 | ||
+ | Re-enter password for principal "user1@CORPX.UN": kpassword1 | ||
+ | ... | ||
+ | kadmin.local: addprinc user2 | ||
+ | ... | ||
+ | kadmin.local: listprincs | ||
+ | ... | ||
+ | user1@CORPX.UN | ||
+ | ... | ||
+ | kadmin.local: quit | ||
+ | |||
+ | root@server:~# | ||
+ | kadmin.local -q 'addprinc -pw kpassword2 user2' | ||
+ | kadmin.local -q 'addprinc -pw kpassword3 user3' | ||
+ | kadmin.local -q 'addprinc -pw kpassword4 user4' | ||
+ | |||
+ | root@server:~# kadmin.local -q 'change_password -pw kpassword1 user1' | ||
+ | </code> | ||
==== HEIMDAL (FreeBSD) ==== | ==== HEIMDAL (FreeBSD) ==== | ||
<code> | <code> | ||
Line 17: | Line 41: | ||
kadmin> quit | kadmin> quit | ||
- | </code> | ||
- | |||
- | ==== MIT (Linux) ==== | ||
- | <code> | ||
- | root@server:~# kadmin.local | ||
- | |||
- | kadmin.local: addprinc user1 | ||
- | ... | ||
- | Enter password for principal "user1@CORPX.UN": kpassword1 | ||
- | Re-enter password for principal "user1@CORPX.UN": kpassword1 | ||
- | ... | ||
- | kadmin.local: addprinc user2 | ||
- | ... | ||
- | kadmin.local: listprincs | ||
- | ... | ||
- | user1@CORPX.UN | ||
- | ... | ||
- | kadmin.local: quit | ||
</code> | </code> | ||
Line 54: | Line 60: | ||
===== Использование протокола GSSAPI на примере sshd ===== | ===== Использование протокола GSSAPI на примере sshd ===== | ||
- | GSSAPI Generic Security Services Application Program Interface | + | * GSSAPI Generic Security Services Application Program Interface |
+ | * [[Сервис SSH#Аутентификация с использованием протокола GSSAPI]] Сервис SSH | ||
+ | |||
+ | ===== Регистрация рабочих станций windows в KDC ===== | ||
- | ==== Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер ==== | ||
- | === HEIMDAL (FreeBSD) === | + | |
+ | ==== HEIMDAL (FreeBSD) ==== | ||
<code> | <code> | ||
server# kadmin -l | server# kadmin -l | ||
- | kadmin> add -r host/gate.corpX.un | + | kadmin> add host/client2.corpX.un |
+ | ... | ||
+ | host/client2.corpX.un@CORPX.UN's Password: 12345678 | ||
... | ... | ||
kadmin> list * | kadmin> list * | ||
- | kadmin> ext -k gatehost.keytab host/gate.corpX.un | + | kadmin> |
- | kadmin> quit | + | |
- | + | ||
- | server# scp gatehost.keytab gate: | + | |
</code> | </code> | ||
- | === MIT (Linux) === | + | ==== MIT (Linux) ==== |
<code> | <code> | ||
root@server:~# kadmin.local | root@server:~# kadmin.local | ||
- | kadmin.local: addprinc -randkey host/gate.corpX.un | + | kadmin.local: addprinc -e rc4-hmac:normal host/client2.corpX.un |
+ | ... | ||
+ | Enter password for principal "host/client2.corpX.un@CORPX.UN": 12345678 | ||
... | ... | ||
kadmin.local: listprincs | kadmin.local: listprincs | ||
- | kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un | + | или |
- | ... | + | |
- | kadmin.local: quit | + | |
- | server# scp gatehost.keytab gate: | + | root@server:~# kadmin.local -q 'addprinc -e rc4-hmac:normal -pw 12345678 host/client2.corpX.un' |
</code> | </code> | ||
- | === Microsoft Active Directory === | + | ===== Удаление принципалов из базы данных kerberos ===== |
- | Добавляем пользователя в AD | + | ==== HEIMDAL (FreeBSD) ==== |
- | <code> | + | |
- | Login: gatehost | + | |
- | Password: Pa$$w0rd | + | |
- | </code> | + | |
- | Пароль не меняется и не устаревает | + | |
- | + | ||
- | Устанавливаем Microsoft Windows Support Tools | + | |
- | + | ||
- | <code> | + | |
- | C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | + | |
- | + | ||
- | C:\>pscp gatehost.keytab gate: | + | |
- | </code> | + | |
- | + | ||
- | ==== Добавление ключа в системный keytab ==== | + | |
- | + | ||
- | === HEIMDAL (FreeBSD) === | + | |
- | <code> | + | |
- | gate# ktutil copy /root/gatehost.keytab /etc/krb5.keytab | + | |
- | gate# touch /etc/srvtab | + | |
- | + | ||
- | gate# ktutil list | + | |
- | ... | + | |
- | </code> | + | |
- | + | ||
- | === MIT (Linux) === | + | |
- | <code> | + | |
- | root@gate:~# ktutil | + | |
- | ktutil: rkt /root/gatehost.keytab | + | |
- | ktutil: list | + | |
- | ktutil: wkt /etc/krb5.keytab | + | |
- | ktutil: quit | + | |
- | + | ||
- | root@gate:~# klist -ek /etc/krb5.keytab | + | |
- | </code> | + | |
- | + | ||
- | ==== Удаление ключа из системного keytab ==== | + | |
- | + | ||
- | === HEIMDAL (FreeBSD) === | + | |
<code> | <code> | ||
gate# ktutil remove -p 'HTTP/gate.CORPX.UN@CORPX.UN' | gate# ktutil remove -p 'HTTP/gate.CORPX.UN@CORPX.UN' | ||
- | </code> | ||
- | |||
- | === MIT (Linux) === | ||
- | <code> | ||
- | |||
- | </code> | ||
- | |||
- | ==== Настройка сервиса sshd на использование GSSAPI ==== | ||
- | <code> | ||
- | gate# cat /etc/ssh/sshd_config | ||
- | ... | ||
- | GSSAPIAuthentication yes | ||
- | ... | ||
- | </code> | ||
- | |||
- | ==== Настройка unix клиента ssh на использование GSSAPI ==== | ||
- | <code> | ||
- | client1# cat /etc/ssh/ssh_config | ||
- | ... | ||
- | GSSAPIAuthentication yes | ||
- | ... | ||
- | </code> | ||
- | |||
- | ==== Настройка windows клиента (putty) на использование GSSAPI ==== | ||
- | <code> | ||
- | Hostname: user1@gate.corpX.un | ||
- | SSH->Auth-Attempt GSSAPI... | ||
- | </code> | ||
- | |||
- | ==== Отладка ==== | ||
- | <code> | ||
- | user1@client1$ ssh -vv gate.corpX.un | ||
- | |||
- | gate# /usr/sbin/sshd -d | ||
- | </code> | ||
- | |||
- | ===== Регистрация рабочих станций windows в KDC ===== | ||
- | |||
- | !!! Необходимо все системы корректно прописать в прямой и реверс зоне DNS !!! | ||
- | |||
- | ==== HEIMDAL (FreeBSD) ==== | ||
- | <code> | ||
- | server# kadmin -l | ||
- | kadmin> add host/client2.corpX.un | ||
- | ... | ||
- | Pa$$w0rd | ||
- | ... | ||
- | kadmin> list * | ||
- | |||
- | kadmin> | ||
</code> | </code> | ||
==== MIT (Linux) ==== | ==== MIT (Linux) ==== | ||
<code> | <code> | ||
- | root@server:~# kadmin.local | + | kadmin.local: delprinc HTTP/gate.CORPX.UN@CORPX.UN |
- | kadmin.local: addprinc -e rc4-hmac:normal host/client2.corpX.un | + | |
- | ... | + | |
- | Enter password for principal "host/client2.corpX.un@CORPX.UN": Pa$$w0rd | + | |
- | ... | + | |
- | kadmin.local: listprincs | + | |
- | + | ||
- | kadmin.local: | + | |
</code> | </code> | ||
- |
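Review bot: In the new MIT (Linux) block of the "Регистрация рабочих станций windows в KDC" section, the workstation host principal is created with `addprinc -e rc4-hmac:normal host/client2.corpX.un` (and the same `-e rc4-hmac:normal` in the `kadmin.local -q` one-liner), which pins the key to RC4-HMAC; RC4 is a deprecated enctype in MIT Kerberos and Microsoft has been phasing it out of Windows Kerberos in favour of AES, so a key created this way is either refused by a current client or quietly downgrades that host's session keys. Unless the workstation genuinely cannot do AES, the example should use an AES enctype, e.g. `kadmin.local: addprinc -e aes256-cts-hmac-sha1-96:normal host/client2.corpX.un`, or drop `-e` altogether and let the KDC's configured default enctypes apply. Separately, the non-interactive examples added to the user-principal section (`kadmin.local -q 'addprinc -pw kpassword2 user2'`, the `change_password -pw` line and the `-pw 12345678` one-liner) put the password on the command line, where it lands in the shell history and is readable in the process list while kadmin.local runs; the interactive `addprinc` form shown just above, where kadmin prompts for the password, avoids that and is worth marking as the preferred form with a one-line note such as `# -pw is for scripting only: the password is visible in history and ps`. The HEIMDAL halves of these sections change only the example password and are not affected.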