Home | 简体中文 | 繁体中文 | 杂文 | Github | 知乎专栏 | Facebook | Linkedin | Youtube | 打赏(Donations) | About
知乎专栏

91.3. Network Authentication

91.3.1. Network Information Service (NIS)

91.3.1.1. 安装NIS服务器

过程 91.1. 安装NIS服务器

  1. ypserv

    				
    # yum install ypserv -y
    				
    				
  2. /etc/hosts

    				
    [root@nis ~]# hostname nis.example.com				
    [root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
    [root@nis ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    127.0.0.1 kerberos.example.com
    192.168.3.5 nis.example.com
    				
    				
  3. 设置NIS域名

    				
    # nisdomainname example.com
    # nisdomainname
    example.com
    				
    				

    加入 /etc/rc.local 开机脚本

    				
    # echo '/bin/nisdomainname example.com' >> /etc/rc.local
    # echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
    				
    				
  4. 设置/etc/ypserv.conf主配置文件

    				
    # vim /etc/ypserv.conf
    
    127.0.0.0/255.255.255.0 : * : * : none
    192.168.3.0/255.255.255.0 : * : * : none
    * : * : * : deny
    				
    				
  5. 创建 /var/yp/securenets 文件

    securenets 安全配置文件

    				
    # vim /var/yp/securenets
    host 127.0.0.1
    255.255.255.0 192.168.3.0
    				
    				
  6. 启动NIS服务器

    NIS服务器需要portmap服务的支持,并且需要启动ypserv和yppasswdd两个服务

    				
    [root@nis ~]# service portmap status
    portmap (pid 2336)
    is running...
    [root@nis ~]# service ypserv start
    Starting YP
    server services: [ OK ]
    [root@nis ~]# service yppasswdd start
    Starting YP passwd service: [ OK ]
    				
    				
  7. 构建NIS数据库

    32bit: /usr/lib/yp/ypinit -m

    64bit: /usr/lib64/yp/ypinit -m

    				
    [root@nis ~]# /usr/lib64/yp/ypinit -m
    
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nis.example.com is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add:  nis.example.com
            next host to add:
            next host to add:
    The current list of NIS servers looks like this:
    
    nis.example.com
    
    
    Is this correct?  [y/n: y]
    We need a few minutes to build the databases...
    Building /var/yp/example.com/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/example.com'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/example.com'
    
    nis.example.com has been set up as a NIS master server.
    
    Now you can run ypinit -s nis.example.com on all slave server.
    
    				
    				

    检查

    				
    # ls /var/yp/
    binding example.com Makefile nicknames securenets ypservers				
    				
    				
  8. Service

    				
    [root@datacenter ~]# chkconfig --list | grep yp
    ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    
    [root@nis ~]# chkconfig ypserv on
    [root@nis ~]# chkconfig yppasswdd on
    				
    				

91.3.1.2. Slave NIS Server

Now you can run ypinit -s nis.example.com on all slave server.

		
# ypinit -s nis.example.com		
		
		

91.3.1.3. 客户机软件安装

过程 91.2. 安装NIS客户端软件

  1. NIS客户机需要安装ypbind和yp-tools两个软件包

    				
    # yum install ypbind yp-tools -y
    				
    				
  2. NIS域名

    				
    # nisdomainname example.com
    				
    				
  3. /etc/hosts

    				
    192.168.3.5 nis.example.com
    				
    				
  4. /etc/yp.conf

    				
    # vim /etc/yp.conf
    domain example.com server nis.example.com
    				
    				
  5. /etc/nsswitch.conf

    				
    # vim /etc/nsswitch.conf
    passwd: files nis
    shadow: files nis
    group: files nis
    hosts: files nis dns
    				
    				
  6. 启动ypbind服务程序

    				
    [root@test ~]# service portmap status
    portmap is stopped
    [root@test ~]# service portmap start
    Starting portmap: [ OK ]
    [root@test ~]# service ypbind start
    Turning on allow_ypbind SELinux boolean
    Binding to the NIS domain: [ OK ]
    Listening for an NIS domain server..
    				
