我已经为测试目的设置了 Ubuntu。-安装了 MIT kerberos(最新) -安装了 OpeenSsh(最新)
我已经设置并使用了 KerberosAuthentication 和 pam_krb5 类型的身份验证以及 GSSAPIAuthentication。一切都很好。
当我设置仅使用“KerberosAuthentication”或“pam_krb5”时,我看到对主机/的请求:
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
某些东西(TGS_REQ)是否需要主机/服务主体?
在我看来,您只需要 AS_REQ 来验证用户的密码。
这是为了防止中间人攻击 KDC。
我在Google 图书中找到了答案:
kerberos 的第 108/109 页权威指南似乎具有权威性。
我会延迟接受这个作为答案。这里应该有更多的文字,我的意图不是自我推销和复制/粘贴超过一个句子左右似乎不合适。