This took me 5 hours and countless web pages, so here are a few notes. In a few days I'll look at LDAP as well; then there will be no need to set up user IDs on every machine. :)
Without further ado, the steps are:
A. Install heimdal
B. Install openssh with Kerberos support enabled
C. Install pam_krb5
D. Configuration files
E. Test
[php]
Requirements:
Linux PAM 0.80
OpenSSL 0.9.7g
Cracklib 2.8.3
===================================================
A. Install heimdal
1. I didn't pick MIT's implementation, simply because I came across heimdal first. :) You can try MIT Krb5.
2. Install it the BLFS way. Configuration is easy too: just set up a username. That username must exist on the system (/etc/passwd); its password can be empty. This is required, because the user's uid/gid/home directory/shell and so on cannot be obtained from Kerberos.
3. The /etc/heimdal/krb5.conf file is listed at the end.
4. Once krb5.conf is configured, test kinit and klist. When they succeed, the heimdal installation is done.
Note: the login/su commands I use are the ones provided by shadow + Linux-PAM, not the ones from heimdal.
$ ldd /bin/login (ignore lib64 if your system is 32-bit)
libshadow.so.0 => /lib/libshadow.so.0 (0x00002aaaaabc7000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaaacdd000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaaae11000)
libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00002aaaaaf1a000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaaab01d000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab24b000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
$ ldd /bin/su gives the same result as login.
===================================================
[/php]
B. Install openssh
[php]
1. Install following BLFS. Apply the 2 patches (found online; see attachment).
Add --with-kerberos5 --with-pam to configure.
2. Configuration files:
Add/modify in /etc/ssh/ssh_config:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Protocol 2
Add/modify in /etc/ssh/sshd_config:
UsePrivilegeSeparation yes
UseLogin no
UsePAM yes
UsePAMSetCred yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosGetAFSToken yes
ChallengeResponseAuthentication yes
Protocol 2
[/php]
3. Restart sshd; the OpenSSH configuration is complete.
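One thing worth checking after editing sshd_config: sshd uses the first occurrence of each keyword and silently ignores later duplicates, so settings appended below the stock defaults never take effect. The following Python checker is an added example (not code from the post) that applies that rule to the Kerberos/GSSAPI directives above; the EXPECTED table and the sample config are constructed for the example, and Match blocks are assumed absent.

```python
# Added example, not code from the original post: apply sshd's rule that the
# FIRST occurrence of a keyword wins (later duplicates are silently ignored) and
# report whether the post's Kerberos/GSSAPI directives are actually in effect.
# Assumes no Match blocks. sshd keywords are case-insensitive, hence lower-case.
EXPECTED = {
    "usepam": "yes",
    "gssapiauthentication": "yes",
    "gssapicleanupcredentials": "yes",
    "kerberosauthentication": "yes",
    "kerberosorlocalpasswd": "no",
}

def parse_sshd_config(text):
    """Return {keyword: [(value, line_no), ...]} in file order, comments skipped."""
    seen = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), []).append((value, line_no))
    return seen

def check_kerberos_settings(text):
    """Sorted list of findings; an empty list means the config matches the post."""
    seen, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        occurrences = seen.get(key)
        if not occurrences:
            findings.append(f"{key}: not set, sshd default applies")
            continue
        value, line_no = occurrences[0]            # only the first one counts
        if value != want:
            findings.append(f"{key}: '{value}' (line {line_no}) is in effect, want '{want}'")
        for later_value, later_line in occurrences[1:]:
            if later_value != value:
                findings.append(f"{key}: line {later_line} is shadowed by line {line_no}")
    return sorted(findings)

# Constructed sample: the distribution default is still near the top and the
# post's settings were appended at the bottom, so the GSSAPI line never applies.
SAMPLE_SSHD_CONFIG = """\
#GSSAPIAuthentication no
GSSAPIAuthentication no
UsePAM yes
# --- appended following the post ---
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes
"""
```

Run `check_kerberos_settings(open("/etc/ssh/sshd_config").read())` on a real file; an empty list means the directives from the post are the ones sshd will use.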
==================================================
[php]
C. Install pam_krb5
1. Download the software
http://prdownloads.sourceforge.net/pam-krb5/pam_krb5-1.3-rc7.tar.gz?download
2. Install
./configure --prefix=/usr && make && make install and you're done.
3. Installation complete
==================================================
D. Configuration files.
1. /etc/pam.d/login
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
#auth sufficient pam_unix.so shadow md5 nullok likeauth
auth required pam_krb5.so try_first_pass
account required pam_access.so
account required pam_unix.so
##account sufficient pam_krb5.so use_first_pass
##account required pam_krb5.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
#session required pam_unix.so
session optional pam_krb5.so
##session required pam_krb5.so
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/login
2. /etc/pam.d/sshd
# Begin /etc/pam.d/sshd
auth sufficient pam_krb5.so try_first_pass
account required pam_unix.so
session optional pam_krb5.so
password required pam_permit.so
# End /etc/pam.d/sshd
Tune these two files yourself; I only tested them and haven't had time to fine-tune.
You can use the pam.d files shipped with pam_krb5 as a reference.
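To see what these two stacks actually decide, here is an added Python simulator of Linux-PAM's classic control flags (required / requisite / sufficient / optional); it is not code from the post or from pam_krb5. The auth lines are copied from the two files above, and the per-module outcomes are assumed inputs.

```python
# Added example, not code from the original post: simulate Linux-PAM's
# required / requisite / sufficient / optional semantics over the post's
# /etc/pam.d/sshd and /etc/pam.d/login auth stacks. Assumptions: only those four
# flags (no [value=action] syntax), no substacks, unlisted modules count as failed.

def parse_stack(text, group):
    """Return [(control, module)] for one management group, e.g. 'auth'."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # commented-out lines drop out here
        if len(parts) >= 3 and parts[0] == group:
            stack.append((parts[1], parts[2]))
    return stack

def run_stack(stack, results):
    """True if Linux-PAM would report success for this stack and these results."""
    impression = None                       # None: undecided, False: a required failed
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False                    # stop at once
        if control == "required" and not ok:
            impression = False              # remember, but keep calling the rest
        elif control == "sufficient":
            if ok:
                return impression is not False   # short-circuit unless a required failed
        elif ok and impression is None:     # required/requisite/optional success
            impression = True
    return impression is True               # empty stack or only failures: denied

# The two files from the post (auth lines only, to keep the sample short).
SSHD_PAM = """\
auth sufficient pam_krb5.so try_first_pass
account required pam_unix.so
session optional pam_krb5.so
"""
LOGIN_PAM = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
#auth sufficient pam_unix.so shadow md5 nullok likeauth
auth required pam_krb5.so try_first_pass
"""

def sshd_auth(krb5_ok):
    return run_stack(parse_stack(SSHD_PAM, "auth"), {"pam_krb5.so": krb5_ok})

def login_auth(krb5_ok, securetty_ok=True, nologin_ok=True):
    return run_stack(parse_stack(LOGIN_PAM, "auth"),
                     {"pam_securetty.so": securetty_ok, "pam_nologin.so": nologin_ok,
                      "pam_krb5.so": krb5_ok})
```

With pam_unix commented out, a Kerberos failure denies the login in both stacks: there is no local-password fallback, which is exactly what the KerberosOrLocalPasswd no setting in sshd_config also expresses.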
==================================================
E. Test
If everything is correct, you should now be able to log in.
My system has a user named will; the shadow password can be anything.
After logging in, klist should show one ticket.
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000_AAx1gu
Principal: will@MYFANTASY.ORG
Issued Expires Principal
Oct 10 04:47:23 Oct 10 14:47:23 krbtgt/MYFANTASY.ORG@MYFANTASY.ORG
$ ssh fantasy.myfantasy.org ### this is the ssh server (the local machine was used for the test)
Last login: Mon Oct 10 04:47:23 2005 (login succeeded!!)
(no rsa/des keys and no trust relationship of any kind were set up on the ssh server)
$ klist (check the Kerberos ticket)
Credentials cache: FILE:/tmp/krb5cc_M17563
Principal: will@MYFANTASY.ORG
Issued Expires Principal
Oct 10 04:49:29 Oct 10 14:47:23 krbtgt/MYFANTASY.ORG@MYFANTASY.ORG
============================================================
Appendix:
1. Configuration file: krb5.conf
# Begin /etc/heimdal/krb5.conf
[appdefaults]
  pam = {
    #One day ticket
    ticket_lifetime = 360000
    renew_lifetime = 360000
    forwardable = true
  }
[libdefaults]
  default_realm = MYFANTASY.ORG
  encrypt = true
[realms]
  MYFANTASY.ORG = {
    kdc = fantasy.myfantasy.org
    admin_server = fantasy.myfantasy.org
    kpasswd_server = fantasy.myfantasy.org
  }
[domain_realm]
  .myfantasy.org = MYFANTASY.ORG
[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb.log
# End /etc/heimdal/krb5.conf
2. auth.log log file
Oct 10 03:29:23 fantasy login[17256]: pam_krb5: authentication succeeds for `will'
Oct 10 03:29:23 fantasy login[17256]: pam_krb5: pam_sm_authenticate returning 0 (Success) (first login succeeded)
---------------------------------------------------------------------------------------------
Oct 10 03:29:30 fantasy sshd[17283]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Oct 10 03:29:30 fantasy sshd[17060]: debug1: Forked child 17283.
Oct 10 03:29:30 fantasy sshd[17283]: debug1: inetd sockets after dupping: 3, 3
Oct 10 03:29:30 fantasy sshd[17283]: Connection from 192.168.0.1 port 57367
Oct 10 03:29:30 fantasy sshd[17283]: debug1: Client protocol version 2.0; client software version OpenSSH_4.2
Oct 10 03:29:30 fantasy sshd[17283]: debug1: match: OpenSSH_4.2 pat OpenSSH*
Oct 10 03:29:30 fantasy sshd[17283]: debug1: Enabling compatibility mode for protocol 2.0
Oct 10 03:29:30 fantasy sshd[17283]: debug1: Local version string SSH-2.0-OpenSSH_4.2
Oct 10 03:29:30 fantasy sshd[17283]: debug1: PAM: initializing for "will"
Oct 10 03:29:30 fantasy sshd[17283]: debug1: PAM: setting PAM_RHOST to "fantasy.myfantasy.org"
Oct 10 03:29:30 fantasy sshd[17283]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 10 03:29:30 fantasy sshd[17283]: Failed none for will from 192.168.0.1 port 57367 ssh2 (there is a wait of a bit over 10 seconds here, not sure why)
Oct 10 03:29:50 fantasy sshd[17283]: debug1: Received some client credentials
Oct 10 03:29:50 fantasy sshd[17283]: Authorized to will, krb5 principal will@MYFANTASY.ORG (krb5_kuserok)
Oct 10 03:29:50 fantasy sshd[17283]: debug1: do_pam_account: called
Oct 10 03:29:50 fantasy sshd[17283]: Accepted gssapi-with-mic for will from 192.168.0.1 port 57367 ssh2
Oct 10 03:29:50 fantasy sshd[17283]: debug1: monitor_child_preauth: will has been authenticated by privileged process
Oct 10 03:29:50 fantasy sshd[17288]: debug1: temporarily_use_uid: 1000/100 (e=0/100)
Oct 10 03:29:50 fantasy sshd[17288]: debug1: restore_uid: 0/100
Oct 10 03:29:50 fantasy sshd[17288]: debug1: PAM: reinitializing credentials
Oct 10 03:29:50 fantasy sshd[17288]: debug1: permanently_set_uid: 1000/100
Oct 10 03:29:50 fantasy sshd[17288]: debug1: Entering interactive session for SSH2.
Oct 10 03:29:50 fantasy sshd[17288]: debug1: server_init_dispatch_20
Oct 10 03:29:50 fantasy sshd[17288]: debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
Oct 10 03:29:50 fantasy sshd[17288]: debug1: input_session_request
Oct 10 03:29:50 fantasy sshd[17288]: debug1: channel 0: new [server-session]
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_new: init
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_new: session 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_open: channel 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_open: session 0: link with channel 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: server_input_channel_open: confirm session
Oct 10 03:29:50 fantasy sshd[17288]: debug1: server_input_channel_req: channel 0 request pty-req reply 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_by_channel: session 0 channel 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_input_channel_req: session 0 req pty-req
Oct 10 03:29:50 fantasy sshd[17288]: debug1: Allocating pty.
Oct 10 03:29:50 fantasy sshd[17283]: debug1: session_new: init
Oct 10 03:29:50 fantasy sshd[17283]: debug1: session_new: session 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_pty_req: session 0 alloc /dev/pts/1
Oct 10 03:29:50 fantasy sshd[17288]: debug1: server_input_channel_req: channel 0 request shell reply 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_by_channel: session 0 channel 0
Oct 10 03:29:50 fantasy sshd[17288]: debug1: session_input_channel_req: session 0 req shell
Oct 10 03:29:50 fantasy sshd[17288]: debug1: PAM: setting PAM_TTY to "/dev/pts/1"
Oct 10 03:29:50 fantasy sshd[17289]: debug1: Setting controlling tty using TIOCSCTTY.
Oct 10 03:29:50 fantasy sshd[17289]: debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_Y17288
Oct 10 03:29:50 fantasy sshd[17289]: debug1: Reexecuting do_pam_session() (logged in successfully!)
==============================
Original by 黯然销魂; please credit LFS/Linuxsir.org when reposting.
[/php]