Configuring a Kerberos service on CentOS 7 and logging in with JAAS

Prepare two virtual machines: 192.168.1.101 and 192.168.1.102. 101 acts as the Kerberos server, 102 as the Kerberos client. Open port 88 on both.

1. Install the Kerberos server

yum -y install krb5-libs krb5-server

1.1. Configure /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SNSPRJ.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 # insert by xiaohb 20170824 start
 udp_preference_limit = 1
 # insert by xiaohb 20170824 end


[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
  SNSPRJ.COM = {
    kdc = kerberos.snsprj.com
    admin_server = kerberos.snsprj.com
  }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
  .snsprj.com = SNSPRJ.COM
  snsprj.com = SNSPRJ.COM
Note: the udp_preference_limit = 1 line added under [libdefaults] disables UDP, so the Kerberos library talks to the KDC over TCP.

1.2. Configure /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SNSPRJ.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
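The supported_enctypes line in the kdc.conf above keeps single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1), 3DES (des3-hmac-sha1) and RC4 (arcfour-hmac) enabled alongside AES. The following Java program is an added example and not part of the original post: it scans a kdc.conf for a supported_enctypes line and lists the types deprecated by RFC 6649 (single DES) and RFC 8429 (3DES and RC4). The WEAK list and the embedded sample text are this example's own.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Audits the supported_enctypes line of a kdc.conf and reports encryption
 * types deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
 * Added example; WEAK is this example's own policy list.
 */
public class EnctypeAudit {

    static final Set<String> WEAK = Set.of(
            "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
            "des3-hmac-sha1", "des3-cbc-sha1",
            "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp");

    /** Returns every deprecated enctype found on a supported_enctypes line, in file order. */
    static List<String> weakEnctypes(String kdcConf) {
        List<String> found = new ArrayList<>();
        for (String raw : kdcConf.split("\n")) {
            String line = raw.trim();
            if (line.startsWith("#") || !line.startsWith("supported_enctypes")) {
                continue;
            }
            int eq = line.indexOf('=');
            if (eq < 0) {
                continue;
            }
            // Each entry looks like "aes256-cts:normal": enctype, colon, salt type.
            for (String entry : line.substring(eq + 1).trim().split("\\s+")) {
                String enctype = entry.split(":", 2)[0].toLowerCase();
                if (WEAK.contains(enctype)) {
                    found.add(enctype);
                }
            }
        }
        return found;
    }

    /** Constructed sample mirroring the [realms] block of this post's kdc.conf. */
    static final String SAMPLE = String.join("\n",
            "[realms]",
            " SNSPRJ.COM = {",
            "  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal"
                    + " arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal"
                    + " des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal",
            " }");

    public static void main(String[] args) throws Exception {
        // Audit the file named on the command line, or the embedded sample.
        String conf = args.length > 0 ? Files.readString(Path.of(args[0])) : SAMPLE;
        List<String> weak = weakEnctypes(conf);
        if (weak.isEmpty()) {
            System.out.println("supported_enctypes: no deprecated encryption types");
        } else {
            System.out.println("Deprecated encryption types in supported_enctypes: " + weak);
            System.out.println("Remove them and re-key affected principals with aes256-cts/aes128-cts.");
        }
    }
}
```

Run it as java EnctypeAudit /var/kerberos/krb5kdc/kdc.conf on the KDC; with no argument it audits the embedded copy of this post's configuration and reports des3-hmac-sha1, arcfour-hmac, des-hmac-sha1, des-cbc-md5 and des-cbc-crc. Before dropping an enctype, confirm that no client or service principal still depends on it: keys are generated only for the types listed at the time a principal is created or its password is changed, so existing principals need a re-key after the list shrinks.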

1.3. Create/initialize the Kerberos database

/usr/sbin/kdb5_util create -s

If the command hangs at "Loading random data", open another terminal window and run cat /dev/sda > /dev/urandom to drive up CPU activity and speed up entropy collection.

Once the Kerberos database has been created, several files appear under /var/kerberos/krb5kdc:

-rw-------. 1 root root   21 Aug 24 11:34 kadm5.acl
-rw-------. 1 root root  450 Aug 24 11:27 kdc.conf
-rw-------. 1 root root 8192 Aug 24 11:35 principal
-rw-------. 1 root root 8192 Aug 24 11:33 principal.kadm5
-rw-------. 1 root root    0 Aug 24 11:33 principal.kadm5.lock
-rw-------. 1 root root    0 Aug 24 11:35 principal.ok

1.4. Add a database administrator

/usr/sbin/kadmin.local -q "addprinc username/admin"

1.5. Grant the database administrator ACL rights by editing /var/kerberos/krb5kdc/kadm5.acl to contain:

*/admin@SNSPRJ.COM      *

1.6. Start the Kerberos daemons

/bin/systemctl start  krb5kdc.service
/bin/systemctl start  kadmin.service

2. Install the Kerberos client

yum install krb5-workstation krb5-libs

2.1. Configure /etc/krb5.conf: simply copy the krb5.conf file over from the Kerberos server.

3. Basic Kerberos commands

4. Logging in to the Kerberos server with JAAS

package com.snsprj.jaas0822;

import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * This JaasAcn application attempts to authenticate a user
 * and reports whether or not the authentication was successful.
 *
 * Created by skh on 2017/8/22.
 */
public class JaasAcn {
    public static void main(String[] args) {

        String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";

        System.setProperty("java.security.auth.login.config", path + "jaas.conf");

        System.setProperty("java.security.krb5.conf", path + "krb5.conf");

//        System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
//        System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");

        // sun.security.krb5.debug
        System.setProperty("sun.security.krb5.debug", "true");

        // Obtain a LoginContext, needed for authentication. Tell it
        // to use the LoginModule implementation specified by the
        // entry named "JaasSample" in the JAAS login configuration
        // file and to also use the specified CallbackHandler.
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());

            // attempt authentication
            try {
                lc.login();
            } catch (LoginException le) {
                le.printStackTrace();
                System.err.println("Authentication failed:");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }

        } catch (LoginException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            System.exit(-1); // otherwise the success message below would still be printed
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        }

        System.out.println("Authentication succeeded!");

    }
}

jaas.conf:

/** Login Configuration for the JaasAcn and
 ** JaasAzn Applications
 **/

JaasSample {
   com.sun.security.auth.module.Krb5LoginModule required debug=true refreshKrb5Config=true;
};
krb5.conf: copied from the Kerberos server.
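The JaasAcn program above authenticates with a password typed into TextCallbackHandler, which does not suit an unattended service. The following program is an added example and not the post's code: it performs the same Krb5LoginModule login from a keytab, with the options that jaas.conf would otherwise hold supplied programmatically through a javax.security.auth.login.Configuration subclass. The principal app/client@SNSPRJ.COM, the keytab path /etc/security/app.keytab and the entry name KeytabSample are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Non-interactive Kerberos login through JAAS using a keytab instead of a
 * password prompt. The Krb5LoginModule options are supplied in code, so no
 * jaas.conf file is needed. Added example; principal and keytab path are
 * placeholders.
 */
public class KeytabLogin {

    /** Builds a JAAS Configuration with one entry, equivalent to a jaas.conf block. */
    static Configuration keytabConfig(String entryName, String principal, String keytab) {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");        // take the key from the keytab file
        options.put("keyTab", keytab);
        options.put("principal", principal);
        options.put("storeKey", "true");         // keep the key in the Subject for later use
        options.put("doNotPrompt", "true");      // fail instead of asking for a password
        options.put("isInitiator", "true");      // obtain a TGT, i.e. act as a client
        options.put("refreshKrb5Config", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entryName.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    public static void main(String[] args) {
        // Same krb5.conf copied from the KDC as in the post; the path is an assumption.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

        // Placeholders. The keytab is created on the KDC after the principal exists, e.g.
        //   kadmin.local -q "addprinc -randkey app/client@SNSPRJ.COM"
        //   kadmin.local -q "ktadd -k /etc/security/app.keytab app/client@SNSPRJ.COM"
        String principal = "app/client@SNSPRJ.COM";
        String keytab = "/etc/security/app.keytab";

        Configuration config = keytabConfig("KeytabSample", principal, keytab);
        try {
            // Passing the Configuration directly means the
            // java.security.auth.login.config property is not required.
            LoginContext lc = new LoginContext("KeytabSample", null, null, config);
            lc.login();
            Subject subject = lc.getSubject();
            System.out.println("Authenticated principals: " + subject.getPrincipals());
            // The TGT (and, with storeKey, the key) live in the private credentials.
            System.out.println("Private credentials held: " + subject.getPrivateCredentials().size());
            lc.logout();
        } catch (LoginException le) {
            System.err.println("Keytab login failed: " + le.getMessage());
            System.exit(1);
        }
    }
}
```

doNotPrompt=true makes a missing or mismatched keytab fail fast with a LoginException instead of blocking on a password prompt. Keep the keytab readable only by the service account that runs this program: it is equivalent to that principal's password.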

References:

[The Kerberos 5 GSS-API Mechanism]: https://docs.oracle.com/javase/9/security/kerberos-5-gss-api-mechanism.htm#JSSEC-GUID-23D30A4B-CC38-45ED-83D5-C59ABB72762E

[javax.security.auth.login.LoginException: Receive timed out]: https://stackoverflow.com/questions/44214324/java-io-ioexception-login-failure-for-myuserexample-com-from-keytab/44228073#44228073

Original article: https://www.cnblogs.com/xxoome/p/7423822.html