    				
  7. yp-tools 测试工具

    yptest 命令可对NIS服务器进行自动测试

    				
    # yptest	
    				
    				

    ypwhich 命令可显示NIS客户机所使用的NIS服务器的主机名称和数据库文件列表

    				
    # ypwhich
    # ypwhich -x			
    				
    				

    ypcat命令显示数据库文件列表和指定数据库的内容

    				
    # ypcat -x
    # ypcat passwd				
    				
    				
  8. NIS Client Service

    				
    # chkconfig ypbind on				
    				
    				

91.3.1.4. Authentication Configuration

		
# authconfig-tui		
		
		

Use NIS

		
                ┌────────────────┤ Authentication Configuration ├─────────────────┐
                │                                                                 │
                │  User Information        Authentication                         │
                │  [ ] Cache Information   [*] Use MD5 Passwords                  │
                │  [ ] Use Hesiod          [*] Use Shadow Passwords               │
                │  [ ] Use LDAP            [ ] Use LDAP Authentication            │
                │  [*] Use NIS             [ ] Use Kerberos                       │
                │  [ ] Use Winbind         [ ] Use SMB Authentication             │
                │                          [ ] Use Winbind Authentication         │
                │                          [ ] Local authorization is sufficient  │
                │                                                                 │
                │            ┌────────┐                      ┌──────┐             │
                │            │ Cancel │                      │ Next │             │
                │            └────────┘                      └──────┘             │
                │                                                                 │
                │                                                                 │
                └─────────────────────────────────────────────────────────────────┘		
		
		

NIS Settings

		
                        ┌─────────────────┤ NIS Settings ├─────────────────┐
                        │                                                  │
                        │ Domain: example.com_____________________________ │
                        │ Server: nis.example.com_________________________ │
                        │                                                  │
                        │         ┌──────┐                 ┌────┐          │
                        │         │ Back │                 │ Ok │          │
                        │         └──────┘                 └────┘          │
                        │                                                  │
                        │                                                  │
                        └──────────────────────────────────────────────────┘
		
		

91.3.1.5. application example

nis server:

在NIS服务器上创建一个test用户

		
# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m
		
		

nis client

使用test用户登录到客户机

		
ssh test@client.example.com		
		
		

测试

		
[root@test ~]# yptest
Test 1: domainname
Configured domainname is "example.com"

Test 2: ypbind
Used NIS server:
nis.example.com

Test 3: yp_match
WARNING: No such key in map (Map
passwd.byname, key nobody)

Test 4: yp_first
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash

Test 5: yp_next
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash

Test 6: yp_master
nis.example.com

Test 7: yp_order
1271936660

Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr

Test 9: yp_all
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed		
		
		

更改密码

		
$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on
nis.example.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on nis.example.com.		
		
		
		
-bash-3.2$ ypcat hosts 
127.0.0.1 localhost.localdomain localhost 
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com

-bash-3.2$ ypcat passwd
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
		
		
		
-bash-3.2$
ypwhich
nis.example.com

ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
		
		

91.3.1.6. Mount /home volume from NFS

在NIS服务器中将“/home”输出为NFS共享目录

		
# vi /etc/exports
/home 192.168.3.0/24(sync,rw,no_root_squash)		
		
		

重启NFS服务

		
# service nfs restart
		
		

在NIS客户端中挂载“/home”目录

		
		# vi /etc/fstab
192.168.1.10:/home/ /home nfs 	defaults 0 0		
		
		

mount home volume

		
# mount /home
		
		

91.3.2. OpenLDAP

91.3.2.1. Server

  1. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

    sudo apt-get install slapd ldap-utils				
    				

    By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:

    sudo dpkg-reconfigure slapd				
    				
  2. example.com.ldif

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
    
    dn: uid=john,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    userPassword: password
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@example.com
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    postalAddress: 
    initials: JD
    
    dn: cn=example,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: example
    gidNumber: 10000
    				
  3. To add the entries to the LDAP directory use the ldapadd utility:

    ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
    				

    We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:

    ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
    
    dn: uid=john,ou=people,dc=example,dc=com
    cn: John Doe
    sn: Doe
    givenName: John				
    				

Just a quick explanation:

-x: will not use SASL authentication method, which is the default.

-LLL: disable printing LDIF schema information.

91.3.2.2. Client

  1. libnss-ldap

    sudo apt-get install libnss-ldap
    				
  2. reconfigure ldap-auth-config

    sudo dpkg-reconfigure ldap-auth-config
    				
  3. auth-client-config

    sudo auth-client-config -t nss -p lac_ldap				
    				
  4. pam-auth-update.

    sudo pam-auth-update
    				

91.3.2.3. User and Group Management

sudo apt-get install ldapscripts
		

/etc/ldapscripts/ldapscripts.conf

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000		
		

Now, create the ldapscripts.passwd file to allow authenticated access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd		
		

91.3.3. Kerberos

(Kerberos: Network Authentication Protocol)

http://web.mit.edu/Kerberos/

kerberos是由MIT开发的提供网络认证服务的系统,很早就听说过它的大名,但一直没有使用过它。 它可用来为网络上的各种server提供认证服务,使得口令不再是以明文方式在网络上传输,并且联接之间通讯是加密的; 它和PKI认证的原理不一样,PKI使用公钥体制(不对称密码体制),kerberos基于私钥体制(对称密码体制)。

