这里列出
Kerberos
中常用的命令。
使用指南(日常)
登录 kinit admin/admin@EXAMPLE.COM
[root@dounine ~]# kinit admin/admin@EXAMPLE.COMPassword for admin/admin@EXAMPLE.COM: 123456
查询登录状态 klist
[root@dounine ~]# klistTicket cache: FILE:/tmp/krb5cc_0Default principal: admin/admin@EXAMPLE.COM Valid starting Expires Service principal2018-07-12T00:54:55 2018-07-13T00:54:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
退出 kdestroy
[root@dounine ~]# kdestroy[root@dounine ~]# klistklist: No credentials cache found (filename: /tmp/krb5cc_0)
指使指南(维护)
登录管理KDC
服务器
登录后台 kadmin.local
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local:
查看用户列表 listprincs
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: listprincs K/M@EXAMPLE.COM activity_analyzer/host1.demo.com@EXAMPLE.COM activity_explorer/host1.demo.com@EXAMPLE.COM admin/admin@EXAMPLE.COM ...
修改帐号密码(可修改忘记密码)
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: change_password admin/admin@EXAMPLE.COM Enter password for principal "admin/admin@EXAMPLE.COM": 123456Re-enter password for principal "admin/admin@EXAMPLE.COM": 123456Password for "admin/admin@EXAMPLE.COM" changed.
创建用户
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: add_principal test1WARNING: no policy specified for test1@EXAMPLE.COM; defaulting to no policy Enter password for principal "test1@EXAMPLE.COM": 123456Re-enter password for principal "test1@EXAMPLE.COM": 123456Principal "test1@EXAMPLE.COM" created.
删除用户
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: delete_principal test1 Are you sure you want to delete the principal "test1@EXAMPLE.COM"? (yes/no): yes Principal "test1@EXAMPLE.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing.
只导出用户keytab
文件(并且不要修改密码)
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: xst -k admin.keytab -norandkey admin/admin@EXAMPLE.COM Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des3-cbc-sha1 added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type arcfour-hmac added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type camellia256-cts-cmac added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type camellia128-cts-cmac added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-hmac-sha1 added to keytab WRFILE:admin.keytab. Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-cbc-md5 added to keytab WRFILE:admin.keytab. kadmin.local: exit
PS:有些教程说是ktadd
,其实它们是一样的效果,在命令使用帮助中我们可以查询到哪些命令是一样的。
[root@dounine ~]# kadmin.localAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: ? #是查看帮助命令Available kadmin.local requests: add_principal, addprinc, ank Add principal delete_principal, delprinc Delete principal modify_principal, modprinc Modify principal rename_principal, renprinc Rename principal change_password, cpw Change password get_principal, getprinc Get principal list_principals, listprincs, get_principals, getprincs List principals add_policy, addpol Add policy modify_policy, modpol Modify policy delete_policy, delpol Delete policy get_policy, getpol Get policy list_policies, listpols, get_policies, getpols List policies get_privs, getprivs Get privileges ktadd, xst Add entry(s) to a keytab ktremove, ktrem Remove entry(s) from a keytab lock Lock database exclusively (use with extreme caution!)unlock Release exclusive database lockpurgekeys Purge previously retained old keys from a principalget_strings, getstrs Show string attributes on a principalset_string, setstr Set a string attribute on a principaldel_string, delstr Delete a string attribute on a principallist_requests, lr, ? List available requests.quit, exit, q Exit program.
用逗号分隔的命令就是相等的,例如
add_principal, addprinc, ank delete_principal, delprinc ktadd, xst ...等等
使用Keytab
验证是否可以登录(无错误输出即可)
kinit -kt /etc/security/keytabs/admin.keytab admin/admin@EXAMPLE.COM
查看keytab
文件中的帐号列表
[root@dounine ~]# klist -ket hbase.headless.keytabKeytab name: FILE:hbase.headless.keytabKVNO Timestamp Principal---- ------------------- ------------------------------------------------------ 7 2018-07-30T10:19:16 hbase-flink@demo.com (des-cbc-md5) 7 2018-07-30T10:19:16 hbase-flink@demo.com (aes128-cts-hmac-sha1-96) 7 2018-07-30T10:19:16 hbase-flink@demo.com (aes256-cts-hmac-sha1-96) 7 2018-07-30T10:19:16 hbase-flink@demo.com (des3-cbc-sha1) 7 2018-07-30T10:19:16 hbase-flink@demo.com (arcfour-hmac)
作者:dounine
链接:https://www.jianshu.com/p/69e6a2e7c648
点击查看更多内容
1人点赞
评论
共同学习,写下你的评论
评论加载中...
作者其他优质文章
正在加载中
感谢您的支持,我会继续努力的~
扫码打赏,你说多少就多少
赞赏金额会直接到老师账户
支付方式
打开微信扫一扫,即可进行扫码打赏哦