How to Install krb5-kdc on Ubuntu (Kerberos)
Overview
Hadoop clusters store large amounts of data, so Kerberos should be enabled to protect access to it. This post walks through building the KDC server that a Kerberos deployment needs. For more details, refer to the ubuntu-MIT-kerberos-setting documentation.
- Installing krb5-kdc and krb5-admin-server
- Running kadmin.local
- Registering KDC Admin ACL
- kinit Test
- Reference
Installing krb5-kdc and krb5-admin-server
Install krb5-kdc and krb5-admin-server using the apt command.
sudo apt install krb5-kdc krb5-admin-server
During installation, a screen will appear asking you to enter a realm as shown below. Enter your desired realm at this point. I set it to UBUNTU.YJ.COM.

A screen will appear asking you to enter the hostname where the Kerberos server will be installed. Enter the server's hostname as shown below.

Next, enter the hostname for the admin server. In my case, since I am installing the admin server on the same server as the Kerberos server, I entered the same hostname.

Once the installation is complete, create the database using the krb5_newrealm command. During this process, you will set the database master password.
root@ubuntu01:~# sudo krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'UBUNTU.YJ.COM',
master key name 'K/M@UBUNTU.YJ.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
Running kadmin.local
Running kadmin.local launches a program for managing the principals that belong to this KDC's realm. Running listprincs lists the currently registered principals.
root@ubuntu01:~# kadmin.local
Authenticating as principal youngjukim/admin@UBUNTU.YJ.COM with password.
kadmin.local: listprincs
K/M@UBUNTU.YJ.COM
kadmin/admin@UBUNTU.YJ.COM
kadmin/changepw@UBUNTU.YJ.COM
krbtgt/UBUNTU.YJ.COM@UBUNTU.YJ.COM
Commands available in kadmin.local
kadmin.local: ?
Available kadmin.local requests:
add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
rename_principal, renprinc
Rename principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs
List principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols
List policies
get_privs, getprivs Get privileges
ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab
lock Lock database exclusively (use with extreme caution!)
unlock Release exclusive database lock
purgekeys Purge previously retained old keys from a principal
get_strings, getstrs Show string attributes on a principal
set_string, setstr Set a string attribute on a principal
del_string, delstr Delete a string attribute on a principal
list_requests, lr, ? List available requests.
Registering KDC Admin ACL
To grant admin rights to principals other than youngjukim/admin, uncomment the */admin * line in /etc/krb5kdc/kadm5.acl as shown below. After krb5-admin-server is restarted, every principal whose name ends in /admin has full administrative rights.
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
Restart krb5-admin-server to apply the admin ACL.
root@ubuntu01:~# service krb5-admin-server status
● krb5-admin-server.service - Kerberos 5 Admin Server
Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-11-20 16:00:19 UTC; 11min ago
root@ubuntu01:~# service krb5-admin-server restart
You can change the KDC server's ports, ticket lifetimes, log location, database location, encryption types, and more in the KDC configuration file (/etc/krb5kdc/kdc.conf on Ubuntu), shown below. Note that the master_key_type = des3-hmac-sha1 value in this file is deprecated in MIT Kerberos; for a new realm, set an AES enctype such as aes256-cts before running krb5_newrealm.
[kdcdefaults]
kdc_ports = 750,88
[realms]
UBUNTU.YJ.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
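As an added example (not code from the original post), a small audit script that reads the settings above from a constructed copy of this kdc.conf and flags the deprecated des3 master key type, the legacy port 750, a missing +preauth, and an over-long max_life; the function names and the temporary-file handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: read the settings the post's
# kdc.conf exposes and flag the ones to revisit before the realm goes live.
# The sample below is a constructed copy of the post's file.

# kdc_get KEY FILE: value of the last uncommented "KEY = value" line; the
# realm-level kdc_ports comes after the [kdcdefaults] one, so it wins.
kdc_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# audit_kdc_conf FILE: print one finding per line; return 1 if any were found.
audit_kdc_conf() {
  n=0
  mkt=$(kdc_get master_key_type "$1")
  case $mkt in *des*|*rc4*|*arcfour*)   # des3/rc4 are deprecated in MIT krb5 since 1.19
    echo "master_key_type=$mkt is deprecated; use aes256-cts before krb5_newrealm"
    n=$((n + 1)) ;;
  esac
  case $(kdc_get supported_enctypes "$1") in *des*|*rc4*|*arcfour*)
    echo "supported_enctypes lists a deprecated enctype"; n=$((n + 1)) ;;
  esac
  case ",$(kdc_get kdc_ports "$1")," in *,750,*)   # 750 is the legacy Kerberos 4 port
    echo "kdc_ports includes legacy port 750; v5 clients only need 88"; n=$((n + 1)) ;;
  esac
  # without +preauth the KDC answers unauthenticated AS-REQs with material
  # encrypted under the user's long-term key, which allows offline password guessing
  case $(kdc_get default_principal_flags "$1") in *+preauth*) ;;
    *) echo "default_principal_flags lacks +preauth"; n=$((n + 1)) ;;
  esac
  hours=$(kdc_get max_life "$1" | sed -n 's/^\([0-9]*\)h.*/\1/p')   # parses the "Nh ..." form only
  if [ "${hours:-0}" -gt 24 ]; then
    echo "max_life ${hours}h exceeds 24h"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# make_sample_conf: write a constructed copy of the post's kdc.conf; print its path.
make_sample_conf() {
  f=$(mktemp) && cat >"$f" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    UBUNTU.YJ.COM = {
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
EOF
  echo "$f"
}

conf=$(make_sample_conf)
audit_kdc_conf "$conf" || echo "review the findings above"
rm -f "$conf"
```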
kinit Test
For a client to access the KDC and obtain a ticket, the following must be done first. For more details, refer to [krb5-client](https://plugins.miniorange.com/steps-to-setup-kerberos-on-ubuntu-rhel-centos).
- The principal that wants to access the KDC must be added to the database on the KDC server side.
- The client must have the library installed for KDC access. (krb5-user or krb5-workstation)
- The client runs kinit <principal>. For this, the client must either hold a keytab for that principal or know its password.
1. Creating a principal in kadmin.local (password method)
root@ubuntu01:~# kadmin.local
Authenticating as principal youngjukim/admin@UBUNTU.YJ.COM with password.
kadmin.local: addprinc test-user
No policy specified for test-user@UBUNTU.YJ.COM; defaulting to no policy
Enter password for principal "test-user@UBUNTU.YJ.COM":
Re-enter password for principal "test-user@UBUNTU.YJ.COM":
Principal "test-user@UBUNTU.YJ.COM" created.
2. Installing the library for KDC access on the client + Modifying /etc/krb5.conf
Enter the command sudo apt install krb5-user to proceed with the installation.
root@ubuntu02:~# cat /etc/krb5.conf
[libdefaults]
default_realm = UBUNTU.YJ.COM
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
UBUNTU.YJ.COM = {
kdc = ubuntu01
admin_server = ubuntu01
}
[domain_realm]
3. Performing kinit principal
Run kinit <principal>. If you have a keytab for the principal, pass its path with the -kt option. Running klist shows the details of the issued Kerberos ticket.
root@ubuntu02:~# kinit -V test-user
Using default cache: /tmp/krb5cc_0
Using principal: test-user@UBUNTU.YJ.COM
Password for test-user@UBUNTU.YJ.COM:
Authenticated to Kerberos v5
root@ubuntu02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test-user@UBUNTU.YJ.COM
Valid starting Expires Service principal
11/20/2022 16:34:17 11/21/2022 02:34:17 krbtgt/UBUNTU.YJ.COM@UBUNTU.YJ.COM
renew until 11/21/2022 16:33:33
Reference
- [https://ubuntu.com/server/docs/service-kerberos](https://ubuntu.com/server/docs/service-kerberos)
- [https://web.mit.edu/kerberos/](https://web.mit.edu/kerberos/)
- [https://web.mit.edu/kerberos/krb5-latest/doc/](https://web.mit.edu/kerberos/krb5-latest/doc/)
Quiz
Q1: What is the main topic covered in "How to Install krb5-kdc on Ubuntu (Kerberos)"?
Learn how to install krb5-kdc on Ubuntu
Q2: What are the key steps for Installing krb5-kdc and krb5-admin-server?
Install krb5-kdc and krb5-admin-server using the apt command. During installation, a screen will appear asking you to enter a realm as shown below. Enter your desired realm at this point. I set it to UBUNTU.YJ.COM.
Q3: Explain the core concept of Running kadmin.local.
Running the kadmin.local command launches a program that can manage principals belonging to the realm and KDC. Running listprincs shows the currently registered principals.
Q4: What are the key aspects of Registering KDC Admin ACL?
If you want to register admin principals other than the youngjukim/admin principal, uncomment the */admin * section as shown below. After restarting krb5-admin-server, any principal created with */admin will be configured to have admin privileges.
Q5: How does kinit Test work?
For a client to access the KDC and obtain a ticket, the following must be done first. For more details, refer to [krb5-client](https://plugins.miniorange.com/steps-to-setup-kerberos-on-ubuntu-rhel-centos).