kerberos pitching Guide

Keywords: SHA1 Database Programming network

Change from: https://www.jianshu.com/p/fc2d2dbd510b

Principle introduction

kerberos is mainly used for identity authentication in network communication, and its main feature is "complexity". So it's best to familiarize yourself with the principles of kerberos before entering the pit. Here we recommend some articles written by others for simple summary:

  1. link
    kerberos authentication principle
    Using conversation scenario to explain the design process of kerbers

  2. Diagram

     

    kerberos authentication flow chart

Supplement of several concepts

  1. principal
    The subject of authentication is simply "user name"

  2. realm
    Realm is a bit like namespace in programming language. In programming languages, variable names only make sense in a "namespace.". Similarly, a principle only makes sense under a certain realm.
    So realm can be regarded as a "container" or "space" of principle. Correspondingly, the principle is named "what? Name? You? Like @ realm".
    In kerberos, we all agree to use uppercase to name realm, such as "EXAMPLE.COM"

  3. password
    The password of a user, corresponding to the master key in kerberos. Password can exist in a keytab file. Therefore, a keytab can be used as input for all scenarios requiring password in kerberos.

  4. credential
    A credential is a credential that "proves that a person is certain that he / she is himself / herself / that an action can indeed happen.". In different use scenarios, the specific meaning of credential is slightly different:

    • For a principal individual, his credential is his password.
    • In the process of kerberos authentication, credential means all kinds of ticket s.

Build a KDC environment

The best way to understand Kerberos is to build a KDC server by yourself. At the same time, it is also very helpful for testing in the development process.

Here, take ubuntu 16.04 as an example to build a kdc server

Installation and downloading

apt-get install krb5-admin-server krb5-kdc krb5-user krb5-config

The functions of these software packages are as follows:

  • Krb5 admin server: kdc Administrator program, which allows users to remotely manage kdc databases.
  • Krb5 kdc: kdc main program
  • Krb5 user: some client commands of Kerberos, used to get, view, destroy ticket s, etc.

To configure

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 400
 renew_lifetime = 600
 forwardable = true
 udp_preference_limit = 1

[realms]
 EXAMPLE.COM = {
   kdc = 127.0.0.1:88
   admin_server = 127.0.0.1
 }

This is used to configure kdc, kerberos client, and call kerberos api.
Several important configuration items include:

  • ticket ﹣ lifetime and renew ﹣ lifetime: Specifies the expiration time of kdc authorized tickets and the time allowed to update existing tickets.
  • section of realms: Specifies the path of kdc and admin server

/etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /etc/krb5kdc/example/principal
        admin_keytab = FILE:/etc/krb5kdc/example/kadm5.keytab
        acl_file = /etc/krb5kdc/example/kadm5.acl
        key_stash_file = /etc/krb5kdc/example/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

This is the exclusive configuration of KDC. You can modify the storage directory of KDC database according to your own needs. I put them all in the directory of / etc/krb5kdc/example. For this directory, I need to build it in advance.

Create database and principal

  1. Use kdb5 util to create a database to store principal related information
kdb5_util create -r EXAMPLE.COM -s
  1. Using kadmin.local to add principal
root@weijiesun-kubuntu:/etc/krb5kdc# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  add_principal test-server/myhost@EXAMPLE.COM
WARNING: no policy specified for test-server/myhost@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test-server/myhost@EXAMPLE.COM":
Re-enter password for principal "test-server/myhost@EXAMPLE.COM":
Principal "test-server/myhost@EXAMPLE.COM" created.
kadmin.local:  add_principal test-client/myhost@EXAMPLE.COM
WARNING: no policy specified for test-client/myhost@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test-client/myhost@EXAMPLE.COM":
Re-enter password for principal "test-client/myhost@EXAMPLE.COM":
Principal "test-client/myhost@EXAMPLE.COM" created.
kadmin.local:  ktadd -k /etc/krb5.keytab test-server/myhost@EXAMPLE.COM
Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  ktadd -k /etc/krb5.keytab test-client/myhost@EXAMPLE.COM
Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  q
root@weijiesun-kubuntu:/etc/krb5kdc#

Here, we create two new users: test server/ myhost@EXAMPLE.COM And test client/ myhost@EXAMPLE.COM . And put their key in the KeyTab file / etc/krb5.keytab.

  1. Start kdc
root@weijiesun-kubuntu:/etc/krb5kdc# service krb5-kdc start
 * Starting Kerberos KDC krb5kdc                                                                                                                                                       [ OK ]
root@weijiesun-kubuntu:/etc/krb5kdc# service krb5-admin-server start
 * Starting Kerberos administrative servers kadmind                                                                                                                                    [ OK ]

Of course, for different distributions, this step may execute different commands.

  1. Using kinit to verify whether KDC is started successfully
kinit -k -t /etc/krb5.keytab test-client/myhost@EXAMPLE.COM

kinit corresponds to the step of getting TGT from kdc. It sends the request to the kdc server specified in / etc/krb5.conf.
If the TGT request succeeds, you can see it in klist.

weijiesun@weijiesun-kubuntu ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: test-client/myhost@EXAMPLE.COM

Valid starting       Expires              Service principal
2018-08-17T13:50:25  2018-08-17T13:57:05  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 2018-08-17T14:00:25

Embed the kerberos authentication process into the project

When using kerberos for authentication, we usually don't use the kerberos interface directly. Instead, more general standard interfaces such as GSSAPI or SASL will be used. This is done because:

  • kerberos interface is more trivial
  • SASL and GSSAPI are both IETF standards, and they have made a more macro abstraction on the behavior of identity authentication. Thus, different authentication schemes can be flexibly accessed.

GSSAPI

GSSAPI's process is basically similar to that of kerberos. In practical applications, you can basically assume that GSSAPI is kerberos itself. In our most commonly used kerberos implementation MIT kerberos GSSAPI interface is also a built-in item.

Compare and recommend a gssapi sample provided by MIT official, which is a very good example of learning kerberos complete authentication process. There are also detailed documents to teach you how to use:

The built-in GSS sample of MIT kerberos project can also be used to learn kerberos authentication process:

SASL

SASL It is a more general identity authentication interface, which can be compatible with many mainstream authentication schemes in design. Many projects also use SASL interface and process when they do identity authentication.

SASL itself has many realizations. I'm making millet Pegasus In the project, the cyrus-sasl.

It is not easy to integrate sasl into the project and use gssapi as the authentication scheme. Here are some key points:

  • In terms of design, SASL is an interface between client and server for authentication. SASL does not reserve an interface for getting TGT from KDC. In fact, when SASL performs the first step of authentication, it assumes that the user has obtained the TGT. So we need to implement our own code to get TGT, which is the process of kinit.
  • SASL user name and kerberos principal naming style are not exactly the same. In the kerberos standard, the principle is named name1 / Name2 / name3 /... / name @ realm; in SASL, the user name is named username/FQDN. Therefore, when using SASL, it is necessary to pass the username and FQDN to the authentication interface of SASL separately, so as to construct the principle of kerberos.
  • Study Cyrus SASL carefully Authentication example , and refer to this article File

 

 

Published 4 original articles, won praise 1, and visited 493
Private letter follow

Posted by teguh123 on Thu, 16 Jan 2020 06:33:13 -0800

Hot Keywords

©2024 Programmer Group