SAS-Kerberos-Login-Grant
SpringBoot集成文档
- Spring Security Kerberos Github
- Spring Security Kerberos Samples Github
- StackOverflow: spring-security-kerberos
kerberos认证
- Kerberos 官网
- Kerberos 官方文档
- Kerberos Bug排查
- Oracle Kerberos 错误消息和故障排除
- Oracle 手册页部分 1: 用户命令
- Kerberos认证协议介绍
kerberos认证 Demo
一、前言
二、分析
三、准备
1. 域名准备
| 模块 | 域名 | IP地址 | 备注 |
|---|---|---|---|
| KDC | ks.light.local | 192.168.137.101 | CentOS虚拟机 |
| Service | kc.light.local | 192.168.137.102 | CentOS虚拟机 |
| Client | - | 192.168.137.1 | Win物理机 |
需要将此Hosts配置到KDC和Service服务上
cat >> /etc/hosts << 'EOF'
192.168.137.101 ks.light.local
192.168.137.102 kc.light.local
EOF
物理��机作为测试的客户端,需要将KDC和Serivce的域名添加到Hosts中
192.168.137.101 ks.light.local
192.168.137.102 kc.light.local
2. 安装Apache Directory Server
- 安装 JDK 下载地址
cat >> /etc/profile << 'EOF'
# Java Enviroment
JAVA_HOME=/usr/local/java/java-se-8u43-ri
# JAVA_HOME=/usr/local/java/jdk-17.0.2
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$CLASSPATH
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME CLASSPATH PATH
EOF
# 刷新配置
source /etc/profile
# 查看Java版本
java -version
- 安装 ApacheDS 下载地址
# 解压
tar -zxvf apacheds-2.0.0.AM26.tar.gz -C /usr/local/
# 重命名解压文件夹
mv /usr/local/apacheds-2.0.0.AM26 /usr/local/apacheds
# 启动
/usr/local/apacheds/bin/apacheds.sh start
# 查看进程
ps -ef | grep java | grep apacheds
# 查看日志
tail -f /usr/local/apacheds/instances/default/log/apacheds.log
- 关闭防火墙
systemctl stop firewalld
systemctl status firewalld
systemctl disable firewalld
3. ApacheDS基础配置
-
连接ApacheDS
- host:
ks.light.local - port:
10389 - user:
uid=admin,ou=system - password:
secret
- 新建 Partition
- ID :
light - Suffix:
dc=light,dc=local
-
dc=light,dc=local下新建Entryou=Group- 添加class
organizationalUnit
- 添加class
-
ou=schema下修改cn=nis的m-disabled属性值为FALSE -
ou=Group下新建Entrycn=test- 添加class
posixGroup
- 添加class
-
导入测试用户
test.ldif,导入后双击userPassword属性设置密码
dn: uid=test,ou=Group,dc=light,dc=local
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 0
homeDirectory: /home/test
4. Kerberos Server
-
右键点击
ApacheDS 连接,选择Open Configuration,选择Kerberos Server页签 -
LDAP Server配置,主要是
SASL Setting,Kerberos登录时需要使用LDAP查询用户信息
- SASL Host:
ks.light.local - SASL Principal:
ldap/ks.light.local@LIGHT.LOCAL - Search Base DN:
ou=Users,dc=light,dc=local - SASL Realm:
LIGHT.LOCAL
- Kerberos Server配置,配置完成后重启 ApacheDS
- Enable Kerberos Server: √
- Port: 60088
- Address:
ks.light.local - Enable Kerberos Change Password Server: √
- Port: 60464
- Address:
ks.light.local - Primary KDC Realm:
LIGHT.LOCAL - Search Base DN:
ou=Users,dc=light,dc=local
- 安装客户端
# 安装kerberos 客户端
yum -y install krb5-workstation krb5-libs krb5-auth-dialog
# 修改配置文件
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_realm = LIGHT.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
LIGHT.LOCAL = {
kdc = ks.light.local:60088
admin_server = ks.light.local:60464
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.light.local = LIGHT.LOCAL
light.local = LIGHT.LOCAL
- 导入
kdc-data.ldif到ldap
dn: dc=light,dc=local
objectClass: dcObject
objectClass: organization
objectClass: top
dc: light
o: light.local
dn: ou=Users,dc=light,dc=local
objectClass: organizationalUnit
objectClass: top
ou: Users
dn: uid=hnelson,ou=Users,dc=light,dc=local
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@LIGHT.LOCAL
krb5KeyVersionNumber: 0
dn: uid=krbtgt,ou=Users,dc=light,dc=local
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/LIGHT.LOCAL@LIGHT.LOCAL
krb5KeyVersionNumber: 0
dn: uid=ldap,ou=Users,dc=light,dc=local
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/ks.light.local@LIGHT.LOCAL
