Single Sign On with Kerberos V
這篇文章假設你已經有 Kerberos 伺服器. 也假設你建立好 Kerberos 使用者帳號.
在開始設定 SSO(Single Sign On) 之前必需先設定與網路時間協定(ntp)同步. 否則無法自動登入
先在 Kerberos 伺服器上產生對應的電腦 key.
[root@kerberos ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/test.example.com
NOTICE: no policy specified for host/test.example.com@EXAMPLE.COM; assigning “default”
Principal “host/test.example.com@EXAMPLE.COM” created.
kadmin: ktadd -k /tmp/test.keytab host/test.example.com
Entry for principal host/test.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/tmp/test.keytab.
kadmin: quit
[root@kerberos ~]# ktutil
ktutil: rkt /tmp/test.keytab
ktutil: list
slot KVNO Principal
—- —- ———————————————————————
1 3 host/test.example.com@EXAMPLE.COM
2 3 host/test.example.com@EXAMPLE.COM
3 3 host/test.example.com@EXAMPLE.COM
4 3 host/test.example.com@EXAMPLE.COM
ktutil: wkt /etc/krb5.keytab
ktutil: quit
複製產生的 key 到要被設定 SSO 的機器.
[root@kerberos ~]# scp /tmp/test.keytab test:/etc/krb5.keytab
再來就要修改 sshd 讓該機器能允許用 Kerberos tokens 認證. 首先編輯 /etc/ssh/sshd_config , 把Kerberos & GSSAPI 打開
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
再編輯 /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
然後重新啓動 sshd
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
這樣的設定就可以使用 Kerberos tokens 認證,也就達成了 SSO 的功能
使用 ssh -v 來驗證是否真的使用 Kerberos tokens 認證.
[username@kerberos ~]$ ssh test -v
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to test [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ‘test’ is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:108
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 1 10:55:39 2008 from where
Welcome to Linux!
[username@test ~]$