MIT Kerberos网络安全指南：实现企业级身份验证与加密

Kerberos

需积分: 10 195 浏览量更新于2024-07-18 收藏 731KB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

Kerberos Administration Guide 是一份详细的文档，针对网络认证协议Kerberos进行了深入的讲解和指导。Kerberos的设计初衷是为了在不安全的网络环境中提供强大的身份验证，通过使用密钥加密技术确保客户端与服务器之间的通信安全。它的核心功能是解决互联网上普遍存在的安全问题，如缺乏加密导致的密码泄露风险以及对用户身份验证和权限控制的漏洞。 Kerberos协议由麻省理工学院（MIT）开发并免费提供，其源代码开放，允许用户自行审查以确保代码的安全性。除了自由版本，它还作为商业产品的形式由多个供应商支持，以满足不同企业的需求。Kerberos解决了防火墙的局限性，防火墙往往假定外部威胁，而实际上内部攻击更为常见。Kerberos通过加密技术在客户端和服务器之间建立信任，并确保数据的隐私和完整性。文档详细内容涵盖了安装指南、配置文件管理、realm配置决策、数据库管理、账户锁定策略以及与OpenLDAP后端的集成等内容。例如，配置文件部分指导如何设置realm名称、映射主机名到Kerberos域、选择KDC（Key Distribution Center）的端口以及处理主数据库的同步和复制。数据库管理员可以通过kadmin工具进行操作，包括设置日期格式、创建和管理principals（用户或服务账号）、制定policies（访问控制策略），以及管理用户的特权和数据库操作。账户锁定功能被用于防止恶意登录尝试，包括如何配置锁定策略、测试其效果、监控锁定状态，以及考虑其对KDC性能的影响。对于那些采用OpenLDAP作为后端存储的环境，文档还提供了具体的配置步骤，确保Kerberos与企业应用服务器的无缝集成。 Kerberos Administration Guide是一份全面的资源，不仅介绍了Kerberos协议的工作原理，还提供了实际操作和管理的指南，帮助企业机构有效提升网络安全，保护敏感信息免受攻击。这份文档对于IT管理员和系统架构师来说，是一份极其宝贵的参考材料。

资源详情

资源推荐

Kerberos Administration Guide, Release 1.16.1

1.2 Additional references

1. Debian: Setting up MIT Kerberos 5

2. Solaris: Conﬁguring the Kerberos Service

10 Chapter 1. Installation guide

Kerberos Administration Guide, Release 1.16.1

then the second value of foo (baz) would never be read.

The krb5.conf ﬁle can include other ﬁles using either of the following directives at the beginning of a line:

include FILENAME

includedir DIRNAME

FILENAME or DIRNAME should be an absolute path. The named ﬁle or directory must exist and be readable. Includ-

ing a directory includes all ﬁles within the directory whose names consist solely of alphanumeric characters, dashes,

or underscores. Starting in release 1.15, ﬁles with names ending in ”.conf” are also included, unless the name begins

with ”.”. Included proﬁle ﬁles are syntactically independent of their parents, so each included ﬁle must begin with a

section header.

The krb5.conf ﬁle can specify that conﬁguration should be obtained from a loadable module, rather than the ﬁle itself,

using the following directive at the beginning of a line before any section headers:

module MODULEPATH:RESIDUAL

MODULEPATH may be relative to the library path of the krb5 installation, or it may be an absolute path. RESIDUAL

is provided to the module at initialization time. If krb5.conf uses a module directive, kdc.conf should also use one if it

exists.

Sections

The krb5.conf ﬁle may contain the following sections:

[libdefaults] Settings used by the Kerberos V5 library

[realms] Realm-speciﬁc contact information and settings

[domain_realm] Maps server hostnames to Kerberos realms

[capaths] Authentication paths for non-hierarchical cross-realm

[appdefaults] Settings used by some Kerberos V5 applications

[plugins] Controls plugin module registration

Additionally, krb5.conf may include any of the relations described in kdc.conf , but it is not a recommended practice.

[libdefaults]

The libdefaults section may contain any of the following relations:

allow_weak_crypto If this ﬂag is set to false, then weak encryption types (as noted in Encryption types in kdc.conf )

will be ﬁltered out of the lists default_tgs_enctypes, default_tkt_enctypes, and permitted_enctypes. The

default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that

do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure

adopts stronger ciphers.

ap_req_checksum_type An integer which speciﬁes the type of AP-REQ checksum to use in authenticators. This

variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set

if backward compatibility requires a speciﬁc checksum type. See the kdc_req_checksum_type conﬁguration

option for the possible values and their meanings.

canonicalize If this ﬂag is set to true, initial ticket requests to the KDC will request canonicalization of the client

principal name, and answers with different client principals than the requested principal will be accepted. The

default value is false.

ccache_type This parameter determines the format of credential cache types created by kinit(1) or other programs.

The default value is 4, which represents the most current format. Smaller values can be used for compatibility

with very old implementations of Kerberos which interact with credential caches on the same host.

12 Chapter 2. Conﬁguration Files

Kerberos Administration Guide, Release 1.16.1

clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming

that a Kerberos message is invalid. The default value is 300 seconds, or ﬁve minutes.

The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that

have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been

expired for a shorter duration than the clockskew setting.

default_ccache_name This relation speciﬁes the name of the default credential cache. The default is DEFCCNAME.

This relation is subject to parameter expansion (see below). New in release 1.11.

default_client_keytab_name This relation speciﬁes the name of the default keytab for obtaining client credentials.

