Kerberos is a computer network authentication protocol used to authenticate the identities of communicating parties by secure means over a non-secure network. It uses a client/server architecture and supports mutual authentication: both the client and the server can verify the identity of the other side.
KDC: Key Distribution Center
– Each user and service shares a secret key with the KDC
– The KDC generates and distributes session keys
– Communicating parties prove to each other that they
The KDC consists of two parts:
– Authentication Server (AS)
  ● Issues “Ticket-Granting Tickets” (TGT)
– Ticket Granting Server (TGS)
  ● Issues service tickets
Interaction flow diagram:
liudong@n6-131-078:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1098
Default principal: liudong@BYTEDANCE.COM

Valid starting       Expires              Service principal
06/21/2016 11:43:29  06/22/2016 11:43:26  krbtgt/BYTEDANCE.COM@BYTEDANCE.COM  # TGT
06/21/2016 11:43:45  06/22/2016 11:43:26  host/10.6.26.137@                   # host service ticket
06/21/2016 11:43:45  06/22/2016 11:43:26  host/10.6.26.137@BYTEDANCE.COM
Clients (users or services) are identified by “principals”. Principals look like: primary/instance@realm
– Primary: user or service name
– Instance: optional for user principals, but required for service principals
– Realm: the Kerberos realm
Examples:
– User: joe@FOO.COM
– Service: imap/bar.foo.com@FOO.COM
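As an added example (not part of the original notes and not a tool from the MIT Kerberos distribution), the following Python splits principal names into primary/instance/realm as described above and parses klist output like the listing shown earlier, telling the TGT apart from service tickets and checking that no service ticket outlives the TGT it was obtained with. The klist text is a constructed sample built from the entries on this page; the referral entry with an empty realm is kept as its own ticket rather than discarded.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
# Constructed sample modelled on the klist output shown on this page (not a live capture).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1098
Default principal: liudong@BYTEDANCE.COM

Valid starting       Expires              Service principal
06/21/2016 11:43:29  06/22/2016 11:43:26  krbtgt/BYTEDANCE.COM@BYTEDANCE.COM
06/21/2016 11:43:45  06/22/2016 11:43:26  host/10.6.26.137@
06/21/2016 11:43:45  06/22/2016 11:43:26  host/10.6.26.137@BYTEDANCE.COM
"""

@dataclass(frozen=True)
class Principal:
    primary: str             # user or service name
    instance: Optional[str]  # None for user principals such as joe@FOO.COM
    realm: str               # "" for a referral entry whose realm the client has not resolved yet

def parse_principal(text: str) -> Principal:
    """Split primary[/instance]@realm; the last '@' separates the realm."""
    name, _, realm = text.rpartition("@")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)

@dataclass(frozen=True)
class Ticket:
    start: datetime
    expires: datetime
    service: Principal

    def is_tgt(self) -> bool:
        # The TGT is the AS-issued ticket for the krbtgt service of a realm.
        return self.service.primary == "krbtgt"

_TS = "%m/%d/%Y %H:%M:%S"
_T = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
_ROW = re.compile(rf"^({_T})\s+({_T})\s+(\S+)$")  # header lines carry no timestamps and never match

def parse_klist(output: str) -> List[Ticket]:
    rows = [m for m in (_ROW.match(l.strip()) for l in output.splitlines()) if m]
    return [Ticket(datetime.strptime(m[1], _TS), datetime.strptime(m[2], _TS), parse_principal(m[3]))
            for m in rows]

def service_ticket_outlives_tgt(tickets: List[Ticket]) -> bool:
    """The TGS never issues a service ticket that expires after the TGT it was obtained with."""
    tgt_end = max(t.expires for t in tickets if t.is_tgt())
    return any(t.expires > tgt_end for t in tickets if not t.is_tgt())
```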
Preparation:
Configuration files
– /etc/krb5.conf
– /etc/kadm5.acl
Prepare the Kerberos database
– Initialize the Kerberos database
– Add the administrator’s principal
– Start the KDC and KDC administration processes
Configuration file /etc/krb5.conf: you can just copy this from the KDC