How does keytab work exactly?


Question

I have some questions on using a keytab for authentication; hope the kind people here can enlighten me.

Say I have userA who is going to use a service running at port 1010. First, userA will log in to Active Directory to authenticate himself.

After login, userA will try to connect to the server to use its service 1010. In order for the server to verify that userA is who he is, I need to use setspn to register an SPN at the Active Directory, e.g.

setspn -s service1010/mydomain.com serviceaccount1

Then I need to generate a ktab file at Active Directory, e.g.

ktab -a serviceprincal1010/server.domain.com@DOMAIN.COM -k mykeytab.keytab

Then bring mykeytab.keytab to the server.

At the server, I would use JAAS with a login config to query the KDC, e.g.

ServicePrincipalLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required
  principal=serviceprincal1010/server.domain.com@DOMAIN.COM
  doNotPrompt=true useKeyTab=true keyTab=mykeytab.keytab storeKey=true;
};

From this point on, I am confused. How does userA get verified (i.e., that userA is actually who he is)?

Accepted answer

Your diagram is wrong. You have a basic misunderstanding about how Kerberos works. (It's fairly common, by the way.) A service that uses Kerberos for authentication NEVER talks to the KDC. All it ever does is use its secret key (keytab) to decrypt blobs that are presented by the user.

The only part of Kerberos that ever talks to the KDC is the client or user side. When it attempts to access the service at port 1010, it first asks the KDC for a service ticket for that service. This is a blob encrypted with the service's secret key that has the user's identity inside it (plus a bunch of other protocol-related stuff).

If you have a GSS-based API inside your service on port 1010, all you need to do is tell that API where the keytab is and then ask it what the userid is on the connection. You never need to make any other connections to external services. I am not familiar with the Java APIs, but there should only be one or two calls required to verify the user credentials.

While this dialogue doesn't exactly match the version of Kerberos currently in use, it will help you understand the basic principles.

http://web.mit.edu/kerberos/dialogue.html
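The flow the answer describes, as an added toy model in Python (not part of the original question or answer, and not real Kerberos): a KDC that holds the long-term keys, a client that fetches a service ticket, and a service that verifies the presented blob using only its keytab copy of the key. The cipher is a stand-in built from SHA-256 and HMAC purely for illustration; the principal name is the one from the question, and the AS exchange (the user's own login) is omitted.

```python
import hmac, hashlib, json, os

def _keystream(key, nonce, n):  # toy SHA-256 counter-mode keystream, NOT a real enctype
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def toy_encrypt(key, data):  # encrypt-then-MAC stand-in for the ticket's encrypted part
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob was not encrypted with this service key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Holds every principal's long-term key (what AD stores) and logs who calls it."""
    def __init__(self):
        self.keys, self.calls = {}, []
    def register(self, principal):  # setspn + ktab: the keytab is a copy of this key
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]
    def service_ticket(self, user, service):  # client's ticket request (AS exchange omitted)
        self.calls.append((user, service))
        body = json.dumps({"cname": user, "sname": service}).encode()
        return toy_encrypt(self.keys[service], body)

def service_accept(keytab, blob):
    """Service side: decrypt the presented blob with the keytab key. No KDC contact."""
    return json.loads(toy_decrypt(keytab, blob))["cname"]

def demo():
    kdc = KDC()
    svc = "serviceprincal1010/server.domain.com@DOMAIN.COM"  # principal from the question
    keytab = kdc.register(svc)
    ticket = kdc.service_ticket("userA@DOMAIN.COM", svc)  # done by the CLIENT
    before = len(kdc.calls)
    who = service_accept(keytab, ticket)  # done by the SERVICE
    forged = toy_encrypt(os.urandom(32), b'{"cname": "userA@DOMAIN.COM"}')  # wrong key
    try:
        service_accept(keytab, forged)  # MAC check fails before the blob is parsed
        rejected = False
    except ValueError:
        rejected = True
    return who, len(kdc.calls) - before, rejected  # ("userA@DOMAIN.COM", 0, True)
```

The second returned value is the number of KDC calls made while the service verified the ticket: zero, which is the answer's point.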