91.3.3.1. Kerberos 安装

CentOS 安装

获得krb5的安装包

yum search krb5
[root@centos ~]# yum search krb5
========================================== Matched: krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
		

安装

yum install krb5-server.i386
[root@centos ~]# yum install krb5-server
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch               Version                       Repository           Size
====================================================================================================
Installing:
 krb5-server             x86_64             1.6.1-36.el5_4.1              updates             914 k

Transaction Summary
====================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
[root@datacenter ~]#Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch               Version                       Repository           Size
====================================================================================================
Installing:
 krb5-server             x86_64             1.6.1-36.el5_4.1              updates             914 k

Transaction Summary
====================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                  1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
		
yum install krb5-workstation
[root@centos ~]# yum install krb5-workstation
		
yum install krb5-libs
		
		
Install by apt-get

过程 91.3. installation

  1. $ sudo apt-get install krb5-admin-server		
    				
  2. Configuring

    				
      ┌──────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
      │                                                                                              │
      │ Setting up a Kerberos Realm                                                                  │
      │                                                                                              │
      │ This package contains the administrative tools required to run the Kerberos master server.   │
      │                                                                                              │
      │ However, installing this package does not automatically set up a Kerberos realm.  This can   │
      │ be done later by running the "krb5_newrealm" command.                                        │
      │                                                                                              │
      │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide    │
      │ found in the krb5-doc package.                                                               │
      │                                                                                              │
      │                                            <Ok>                                              │
      │                                                                                              │
      └──────────────────────────────────────────────────────────────────────────────────────────────┘
    				
    				

    OK

    				
     ┌───────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐
     │                                                                                               │
     │ Kadmind serves requests to add/modify/remove principals in the Kerberos database.             │
     │                                                                                               │
     │ It is required by the kpasswd program, used to change passwords. With standard setups, this   │
     │ daemon should run on the master KDC.                                                          │
     │                                                                                               │
     │ Run the Kerberos V5 administration daemon (kadmind)?                                          │
     │                                                                                               │
     │                           <Yes>                              <No>                             │
     │                                                                                               │
     └───────────────────────────────────────────────────────────────────────────────────────────────┘				
    				
    				

    Yes

91.3.3.2. Kerberos Server

过程 91.4. Kerberos Server 配置步骤

  1. Create the Database

    创建Kerberos的本地数据库

    kdb5_util create -r EXAMPLE.COM -s
    [root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:		
    				
  2. /etc/krb5.conf

    # cp /etc/krb5.conf /etc/krb5.conf.old
    # vim /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     EXAMPLE.COM = {
      kdc = kerberos.example.com:88
      admin_server = kerberos.example.com:749
      default_domain = example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    				

    检查下面配置文件 /var/kerberos/krb5kdc/kadm5.acl

    [root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@EXAMPLE.COM     *
    				

    格式

    The format of the file is:
    
         Kerberos_principal      permissions     [target_principal]	[restrictions]
    				
  3. Add Administrators to the Kerberos Database

    创建账号

    [root@datacenter ~]# kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc admin/admin@EXAMPLE.COM
    WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "admin/admin@EXAMPLE.COM":
    Re-enter password for principal "admin/admin@EXAMPLE.COM":
    Principal "admin/admin@EXAMPLE.COM" created.
    kadmin.local:
    				

    也同样可以使用下面命令

    kadmin.local -q "addprinc username/admin"
    [root@datacenter ~]# kadmin.local -q "addprinc krbuser"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "krbuser@EXAMPLE.COM":
    Re-enter password for principal "krbuser@EXAMPLE.COM":
    Principal "krbuser@EXAMPLE.COM" created.
    				
  4. Create a kadmind Keytab

    				
    [root@datacenter ~]# kadmin.local -q  "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw"
    Authenticating as principal admin/admin@EXAMPLE.COM with password.
    kadmin.local: Principal => does not exist.
    Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.				
    				
