{"id":1540,"date":"2017-07-15T16:20:35","date_gmt":"2017-07-15T14:20:35","guid":{"rendered":"http:\/\/miroslaw.borodziuk.eu\/?p=1540"},"modified":"2017-08-18T22:15:03","modified_gmt":"2017-08-18T20:15:03","slug":"kerberos","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2017\/07\/15\/kerberos\/","title":{"rendered":"Kerberos"},"content":{"rendered":"

Kerberos to protok\u00f3\u0142 s\u0142u\u017c\u0105cy do identyfikacji (autentykacji) stworzony w MIT w roku 1988. Klienci \u0142\u0105cz\u0105 si\u0119 do serwera KDC (Kerberos Distribution Center – Centrum Dystrybucji Kluczy<\/em>) u\u017cywaj\u0105c pewnego rodzaju loginu nazywanego principal <\/em>i otrzymuj\u0105 ticket<\/em> (bilet). Tak d\u0142ugo jak ticket jest wa\u017cny klient ma dost\u0119p do chronionych przez kerberos us\u0142ug i nie potrzebuje identyfikacji przy ka\u017cdym dost\u0119pie do zasobu. Klient i serwer KDC musz\u0105 by\u0107 w tym samym realm <\/em>(jest to zazwyczaj nazwa domeny pisana du\u017cymi literami).<\/p>\n

<\/p>\n

Wymagania wst\u0119pne.<\/span><\/p>\n

Przed uruchomieniem Kerberosa wymagane jest ustawienie synchronizacji czasu przez NTP. Je\u017celi DNS nie jest skonfigurowany w pliku \/etc\/hosts musz\u0105 by\u0107 stosowne wpisy zast\u0119puj\u0105ce DNS, np:<\/p>\n

