Change from: https://www.jianshu.com/p/fc2d2dbd510b
Principle introduction
kerberos is mainly used for identity authentication in network communication, and its main feature is "complexity". So it's best to familiarize yourself with the principles of kerberos before entering the pit. Here we recommend some articles written by others for simple summary:
-
link
kerberos authentication principle
Using conversation scenario to explain the design process of kerbers -
Diagram
kerberos authentication flow chart
Supplement of several concepts
-
principal
The subject of authentication is simply "user name" -
realm
Realm is a bit like namespace in programming language. In programming languages, variable names only make sense in a "namespace.". Similarly, a principle only makes sense under a certain realm.
So realm can be regarded as a "container" or "space" of principle. Correspondingly, the principle is named "what? Name? You? Like @ realm".
In kerberos, we all agree to use uppercase to name realm, such as "EXAMPLE.COM" -
password
The password of a user, corresponding to the master key in kerberos. Password can exist in a keytab file. Therefore, a keytab can be used as input for all scenarios requiring password in kerberos. -
credential
A credential is a credential that "proves that a person is certain that he / she is himself / herself / that an action can indeed happen.". In different use scenarios, the specific meaning of credential is slightly different:- For a principal individual, his credential is his password.
- In the process of kerberos authentication, credential means all kinds of ticket s.
Build a KDC environment
The best way to understand Kerberos is to build a KDC server by yourself. At the same time, it is also very helpful for testing in the development process.
Here, take ubuntu 16.04 as an example to build a kdc server
Installation and downloading
apt-get install krb5-admin-server krb5-kdc krb5-user krb5-config
The functions of these software packages are as follows:
- Krb5 admin server: kdc Administrator program, which allows users to remotely manage kdc databases.
- Krb5 kdc: kdc main program
- Krb5 user: some client commands of Kerberos, used to get, view, destroy ticket s, etc.
To configure
/etc/krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 400 renew_lifetime = 600 forwardable = true udp_preference_limit = 1 [realms] EXAMPLE.COM = { kdc = 127.0.0.1:88 admin_server = 127.0.0.1 }
This is used to configure kdc, kerberos client, and call kerberos api.
Several important configuration items include:
- ticket ﹣ lifetime and renew ﹣ lifetime: Specifies the expiration time of kdc authorized tickets and the time allowed to update existing tickets.
- section of realms: Specifies the path of kdc and admin server
/etc/krb5kdc/kdc.conf
[kdcdefaults] kdc_ports = 750,88 [realms] EXAMPLE.COM = { database_name = /etc/krb5kdc/example/principal admin_keytab = FILE:/etc/krb5kdc/example/kadm5.keytab acl_file = /etc/krb5kdc/example/kadm5.acl key_stash_file = /etc/krb5kdc/example/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 default_principal_flags = +preauth }
This is the exclusive configuration of KDC. You can modify the storage directory of KDC database according to your own needs. I put them all in the directory of / etc/krb5kdc/example. For this directory, I need to build it in advance.
Create database and principal
- Use kdb5 util to create a database to store principal related information
kdb5_util create -r EXAMPLE.COM -s
- Using kadmin.local to add principal
root@weijiesun-kubuntu:/etc/krb5kdc# kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: add_principal test-server/myhost@EXAMPLE.COM WARNING: no policy specified for test-server/myhost@EXAMPLE.COM; defaulting to no policy Enter password for principal "test-server/myhost@EXAMPLE.COM": Re-enter password for principal "test-server/myhost@EXAMPLE.COM": Principal "test-server/myhost@EXAMPLE.COM" created. kadmin.local: add_principal test-client/myhost@EXAMPLE.COM WARNING: no policy specified for test-client/myhost@EXAMPLE.COM; defaulting to no policy Enter password for principal "test-client/myhost@EXAMPLE.COM": Re-enter password for principal "test-client/myhost@EXAMPLE.COM": Principal "test-client/myhost@EXAMPLE.COM" created. kadmin.local: ktadd -k /etc/krb5.keytab test-server/myhost@EXAMPLE.COM Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-server/myhost@EXAMPLE.COM with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab. kadmin.local: ktadd -k /etc/krb5.keytab test-client/myhost@EXAMPLE.COM Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal test-client/myhost@EXAMPLE.COM with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab. kadmin.local: q root@weijiesun-kubuntu:/etc/krb5kdc#
Here, we create two new users: test server/ myhost@EXAMPLE.COM And test client/ myhost@EXAMPLE.COM . And put their key in the KeyTab file / etc/krb5.keytab.
- Start kdc
root@weijiesun-kubuntu:/etc/krb5kdc# service krb5-kdc start * Starting Kerberos KDC krb5kdc [ OK ] root@weijiesun-kubuntu:/etc/krb5kdc# service krb5-admin-server start * Starting Kerberos administrative servers kadmind [ OK ]
Of course, for different distributions, this step may execute different commands.
- Using kinit to verify whether KDC is started successfully
kinit -k -t /etc/krb5.keytab test-client/myhost@EXAMPLE.COM
kinit corresponds to the step of getting TGT from kdc. It sends the request to the kdc server specified in / etc/krb5.conf.
If the TGT request succeeds, you can see it in klist.
weijiesun@weijiesun-kubuntu ~ $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: test-client/myhost@EXAMPLE.COM Valid starting Expires Service principal 2018-08-17T13:50:25 2018-08-17T13:57:05 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 2018-08-17T14:00:25
Embed the kerberos authentication process into the project
When using kerberos for authentication, we usually don't use the kerberos interface directly. Instead, more general standard interfaces such as GSSAPI or SASL will be used. This is done because:
- kerberos interface is more trivial
- SASL and GSSAPI are both IETF standards, and they have made a more macro abstraction on the behavior of identity authentication. Thus, different authentication schemes can be flexibly accessed.
GSSAPI
GSSAPI's process is basically similar to that of kerberos. In practical applications, you can basically assume that GSSAPI is kerberos itself. In our most commonly used kerberos implementation MIT kerberos GSSAPI interface is also a built-in item.
Compare and recommend a gssapi sample provided by MIT official, which is a very good example of learning kerberos complete authentication process. There are also detailed documents to teach you how to use:
The built-in GSS sample of MIT kerberos project can also be used to learn kerberos authentication process:
SASL
SASL It is a more general identity authentication interface, which can be compatible with many mainstream authentication schemes in design. Many projects also use SASL interface and process when they do identity authentication.
SASL itself has many realizations. I'm making millet Pegasus In the project, the cyrus-sasl.
It is not easy to integrate sasl into the project and use gssapi as the authentication scheme. Here are some key points:
- In terms of design, SASL is an interface between client and server for authentication. SASL does not reserve an interface for getting TGT from KDC. In fact, when SASL performs the first step of authentication, it assumes that the user has obtained the TGT. So we need to implement our own code to get TGT, which is the process of kinit.
- SASL user name and kerberos principal naming style are not exactly the same. In the kerberos standard, the principle is named name1 / Name2 / name3 /... / name @ realm; in SASL, the user name is named username/FQDN. Therefore, when using SASL, it is necessary to pass the username and FQDN to the authentication interface of SASL separately, so as to construct the principle of kerberos.
- Study Cyrus SASL carefully Authentication example , and refer to this article File