krb5KeyVersionNumber: 0
- 初始化Ticket
# 初始化ticket
# 输入密码 文件中指定的是secret
[root@ks ~]# kinit hnelson
Password for hnelson@LIGHT.LOCAL:
# 查看ticket
[root@ks ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@LIGHT.LOCAL
Valid starting Expires Service principal
2024-03-31T16:26:13 2024-04-01T16:26:06 krbtgt/LIGHT.LOCAL@LIGHT.LOCAL
renew until 2024-04-07T16:26:06
- 使用 ktutil 导出 keytab 文件
[root@ks ~]# ktutil
ktutil: add_entry -password -p hnelson@LIGHT.LOCAL -k 1 -e aes128-cts-hmac-sha1-96
Password for hnelson@LIGHT.LOCAL:
ktutil: wkt /usr/local/apacheds/keytab/hnelson.keytab
ktutil: quit
add_entry 为每一种加密方式添加keytab ,然后用 wkt 将keytab写入到文件。参考IBM Knowledge Center
- 验证keytab文件,如下keytab 文件也能成功验证。
[root@ks ~]# kinit -kt /usr/local/apacheds/keytab/hnelson.keytab hnelson
[root@ks ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@LIGHT.LOCAL
Valid starting Expires Service principal
2024-03-31T16:28:49 2024-04-01T16:28:48 krbtgt/LIGHT.LOCAL@LIGHT.LOCAL
renew until 2024-04-07T16:28:48
5. Service 服务器配置
- 安装客户端
# 安装kerberos 客户端
yum -y install krb5-workstation krb5-libs krb5-auth-dialog
mkdir -p /usr/local/apacheds/keytab/
# 修改配置文件
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_realm = LIGHT.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
LIGHT.LOCAL = {
kdc = ks.light.local:60088
admin_server = ks.light.local:60464
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.light.local = LIGHT.LOCAL
light.local = LIGHT.LOCAL
- 将kerberos server服务器将 keytab 文件复制到 service 服务器
# 在kerberos server服务器执行
scp /usr/local/apacheds/keytab/hnelson.keytab root@192.168.137.102:/usr/local/apacheds/keytab/
# 如果执行了此步骤 下面的 3 4 可以跳过
- 初始化Ticket
# 初始化ticket
# 输入密码 文件中指定的是secret
[root@ks ~]# kinit hnelson
Password for hnelson@LIGHT.LOCAL:
# 查看ticket
[root@ks ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@LIGHT.LOCAL
Valid starting Expires Service principal
2024-03-31T16:26:13 2024-04-01T16:26:06 krbtgt/LIGHT.LOCAL@LIGHT.LOCAL
renew until 2024-04-07T16:26:06
- 使用 ktutil 导出 keytab 文件
[root@ks ~]# ktutil
ktutil: add_entry -password -p hnelson@LIGHT.LOCAL -k 1 -e aes128-cts-hmac-sha1-96
Password for hnelson@LIGHT.LOCAL:
ktutil: wkt /usr/local/apacheds/keytab/hnelson.keytab
ktutil: quit
add_entry 为每一种加密方式添加keytab ,然后用 wkt 将keytab写入到文件。参考IBM Knowledge Center
- 验证keytab文件,如下keytab 文件也能成功验证。
[root@kc ~]# kinit -kt /usr/local/apacheds/keytab/hnelson.keytab hnelson
[root@kc ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@LIGHT.LOCAL
Valid starting Expires Service principal
2024-03-31T16:40:39 2024-04-01T16:40:39 krbtgt/LIGHT.LOCAL@LIGHT.LOCAL
renew until 2024-04-07T16:40:39
6. Kerberos登录ApacheDS
- Kerberos 连接 ApacheDS
- host:
ks.light.local - port:
10389 - user:
uid=admin,ou=system - password:
secret - Authentication Method:
GSSAPI(Kerberos) - Bind DN or User:
hnelson - Bind Password:
secret - Kerberos Settings
- Obtain TGT from KDC(provide username and password): √
- Use following configuration: √
- Kerberos Realm:
LIGHT.LOCAL - KDC Host:
ks.light.local - KDC Port:
60088
- Kerberos Realm:
如果登录失败,可以查看ApacheDS的日志
tail -f /usr/local/apacheds/instances/default/log/apacheds.log
7. 添加SPN (Service Principal Name)
# 添加SPN 导出keytab
[root@ks ~]# ktutil
ktutil: add_entry -password -p HTTP/kc.light.local@LIGHT.LOCAL -k 1 -e aes256-cts-hmac-sha1-96
Password for HTTP/kc.light.local@LIGHT.LOCAL:
ktutil: wkt /usr/local/apacheds/keytab/spn.keytab
ktutil: exit
# 发送到 service 服务器
scp /usr/local/apacheds/keytab/spn.keytab root@192.168.137.102:/usr/local/apacheds/keytab/
# 验证
kinit -kt /usr/local/apacheds/keytab/spn.keytab kc.light.local