Why does sshd require a host service principal when authenticating users via pam or KerberosAuthentication

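I have set up Ubuntu for testing purposes.
– Installed MIT Kerberos (latest)
– Installed OpenSSH (latest)

I have set up KerberosAuthentication and pam_krb5 types of authentication, as well as GSSAPIAuthentication. Everything works fine.

When I set up using only "KerberosAuthentication" or "pam_krb5", I see requests for host/: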

Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/ssh[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]

What is the host/ service principal needed for (TGS_REQ)?

It seems to me that all you need is the AS_REQ to validate the user's password.

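This is to prevent man-in-the-middle attacks on the KDC.

I found the answer in Google Books:

Pages 108/109 of the Definitive Guide appear to be authoritative.

I will delay accepting this answer. There should be more written up here; my purpose is not self-promotion, and copying/pasting more than just a sentence or so seems inappropriate.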
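The pairing visible in the KDC log above (an AS_REQ ISSUE for krbtgt/ followed by a TGS_REQ ISSUE for host/ with the same authtime) can be checked mechanically. The following is an added example, not part of the original post: it flags password logins whose TGT was never followed by a host/ ticket request, on the assumption that such a login was not verified against the host keytab. The principals, addresses, realm and the function name `unverified_logins` are constructed for illustration.

```python
import re

# Constructed sample krb5kdc log lines in the format shown in the question
# (principals, hosts and realm are made up).
SAMPLE_LOG = """\
Nov 20 00:09:11 kdc krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 20 00:09:11 kdc krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 20 00:09:11 kdc krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, alice@EXAMPLE.TEST for host/ssh1.example.test@EXAMPLE.TEST
Nov 20 00:12:40 kdc krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.105: ISSUE: authtime 1511154760, etypes {rep=17 tkt=18 ses=17}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Matches only successful issuances; NEEDED_PREAUTH lines do not match.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[\d.]+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)


def unverified_logins(log_text):
    """Return sorted (ip, client, authtime) for TGTs with no host/ ticket.

    Assumption: a verifying login requests a host/ service ticket with the
    TGT it just obtained, so both log entries share source IP, client
    principal and authtime. Sets absorb the duplicated lines seen in the
    question's log.
    """
    tgts, verified = set(), set()
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line.strip())
        if not m:
            continue
        key = (m["ip"], m["client"], int(m["authtime"]))
        if m["kind"] == "AS_REQ" and m["server"].startswith("krbtgt/"):
            tgts.add(key)
        elif m["kind"] == "TGS_REQ" and m["server"].startswith("host/"):
            verified.add(key)
    return sorted(tgts - verified)


if __name__ == "__main__":
    for ip, client, authtime in unverified_logins(SAMPLE_LOG):
        print(f"no host/ ticket after TGT: {client} from {ip} (authtime {authtime})")
```

A TGT with no matching host/ request is not necessarily a login (kinit produces the same pattern), so treat the output as a list of hosts to check for a missing keytab rather than as proof.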