192.168.1.1 kdc.example.com     kdc\r\n192.168.1.2 server.example.com  server\r\n192.168.1.3 client.example.com  client<\/pre>\n
Po adresie IP zawsze musi by\u0107 wpisana nazwa hosta w wersji pe\u0142nej tj. wraz z ddomen\u0105 (FQDN), a po\u017aniej dopiero mo\u017ce by\u0107 nazwa skr\u00f3cona. W przeciwnym wypadku autentykacja Kerberos nie b\u0119dzie dzia\u0142a\u0107.<\/span><\/p>\n
 <\/p>\n
Instalacja i konfiguracja serwera.<\/span><\/p>\n
Instalacja pakiet\u00f3w Kerberos:<\/p>\n
# yum install -y krb5-server krb5-workstation pam_krb5<\/pre>\n
Edycja pliku \/var\/kerberos\/krb5kdc\/kdc.conf<\/code> i zast\u0105pienie EXAMPLE.COM<\/code> swoim w\u0142asnym realm.<\/p>\n
# vim \/var\/kerberos\/krb5kdc\/kdc.conf\r\n\r\n[kdcdefaults]\r\nkdc_ports = 88\r\nkdc_tcp_ports = 88\r\n\r\n[realms]\r\nEXAMPLE.COM = {\r\n#master_key_type = aes256-cts\r\nacl_file = \/var\/kerberos\/krb5kdc\/kadm5.acl\r\ndict_file = \/usr\/share\/dict\/words\r\nadmin_keytab = \/var\/kerberos\/krb5kdc\/kadm5.keytab\r\nsupported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal\r\n}<\/pre>\n
Opcjonalnie mo\u017cna odkomentowa\u0107 lini\u0119 master_key_type = aes256-cts<\/code> i doda\u0107 wpis w bloku [realms]: default_principal_flags = +preauth.\u00a0<\/code>Usunie to kompatybilno\u015b\u0107 z Kerberos 4 ale zwi\u0119kszy bezpiecze\u0144stwo.<\/p>\n
[kdcdefaults]\r\nkdc_ports = 88\r\nkdc_tcp_ports = 88\r\n\r\n[realms]\r\nEXAMPLE.LOCAL = {\r\nmaster_key_type = aes256-cts\r\ndefault_principal_flags = +preauth\r\nacl_file = \/var\/kerberos\/krb5kdc\/kadm5.acl\r\ndict_file = \/usr\/share\/dict\/words\r\nadmin_keytab = \/var\/kerberos\/krb5kdc\/kadm5.keytab\r\nsupported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal\r\n}<\/pre>\n
Teraz edycja pliku \/etc\/krb5.conf.<\/code> Odkomentowa\u0107 nale\u017cy wszystkie linie, EXAMPLE.COM<\/code> zast\u0119pujemy swoim realmem, example.com<\/code> swoj\u0105 domen\u0105\u00a0 (np. EXAMPLE.COM = NAZWA.PL, example.com = nazwa.pl<\/code>), kerberos.example.com<\/code> zast\u0119pujemy swoim w\u0142asnym serwerem KDC (np. kdc.example.com<\/code>):<\/p>\n
# vim krb5.conf\r\n\r\nConfiguration snippets may be placed in this directory as well\r\nincludedir \/etc\/krb5.conf.d\/\r\n\r\n[logging]\r\ndefault = FILE:\/var\/log\/krb5libs.log\r\nkdc = FILE:\/var\/log\/krb5kdc.log\r\nadmin_server = FILE:\/var\/log\/kadmind.log\r\n\r\n[libdefaults]\r\ndns_lookup_realm = false\r\nticket_lifetime = 24h\r\nrenew_lifetime = 7d\r\nforwardable = true\r\nrdns = false\r\ndefault_realm = EXAMPLE.COM\r\ndefault_ccache_name = KEYRING:persistent:%{uid}\r\n\r\n[realms]\r\nEXAMPLE.COM = {\r\nkdc = kdc.example.com\r\nadmin_server = kdc.example.com\r\n}\r\n\r\n[domain_realm]\r\n.example.com = EXAMPLE.COM\r\nexample.com = EXAMPLE.COM<\/pre>\n
Edytujemy plik \/var\/kerberos\/krb5kdc\/kadm5.acl<\/code> i zast\u0119pujemy EXAMPLE.COM<\/code> swoim realm.<\/p>\n
# vim \/var\/kerberos\/krb5kdc\/kadm5.acl\r\n*\/admin@EXAMPLE.COM *<\/pre>\n
Tworzymy baz\u0119 Kerberos (zst\u0119pujemy EXAMPLE.COM<\/code> swoim realm):<\/p>\n
# kdb5_util create -s -r EXAMPLE.COM\r\nLoading random data\r\nInitializing database '\/var\/kerberos\/krb5kdc\/principal' for realm 'EXAMPLE.COM',\r\nmaster key name 'K\/M@EXAMPLE.COM'\r\nYou will be prompted for the database Master Password.\r\nIt is important that you NOT FORGET this password.\r\nEnter KDC database master key: example\r\nRe-enter KDC database master key to verify: example<\/pre>\n
Generowanie bazy trwa nawet kilka minut. Mo\u017ce by\u0107 potrzeba napisania pewnej ilo\u015bci znak\u00f3w na klawiaturze aby zwi\u0119kszy\u0107 entropie potrzebn\u0105 do generowania danych.<\/p>\n
Uruchomienie, autostart us\u0142ugi Kerberos:<\/p>\n
# systemctl start krb5kdc kadmin\r\n# systemctl enable krb5kdc kadmin<\/pre>\n
Utworzenie u\u017cytkownika user01<\/em> na testy. Na klientach serwera kerberos (server.example.com<\/em> i desktop.example.com<\/em> wg opis\u00f3w\u00a0 z linku na samym dole artyku\u0142u) user01<\/em> musi mie\u0107 to samo uid.<\/p>\n
# useradd -u 3001 user01<\/pre>\n
Uruchomienie narz\u0119dzia administracji Kerberosem:<\/p>\n
# kadmin.local\r\nAuthenticating as principal root\/admin@EXAMPLE.COM with password.<\/pre>\n
Dodanie administatora:<\/p>\n
