Kerberos is an add-on network system/protocol that lets users authenticate themselves through the services of a secure server. Services such as remote login, remote copy, secure copying of files between systems and other high-risk tasks are made considerably safer and more controllable by its presence.

Kerberos can be thought of as an authentication proxy system. It has also been described as a trusted third-party authentication system. Kerberos provides only one function: the secure authentication of users on the network. It provides neither authorization (what a user is allowed to do) nor auditing (a record of what the user did). Once a client and a server have used Kerberos to prove their identities to each other, they can also encrypt all of their communications to assure the privacy and integrity of their data.

It is therefore strongly recommended that Kerberos be used together with other security mechanisms that provide authorization and auditing services.

The following instructions can be used as a guide to setting up the Kerberos that ships with FreeBSD. You should nevertheless refer to the relevant manual pages for a complete description.
For the purposes of demonstrating a Kerberos installation, we assume the following:

The DNS domain ("zone") is example.org.

The Kerberos realm is EXAMPLE.ORG.

Note: Use real domain names when setting up Kerberos, even if you only intend to run it on an internal network. This avoids DNS problems and assures interoperation with other Kerberos realms.
Kerberos was created at MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography, so a client can prove its identity to a server (and vice versa) across an insecure network.

Kerberos is the name of a network authentication protocol, and also the adjective used for programs that implement it (Kerberos telnet, for example). The current version of the protocol is version 5, described in RFC 1510.

Several free implementations of this protocol are available, covering many different operating systems. The Massachusetts Institute of Technology (MIT), where Kerberos was originally developed, continues to develop its Kerberos package. In the US it is classed as a cryptographic product and has therefore historically been subject to US export regulations. MIT Kerberos can be installed and used from the port (security/krb5). Heimdal Kerberos is another version 5 implementation, explicitly developed outside the US to avoid export regulations (and is thus widely used in non-commercial UNIX® variants). The Heimdal Kerberos package can be installed from the port (security/heimdal), and a minimal installation of it is also included in the base FreeBSD system.

To benefit as many readers as possible, these instructions assume the Heimdal distribution included with FreeBSD.
The Key Distribution Center (KDC) is the centralized authentication service that Kerberos provides: it is the computer that issues Kerberos tickets. The KDC is considered "trusted" by the other machines in the Kerberos realm, so its security requires special attention.

Note that while running the Kerberos server requires very few computing resources, a dedicated machine acting only as the KDC is still recommended for security reasons.

To begin setting up the KDC, first ensure that your /etc/rc.conf contains the settings needed to act as a KDC (you may need to adjust paths to suit your own system):

kerberos5_server_enable="YES"
kadmind5_server_enable="YES"

Next, edit the Kerberos configuration file, /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG

Note that this /etc/krb5.conf assumes your KDC has the fully qualified hostname kerberos.example.org. If your KDC has a different hostname, add a CNAME (alias) record for it to the zone.
Note: For large networks with a properly configured BIND DNS server, the example above can be trimmed to:

[libdefaults]
    default_realm = EXAMPLE.ORG

with the following lines added to the example.org zone data file:

_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
_kerberos IN TXT EXAMPLE.ORG

Note: For clients to be able to find the Kerberos services, you must either have a fully configured /etc/krb5.conf, or a minimal /etc/krb5.conf together with a properly configured DNS server.
Next, create the Kerberos database. This database contains the keys of all principals, encrypted with a master password. You do not need to remember this password; it is stored in a file (/var/heimdal/m-key). To create the master key, run kstash and enter a passphrase.

Once the master key has been created, you can initialize the database with the kadmin program's -l option (meaning "local"). This option makes kadmin modify the database files directly rather than going through the kadmind network service, which solves the chicken-and-egg problem of connecting to the database before it has been created. At the kadmin prompt, use the init command to create the realm's initial database.

Finally, still in kadmin, use the add command to create the first principal. Accept all the defaults for now; they can be changed at any time later with the modify command. You can also use the ? command to see the available options.

A typical database creation session looks like this:

# kstash
Master key: xxxxxxxx
Verifying password - Master key: xxxxxxxx
# kadmin -l
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin> add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxx

Now it is time to start the KDC services. Run /etc/rc.d/kerberos start and /etc/rc.d/kadmind start to bring them up. Although no Kerberos-enabled daemons are running yet, you can still confirm that the KDC is working by obtaining and listing a ticket for the principal (user) you just created, using the KDC itself:

% kinit tillman
tillman@EXAMPLE.ORG's Password:
% klist
Credentials cache: FILE:/tmp/krb5cc_500
        Principal: tillman@EXAMPLE.ORG

  Issued           Expires          Principal
Aug 27 15:37:58  Aug 28 01:37:58  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG

When you have finished, the ticket can be destroyed:

% kdestroy
To set up a server that offers Kerberos-enabled services, first obtain a copy of the Kerberos configuration file, /etc/krb5.conf. Simply copy the version on the KDC over the corresponding file on the machine being set up, in a secure fashion (using a network tool such as scp(1), or a floppy disk).

Next you need a /etc/krb5.keytab file. This is the major difference between a server that provides Kerberos-enabled daemons and a workstation: the server must have a keytab file. The file contains the server's host key, which lets the KDC verify the server's identity. It must be transmitted to the server securely, because the server's security is broken if the key becomes public. In other words, transferring it over a clear-text channel such as FTP is a very bad idea.

Typically you will use the kadmin program to transfer the keytab to the server. This is convenient because you also need kadmin to create the host principal (the KDC side of krb5.keytab).

Note that you must already have obtained a ticket, and that ticket must be permitted to use the kadmin interface by kadmind.acl. See the section "Remote administration" of the Heimdal info pages (info heimdal) for details on designing access control lists. If you do not want to enable remote kadmin access, you can instead connect to the KDC securely (via the local console, ssh(1) or Kerberos telnet(1)) and perform the administration locally with kadmin -l.
Once /etc/krb5.conf is installed, you can use kadmin from the Kerberos server. The add --random-key command adds the host principal, and the ext command extracts the server's host principal into its keytab. For example:

# kadmin
kadmin> add --random-key host/myserver.example.org
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext host/myserver.example.org
kadmin> exit

Note that the ext command (short for "extract") stores the extracted key in /etc/krb5.keytab by default.

If you are not running kadmind on the KDC (for security reasons, for example) and therefore cannot use kadmin remotely, you can add the host principal (host/myserver.EXAMPLE.ORG) directly on the KDC and then extract it to a temporary file (so as not to overwrite the KDC's own /etc/krb5.keytab), using commands like these:

# kadmin
kadmin> ext --keytab=/tmp/example.keytab host/myserver.example.org
kadmin> exit

The keytab must then be copied to the server securely (using scp or a floppy, for example). Be sure to specify a keytab name other than the default, so the keytab on the KDC is not overwritten.
At this point your server can communicate with the KDC (because krb5.conf is configured) and can prove its own identity (because krb5.keytab is configured). Some Kerberos services can now be enabled. In this example we enable the telnet service by adding the following line to /etc/inetd.conf, then restarting inetd(8) with /etc/rc.d/inetd restart to make the change take effect:

telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user

The critical part is that the -a (authentication) type is set to user. Consult the telnetd(8) manual page for details.
¡¡¡¡ÉèÖÿͻ§»úÊǷdz£¼òµ¥µÄ¡£ ÔÚÕýÈ·ÅäÖÃÁË Kerberos µÄÍøÂçÖУ¬ Ö»ÐèÒª½«Î»ÓÚ /etc/krb5.conf µÄÅäÖÃÎļþ½øÐÐÒ»ÏÂÉèÖþͿÉÒÔÁË¡£ ÕâÒ»²½Öè¿ÉÒÔ¼òµ¥µØÍ¨¹ý°²È«µÄ·½Ê½½«Îļþ´Ó KDC ¸´ÖƵ½¿Í»§»úÉÏÀ´Íê³É¡£
¡¡¡¡³¢ÊÔÔÚ¿Í»§»úÉÏÖ´ÐÐ kinit¡¢ klist£¬ ÒÔ¼° kdestroy À´²âÊÔ»ñÈ¡¡¢ ÏÔʾ²¢É¾³ý ¸Õ¸ÕΪ principal ½¨Á¢µÄ ticket ÊÇ·ñÄܹ»Õý³£½øÐУ¬ Èç¹ûÄÜ£¬ ÔòÓÃÆäËüµÄ Kerberos Ó¦ÓóÌÐòÀ´Á¬½ÓÆôÓÃÁË Kerberos µÄ·þÎñ¡£ Èç¹ûÓ¦ÓóÌÐò²»ÄÜÕý³£¹¤×÷¶ø»ñÈ¡ ticket Õý³££¬ Ôòͨ³£ÊÇ·þÎñ±¾Éí£¬ ¶ø·Ç¿Í»§»ú»ò KDC ÓÐÎÊÌâ¡£
¡¡¡¡ÔÚ²âÊÔÀàËÆ telnet µÄÓ¦ÓóÌÐòʱ£¬ Ó¦¿¼ÂÇʹÓÃ×¥°ü³ÌÐò (ÀýÈç tcpdump(1)) À´È·ÈÏÄúµÄ¿ÚÁîûÓÐÒÔÃ÷ÎÄ·½Ê½´«Êä¡£ ³¢ÊÔʹÓà telnet µÄ -x ²ÎÊý£¬ Ëü½«¼ÓÃÜÕû¸öÊý¾ÝÁ÷ (ÀàËÆ ssh)¡£
¡¡¡¡Ðí¶à·ÇºËÐÄµÄ Kerberos ¿Í»§Ó¦ÓóÌÐòÒ²ÊÇĬÈϰ²×°µÄ¡£ ÔÚ Hemidal µÄ ¡°×îС¡± °²×°ÀíÄîÏ£¬ telnet ÊÇΨһһ¸ö²ÉÓÃÁË Kerberos µÄ·þÎñ¡£
¡¡¡¡Heimdal port ÔòÌṩÁËһЩĬÈϲ»°²×°µÄ¿Í»§Ó¦ÓóÌÐò£¬ ÀýÈçÆôÓÃÁË Kerberos °æ±¾µÄ ftp¡¢ rsh¡¢ rcp¡¢ rlogin ÒÔ¼°Ò»Ð©¸ü²»³£ÓõijÌÐò¡£ MIT port Ò²°üÀ¨ÁËÒ»ÕûÌ× Kerberos ¿Í»§Ó¦ÓóÌÐò¡£
Users in a realm usually have their own Kerberos principal (such as tillman@EXAMPLE.ORG) mapped to a local user account (such as a local account named tillman). Client applications such as telnet usually do not need a user name or principal.

Occasionally, however, you may want to grant someone who has no matching Kerberos principal access to a local user account. For example, tillman@EXAMPLE.ORG may need access to the local account webdevelopers, and other principals may need access to that local account too.

The .k5login and .k5users files in a user's home directory, similar to the combination of .hosts and .rhosts, solve this problem effectively. For example, if a .k5login with the following contents:

tillman@example.org
jdoe@example.org

is placed in the home directory of the local user webdevelopers, both listed principals can use that account without sharing a password.

Read the manual pages for these commands before putting this into practice. In particular, the ksu manual page covers .k5users.
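As an added example (not from the Handbook or from the Heimdal/MIT code), the following POSIX shell function audits a .k5login file the way the login check reads it: each line must be a complete name@REALM principal compared as a whole, and realm names are case-sensitive, so an entry must carry the realm exactly as it appears in the user's principal. It assumes awk and a readable file.

```shell
# k5login_audit FILE REALM: report .k5login entries that will not match the
# principal the administrator has in mind. Added example, not from the FreeBSD
# Handbook. Matching is an exact comparison of the whole principal name, and
# realm names are case-sensitive, so tillman@example.org is not tillman@EXAMPLE.ORG.
k5login_audit() {
    file="$1"; realm="$2"
    [ -r "$file" ] || { echo "$file: not readable"; return 1; }
    awk -v realm="$realm" -v file="$file" '
        { entry = $0; sub(/[ \t\r]+$/, "", entry) }   # strip trailing CR/whitespace
        entry == "" { next }                          # ignore empty lines
        entry != $0 {
            print file ": trailing whitespace after \"" entry "\" (entry will not match)"
            bad = 1 }
        entry !~ /^[^@ ]+@[^@ ]+$/ {
            print file ": \"" entry "\" is not a full name@REALM principal"
            bad = 1; next }
        {
            split(entry, part, "@")
            if (part[2] != realm) {
                print file ": \"" entry "\" uses realm " part[2] ", expected " realm
                bad = 1 }
            if (seen[entry]++)
                print file ": duplicate entry \"" entry "\""
        }
        END { exit bad ? 1 : 0 }' "$file"
}

# Constructed sample .k5login for the local account webdevelopers.
K5LOGIN=$(mktemp) || exit 1
printf 'tillman@EXAMPLE.ORG\njdoe@example.org\njdoe\n' > "$K5LOGIN"
k5login_audit "$K5LOGIN" EXAMPLE.ORG || echo "review $K5LOGIN before relying on it"
rm -f "$K5LOGIN"
```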
When using the Heimdal or MIT Kerberos ports, make sure your PATH environment variable lists the Kerberos client applications before the versions shipped with the system.

Are the clocks of all computers in the realm synchronized? If not, authentication may fail. Section 29.10 describes how to synchronize clocks with NTP.

MIT and Heimdal interoperate well. One exception is kadmin, because that protocol has not been standardized.

If you change a hostname, you also need to change its host/ principal and update the keytab. This also applies to special keytab entries such as the www/ principal used by Apache's www/mod_auth_kerb.

Every host in your realm must be resolvable (both forward and reverse) in DNS (or at least in /etc/hosts). CNAMEs work, but the corresponding A and PTR records must be correct. The error message given in this case can be confusing: "Kerberos5 refuses authentication because Read req failed: Key table entry not found".

Some operating systems acting as clients of your KDC may not install ksu setuid root. This means ksu will not work, which is a good idea from a security standpoint but can be annoying. This is not a KDC error.

With MIT Kerberos, if you want to allow a principal to have tickets valid for longer than the default ten hours, you must use modify_principal in kadmin to change the maxlife (maximum lifetime) of both the principal in question and the krbtgt principal. The principal can then use kinit's -l option to request a ticket with a longer lifetime.
Note: If you run a packet sniffer on the KDC and then run kinit on a workstation, you may notice that the TGT is sent as soon as kinit starts, even before you type your password! The explanation is that the Kerberos server hands out a TGT (Ticket Granting Ticket) freely to any unauthenticated request; however, every TGT is encrypted with a key derived from the user's password. Therefore, when the user types the password, it is not sent to the KDC but used directly to decrypt the TGT that kinit has already obtained. If decryption yields a valid ticket with a valid timestamp, the user has valid Kerberos credentials. These credentials include a session key for establishing encrypted communication with the Kerberos server later on, as well as the actual ticket-granting ticket, which is itself encrypted with the server's own key. This second layer of encryption is invisible to the user, but it is what lets the Kerberos server verify the authenticity of each TGT.

If you need tickets with a longer lifetime (a week, for example) and you use OpenSSH to connect to the machine that stores your tickets, make sure Kerberos TicketCleanup is set to no in sshd_config; otherwise all your tickets are deleted when you log out.

Remember that the ticket lifetime of host principals must be longer than that of users. If your user principal has a lifetime of a week but the host you connect to has a lifetime of nine hours, the cached host principal expires first and the ticket cache stops working properly.

When setting up a krb5.dict file to prevent specific weak passwords from being used (the kadmind manual page describes this briefly), remember that it only applies to principals that have a password policy assigned. The format of krb5.dict is simple: one string per line. Creating a symbolic link to /usr/share/dict/words can be useful.
The main difference between MIT and Heimdal is that their kadmin programs use different (though equivalent) sets of commands and a different protocol. If your KDC is MIT, the consequence is that you cannot use the Heimdal kadmin program to administer the KDC remotely (or vice versa).

The commands to accomplish the same task may also differ slightly. Following the instructions on the MIT Kerberos web site (http://web.mit.edu/Kerberos/www/) is recommended. Be careful about path issues: the MIT port installs into /usr/local/ by default, so you may end up running the "normal" system applications instead of the MIT ones if your PATH environment variable lists the system directories first.

Note: With the MIT security/krb5 port provided by FreeBSD, be sure to read the /usr/local/share/doc/krb5/README.FreeBSD installed by the port if you want to understand why logins via telnetd and klogind behave somewhat oddly. Most importantly, correcting the "incorrect permissions on cache file" behaviour requires using login.krb5 for authentication so that the ownership of forwarded credentials can be changed properly.

In addition, rc.conf should be modified to include the following configuration:

kerberos5_server="/usr/local/sbin/krb5kdc"
kadmind5_server="/usr/local/sbin/kadmind"
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"

This is done because MIT Kerberos installs its binaries under /usr/local.
Every service enabled on the network must be modified to work with Kerberos (or otherwise secured against network attacks); otherwise users' credentials can be stolen and reused. An example would be Kerberizing all remote shells (via rsh and telnet, for example) but not the POP3 mail server, which sends passwords in clear text.

Kerberos security is weakened in a multi-user environment, because tickets are stored in the /tmp directory, which is readable by all users. If a user shares a computer with other people at the same time (i.e. multi-user), that user's tickets may be stolen (copied) by another user.

This can be avoided with the -c filename command-line option or (preferably) by changing the KRB5CCNAME environment variable, but this is rarely done. In principle, storing tickets in the user's home directory with simple permissions mitigates the problem.

By design, the KDC must be secure, because the master password database is stored on it. No other services should run on the KDC, and it should also be physically secured. Since Kerberos uses the same key (the legendary "master" key) to encrypt all passwords, and this file is stored on the KDC, its security is especially important.

However, leaking the master key is not as disastrous as one might imagine. The master key is only used to encrypt the Kerberos database and to seed the random number generator. As long as the KDC itself is secure, an attacker who obtains the master key cannot do much with it.

Additionally, if the KDC is unavailable (for example because of a denial-of-service attack or a network failure), network services cannot be used because authentication cannot be performed, which leads to a wider denial of service. This can be avoided by deploying multiple KDCs (a master and one or more slaves) together with a carefully designed and implemented fallback authentication method (PAM is a good choice).

Kerberos lets users, hosts and services authenticate to one another. It provides no mechanism for authenticating the KDC to users, hosts or services. This means that a trojaned program such as kinit could record all user names and passwords. Nevertheless, file system integrity checkers such as security/tripwire can help guard against this.
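The KRB5CCNAME mitigation described above, as an added example (not from the Handbook): two POSIX shell functions, one that creates a mode 0700 cache directory and prints the KRB5CCNAME value pointing at it, and one that checks whether an existing cache location is readable by other users. They assume a POSIX sh with ls, cut and id; the directory name is an assumption.

```shell
# ccache_is_private PATH: succeed only if PATH exists, belongs to the caller and
# grants no permission bits to group or others (the /tmp exposure described
# above). Added example, not from the FreeBSD Handbook; assumes POSIX sh, ls and cut.
ccache_is_private() {
    path="$1"
    [ -e "$path" ] || return 1
    [ -O "$path" ] || return 1                 # owned by the current user
    bits=$(ls -ld "$path" | cut -c5-10)        # group and other permission bits
    [ "$bits" = "------" ]
}

# private_ccache [DIR]: create a mode 0700 directory (default: under $HOME) and
# print the KRB5CCNAME value that points kinit/klist/kdestroy at it, e.g.
#   export KRB5CCNAME=$(private_ccache) && kinit tillman
private_ccache() {
    dir="${1:-$HOME/.krb5cc}"
    # Create with a restrictive umask in a subshell so the caller's umask is untouched;
    # the explicit chmod also tightens a directory that already existed.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 0700 "$dir" || return 1
    ccache_is_private "$dir" || return 1
    echo "FILE:$dir/krb5cc_$(id -u)"
}

# Constructed demonstration in a temporary directory.
DEMO=$(mktemp -d) || exit 1
CC=$(private_ccache "$DEMO/cc") && echo "use KRB5CCNAME=$CC"
chmod 0755 "$DEMO/cc"                           # what a world-readable cache looks like
ccache_is_private "$DEMO/cc" || echo "$DEMO/cc is readable by other users"
rm -rf "$DEMO"
```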
This and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

If you have questions about FreeBSD, read the documentation first; if that does not resolve them, contact <questions@FreeBSD.org>.

For questions about this document, e-mail <doc@FreeBSD.org>.