Full text fix: Kerberos overview, source code compilation, installation, configuration details


The Internet is notoriously insecure, and many of the protocols used on it provide no security guarantees at all. Applications that send unencrypted passwords over the network are therefore highly exposed. A firewall does not solve this problem: it controls where packets may travel, not who is at the other end of a connection. The Kerberos protocol was created to solve this kind of network authentication problem. Kerberos is a network authentication protocol that uses secret-key (symmetric) cryptography to provide strong authentication for client/server communication. A client and a server can authenticate each other over an insecure network, and the session can additionally be encrypted to protect the privacy and integrity of the data. MIT provides an open-source implementation of the protocol, MIT Kerberos; anyone who wants to use it can inspect the source to satisfy themselves that it is trustworthy, or build it directly into commercial products. In short, Kerberos answers the authentication part of the network security problem: it provides authentication and strong encryption over the network and helps organizations protect their internal information systems, which makes it a valuable building block of an IT architecture.

Installation

Kerberos server node:

    [root@felixzh1 home]# yum install -y krb5-server krb5-libs krb5-workstation

Kerberos client node:

    [root@felixzh2 ~]# yum install -y krb5-devel krb5-workstation

Configuration file: krb5.conf

krb5.conf applies to every application that uses Kerberos, on both the client and the server side. The default location is /etc/krb5.conf; a different file can be selected with the environment variable KRB5_CONFIG. Its main sections are [libdefaults], [realms], [domain_realm], [capaths] and [appdefaults] (it may also contain the sections of kdc.conf, but that is not recommended). There are too many parameters to cover here; for the details see https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#sections. The sample from the MIT documentation looks like this:

    [libdefaults]
        default_realm = ATHENA.MIT.EDU
        dns_lookup_kdc = true
        dns_lookup_realm = false

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            kdc = kerberos-2.mit.edu
            admin_server = kerberos.mit.edu
            primary_kdc = kerberos.mit.edu
        }
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
            admin_server = kerberos.example.com
        }

    [domain_realm]
        mit.edu = ATHENA.MIT.EDU

    [capaths]
        ATHENA.MIT.EDU = {
            EXAMPLE.COM = .
        }
        EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
        }

Two settings in this sample deserve attention. dns_lookup_kdc = true lets clients locate KDCs through DNS SRV records, and dns_lookup_realm = false keeps them from taking the realm name itself from DNS TXT records; DNS is unauthenticated, so leaving realm lookup disabled is the safer default. The "." entries in [capaths] declare that the two realms trust each other directly, with no intermediate realm in the path.

Configuration file: kdc.conf

kdc.conf supplements krb5.conf and is normally read only by the KDC-specific programs (krb5kdc, kadmind, kdb5_util). These programs read both files and merge them into a single configuration profile. Note: changes to kdc.conf take effect only after the KDC processes are restarted. The default location is /var/kerberos/krb5kdc/kdc.conf; a different file can be selected with the environment variable KRB5_KDC_PROFILE. Its main sections are [kdcdefaults], [realms], [dbdefaults], [dbmodules] and [logging]; for the details see https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#sections. The sample from the MIT documentation (for a realm whose database is stored in LDAP) looks like this:

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88

    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
                # this object needs to have read rights on
                # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
                # this object needs to have read and write rights on
                # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }

Note that supported_enctypes lists only AES types, which is what a new realm should use. ldap_service_password_file holds the stashed bind passwords for the two DNs above and must be readable only by the account the KDC runs as. The /usr/local/var paths in [logging] are the defaults of a source build (see the compilation section below); the yum packages use /var/kerberos/krb5kdc instead.

Configuration file: kadm5.acl

kadmind uses the ACL file kadm5.acl to control access to the Kerberos database. For operations that affect principals, kadm5.acl can restrict access down to the individual principal. The default location is /var/kerberos/krb5kdc/kadm5.acl; a different file can be selected with the acl_file parameter in the [realms] section of kdc.conf. Note: changes to kadm5.acl take effect only after kadmind is restarted.

Syntax:

    principal permissions [target_principal [restrictions]]

principal and permissions are required; target_principal and restrictions are optional. Lines are evaluated from top to bottom and the first matching line determines the permissions, so the order of lines matters. A lowercase permission letter grants an operation and the same letter in uppercase denies it:

    a  add principals or policies
    c  change passwords of principals
    d  delete principals or policies
    e  extract principal keys
    i  inquire about principals or policies
    l  list all principals or policies
    m  modify principals or policies
    p  propagate the principal database (incremental propagation)
    s  explicitly set the key of a principal
    x  all of the above except e (short for admcilsp)
    *  same as x

For the full description see https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kadm5_acl.html#syntax. The sample from the MIT documentation looks like this:

    */admin@ATHENA.MIT.EDU    *                               # line 1
    joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
    joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
    */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
    */root@ATHENA.MIT.EDU     l   *                           # line 5
    sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

Line 1 gives every principal with an admin instance every permission except key extraction. Line 2 denies everything to joeadmin@ATHENA.MIT.EDU (all letters are uppercase). Line 3 lets any joeadmin/*@ATHENA.MIT.EDU inquire only about principals with a root instance. Line 4 lets a principal with a root instance change the password of, and inquire about, the principal with the same primary name (*1 refers back to the first wildcard matched in the principal field), and line 5 lets such principals list the database. Line 6 grants sms@ATHENA.MIT.EDU everything except key extraction, but principals it creates or modifies get a maximum ticket life of 9 hours and may not obtain postdated tickets. Because the first matching line wins, a broad grant such as line 1 placed above a more specific deny line would make the deny line unreachable for the principals it covers.

Realm configuration decisions

Before installing Kerberos V5, decide the following:

    - The name of your Kerberos realm (or the name of each realm, if you need more than one).
    - How hostnames are mapped to Kerberos realms.
    - Whether the default ports 88 (KDC) and 749 (kadmind) will be used.
    - How many replica KDCs you need and where they will be deployed.
    - The hostnames of the primary and replica KDCs.
    - How often the database will be propagated from the primary KDC to the replicas.

For details see https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#realm-configuration-decisions.

Compiling from source

The latest release at the time of writing, 1.19.2, is built as follows:

    [root@felixzh1 home]# yum install byacc flex bison
    [root@felixzh1 home]# wget http://web.mit.edu/kerberos/dist/krb5/1.19/krb5-1.19.2.tar.gz
    [root@felixzh1 home]# tar xzf krb5-1.19.2.tar.gz
    [root@felixzh1 home]# cd krb5-1.19.2/src/
    [root@felixzh1 src]# ./configure
    [root@felixzh1 src]# make -j 8
    [root@felixzh1 src]# make install

The tarball is fetched over plain HTTP, so verify the detached PGP signature that MIT publishes next to it before building; a KDC built from a tampered source tree undermines every realm it serves. Running make check before make install exercises the test suite. With no --prefix argument, configure installs under /usr/local, so the daemons land in /usr/local/sbin and the KDC data directory is /usr/local/var/krb5kdc, which is why the sample kdc.conf above logs to that path.
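The settings discussed in the krb5.conf and kdc.conf sections (legacy enctypes in master_key_type or supported_enctypes, allow_weak_crypto, dns_lookup_realm) can be checked mechanically once both files are parsed and merged the way the KDC programs read them. The following is an added example written for this page, not code from the article or from MIT Kerberos: a parser for the profile format (sections, key = value lines, nested key = { ... } blocks), a merge of the two files, and an audit that reports the weak settings. It does not implement the include/includedir directives or the trailing-'*' final-value marker of the real profile library, and all sample configurations inside it are constructed.

```python
"""Parse and audit MIT krb5 profile files (krb5.conf and kdc.conf share the
format). Added example, not code from the article or from MIT Kerberos. It
handles [section] headers, key = value lines, nested key = { ... } blocks and
comment lines ('#' or ';'), but not 'include', 'includedir' or the trailing
'*' final-value marker. All sample configurations are constructed."""
import re

# Substrings of enctypes that current MIT krb5 has removed or deprecated:
# single DES, triple DES and RC4 (arcfour).
LEGACY_ENCTYPES = ("des", "rc4", "arcfour")
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_profile(text):
    """Return {section: {key: [value, ...]}}; a value is a str or, for
    'key = { ... }', a nested dict. Repeated keys accumulate in file order."""
    profile, section, stack = {}, None, []    # stack: '{' blocks still open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line == "}":
            stack.pop()                        # IndexError on a stray '}'
            continue
        m = SECTION_RE.match(line)
        if m and not stack:
            section = profile.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m is None or section is None:
            raise ValueError("unparsable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == "{":
            block = {}
            target.setdefault(key, []).append(block)
            stack.append(block)
        else:
            target.setdefault(key, []).append(value.strip('"'))
    if stack:
        raise ValueError("unterminated '{'")
    return profile


def merge_profiles(*profiles):
    """Combine profiles as krb5kdc/kadmind combine krb5.conf and kdc.conf:
    values under the same section and key are concatenated, earlier file first."""
    merged = {}
    for prof in profiles:
        for sec, keys in prof.items():
            dst = merged.setdefault(sec, {})
            for key, vals in keys.items():
                dst.setdefault(key, []).extend(vals)
    return merged


def audit(profile):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lib = profile.get("libdefaults", {})
    if str(lib.get("allow_weak_crypto", ["false"])[0]).lower() == "true":
        findings.append("libdefaults: allow_weak_crypto=true re-enables legacy enctypes")
    if str(lib.get("dns_lookup_realm", ["false"])[0]).lower() == "true":
        findings.append("libdefaults: dns_lookup_realm=true lets unauthenticated DNS "
                        "TXT records choose the realm")
    for realm, blocks in profile.get("realms", {}).items():
        for block in (b for b in blocks if isinstance(b, dict)):
            for key in ("master_key_type", "supported_enctypes"):
                vals = [v for v in block.get(key, []) if isinstance(v, str)]
                for etype in " ".join(vals).split():
                    name = etype.split(":", 1)[0].lower()   # drop the ':normal' salt type
                    if any(w in name for w in LEGACY_ENCTYPES):
                        findings.append("realms/%s: %s lists legacy enctype %s"
                                        % (realm, key, name))
    return findings


def audit_files(krb5_conf, kdc_conf):
    """Parse both files, merge them as the KDC programs do, audit the result."""
    return audit(merge_profiles(parse_profile(krb5_conf), parse_profile(kdc_conf)))


# Constructed samples: an AES-only realm (nothing to flag) ...
GOOD_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_realm = false
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
    }
"""
GOOD_KDC_CONF = """
[realms]
    ATHENA.MIT.EDU = {
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
"""
# ... and the mistakes the audit is meant to catch.
BAD_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    dns_lookup_realm = true
"""
BAD_KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = aes256-cts-hmac-sha1-96:normal arcfour-hmac:normal des-cbc-crc:normal
    }
"""
```

audit_files(GOOD_KRB5_CONF, GOOD_KDC_CONF) returns an empty list; the bad pair yields five findings (the two libdefaults settings, the triple-DES master key and the two legacy entries in supported_enctypes). To run it against a real host, read /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf (or the paths set in KRB5_CONFIG and KRB5_KDC_PROFILE) and pass their contents to audit_files.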
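The kadm5.acl evaluation rules described above (first matching line wins, lowercase grants and uppercase denies, wildcards in the principal, *N back-references in the target) are easy to get wrong when writing a policy, so it helps to be able to ask "can this principal do this to that principal?" offline. The following is an added example written for this page, not code from the article or from MIT Kerberos: a small evaluator that parses kadm5.acl text and answers that question for the MIT sample above. Two points are assumptions about kadmind rather than facts taken from the page: a line that names a target is taken to apply only when the request names a target that matches it, and a bare "*" target is taken to constrain nothing; restrictions are parsed and returned, not enforced. Check both against the version you run.

```python
"""Evaluate kadm5.acl rules: first matching line wins, lowercase letters
grant, uppercase letters deny. Added example, not code from the article or
from MIT Kerberos. It follows the documented syntax (wildcards in the
principal, target principals with *N back-references, the x and * shorthands)
and ASSUMES that a line with a target applies only when the request names a
matching target and that a bare '*' target constrains nothing. Restrictions
are parsed and returned, not enforced."""
import re

X_PERMS = set("admcilsp")        # what 'x' and '*' expand to; 'e' is never implied
PERM_LETTERS = set("admcilsepx*")


def compile_pattern(pattern):
    """ACL principal pattern -> regex; each '*' captures text that stays inside
    one principal component (it never crosses '/' or '@')."""
    parts = re.split(r"(\*)", pattern)
    body = "".join(r"([^/@]*)" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


class AclLine:
    def __init__(self, principal, perms, target=None, restrictions=""):
        self.principal = compile_pattern(principal)
        self.target = None if target == "*" else target   # bare '*' constrains nothing
        self.restrictions = restrictions
        self.grant, self.deny = set(), set()
        for ch in perms:
            if ch.lower() not in PERM_LETTERS:
                raise ValueError("unknown permission %r" % ch)
            letters = X_PERMS if ch in "xX*" else {ch.lower()}
            (self.deny if ch.isupper() else self.grant).update(letters)

    def applies(self, caller, target):
        """True if this line governs `caller` acting on `target` (None for
        operations such as list that have no target principal)."""
        m = self.principal.match(caller)
        if m is None:
            return False
        if self.target is None:
            return True
        if target is None:
            return False
        # '*N' refers to the N-th wildcard captured from the caller's name.
        expanded = re.sub(r"\*(\d+)", lambda b: m.group(int(b.group(1))), self.target)
        return compile_pattern(expanded).match(target) is not None


def parse_acl(text):
    """Parse kadm5.acl text; blank lines and anything after '#' are ignored."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)    # principal perms [target [restrictions]]
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        acl.append(AclLine(*fields))
    return acl


def check(acl, caller, op, target=None):
    """Return (allowed, restrictions) from the first line that applies;
    no applicable line means denied."""
    for line in acl:
        if line.applies(caller, target):
            allowed = op in line.grant and op not in line.deny
            return (allowed, line.restrictions if allowed else "")
    return (False, "")


# The sample from the MIT documentation, as quoted in the article.
MIT_SAMPLE = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""

# Constructed to show that line order decides: the deny line comes first, so
# alice/admin cannot delete even though the second line would grant everything.
ORDER_DEMO = """\
alice/admin@EXAMPLE.COM   D
*/admin@EXAMPLE.COM       *
"""
```

With the MIT sample, check(acl, "alice/root@ATHENA.MIT.EDU", "c", "alice@ATHENA.MIT.EDU") is allowed through line 4, the same caller changing bob@ATHENA.MIT.EDU is refused, and neither sms@ATHENA.MIT.EDU nor any */admin principal gets "e", because x and * never include key extraction. Reversing the two lines of ORDER_DEMO flips alice/admin's delete permission from denied to allowed, which is the property to keep in mind when a broad grant sits above a deny line.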
