Setting Up a Kerberos server (with Debian/Ubuntu)

简介:

First I created three Virtualbox VMs (Debian Linux) for Kerberos server, client and ssh server.
Kerberos server - kerberos.com
Client - client.com
SSH server - ssh.com

Then I added the following lines to the /etc/hosts files of the VMs.
10.0.0.1 kerberos.com
10.0.0.2 client.com
10.0.0.3 ssh.com
Make sure you can ping kerberos.com, ssh.com, client.com from all VMs(To check host-names are resolving).
Kerberos Server

Installing the Kerberos server (kerberos.com)
apt-get install krb5-admin-server krb5-kdc
During the installation it "may" ask following questions (My answers are shown in brackets)
Default Kerberos version 5 realm? [KERBEROS.COM]
Kerberos servers for your realm? [kerberos.com]
Administrative server for your realm? [kerberos.com]
Configuring Kerberos server
Before beginning a new realm must be created
krb5_newrealm

Edit the /etc/krb5.conf file (enter the following lines to the file if they're not there)
[libdefaults]

    default_realm = KERBEROS.COM

...
...
...
[realms]

    kdc = kerberos.com
    admin_server = kerberos.com

...
...
...
[domain_realm]
...
...

    kerberos.com = KERBEROS.COM
    .kerberos.com = KERBEROS.COM

Notice on cdh:
we should open tcp port by updating file /etc/krb5kdc/kdc.conf:
kdc_tcp_ports = 88
then restart kdc service:
service krb5-admin-server restart
service krb5-kdc restart

Adding users (Principles)
Use the kadmin.local tool to add/delete/modify users (principles)

Type kadmin.local to use the tool
listprics will list the existing principles
To add the root user, type
addprinc root

If you want to assign an admin role to a user use the following command
addprinc root/admin
Then you have to uncomment the /admin line in /etc/krb5kdc/kadm.acl file.

In order to check the principle has applied correctly type the following command
kinit

kinit is used to get tickets from the Kerberos server.
It will prompt for password. (Enter the password given to the addprinc command)
Now type the following command to see the ticket.
klist
Client

Installing and configuring client for Kerberos (client.com)
apt-get install krb5-user

It will ask the same questions, asked during the server installation.
[Make sure you can ping kerberos.com from your client.com machine]

Testing
To get a ticket for your client machine type the following command.
kinit root
or (depending on your principles in kerberos.com)
kinit root/admin
If you get a ticket from kerberos.com, its working!.

Services

Using SSH service with Kerberos (ssh.com)
Install open ssh server and krb5-config
apt-get install openssh-server krb5-config
Configure the /etc/krb5.conf accordingly (Just like the previous ones)

Configuring SSH to use with Kerberos
Edit /etc/ssh/sshd_config and enable the following lines
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Then restart the ssh server [/etc/init.d/ssh restart]

Configuring Kerberos server (kerberos.com) to work with ssh.com
Type the following commands on the kerberos.com to add the ssh.com principle
kadmin.local
addprinc -randkey host/ssh.com
ktadd -k /tmp/ssh.com.keytab host/ssh.com
Now copy the /tmp/ssh.com.keytab file to the ssh server (ssh.com) using the command below
scp /tmp/ssh.com.keytab root@ssh.com:/etc/krb5.keytab
Configuring a client machine for Kerberos authentication
Edit /etc/ssh/ssh_config and enable the following lines
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Testing SSH service with Kerberos
Log in to the client machine and get a ticket
kinit root
(or kinit root/admin)
Then type the command below. It should log in to the ssh.com without password.
ssh root@ssh.com
Now type the following commands and check the difference
kdestroy
ssh root@ssh.com

Source:- http://www.debian-administration.org/articles/570

目录
相关文章
|
6月前
|
Ubuntu Linux
Centos 7、Debian、Ubuntu中tree指令的检查与下载
Centos 7、Debian、Ubuntu中tree指令的检查与下载
|
Ubuntu 安全 Linux
百度搜索:蓝易云【Ubuntu 20.04 安装VNC Server的教程。】
请注意,VNC连接是以明文形式传输数据的,因此建议在安全的网络环境中使用VNC,并设置强密码以确保安全性。
241 1
|
3月前
|
Ubuntu 网络安全 数据安全/隐私保护
ubuntu server连接wifi教程
本文提供了一个简化Ubuntu Server在Raspberry Pi系统上配置过程的脚本"config_ubuntu_server",包括自动和手动两种方法来设置root权限、SSH配置,并连接WiFi,同时支持无密码SSH访问,适合初学者和高级用户。
78 3
|
3月前
|
Ubuntu 网络协议 开发工具
在 Ubuntu Server 上配置静态 IP 地址
在 Ubuntu Server 上配置静态 IP 地址
304 0
|
3月前
|
Ubuntu Linux 测试技术
下载ISO镜像的方法 Debian、Red Hat 、CentOS、Ubuntu、Kali Linux🌐
Debian、Red Hat、CentOS、Ubuntu与Kali Linux均为知名Linux发行版。下载Debian须访问官网并按计算机架构选ISO文件。Red Hat下载通常需订阅账户,可从官网登录后获取。CentOS可从官网或镜像站点下载,注意CentOS 8已停更。Ubuntu下载简便,官网直接选取版本及架构即可。Kali Linux专为安全测试设计,官网提供直接下载ISO镜像服务。
636 0
|
6月前
|
资源调度 JavaScript Ubuntu
Yarn介绍及快速安装Debian/Ubuntu Linux
现在,你已经成功安装了Yarn,可以在你的JavaScript项目中使用它来管理依赖。
648 3
|
12月前
|
存储 缓存 NoSQL
如何解决Ubuntu server 下 Redis安装报错:“You need tcl 8.5 or newer in order to run the Redis test”.
如何解决Ubuntu server 下 Redis安装报错:“You need tcl 8.5 or newer in order to run the Redis test”.
401 0
|
6月前
|
缓存 Ubuntu
Debian/Ubuntu清理硬盘空间
请注意,在执行清理操作时,务必小心核实要删除的文件,以免意外删除重要数据。 买CN2云服务器,免备案服务器,高防服务器,就选蓝易云。百度搜索:蓝易云
327 4
|
Ubuntu Linux
debian/rehhat/linux/centos/ubuntu 安装IDEA
debian/rehhat/linux/centos/ubuntu 安装IDEA
180 0
|
6月前
|
存储 Ubuntu 网络安全