    				
  5. Start the Kerberos Daemons on the Master KDC

    启动 Kerberos进程

    [root@datacenter ~]# sudo /etc/init.d/krb524 start
    Starting Kerberos 5-to-4 Server:                           [  OK  ]
    
    [root@datacenter ~]# sudo /etc/init.d/krb5kdc restart
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Starting Kerberos 5 KDC:                                   [  OK  ]
    
    [root@datacenter ~]# sudo /etc/init.d/kadmin start
    Starting Kerberos 5 Admin Server:                          [  OK  ]
    				
  6. Log 文件

    [root@datacenter ~]# cat /var/log/krb5kdc.log
    
    [root@datacenter ~]# cat /var/log/krb5libs.log
    
    [root@datacenter ~]# cat /var/log/kadmind.log
    				

91.3.3.3. Kerberos Client

过程 91.5. Kerberos Client 配置步骤

  1. Ticket Management

    1. Obtaining Tickets with kinit

      [root@datacenter ~]# kinit admin/admin
      Password for admin/admin@EXAMPLE.COM:				
      				
    2. Viewing Your Tickets with klist

      [root@datacenter ~]# klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: admin/admin@EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      03/25/10 16:15:18  03/26/10 16:15:18  krbtgt/EXAMPLE.COM@ZEXAMPLECOM
      
      
      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
      				
    3. Destroying Your Tickets with kdestroy

      [root@datacenter ~]# kdestroy
      [root@datacenter ~]# klist
      klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
      
      
      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached
      				
  2. Password Management

    Changing Your Password

     
    				   
    [root@datacenter ~]# kpasswd
    Password for admin/admin@EXAMPLE.COM:
    Enter new password:
    Enter it again:
    Password changed.
    				
    				

91.3.3.4. Kerberos Management

ktutil - Kerberos keytab file maintenance utility
[root@datacenter ~]# ktutil
ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
ktutil: q
			
klist - list cached Kerberos tickets
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:53:02  03/26/10 16:53:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10  03/26/10 16:53:02  host/172.16.0.8@


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
			

91.3.3.5. OpenSSH Authentications

Configuring the Application server system
[root@datacenter ~]# kinit   admin/admin
Password for admin/admin@EXAMPLE.COM:

[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.

[root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                  kadmin/admin@EXAMPLE.COM
   2    3                  kadmin/admin@EXAMPLE.COM
   3    3               kadmin/changepw@EXAMPLE.COM
   4    3               kadmin/changepw@EXAMPLE.COM
   5    3               host/172.16.0.8@EXAMPLE.COM
   6    3               host/172.16.0.8@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]#
			
Configuring the Application client system

/etc/ssh/sshd_config

KerberosAuthentication yes
			

91.3.4. FreeRADIUS (Remote Authentication Dial In User Service)

radiusd - Authentication, Authorization and Accounting server

I want to authorize Wi-Fi Protected Access with freeradius for Wi-Fi Route.

http://freeradius.org/

  • debian/ubuntu

  • FreeRADIUS

  • D-Link DI-624+A

91.3.4.1. 安装 FreeRADIUS

Ubuntu

some package of freeradius.

netkiller@shenzhen:~$ apt-cache search freeradius

freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
			

install

netkiller@shenzhen:~$ sudo apt-get install freeradius
			

OK, we have installed let's quickly test it. the '******' is your password.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20
			

if you can see 'Access-Accept', you have succeed

let me to input an incorrect password.

netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20
			

you will see 'Access-Reject'.

默认你只能通过localhost访问radius, 如需其他网络访问需要在配置文件中添加类似下面配置,配置文件在 /etc/freeradius/clients.conf

# vim /etc/freeradius/clients.conf

client 172.16.0.0/24 {
       secret          = testing123
       shortname       = freeradius.example.com
}
			
安装 radiusd

CentOS与Ubuntu安装包有所不同,配置文件在 /etc/raddb下面

过程 91.6. 安装步骤

  1. yum 安装

    yum install -y freeradius
    					
    # yum install freeradius freeradius-utils			
    					
  2. 设置启动文件

    chkconfig radiusd on
    service radiusd start
    					
  3. 配置 radiusd

    cp /etc/raddb/clients.conf{,.original}
    cp /etc/raddb/users{,.original}
    cp /etc/raddb/sites-enabled/default{,.original}
    					
    					
    cat >> /etc/raddb/clients.conf <<EOF
    
    client 192.168.0.0/16 {
           secret          = testing123
           shortname       = freeradius.example.com
    }
    EOF				
    					
    					

    /etc/raddb/users

    guest Cleartext-Password := "test"
    					

    /etc/raddb/sites-enabled/default

    					
  4. 测试 radiusd

    $ radtest guest test 192.168.2.1 1812 testing123
    Sending Access-Request of id 223 to 192.168.2.1 port 1812
    	User-Name = "guest"
    	User-Password = "test"
    	NAS-IP-Address = 127.0.1.1
    	NAS-Port = 1812
    	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 192.168.2.1 port 1812, id=223, length=20
    					

91.3.4.2. ldap

91.3.4.3. mysql

91.3.4.4. WAP2 Enterprise

WRT54G

91.3.5. SASL (Simple Authentication and Security Layer)

91.3.6. GSSAPI (Generic Security Services Application Program Interface)