[ KERBEROS 서버 ]
yum -y remove bind
rm -f /etc/named.conf*
rm -f /var/named/keys/*
# 나의 아이피 확인
DNS_SERVER_IP=$(ifconfig | grep -A 2 ens | grep "inet " | awk '{ print $2 }')
# 도메인 이름 설정
echo Input Your Domain NAME :
DOMAIN_NAME=hmwoo.com # read DOMAIN_NAME
# hostname 변경 (kerberos가 hostname이 맞는지 조회함)
hostnamectl --static set-hostname kdc.hmwoo.com
hostname
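# --- Authoritative DNS for the realm's domain --------------------------------
yum -y install bind bind-chroot
# Listen on every IPv4 address (IPv6 off) and answer queries from anyone;
# authoritative answers for our own zone are public data anyway.
sed -i "s/^\s*listen-on port 53.*/\tlisten-on port 53 { any; };/g" /etc/named.conf
sed -i "s/^\s*listen-on-v6 port 53.*/\tlisten-on-v6 port 53 { none; };/g" /etc/named.conf
sed -i "s/^\s*allow-query.*/\tallow-query\t{ any; };/g" /etc/named.conf
# With allow-query { any; } and the stock `recursion yes;`, BIND would also
# recurse for anyone (an open resolver, usable for DNS amplification). The
# lab clients that point DNS1 at this host sit on the attached networks, so
# recursion is limited to those plus localhost.
sed -i '/^\s*allow-query/a allow-recursion { localhost; localnets; };' /etc/named.conf
# Zone name is the first label of the domain ("hmwoo" for hmwoo.com).
ZONE_NAME=${DOMAIN_NAME%%.*}
ZONE_FILE=/var/named/${ZONE_NAME}.zone
# Master zone; dynamic updates stay disabled so only the file defines it.
{
  printf 'zone "%s" IN {\n' "$DOMAIN_NAME"
  printf '\ttype master;\n'
  printf '\tfile "%s.zone";\n' "$ZONE_NAME"
  printf '\tallow-update {none;};\n'
  printf '};\n'
} >> /etc/named.conf
# Zone data: the apex and kdc.<domain> both resolve to this host.
{
  printf '$TTL\t3H\n'
  printf '@\tIN\tSOA\t@\troot.%s.\t(20201111 1D 1H 1W 1H)\n' "$DOMAIN_NAME"
  printf '\tIN\tNS\t@\n'
  printf '\tIN\tA\t%s\n' "$DNS_SERVER_IP"
  printf 'kdc\tIN\tA\t%s\n' "$DNS_SERVER_IP"
} > "$ZONE_FILE"
yum -y install krb5-server krb5-workstation pam_krb5
# Validate config and zone before restarting so a typo does not take name
# service for the realm down (named-check* exit non-zero on errors).
named-checkconf /etc/named.conf
named-checkzone "$DOMAIN_NAME" "$ZONE_FILE"
systemctl restart named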
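# --- Kerberos configuration (KDC side) --------------------------------------
REALM=${DOMAIN_NAME^^}   # realm names are the uppercase domain by convention
# Library config. KDC and admin server come from the static [realms] entry
# and the domain->realm mapping is static too (dns_lookup_realm = false), so
# nothing depends on SRV/TXT records. rdns = false stops reverse lookups from
# rewriting the service name a client asks for.
cat <<KRB_SETTING > /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = ${REALM}
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
${REALM} = {
kdc = kdc.${DOMAIN_NAME}
admin_server = kdc.${DOMAIN_NAME}
}
[domain_realm]
.${DOMAIN_NAME} = ${REALM}
${DOMAIN_NAME} = ${REALM}
KRB_SETTING
# kadmin ACL: every */admin principal in the realm gets all rights, nobody
# else gets any.
printf '*/admin@%s\t*\n' "$REALM" > /var/kerberos/krb5kdc/kadm5.acl
# KDC config. Only AES and Camellia key types are offered. The stock list also
# carried arcfour-hmac (RC4), des3 and single DES: those are weak, make any
# service ticket cheap to crack offline once captured, and recent krb5 refuses
# DES by default anyway.
cat <<KRB_SETTING > /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
${REALM} = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal
}
KRB_SETTING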
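# --- Realm database and principals ------------------------------------------
REALM=${DOMAIN_NAME^^}
KDC_HOST=kdc.${DOMAIN_NAME}
# Secrets. Override from the environment; the defaults exist only so the lab
# runs unattended and MUST be changed anywhere else. They are fed on stdin
# (each tool asks twice) rather than on the command line, so they do not show
# up in `ps` output. KRB_USER_PASSWORD has to match what the client uses for
# kinit.
KDC_MASTER_PASSWORD=${KDC_MASTER_PASSWORD:-'P@ssw0rd!'}
KRB_USER_PASSWORD=${KRB_USER_PASSWORD:-'P@ssw0rd!'}
KRB_ADMIN_PASSWORD=${KRB_ADMIN_PASSWORD:-'P@ssw0rd!'}
# Create the realm database and stash the master key (-s) so krb5kdc can
# start without prompting.
printf '%s\n%s\n' "$KDC_MASTER_PASSWORD" "$KDC_MASTER_PASSWORD" | kdb5_util create -r "$REALM" -s
systemctl restart kadmin krb5kdc
# An ordinary user principal ...
printf '%s\n%s\n' "$KRB_USER_PASSWORD" "$KRB_USER_PASSWORD" | kadmin.local -q "add_principal krbuser"
kadmin.local -q "listprincs"
# ... and an admin principal that the */admin rule in kadm5.acl covers.
printf '%s\n%s\n' "$KRB_ADMIN_PASSWORD" "$KRB_ADMIN_PASSWORD" | kadmin.local -q "add_principal root/admin"
# Keys for kadmind's own service principals into its keytab.
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"
# Host principal for sshd on this machine; it must match the hostname set
# earlier, so the name is derived from DOMAIN_NAME. The key goes to the
# default keytab (/etc/krb5.keytab); keep that file root-only, it is
# equivalent to the host's password.
kadmin.local -q "addprinc -randkey host/${KDC_HOST}"
kadmin.local -q "ktadd host/${KDC_HOST}"
chmod 600 /etc/krb5.keytab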
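# --- SSH: accept Kerberos (GSSAPI) logins on this host ----------------------
# sshd uses the FIRST value it sees for a keyword, so existing settings are
# blanked before ours are appended (the stock file already has a
# GSSAPICleanupCredentials line, which the original script left in place).
sed -i "s/^\s*GSSAPIAuthentication.*//g" /etc/ssh/sshd_config
sed -i "s/^\s*GSSAPIDelegateCredentials.*//g" /etc/ssh/sshd_config
sed -i "s/^\s*GSSAPICleanupCredentials.*//g" /etc/ssh/sshd_config
# NOTE(review): GSSAPICleanupCredentials no keeps a credential cache that a
# client delegated to this host alive after the session ends (sshd's default
# is yes). Kept as in the original lab; use yes on any shared machine.
cat <<SSH_SETTING >> /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
SSH_SETTING
# Client side. `Host` blocks are first-match-wins, so the distro's own
# `Host *` block is removed before ours is appended. The original pattern
# ^\s*Host.* also wiped HostbasedAuthentication, HostKeyAlgorithms and any
# other keyword starting with "Host"; only the keyword followed by whitespace
# is matched now.
sed -i "s/^\s*Host\s.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*GSSAPIAuthentication.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*GSSAPIDelegateCredentials.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*SendEnv.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*ForwardX11Trusted.*//g" /etc/ssh/ssh_config
# Delegating the TGT hands every server you log in to a usable copy of your
# credentials, so it is enabled only for hosts inside the realm's own domain
# (the first block); everything else keeps the defaults under `Host *`.
# ForwardX11Trusted yes reproduces the distro default; a trusted X11 client
# on the server can read the whole local X session, so drop it if X
# forwarding is not needed.
cat <<SSH_SETTING >> /etc/ssh/ssh_config
Host *.${DOMAIN_NAME}
$(printf '\t')GSSAPIAuthentication yes
$(printf '\t')GSSAPIDelegateCredentials yes
Host *
$(printf '\t')ForwardX11Trusted yes
$(printf '\t')SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
$(printf '\t')SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
$(printf '\t')SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
$(printf '\t')SendEnv XMODIFIERS
$(printf '\t')GSSAPIAuthentication yes
SSH_SETTING
systemctl restart sshd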
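# --- Local account, firewall, SELinux ---------------------------------------
# GSSAPI only authenticates; sshd still needs a matching local account.
adduser krbuser
# Open only what this host serves instead of stopping the firewall outright:
# DNS (53), the KDC (88, as set in kdc.conf), kpasswd (464) and kadmin (749)
# on their krb5 default ports. ssh is already allowed by the default zone.
# Skipped when firewalld is not running.
if systemctl is-active --quiet firewalld; then
  firewall-cmd --permanent \
    --add-port=53/udp --add-port=53/tcp \
    --add-port=88/udp --add-port=88/tcp \
    --add-port=464/udp --add-port=464/tcp \
    --add-port=749/tcp
  firewall-cmd --reload
fi
# NOTE(review): this only sets permissive mode until the next reboot
# (/etc/selinux/config is not touched), so the setup silently changes
# behaviour after a restart. Prefer leaving SELinux enforcing and fixing
# labels (restorecon -Rv /etc/named.conf /var/named /etc/krb5.keytab) if a
# service logs an AVC denial. Guarded so the step is a no-op where SELinux is
# disabled entirely (setenforce would otherwise exit non-zero).
if selinuxenabled 2>/dev/null; then
  setenforce 0
fi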
[ 클라이언트 ]
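# --- Kerberos client bootstrap ----------------------------------------------
# Fail fast: a client that continues past a failed step ends up with a wrong
# resolver or krb5.conf and the kinit at the end fails in confusing ways.
set -euo pipefail
# Address of the lab DNS/KDC host and the domain; both can be overridden from
# the environment, the comment shows the interactive alternative.
echo Input Your DNS IP :
DNS_SERVER_IP=${DNS_SERVER_IP:-192.168.108.50} # read DNS_SERVER_IP
echo Input Your Domain NAME :
DOMAIN_NAME=${DOMAIN_NAME:-hmwoo.com} # read DOMAIN_NAME
# First ifcfg-* file that is not loopback (same filter the original applied
# to `ls` output, without parsing ls). If several interfaces exist only the
# first is updated — NOTE(review): confirm it is the one facing the KDC.
NET_SET_FILE=
for cfg in /etc/sysconfig/network-scripts/ifcfg-*; do
  case "${cfg##*/}" in
    *lo*) continue ;;
  esac
  NET_SET_FILE=${cfg##*/}
  break
done
: "${NET_SET_FILE:?no ifcfg-* file found under /etc/sysconfig/network-scripts}"
yum -y install krb5-workstation pam_krb5
# Point the interface at the lab DNS server: drop blank lines and any existing
# DNS1= entry, append ours. The scratch copy lives in a mktemp file rather
# than a predictable name in world-writable /tmp; the result is written back
# through the existing file (cat >) so its mode and SELinux label survive.
tmpfile=$(mktemp)
trap 'rm -f -- "$tmpfile"' EXIT
# grep -v exits 1 when nothing is left to print, which is not an error here.
grep -v -e "^$" -e "^DNS1=" "/etc/sysconfig/network-scripts/${NET_SET_FILE}" > "$tmpfile" || true
printf 'DNS1=%s\n' "$DNS_SERVER_IP" >> "$tmpfile"
cat "$tmpfile" > "/etc/sysconfig/network-scripts/${NET_SET_FILE}"
systemctl restart network
# The restart regenerates resolv.conf; make sure it only names our server.
printf 'nameserver %s\n' "$DNS_SERVER_IP" > /etc/resolv.conf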
# --- Kerberos library configuration (client side, same content as the KDC) --
# KDC and admin server are taken from the static [realms] entry and the
# domain -> realm mapping is static as well (dns_lookup_realm = false);
# rdns = false keeps reverse DNS from rewriting the requested service name.
# The %{uid} in default_ccache_name is expanded by krb5, hence the %% below.
{
  printf 'includedir /etc/krb5.conf.d/\n'
  printf '[logging]\n'
  printf 'default = FILE:/var/log/krb5libs.log\n'
  printf 'kdc = FILE:/var/log/krb5kdc.log\n'
  printf 'admin_server = FILE:/var/log/kadmind.log\n'
  printf '[libdefaults]\n'
  printf 'dns_lookup_realm = false\n'
  printf 'ticket_lifetime = 24h\n'
  printf 'renew_lifetime = 7d\n'
  printf 'forwardable = true\n'
  printf 'rdns = false\n'
  printf 'pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt\n'
  printf 'default_realm = %s\n' "${DOMAIN_NAME^^}"
  printf 'default_ccache_name = KEYRING:persistent:%%{uid}\n'
  printf '[realms]\n'
  printf '%s = {\n' "${DOMAIN_NAME^^}"
  printf 'kdc = kdc.%s\n' "${DOMAIN_NAME}"
  printf 'admin_server = kdc.%s\n' "${DOMAIN_NAME}"
  printf '}\n'
  printf '[domain_realm]\n'
  printf '.%s = %s\n' "${DOMAIN_NAME}" "${DOMAIN_NAME^^}"
  printf '%s = %s\n' "${DOMAIN_NAME}" "${DOMAIN_NAME^^}"
} > /etc/krb5.conf
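# --- SSH: GSSAPI on the client ----------------------------------------------
# sshd uses the FIRST value it sees for a keyword, so existing settings are
# blanked before ours are appended (the stock file already carries a
# GSSAPICleanupCredentials line, which the original script left in place).
sed -i "s/^\s*GSSAPIAuthentication.*//g" /etc/ssh/sshd_config
sed -i "s/^\s*GSSAPIDelegateCredentials.*//g" /etc/ssh/sshd_config
sed -i "s/^\s*GSSAPICleanupCredentials.*//g" /etc/ssh/sshd_config
# NOTE(review): GSSAPICleanupCredentials no keeps delegated credential caches
# on this host after logout (sshd's default is yes). Kept as in the original
# lab; use yes on anything shared.
cat <<SSH_SETTING >> /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
SSH_SETTING
# Client config. `Host` blocks are first-match-wins, so the distro's own
# `Host *` block is removed before ours is appended. The original pattern
# ^\s*Host.* also wiped HostbasedAuthentication, HostKeyAlgorithms and every
# other keyword starting with "Host"; only "Host" followed by whitespace is
# matched now.
sed -i "s/^\s*Host\s.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*GSSAPIAuthentication.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*GSSAPIDelegateCredentials.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*SendEnv.*//g" /etc/ssh/ssh_config
sed -i "s/^\s*ForwardX11Trusted.*//g" /etc/ssh/ssh_config
# Delegating the TGT gives every server you log in to a usable copy of your
# credentials; enable it only for hosts in the realm's domain (first block),
# everything else keeps the defaults under `Host *`. ForwardX11Trusted yes is
# the distro default; a trusted X11 client on the server can read the whole
# local X session, so drop it if X forwarding is not needed.
cat <<SSH_SETTING >> /etc/ssh/ssh_config
Host *.${DOMAIN_NAME}
$(printf '\t')GSSAPIAuthentication yes
$(printf '\t')GSSAPIDelegateCredentials yes
Host *
$(printf '\t')ForwardX11Trusted yes
$(printf '\t')SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
$(printf '\t')SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
$(printf '\t')SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
$(printf '\t')SendEnv XMODIFIERS
$(printf '\t')GSSAPIAuthentication yes
SSH_SETTING
systemctl restart sshd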
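# --- Get a ticket and log in to the KDC host --------------------------------
# Password of the krbuser principal as created on the KDC; the default exists
# only for the unattended lab (override KRB_USER_PASSWORD). It is fed on
# stdin, not placed on a command line where `ps` could show it.
KRB_USER_PASSWORD=${KRB_USER_PASSWORD:-'P@ssw0rd!'}
printf '%s\n' "$KRB_USER_PASSWORD" | kinit krbuser
# `kdestroy` discards the ticket again.
klist
# Host name derived from DOMAIN_NAME so it matches the host/ principal the
# KDC created. NOTE(review): -oStrictHostKeyChecking=no accepts whatever host
# key the server presents on first contact, so a machine-in-the-middle on
# first connection is not detected; acceptable for a throw-away lab only.
# Elsewhere pre-seed known_hosts (or use accept-new on OpenSSH >= 7.6).
ssh -oStrictHostKeyChecking=no "krbuser@kdc.${DOMAIN_NAME}"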