{"id":1100,"date":"2019-12-24T11:31:49","date_gmt":"2019-12-24T07:31:49","guid":{"rendered":"http:\/\/blog.5flor.ru\/?p=1100"},"modified":"2019-12-24T11:32:09","modified_gmt":"2019-12-24T07:32:09","slug":"kerberos-autentification-ssh","status":"publish","type":"post","link":"https:\/\/blog.5flor.ru\/?p=1100","title":{"rendered":"Kerberos authentication SSH"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Correctly working NTP and DNS records in the zone are required.<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">192.168.1.11 <strong>kbserver.example.com<\/strong>\n192.168.1.12 <strong>kbclient.example.com<\/strong>\n\n\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">The following packages must be installed:\n# <strong>yum install -y krb5-workstation pam_krb5<\/strong><\/pre>\n\n\n\n<p>In the file <strong>\/etc\/krb5.conf<\/strong>, configure the connection to the domain.<\/p>\n\n\n\n<p>[libdefaults]<br>default_realm = TEST.COM<\/p>\n\n\n\n<p> [realms]   <br>TEST.COM = {<br>    kdc = dc.test.com<br>    default_domain = test.com<br>    admin_server = dc.test.com<br>  } <\/p>\n\n\n\n<p>[domain_realm]<br>.test.com = TEST.COM<br> test.com = TEST.COM<\/p>\n\n\n\n<p>In the file <strong>\/etc\/ssh\/ssh_config<\/strong>, uncomment the lines:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>GSSAPIAuthentication<\/strong> 
yes\n<strong>GSSAPIDelegateCredentials<\/strong> yes\n<\/pre>\n\n\n\n<p>Restart ssh<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># <strong>systemctl reload sshd<\/strong><\/pre>\n\n\n\n<p>Configure the <strong>PAM<\/strong> module<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># <strong>authconfig --enablekrb5 --update<\/strong><\/pre>\n\n\n\n<p>Test<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># <strong>su - user01<\/strong>\n$ <strong>kinit<\/strong>\nPassword for user01@EXAMPLE.COM: <del>user01<\/del>\n$ <strong>klist<\/strong>\nTicket cache: KEYRING:persistent:1000:1000\nDefault principal: user01@EXAMPLE.COM\n\nValid starting Expires Service principal\n07\/22\/2014 17:20:15 07\/23\/2014 17:19:54 krbtgt\/EXAMPLE.COM@EXAMPLE.COM\n renew until 07\/22\/2014 17:19:54\n$ <strong>ssh <\/strong><strong>kbserver.example.com<\/strong><\/pre>\n\n\n\n<p>SSH access to the server must also be restricted.<br>This is done with the following parameters in the file \/etc\/ssh\/sshd_config:<br>AllowUsers root<br> AllowGroups it root<br>The root group is required.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Correctly working NTP and DNS records in the zone are required. 
192.168.1.11 kbserver.example.com 192.168.1.12 kbclient.example.com The following packages must be installed: # yum install -y krb5-workstation pam_krb5 In the file \/etc\/krb5.conf, configure the connection to the domain. [libdefaults] default_realm = TEST.COM [realms] TEST.COM = { kdc = dc.test.com default_domain &hellip; <a href=\"https:\/\/blog.5flor.ru\/?p=1100\">Read more <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,9],"tags":[],"class_list":["post-1100","post","type-post","status-publish","format-standard","hentry","category-1","category-9"],"_links":{"self":[{"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=\/wp\/v2\/posts\/1100"}],"collection":[{"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1100"}],"version-history":[{"count":0,"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=\/wp\/v2\/posts\/1100\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1100"},{"taxonomy":"post_t
ag","embeddable":true,"href":"https:\/\/blog.5flor.ru\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}