Setting Up a Kerberos server (with Debian/Ubuntu)

xiaoxiao, 2024-05-16

First I created three VirtualBox VMs (Debian Linux) for the Kerberos server, the client and the SSH server:

    Kerberos server - kerberos.com
    Client - client.com
    SSH server - ssh.com

Then I added the following lines to the /etc/hosts file of each VM:

    10.0.0.1 kerberos.com
    10.0.0.2 client.com
    10.0.0.3 ssh.com

Make sure you can ping kerberos.com, ssh.com and client.com from all VMs (this checks that the host names resolve).

Kerberos Server
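Name resolution matters more for Kerberos than the ping test shows: the SSH server's principal is host/ssh.com, and the client builds that name from the canonical (first) name of the address it connects to, so an entry where ssh.com is only an alias on another host's line will resolve for ping but fail the Kerberos exchange. The following script is an added example, not part of the original write-up or the Debian-administration article; it checks an /etc/hosts-style file for exactly that forward/reverse consistency using only awk, over two constructed copies of the entries above.

```shell
#!/bin/bash
# Added example (not from the original article). Checks that an /etc/hosts
# style file gives every Kerberos host a consistent forward and reverse mapping:
# the host principal host/ssh.com is only found if ssh.com is the canonical
# (first) name on the line that carries its address. Needs only awk.

# Constructed copy of the write-up's three entries plus localhost.
HOSTS_OK='127.0.0.1 localhost
10.0.0.1 kerberos.com
10.0.0.2 client.com
10.0.0.3 ssh.com'

# Constructed broken variant: ssh.com was added as an alias of the client
# address, so 10.0.0.2 reverse-resolves to client.com, not ssh.com.
HOSTS_BAD='127.0.0.1 localhost
10.0.0.1 kerberos.com
10.0.0.2 client.com ssh.com'

# hosts_lookup HOSTS NAME -> prints the address listed for NAME (first match);
# returns 1 when NAME is absent. Comments and short lines are ignored.
hosts_lookup() {
    local ip
    ip=$(printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }')
    [ -n "$ip" ] && printf '%s\n' "$ip"
}

# hosts_canonical HOSTS IP -> prints the canonical name (first name) on the
# line for IP, which is what a reverse lookup against this file returns.
hosts_canonical() {
    local name
    name=$(printf '%s\n' "$1" | awk -v ip="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == ip { print $2; exit }')
    [ -n "$name" ] && printf '%s\n' "$name"
}

# hosts_check HOSTS NAME... -> 0 when every NAME maps to an address whose
# canonical name is NAME again; prints the first inconsistency and returns 1.
hosts_check() {
    local hosts name ip canon
    hosts=$1
    shift
    for name in "$@"; do
        ip=$(hosts_lookup "$hosts" "$name") || { echo "$name: no entry"; return 1; }
        canon=$(hosts_canonical "$hosts" "$ip")
        if [ "$canon" != "$name" ]; then
            echo "$name -> $ip -> $canon: reverse mapping does not match"
            return 1
        fi
    done
    echo "consistent: $*"
}

# Run the check over the two constructed files.
hosts_check "$HOSTS_OK" kerberos.com client.com ssh.com
hosts_check "$HOSTS_BAD" kerberos.com client.com ssh.com || echo "(expected failure)"
```

To run it against a real machine, pass `"$(cat /etc/hosts)"` as the first argument; when DNS rather than /etc/hosts is in use, the same canonical-name rule applies to the A and PTR records.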

Installing the Kerberos server (kerberos.com)

    apt-get install krb5-admin-server krb5-kdc

During the installation it may ask the following questions (my answers are shown in brackets):

    Default Kerberos version 5 realm? [KERBEROS.COM]
    Kerberos servers for your realm? [kerberos.com]
    Administrative server for your realm? [kerberos.com]

Configuring the Kerberos server

Before beginning, a new realm must be created:

    krb5_newrealm

Edit the /etc/krb5.conf file (add the following lines if they are not already there):

    [libdefaults]
        default_realm = KERBEROS.COM
        ...

    [realms]
        KERBEROS.COM = {
            kdc = kerberos.com
            admin_server = kerberos.com
        }
        ...

    [domain_realm]
        ...
        kerberos.com = KERBEROS.COM
        .kerberos.com = KERBEROS.COM

Note for CDH (Cloudera's Hadoop distribution): the KDC must also listen on TCP. Add the following line to /etc/krb5kdc/kdc.conf (in the [kdcdefaults] section):

    kdc_tcp_ports = 88

Then restart the KDC services:

    service krb5-admin-server restart
    service krb5-kdc restart
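The krb5.conf above is easy to get subtly wrong (a lower-case realm, a kdc line outside the realm stanza), and nothing in the write-up checks the kdc.conf change. The script below is an added example, not part of the original write-up or the Debian-administration article: it renders the minimal krb5.conf shown above for a given realm and KDC host, then parses krb5-style "key = value" files section by section so both krb5.conf and the kdc.conf TCP setting can be verified from a script. It assumes awk, tr and mktemp are available.

```shell
#!/bin/bash
# Added example (not from the original article). Renders the minimal
# /etc/krb5.conf from the write-up for a realm and KDC host, and parses
# krb5-style "key = value" files section by section so the result (and a
# kdc.conf) can be verified instead of eyeballed. Needs awk, tr and mktemp.

# render_krb5_conf REALM KDC -> prints a krb5.conf with the three sections
# from the write-up; the domain_realm entries are the realm in lower case.
render_krb5_conf() {
    local realm kdc domain
    realm=$1
    kdc=$2
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    $domain = $realm
    .$domain = $realm
EOF
}

# conf_get FILE SECTION KEY -> prints the value of the first "KEY = value"
# line inside [SECTION] (lines nested in a realm's { } block included);
# returns 1 when absent. Blank lines and # or ; comments are skipped.
conf_get() {
    local val
    val=$(awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && match($0, /^[ \t]*[A-Za-z0-9_.]+[ \t]*=/) {
            k = substr($0, RSTART, RLENGTH); sub(/^[ \t]*/, "", k); sub(/[ \t]*=$/, "", k)
            if (k == key) {
                v = substr($0, RSTART + RLENGTH); sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; exit
            }
        }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val"
}

# check_krb5_conf FILE -> 0 when default_realm is set in upper case and the
# [realms] section names a kdc and an admin_server; explains otherwise.
check_krb5_conf() {
    local realm kdc adm
    realm=$(conf_get "$1" libdefaults default_realm) || { echo "no default_realm"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm $realm is not upper case; it must match the realm created with krb5_newrealm"; return 1; }
    kdc=$(conf_get "$1" realms kdc) || { echo "no kdc in [realms]"; return 1; }
    adm=$(conf_get "$1" realms admin_server) || { echo "no admin_server in [realms]"; return 1; }
    echo "realm=$realm kdc=$kdc admin_server=$adm"
}

# kdc_listens_tcp88 KDC_CONF -> 0 when [kdcdefaults] kdc_tcp_ports includes 88
# (the CDH note above); 1 when the KDC would answer over UDP only.
kdc_listens_tcp88() {
    local ports
    ports=$(conf_get "$1" kdcdefaults kdc_tcp_ports) || return 1
    case ",$(printf '%s' "$ports" | tr -d ' ')," in
        *,88,*) return 0 ;;
    esac
    return 1
}

# Render the write-up's realm, then verify it and a constructed kdc.conf.
demo=$(mktemp -d)
render_krb5_conf KERBEROS.COM kerberos.com > "$demo/krb5.conf"
printf '[kdcdefaults]\n    kdc_ports = 750,88\n    kdc_tcp_ports = 88\n' > "$demo/kdc.conf"
check_krb5_conf "$demo/krb5.conf"
kdc_listens_tcp88 "$demo/kdc.conf" && echo "KDC listens on TCP/88"
rm -rf "$demo"
```

On a real host, `check_krb5_conf /etc/krb5.conf` and `kdc_listens_tcp88 /etc/krb5kdc/kdc.conf` run the same checks against the live files; the parser is deliberately simple and does not follow `include` or `includedir` directives.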

Adding users (principals)

Use the kadmin.local tool to add, delete and modify users (principals). Type kadmin.local to start the tool. Inside it, the command

    listprincs

lists the existing principals. To add the root user, type:

    addprinc root

If you want to assign an admin role to a user, use the following command:

    addprinc root/admin

Then you have to uncomment the */admin line in the /etc/krb5kdc/kadm5.acl file.

To check that the principal has been applied correctly, type the following command:

    kinit

kinit is used to get tickets from the Kerberos server. It will prompt for a password (enter the password given to the addprinc command). Now type the following command to see the ticket:

    klist

Client

Installing and configuring the client for Kerberos (client.com)

    apt-get install krb5-user

It will ask the same questions that were asked during the server installation. [Make sure you can ping kerberos.com from your client.com machine.]

Testing

To get a ticket for your client machine, type the following command:

    kinit root

or (depending on your principals on kerberos.com):

    kinit root/admin

If you get a ticket from kerberos.com, it's working!
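"If you get a ticket" is something you confirm by reading klist output; once the setup is scripted it helps to parse that output instead. The following script is an added example, not part of the original write-up or the Debian-administration article. It works on constructed klist output (the format MIT klist prints: a "Default principal:" line followed by a table whose last column is the service principal) and answers two questions: did kinit obtain a TGT for the expected realm, and is a service ticket for a given host cached. It needs only awk.

```shell
#!/bin/bash
# Added example (not from the original article). Parses klist output so the
# "did kinit work?" and "is there a ticket for ssh.com?" checks can be scripted
# rather than read by eye. Needs only awk.

# Constructed klist output on client.com after `kinit root` and one successful
# `ssh root@ssh.com`; the second ticket is the service ticket for the SSH host.
KLIST_AFTER_SSH='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@KERBEROS.COM

Valid starting       Expires              Service principal
05/16/2024 10:00:00  05/16/2024 20:00:00  krbtgt/KERBEROS.COM@KERBEROS.COM
05/16/2024 10:05:12  05/16/2024 20:00:00  host/ssh.com@KERBEROS.COM'

# Constructed klist output after `kdestroy`: the cache is gone.
KLIST_AFTER_KDESTROY='klist: No credentials cache found (filename: /tmp/krb5cc_0)'

# klist_principal TEXT -> prints the "Default principal"; returns 1 if none.
klist_principal() {
    local p
    p=$(printf '%s\n' "$1" | awk -F': ' '$1 == "Default principal" { print $2; exit }')
    [ -n "$p" ] && printf '%s\n' "$p"
}

# klist_has_service TEXT SERVICE -> 0 when a ticket line ends with exactly
# SERVICE (ticket lines have five fields: two timestamps and the principal).
klist_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        NF >= 5 && $NF == svc { found = 1 }
        END { exit !found }'
}

# klist_tgt_ok TEXT REALM -> 0 when the default principal is in REALM and a
# krbtgt/REALM@REALM ticket is cached; explains what is missing otherwise.
klist_tgt_ok() {
    local princ
    princ=$(klist_principal "$1") || { echo "no credentials cache: run kinit first"; return 1; }
    case $princ in
        *@"$2") ;;
        *) echo "principal $princ is not in realm $2"; return 1 ;;
    esac
    klist_has_service "$1" "krbtgt/$2@$2" || { echo "no TGT for $2 cached"; return 1; }
    echo "TGT for $princ present"
}

# Walk through the states the write-up's test produces.
klist_tgt_ok "$KLIST_AFTER_SSH" KERBEROS.COM
klist_has_service "$KLIST_AFTER_SSH" host/ssh.com@KERBEROS.COM && echo "service ticket for host/ssh.com cached"
klist_tgt_ok "$KLIST_AFTER_KDESTROY" KERBEROS.COM || echo "(expected after kdestroy)"
```

On a live client, `klist_tgt_ok "$(klist 2>&1)" KERBEROS.COM` performs the check directly; the `2>&1` matters because the "No credentials cache" message goes to stderr.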

Services

Using the SSH service with Kerberos (ssh.com)

Install the OpenSSH server and krb5-config:

    apt-get install openssh-server krb5-config

Configure /etc/krb5.conf accordingly (just like on the previous machines).

Configuring SSH to use Kerberos

Edit /etc/ssh/sshd_config and enable the following lines:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

Then restart the SSH server:

    /etc/init.d/ssh restart

Configuring the Kerberos server (kerberos.com) to work with ssh.com

Type the following commands on kerberos.com to add the ssh.com host principal and export its key to a keytab:

    kadmin.local
    addprinc -randkey host/ssh.com
    ktadd -k /tmp/ssh.com.keytab host/ssh.com

Now copy the /tmp/ssh.com.keytab file to the SSH server (ssh.com) using the command below:

    scp /tmp/ssh.com.keytab root@ssh.com:/etc/krb5.keytab

Configuring a client machine for Kerberos authentication

Edit /etc/ssh/ssh_config and enable the following lines:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Testing the SSH service with Kerberos

Log in to the client machine and get a ticket:

    kinit root

(or kinit root/admin). Then type the command below. It should log in to ssh.com without asking for a password:

    ssh root@ssh.com

Now type the following commands and check the difference:

    kdestroy
    ssh root@ssh.com
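Two details of the SSH step deserve a check once it works. The keytab copied to /etc/krb5.keytab holds the host's long-term key, so it must be readable by root only, and the /tmp/ssh.com.keytab copy left on kerberos.com should be deleted. And GSSAPIDelegateCredentials in /etc/ssh/ssh_config, enabled as shown above, forwards the user's TGT to every server the client connects to; placing it under a "Host ssh.com" block limits that to the one server. The script below is an added example, not part of the original write-up or the Debian-administration article: it verifies the keytab's file mode, the two sshd_config options, and whether an ssh_config delegates globally or only per host, over constructed config files. It assumes GNU stat (for `-c '%a'`), awk and mktemp.

```shell
#!/bin/bash
# Added example (not from the original article). Verifies the three things the
# SSH step above leaves unchecked: the keytab's file mode, the sshd_config
# options, and whether ssh_config forwards the TGT to every host or only to
# ssh.com. Assumes GNU stat (-c '%a'), awk and mktemp.

# Constructed sshd_config fragment with the two lines from the write-up.
SSHD_CONF='Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

# Constructed /etc/ssh/ssh_config exactly as the write-up enables it: the
# options sit outside any Host block, so the TGT is delegated to every server.
SSH_CONF_GLOBAL='GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes'

# Constructed hardened variant: delegate only to ssh.com, authenticate anywhere.
SSH_CONF_SCOPED='Host ssh.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes'

# keytab_perms_ok FILE -> 0 when FILE is a regular file with no group/other
# permission bits (e.g. 600); the keytab is the host's long-term key.
keytab_perms_ok() {
    local mode
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *00) echo "$1: mode $mode ok" ;;
        *)   echo "$1: mode $mode is too permissive, expected 600"; return 1 ;;
    esac
}

# ssh_conf_get FILE KEYWORD -> prints the value of the first uncommented
# KEYWORD line (OpenSSH keywords are case-insensitive; first match wins);
# returns 1 when absent. Not Host/Match aware.
ssh_conf_get() {
    local v
    v=$(awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# sshd_gssapi_ok SSHD_CONFIG -> 0 when GSSAPIAuthentication is yes and
# GSSAPICleanupCredentials is yes (OpenSSH defaults: no and yes respectively).
sshd_gssapi_ok() {
    local auth cleanup
    auth=$(ssh_conf_get "$1" GSSAPIAuthentication) || auth=no
    cleanup=$(ssh_conf_get "$1" GSSAPICleanupCredentials) || cleanup=yes
    [ "$auth" = yes ] || { echo "GSSAPIAuthentication is $auth, need yes"; return 1; }
    [ "$cleanup" = yes ] || { echo "GSSAPICleanupCredentials is $cleanup, need yes"; return 1; }
    echo "sshd accepts GSSAPI and removes delegated credentials at logout"
}

# delegation_is_global SSH_CONFIG -> 0 when "GSSAPIDelegateCredentials yes"
# applies to all hosts (outside every Host/Match block, or under "Host *").
delegation_is_global() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "host" || tolower($1) == "match" { scoped = !(NF == 2 && $2 == "*"); next }
        !scoped && tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { g = 1 }
        END { exit !g }' "$1"
}

# Write the constructed files and run the checks.
demo=$(mktemp -d)
printf '%s\n' "$SSHD_CONF" > "$demo/sshd_config"
printf '%s\n' "$SSH_CONF_GLOBAL" > "$demo/ssh_config.global"
printf '%s\n' "$SSH_CONF_SCOPED" > "$demo/ssh_config.scoped"
(umask 077; printf 'constructed placeholder, not a real keytab\n' > "$demo/krb5.keytab")
sshd_gssapi_ok "$demo/sshd_config"
keytab_perms_ok "$demo/krb5.keytab"
delegation_is_global "$demo/ssh_config.global" && echo "global ssh_config: TGT forwarded to every host"
delegation_is_global "$demo/ssh_config.scoped" || echo "scoped ssh_config: TGT forwarded to ssh.com only"
rm -rf "$demo"
```

On ssh.com, `keytab_perms_ok /etc/krb5.keytab` and `sshd_gssapi_ok /etc/ssh/sshd_config` check the live files; on the client, `delegation_is_global /etc/ssh/ssh_config` returning 0 means every host you ssh to receives a forwardable copy of your TGT.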

Source: http://www.debian-administration.org/articles/570
