[Kerberos] Understanding the Kerberos ticket lifecycle in depth

The ticket lifetime is the minimum of the following five settings:

  • max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
  • The maximum ticket life of the built-in principal krbtgt, viewable with the getprinc command in kadmin
  • The maximum ticket life of your principal, viewable with the getprinc command in kadmin
  • ticket_lifetime in /etc/krb5.conf on the Kerberos client
  • The time given after the kinit -l option

The ticket renew lifetime is the minimum of the following five settings:

  • max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
  • The maximum renewable life of the built-in principal krbtgt, viewable with the getprinc command in kadmin
  • The maximum renewable life of your principal, viewable with the getprinc command in kadmin
  • renew_lifetime in /etc/krb5.conf on the Kerberos client
  • The time given after the kinit -r option

Viewing the current ticket on the server

    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T14:01:44  2019-11-28T14:01:44  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2019-12-04T14:01:44

  • Valid starting: the time of authentication, i.e. the time kinit was run: 2019-11-27T14:01:44
  • Expires: the expiry time, 2019-11-28T14:01:44; this is when the ticket's current lifetime ends
  • renew until: each time a lifetime elapses the ticket is renewed and a new ticket obtained, until 2019-12-04T14:01:44; Expires changes after every renewal

Of course, the ticket can also be renewed manually

kinit -R

With a manual renewal, Valid starting and Expires change, while renew until stays the same

    [root@myrepo ~]# kinit -R
    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T15:08:45  2019-11-28T15:08:45  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2019-12-04T14:01:44

So renew until is what determines the ticket's final expiry time. How is renew until decided?
renew until is determined by the following parameters:

  a: max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server; this sets the upper bound
  b: renew_lifetime in /etc/krb5.conf on the Kerberos client
  c: the maximum renewable life of krbtgt, viewable with the getprinc command
  d: the maximum renewable life of the principal, viewable with the getprinc command in kadmin
  e: kinit -r 15days

c is bounded by a
d is bounded by c
b and e are bounded by d

b,e < d < c < a

Verification

    vi /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     HADOOP.COM = {
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      database_name = /var/kerberos/principal
      max_life = 25h
      max_renewable_life = 90d
      supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

Restart krb5kdc

systemctl restart krb5kdc

For ease of testing, we set the KDC's max_renewable_life to the smallest value, 90 days, and set the other three to 100, 110 and 120 days respectively.

Set krbtgt's maximum renewable life to 100 days

    kadmin.local: modprinc -maxlife 1days -maxrenewlife 100days +allow_renewable krbtgt/HADOOP.COM
    Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.

Set bigdata's maximum renewable life to 110 days

modprinc -maxlife 1days -maxrenewlife 110days +allow_renewable bigdata

Set renew_lifetime in the client's krb5.conf to 120 days

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 120d
     forwardable = true
     rdns = false
     default_realm = HADOOP.COM

Verification

    [root@myrepo ~]# kinit bigdata
    Password for bigdata@HADOOP.COM:
    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T15:55:54  2019-11-28T15:55:54  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-25T15:55:54

Now renew until is 2020-02-25T15:55:54, and Time(2020-02-25T15:55:54) - Time(2019-11-27T15:55:54) = 90 days

Set krbtgt's maximum renewable life to 80 days

    kadmin.local: modprinc -maxlife 1days -maxrenewlife 80days +allow_renewable krbtgt/HADOOP.COM
    Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.

Run kinit again

    [root@myrepo ~]# kinit bigdata
    Password for bigdata@HADOOP.COM:
    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T16:00:05  2019-11-28T16:00:05  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-15T16:00:05

Now renew until is 2020-02-15T16:00:05, and Time(2020-02-15T16:00:05) - Time(2019-11-27T16:00:05) = 80 days

Set bigdata's maximum renewable life to 70 days

    kadmin.local: modprinc -maxlife 1days -maxrenewlife 70days +allow_renewable bigdata
    Principal "bigdata@HADOOP.COM" modified.

Run kinit again

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T16:03:40  2019-11-28T16:03:40  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-05T16:03:40

Now renew until is 2020-02-05T16:03:40, and Time(2020-02-05T16:03:40) - Time(2019-11-27T16:03:40) = 70 days

Set renew_lifetime in the client's krb5.conf to 60 days

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 60d
     forwardable = true
     rdns = false
     default_realm = HADOOP.COM

kinit

    [root@myrepo ~]# kinit bigdata
    Password for bigdata@HADOOP.COM:
    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T16:08:21  2019-11-28T16:08:21  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-01-26T16:08:21

Time(2020-01-26T16:08:21) - Time(2019-11-27T16:08:21) = 60 days

If we now request a renewable lifetime of 80 days by hand

    [root@myrepo ~]# kinit -r 80days
    Password for bigdata@HADOOP.COM:
    [root@myrepo ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: bigdata@HADOOP.COM

    Valid starting       Expires              Service principal
    2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-05T16:09:41

Time(2020-02-05T16:09:41) - Time(2019-11-27T16:09:41) = 70 days
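The five-setting rule from the top of the post and the experiment above can be checked offline with a small model. This is an added example, not code from the original post: parse_duration, granted_lifetime and lifetimes_from_klist are hypothetical helpers, and the klist text is a constructed sample in the format shown above. The model reads the final run the way the data shows it: kinit -r replaces the krb5.conf renew_lifetime as the client's request, and the KDC then caps that request by kdc.conf, the krbtgt principal and the user principal, which is why 80 days requested against a 60-day renew_lifetime still yields 70 days.

```python
import re
from datetime import datetime

# Hypothetical helpers, not code from the original post.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Seconds for a krb5-style duration such as '25h', '90d', '1days' or '100days'."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])[a-z]*\s*", text.lower())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def granted_lifetime(kdc_max, krbtgt_max, principal_max, client_conf, kinit_opt=None):
    """Model of what the KDC grants for either lifetime (ticket or renewable).

    The client asks for the 'kinit -l' / 'kinit -r' value when given, otherwise
    the krb5.conf value (ticket_lifetime / renew_lifetime); the KDC then caps the
    request by kdc.conf (max_life / max_renewable_life), the krbtgt principal's
    maximum and the user principal's maximum.  Returns seconds.
    """
    requested = kinit_opt if kinit_opt is not None else client_conf
    return min(parse_duration(v) for v in (requested, kdc_max, krbtgt_max, principal_max))

def lifetimes_from_klist(klist_output):
    """(ticket life, renewable life) in seconds read off the krbtgt entry:
    'Expires' minus 'Valid starting' and 'renew until' minus 'Valid starting'."""
    ts = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
    m = re.search(rf"({ts})\s+({ts})\s+krbtgt/\S+\s+renew until ({ts})", klist_output)
    if not m:
        raise ValueError("no renewable krbtgt entry in klist output")
    start, expires, renew = (datetime.strptime(t, "%Y-%m-%dT%H:%M:%S") for t in m.groups())
    return int((expires - start).total_seconds()), int((renew - start).total_seconds())

# Constructed sample in the format of the post's final klist run: kdc.conf 90d,
# krbtgt 80days, principal 70days, client renew_lifetime 60d, 'kinit -r 80days'.
KLIST_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM

Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/HADOOP.COM@HADOOP.COM
\trenew until 2020-02-05T16:09:41
"""

if __name__ == "__main__":
    ticket = granted_lifetime("25h", "1days", "1days", "24h")
    renew = granted_lifetime("90d", "80days", "70days", "60d", kinit_opt="80days")
    observed = lifetimes_from_klist(KLIST_SAMPLE)
    print(ticket // 3600, renew // 86400)              # 24 hours, 70 days
    print(observed[0] // 3600, observed[1] // 86400)   # 24 hours, 70 days
```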

Original article: https://blog.csdn.net/woloqun/article/details/103277813/

Author: 彬在俊
Link: https://www.cnblogs.com/erlou96/p/16878160.html