1. KDC SSH service structure
2. Preparing the machines
(1) The /etc/hosts file
# /etc/hosts
192.168.19.11 node1
192.168.19.12 node2
192.168.19.13 node3
192.168.19.14 node4
192.168.19.15 node5
// node5 is the KDC server, node1 is the jump host, and node2, node3 and node4 are the SSH servers
// both the jump host and the SSH servers are clients of the KDC
(2) Time synchronization: all five machines must have the same time. Kerberos rejects requests whose clock skew exceeds the permitted limit (5 minutes by default).
date -s "2020-09-17 12:20:20"
3. Building the KDC server
(1) yum install krb5-server krb5-libs krb5-auth-dialog -y
(2) Edit the configuration file /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HADOOP.COM = {
kdc = node5
admin_server = node5
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
(3) Edit /var/kerberos/krb5kdc/kdc.conf; create it if it does not exist
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts   # note: the aes256 encryption type is removed here
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
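The supported_enctypes line above keeps single-DES, triple-DES and RC4 types alongside AES. Single DES was removed from MIT Kerberos in release 1.18, and triple DES and RC4 (arcfour-hmac) were deprecated in 1.19, so it is worth knowing exactly which legacy types a kdc.conf still enables before the KDC goes live. The following POSIX shell script is an added example, not code from the original post: it audits the supported_enctypes line of a kdc.conf-style file and lists the legacy types. The kdc.conf sample it writes is constructed for the demonstration (modelled on the one above), and treating single DES, triple DES and RC4 as "weak" is an assumption made in the script.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the supported_enctypes line of a
# kdc.conf-style file and report the legacy encryption types that are still enabled.
# Classifying single DES, triple DES and RC4 as "weak" is an assumption made here.

# Write a constructed kdc.conf sample (modelled on the one in the post) to the path in $1.
make_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  #supported_enctypes = aes256-cts:normal aes128-cts:normal
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

# Print every enctype from the active (uncommented) supported_enctypes line of $1,
# one per line, with the ":salt" suffix removed.
list_enctypes() {
    grep -v '^[[:space:]]*#' "$1" \
    | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' \
    | tr ' \t' '\n\n' \
    | sed 's/:.*$//' \
    | grep -v '^$'
}

# Print the weak enctypes enabled in $1; exit status 0 if any were found, 1 if none.
weak_enctypes() {
    list_enctypes "$1" | grep -E '^(des-|des3-|arcfour-)'
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample_kdc_conf "$sample"
echo "enabled enctypes:"
list_enctypes "$sample"
if weak_enctypes "$sample" > /dev/null; then
    echo "WARNING: legacy enctypes still enabled:"
    weak_enctypes "$sample"
fi
rm -f "$sample"
```

Pointing list_enctypes and weak_enctypes at the real /var/kerberos/krb5kdc/kdc.conf works the same way; on the sample, the script lists six enabled types and flags five of them as legacy. Commented-out supported_enctypes lines are ignored, so a leftover "#supported_enctypes = ..." line does not produce a false alarm.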
(4) Configure database access permissions: edit /var/kerberos/krb5kdc/kadm5.acl
# any principal with an /admin instance is treated as an administrator and is granted all permissions
*/admin@HADOOP.COM *
(5) Create the database, add the administrator account, and start the KDC server
kdb5_util create -r HADOOP.COM -s
Run kadmin.local to enter database administration, then:
addprinc root/admin   # you will be prompted for a password; save it, it is needed later (this works much like MySQL)
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin   // add the admin service key
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Start the KDC server:
systemctl start krb5kdc
systemctl start kadmin
Note: on the server, log in with kadmin.local; on a client, log in with kadmin -p "root/admin"
4. Building the KDC clients
(1) Install: yum install krb5-workstation krb5-devel krb5-libs -y
(2) Copy the configuration file /etc/krb5.conf to every KDC client, here node1, node2, node3 and node4
5. Registering services and users on the KDC server
(1) On the KDC server, run:
kadmin.local
addprinc tom
addprinc -randkey host/node1
addprinc -randkey host/node2
addprinc -randkey host/node3
addprinc -randkey host/node4
(2) Distribute the keys; run the following on each KDC client.
First log in with kadmin -p 'root/admin'
On node1:
ktadd -k /etc/krb5.keytab tom
exit
kinit -kt /etc/krb5.keytab tom   // obtain a ticket for tom from the keytab
On node2 to node4, with the matching host principal on each:
ktadd -k /etc/krb5.keytab host/node2
exit
useradd tom
(3) Edit /etc/ssh/sshd_config and restart the sshd service.
// enable Kerberos authentication in the configuration file on node2, node3, node4 and node5
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
// restart the service
systemctl restart sshd
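A pitfall when editing sshd_config is that sshd uses the first value it finds for a keyword, so appending "GSSAPIAuthentication yes" at the end of a file that still carries an earlier "GSSAPIAuthentication no" leaves GSSAPI disabled even though the new line is present. The following POSIX shell script is an added example, not code from the original post: it reads the effective global value of each directive the way sshd does (first occurrence wins, keyword case-insensitive, "Key value" and "Key=value" both accepted, parsing stops at the first Match block) and checks the three directives above. The two embedded sshd_config samples are constructed for the demonstration, and the defaults it assumes for unset keywords (no for the two authentication keywords, yes for GSSAPICleanupCredentials) follow the sshd_config manual.

```shell
#!/bin/sh
# Added example, not part of the original post: check that sshd_config enables the
# Kerberos/GSSAPI directives the way sshd itself will read them.
# The embedded sshd_config samples are constructed; the defaults assumed for unset
# keywords follow the sshd_config manual (GSSAPIAuthentication and
# KerberosAuthentication default to no, GSSAPICleanupCredentials defaults to yes).

# Print the effective global value of keyword $2 in the sshd_config at $1.
# Mirrors sshd's rules: the first occurrence wins, keywords are case-insensitive,
# "Key value" and "Key=value" are both accepted, comment and blank lines are skipped,
# and parsing stops at the first Match block. Prints nothing if the keyword is absent.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # split at the first run of blanks or "=" between keyword and value
            if (match(line, /[[:space:]=]+/) == 0) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            if (k == "match") exit
            if (k == key) { print v; exit }
        }' "$1"
}

# Check that keyword $2 in $1 is effectively "yes"; $3 is the default used when unset.
check_directive() {
    val=$(sshd_option "$1" "$2" | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then val="$3"; fi
    if [ "$val" = "yes" ]; then return 0; fi
    echo "$2: expected yes, effective value is '$val'"
    return 1
}

# Return 0 if the three directives from the post are effectively enabled, else 1.
sshd_gssapi_ready() {
    rc=0
    check_directive "$1" KerberosAuthentication no || rc=1
    check_directive "$1" GSSAPIAuthentication no || rc=1
    check_directive "$1" GSSAPICleanupCredentials yes || rc=1
    return $rc
}

# Constructed samples. "appended" reproduces the common mistake of appending the new
# directives to a file that still carries an earlier "GSSAPIAuthentication no";
# "fixed" relies on the default for GSSAPICleanupCredentials and ends with a Match block.
write_sshd_sample() {
    case "$2" in
    appended) cat > "$1" <<'EOF'
Port 22
#GSSAPIAuthentication yes
GSSAPIAuthentication no
PasswordAuthentication yes
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
    ;;
    fixed) cat > "$1" <<'EOF'
Port 22
KerberosAuthentication yes
GSSAPIAuthentication = yes
PasswordAuthentication yes
Match Address 192.168.19.0/24
    PasswordAuthentication no
EOF
    ;;
    esac
}

# Demonstration on both samples.
for variant in appended fixed; do
    f=$(mktemp)
    write_sshd_sample "$f" "$variant"
    if sshd_gssapi_ready "$f"; then echo "$variant: GSSAPI login ready"; else echo "$variant: NOT ready"; fi
    rm -f "$f"
done
```

On a real host, call sshd_gssapi_ready /etc/ssh/sshd_config after sourcing the script; the "appended" sample fails the check because the earlier "GSSAPIAuthentication no" wins, while "fixed" passes with GSSAPICleanupCredentials left at its default. The authoritative view of what sshd actually loaded is "sshd -T", which prints the effective configuration.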
(4) On the SSH client, edit the configuration file /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
(5) Verification
Initialize the tom account (obtain its ticket from the keytab):
kinit -kt /etc/krb5.keytab tom
ssh tom@node2 -vvv   // -vvv shows the debugging output
ssh tom@node3
ssh tom@node4