The default is DEFCKTNAME. This relation is subject to parameter expansion (see below). New in release 1.11.

default_keytab_name This relation speciﬁes the default keytab name to be used by application servers such as sshd.

The default is DEFKTNAME. This relation is subject to parameter expansion (see below).

default_realm Identiﬁes the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value

is not set, then a realm must be speciﬁed with every Kerberos principal when invoking programs such as kinit(1).

default_tgs_enctypes Identiﬁes the supported list of session key encryption types that the client should re-

quest when making a TGS-REQ, in order of preference from highest to lowest. The list may be de-

limited with commas or whitespace. See Encryption types in kdc.conf for a list of the accepted values

for this tag. The default value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1

arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc

des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if

the value of allow_weak_crypto is false.

Do not set this unless required for speciﬁc backward compatibility purposes; stale values of this setting can

prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

default_tkt_enctypes Identiﬁes the supported list of session key encryption types that the

client should request when making an AS-REQ, in order of preference from high-

est to lowest. The format is the same as for default_tgs_enctypes. The default

value for this tag is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1

arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc

des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if

the value of allow_weak_crypto is false.

Do not set this unless required for speciﬁc backward compatibility purposes; stale values of this setting can

prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

dns_canonicalize_hostname Indicate whether name lookups will be used to canonicalize hostnames for use in ser-

vice principal names. Setting this ﬂag to false can improve security by reducing reliance on DNS, but means

that short hostnames will not be canonicalized to fully-qualiﬁed hostnames. The default value is true.

dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm,

if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in

the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is

incomplete.)

Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and

redirects you to another server. However, it’s no worse than a denial of service, because that fake KDC will

be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and

anything the fake KDC sends will not be trusted without veriﬁcation using some secret that it won’t know.

dns_uri_lookup Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm,

if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI

records were found. The default value is true. New in release 1.15.

2.1. Contents 13

Kerberos Administration Guide, Release 1.16.1

err_fmt This relation allows for custom error message formatting. If a value is set, error messages will be formatted

by substituting a normal error message for %M and an error code for %C in the value.

extra_addresses This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a net-

work that uses NATs while still using address-restricted tickets. The addresses should be in a comma-separated

list. This option has no effect if noaddresses is true.

forwardable If this ﬂag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value

is false.

ignore_acceptor_hostname When accepting GSSAPI or krb5 security contexts for host-based service principals,

ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal

in the keytab matching the service name and realm name (if given). This option can improve the administrative

ﬂexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting

environments. The default value is false. New in release 1.10.

k5login_authoritative If this ﬂag is true, principals must be listed in a local user’s k5login ﬁle to be granted login

access, if a .k5login(5) ﬁle exists. If this ﬂag is false, a principal may still be granted login access through other

mechanisms even if a k5login ﬁle exists but does not list the principal. The default value is true.

k5login_directory If set, the library will look for a local user’s k5login ﬁle within the named directory, with a ﬁlename

corresponding to the local username. If not set, the library will look for k5login ﬁles in the user’s home directory,

with the ﬁlename .k5login. For security reasons, .k5login ﬁles must be owned by the local user or by root.

kcm_mach_service On macOS only, determines the name of the bootstrap service used to contact the KCM daemon

for the KCM credential cache type. If the value is -, Mach RPC will not be used to contact the KCM daemon.

The default value is org.h5l.kcm.

kcm_socket Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential

cache type. If the value is -, Unix domain sockets will not be used to contact the KCM daemon. The default

value is /var/run/.heim_org.h5l.kcm-socket.

kdc_default_options Default KDC options (Xored for multiple values) when requesting initial tickets. By default it

is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).

kdc_timesync Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference

between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct

for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective

factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1.

kdc_req_checksum_type An integer which speciﬁes the type of checksum to use for the KDC requests, for compat-

ibility with very old KDC implementations. This value is only used for DES keys; other keys use the preferred

checksum type for those keys.

The possible values and their meanings are as follows.

1 CRC32

2 RSA MD4

3 RSA MD4 DES

4 DES CBC

7 RSA MD5

8 RSA MD5 DES

9 NIST SHA

12 HMAC SHA1 DES3

-138 Microsoft MD5 HMAC checksum type

noaddresses If this ﬂag is true, requests for initial tickets will not be made with address restrictions set, allowing the

tickets to be used across NATs. The default value is true.

permitted_enctypes Identiﬁes all encryption types that are permitted for use in session key encryption.

The default value for this tag is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

14 Chapter 2. Conﬁguration Files

剩余156页未读，继续阅读

bose2365

粉丝: 25
资源: 226

MIT Kerberos网络安全指南：实现企业级身份验证与加密

Kerberos权威指南 Kerberos The Definitive Guide

CDH启用Kerberos认证

Solaris配置kerberos

Kerberos 代理实现Kerberos 切换

kerberos认证_Mac里捣腾Kerberos（一）

kerberos认证 python实现 不使用kerberos客户端

hadoop客户端kerberos认证

编写kafka认证kerberos

kerberos kafka集群配置

详述如何在Linux上配置Kerberos服务并使用Kerberos身份认证

flink的kerberos认证

虚拟机怎么安装Kerberos

kerberos认证 python实现

cant get kerberos realm

java 连接kerberos hadoop

kerberos hadoop认证简单教程

java security对接kerberos

如何在Hadoop安装Kerberos

apache hadoop开启kerberos

安装kerberos的坑

最新资源

kerberos认证 python实现不使用kerberos客户端