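I have set up Ubuntu for testing purposes.
- Installed MIT Kerberos (latest)
- Installed OpenSSH (latest)
I have set up and run the KerberosAuthentication and pam_krb5 types of authentication, as well as GSSAPIAuthentication. Everything works.
When I set it to use only "KerberosAuthentication" or "pam_krb5", I see a request for host/: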
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
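Is there something that requires the host/ service principal (TGS_REQ)?
It seems to me that all you need is the AS_REQ to verify the user's password.
Answer 1
This is to prevent man-in-the-middle attacks against the KDC.
I found the answer on Google Books:
Kerberos: The Definitive Guide, pages 108/109, looks authoritative.
I will delay accepting this answer. There should be more content here; my intent is not self-promotion, and copying/pasting more than a sentence did not seem appropriate.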
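The AS_REQ/TGS_REQ pairing from the question's log can be audited on the KDC side. The following is an added example, not part of the original post: it pairs each issued TGT with a later host/ ticket request carrying the same authtime and lists the logins that never made one. The function name, principals, realm and the 192.168.1.105 host are constructed for illustration.

```python
import re

# Field layout follows the krb5kdc lines quoted in the question.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime (?P<authtime>\d+), +etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

# Constructed sample: principals, realm and the .105 host are invented.
_P = "Nov 20 00:09:11 kdcname krb5kdc[12476](info): "
_E = "etypes {rep=17 tkt=18 ses=17}, "
SAMPLE_LOG = "\n".join([
    _P + "AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: alice@EXAMPLE.COM "
         "for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    _P + "AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, " + _E
       + "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    _P + "TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, " + _E
       + "alice@EXAMPLE.COM for host/ssh1.example.com@EXAMPLE.COM",
    _P + "AS_REQ (2 etypes {16 17}) 192.168.1.105: ISSUE: authtime 1511154600, " + _E
       + "bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
])


def unverified_logins(log_text):
    """Return (client, ip, authtime) for issued TGTs with no host/ ticket request."""
    issued, verified = [], set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["status"] != "ISSUE":
            continue  # skip NEEDED_PREAUTH and unrelated lines
        key = (m["client"], m["ip"], m["authtime"])
        if m["req"] == "AS_REQ" and m["service"].startswith("krbtgt/"):
            if key not in issued:  # tolerate duplicated log lines
                issued.append(key)
        elif m["req"] == "TGS_REQ" and m["service"].startswith("host/"):
            verified.add(key)  # same authtime ties it to the TGT above
    return [k for k in issued if k not in verified]


if __name__ == "__main__":
    for client, ip, authtime in unverified_logins(SAMPLE_LOG):
        print(f"no host/ ticket request after TGT: {client} from {ip} (authtime {authtime})")
```

A plain `kinit` on a workstation also produces an AS_REQ with no host/ request, so the output is a list of candidates to check against the hosts that are expected to run password logins through pam_krb5 or sshd.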