kadmin.local: addprinc root\/admin\r\nAuthenticating as principal root\/admin@EXAMPLE.COM with password.\r\nWARNING: no policy specified for root\/admin@EXAMPLE.COM; defaulting to no policy\r\nEnter password for principal \"root\/admin@EXAMPLE.COM\": kerberos\r\nRe-enter password for principal \"root\/admin@EXAMPLE.COM\": kerberos\r\nPrincipal \"root\/admin@EXAMPLE.COM\" created.<\/pre>\n
Dodanie u\u017cytkownika user01<\/em>:<\/p>\n
kadmin.local: addprinc user01\r\nEnter password for principal \"user01@EXAMPLE.COM\": user01\r\nRe-enter password for principal \"user01@EXAMPLE.COM\": user01\r\nPrincipal \"user01@EXAMPLE.COM\" created.<\/pre>\n
Dodanie hosta:<\/p>\n
kadmin.local: addprinc -randkey host\/kdc.example.com\r\nAuthenticating as principal root\/admin@EXAMPLE.COM with password.\r\nWARNING: no policy specified for host\/kdc.example.com@EXAMPLE.COM; defaulting to no policy\r\nPrincipal \"host\/kdc.example.com@EXAMPLE.COM\" created.<\/pre>\n
Utworzenie lokalnej kopii bazy w pliku \/etc\/krb5.keytab<\/code>:<\/p>\n
kadmin.local: ktadd host\/kdc.example.com\r\nAuthenticating as principal root\/admin@EXAMPLE.COM with password.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:\/etc\/krb5.keytab.\r\nEntry for principal host\/kdc.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:\/etc\/krb5.keytab.<\/pre>\n
Wyj\u015bcie z administracji Kerberosem:<\/p>\n
kadmin.local: quit<\/pre>\n
Edycja pliku \/etc\/ssh\/ssh_config<\/code>\u00a0 i dodanie\/odkomentowanie linii:<\/p>\n
GSSAPIAuthentication yes\r\nGSSAPIDelegateCredentials yes<\/pre>\n
Prze\u0142adowanie demona ssh<\/em>:<\/p>\n
# systemctl reload sshd<\/pre>\n
Konfiguracja komponentu PAM z linii komend:<\/p>\n
# authconfig --enablekrb5 --update<\/pre>\n
Odblokowanie na firewallu portu dla us\u0142ugi Kerberos (udp\/tcp 88) oraz portu tcp 749 dla kadmin.<\/p>\n
# firewall-cmd --permanent --add-service=kerberos\r\n# firewall-cmd --permanent --add-port=749\/tcp\r\n# firewall-cmd --reload<\/pre>\n
Test konfiguracji:<\/p>\n
# su - user01\r\n\r\n$ kinit\r\nPassword for user01@EXAMPLE.COM: user01\r\n\r\n$ klist\r\nTicket cache: KEYRING:persistent:1000:1000\r\nDefault principal: user01@EXAMPLE.COM\r\nValid starting Expires Service principal\r\n07\/22\/2014 16:48:35 07\/23\/2014 16:48:11 krbtgt\/EXAMPLE.COM@EXAMPLE.COM\r\nrenew until 07\/22\/2014 16:48:11\r\n\r\n$ klist -l<\/pre>\n
Teraz powinna by\u0107 mo\u017cliwo\u015b\u0107 wyj\u015bcia z konsoli ssh<\/em> i ponownego zalogowania bez podawania has\u0142a:<\/p>\n
$ ssh kdc.example.com<\/pre>\n
Aby usun\u0105\u0107 ticket u\u017cywamy komendy:<\/p>\n
# kdestroy<\/pre>\n
 <\/p>\n
Konfiguracja serwera us\u0142ugi NFS i klienta NFS korzystaj\u0105cych z Kerberosa opisana jest w artykule o Network File System:<\/p>\n
http:\/\/miroslaw.borodziuk.eu\/index.php\/2017\/07\/25\/network-file-system\/<\/a><\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Kerberos to protok\u00f3\u0142 s\u0142u\u017c\u0105cy do identyfikacji (autentykacji) stworzony w MIT w roku 1988. Klienci \u0142\u0105cz\u0105 si\u0119 do serwera KDC (Kerberos Distribution Center – Centrum Dystrybucji Kluczy) u\u017cywaj\u0105c pewnego rodzaju loginu nazywanego principal i otrzymuj\u0105 ticket (bilet). Tak d\u0142ugo jak ticket jest wa\u017cny klient ma dost\u0119p do chronionych przez kerberos us\u0142ug i nie potrzebuje identyfikacji przy … <\/p>\n
Continue reading “Kerberos”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1541,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46,49],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/1540"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=1540"}],"version-history":[{"count":11,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/1540\/revisions"}],"predecessor-version":[{"id":1807,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/1540\/revisions\/1807"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/1541"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=1540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=1540"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=1540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}