KDC (Key Distribute Center)是任何采用Kerberos鉴权和/或加密的应用程序所必须的。本文记述在Arch Linux上以MIT Kerberos设置KDC之过程。
安装krb5包
sudo pacman -S krb5编辑/etc/krb5.conf,/var/lib/krb5kdc/kdc.conf及/var/lib/krb5kdc/kadm5.acl(须创建此文件)
# /etc/krb5.conf
[libdefaults]
default_realm = OXLAB.ORG
[realms]
OXLAB.ORG = {
admin_server = kdc.oxlab.org
kdc = kdc.oxlab.org
default_principal_flags = +preauth
}
[domain_realm]
oxlab.org = OXLAB.ORG
.oxlab.org = OXLAB.ORG
.n.oxlab.org = OXLAB.ORG
.r.oxlab.org = OXLAB.ORG
[logging]# /var/lib/krb5kdc/kdc.conf
[kdcdefaults]
kdc_listen = 88
kdc_tcp_listen = 88
[realms]
OXLAB.ORG = {
database_name = /var/lib/krb5kdc/principal
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/.k5.OXLAB.ORG
kdc_listen = 88
kdc_tcp_listen = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}# /var/lib/krb5kdc/kadm5.acl
leo/admin@OXLAB.ORG *创建Kerberos数据库,并设置密钥
sudo kdb5_util -r OXLAB.ORG create -s运转并启用KDC和kadmind
sudo systemctl enable --now krb5-kdc.service krb5-kadmind.service建立Principals,并将KDC的Principal加入/etc/krb5.keytab
sudo kadmin.local
# interactive shell
# user principals
addprinc leo
addprinc jenny
# admin principal
addprinc leo/admin
# KDC host principal
addprinc -randkey host/kdc.oxlab.org
kdadd host/kdc.oxlab.org将/etc/krb5.conf的内容复制到域中其他主机,运转kadmin -p leo/admin并输入上一步所设置之密码,便可通过kadmin远程管理KDC。
后记
本文中包含如下假设:
- 域的名称(realm)是
OXLAB.ORG,所用域名为oxlab.org - KDC的主机名是
kdc.oxlab.org - 管理员用户的Principal是
leo/admin - 用户包含
leo和jenny