当前位置:网站首页>【kerberos】深入理解kerberos票据生命周期

【kerberos】深入理解kerberos票据生命周期

2022-07-06 09:15:00 kiraraLou

ticket lifetime取决于以下5项设置中的最小值:

  • Kerberos server上/var/kerberos/krb5kdc/kdc.conf中max_life
  • 内置principal krbtgt的maximum ticket life,可在kadmin命令行下用getprinc命令查看
  • principal的maximum ticket life,可在kadmin命令行下用getprinc命令查看
  • Kerberos client上/etc/krb5.conf的ticket_lifetime
  • kinit -l 参数后面指定的时间

ticket renew lifetime取决于以下5项设置中的最小值:

  • Kerberos server上/var/kerberos/krb5kdc/kdc.conf中max_renewable_life
  • 内置principal krbtgt的maximum renewable life,可在kadmin命令行下用getprinc命令查看
  • 你的principal的maximum renewable life,可在kadmin命令行下用getprinc命令查看
  • Kerberos client上/etc/krb5.conf的renew_lifetime
  • kinit -r 参数后面指定的时间

查看当前服务器票据

[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T14:01:44  2019-11-28T14:01:44  krbtgt/[email protected]
	renew until 2019-12-04T14:01:44
  • Valid starting:认证的时间,也就是执行kinit的时间:2019-11-27T14:01:44
    Expires:失效时间2019-11-28T14:01:44,这个时间是票据当前生命周期的失效时间
  • renew until:票据一个生命周期过后,都会自动刷新一次获得新的票据,直到2019-12-04T14:01:44,每次刷新后Expires都会变化;

当然也可以手动刷新

kinit -R

手动刷新的话,valid starting和Expires会变,renew until不变

[[email protected] ~]# kinit -R
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T15:08:45  2019-11-28T15:08:45  krbtgt/[email protected]
	renew until 2019-12-04T14:01:44

其实可以看出renew until决定了票据的最终失效时间;renew until是如何决定的?
renew until由以下参数决定

a:Kerberos server上/var/kerberos/krb5kdc/kdc.conf中max_renewable_life;决定了上限
b:Kerberos client上/etc/krb5.conf的renew_lifetime
c:krbtgt的maximum renewable life,使用getprinc命令查看
d:principal的maximum renewable life,可在kadmin命令行下用getprinc命令查看
e:kinit -r 15days

c的上限a
d的上限为c
b,e的上限为d

b,e<d<c<a

验证

vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
    
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/principal
  max_life = 25h
  max_renewable_life = 90d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

重启krb5kdc

systemctl restart krb5kdc

为了方便测试,我们将kdc中的renewable设置成最小90days,其他的分别设置成100days,110days,120days

修改krbtgt的maximum renewable life为100days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 100days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/[email protected]" modified.

修改bigdata的maximum renewable life为110days

modprinc -maxlife 1days -maxrenewlife 110days +allow_renewable bigdata

修改客户端krb5.conf renew_lifetime为120days

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 120d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM

验证

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T15:55:54  2019-11-28T15:55:54  krbtgt/[email protected]
	renew until 2020-02-25T15:55:54

此时renew until 2020-02-25T15:55:54,Time(2020-02-25T15:55:54)-Time(2019-11-27T15:55:54)=90days
修改krbtgt的maximum renewable life为80days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 80days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/[email protected]" modified.

重新kinit

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:00:05  2019-11-28T16:00:05  krbtgt/[email protected]
	renew until 2020-02-15T16:00:05

此时renew until 2020-02-15T16:00:05,Time(2020-02-15T16:00:05)-Time(2019-11-27T16:00:05)=80days

修改bigdata的maximum renewable life为70days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 70days +allow_renewable bigdata
Principal "[email protected]" modified.

重新kinit

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:03:40  2019-11-28T16:03:40  krbtgt/[email protected]
	renew until 2020-02-05T16:03:40

此时renew until 2020-02-05T16:03:40,Time(2020-02-05T16:03:40)-Time(2019-11-27T16:03:40)=70days

修改客户端的krb5.conf,renew_lifetime为60days

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 60d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM

kinit

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:08:21  2019-11-28T16:08:21  krbtgt/[email protected]
	renew until 2020-01-26T16:08:21

Time(2020-01-26T16:08:21)-Time(2019-11-27T16:08:21)=60days

此刻如果手动刷新设置renewable_lifetime 为80days

[[email protected] ~]# kinit -r 80days
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/[email protected]
	renew until 2020-02-05T16:09:41

Time(2020-02-05T16:09:41)-TIme(2019-11-27T16:09:41)=70days

原文链接:https://blog.csdn.net/woloqun/article/details/103277813/

原网站

版权声明
本文为[kiraraLou]所创,转载请带上原文链接,感谢
https://blog.csdn.net/Mrerlou/article/details/125328611

边栏推荐

猜你喜欢

随机推荐