Created
September 1, 2015 07:09
-
-
Save wangweij/4911aad265a8097e3315 to your computer and use it in GitHub Desktop.
A script to create a local KDC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| if [ "$3" = "" ]; then | |
| cat <<EOF | |
| Usage: `basename $0` realm-name kdc-host port-number | |
| This command will create necessary files for a new KDC instance | |
| in the current directory. This includes a kdc.conf, a krb5.conf | |
| and a startup script to use KDC each time. The command itself | |
| does not make any environment changes. | |
| Define ALLOW_WEAK=true to support DES on both KDC and client. | |
| Define KRB5SRC if you want to use your own krb5 build. | |
| Otherwise the system installed one (built-in) is used. | |
| Set it to "built-in" to force using built-in. | |
| Note: killall is in the psmisc package in Ubuntu. | |
| EOF | |
| exit | |
| fi | |
| if [ "$KRB5SRC" = "" ]; then | |
| # I like to build my own krb5 in these places | |
| for a in $HOME/work/krb5/src /space/work/krb5/src /space/repos/external/krb5/src; do | |
| if [ -f $a/clients/kinit/kinit ]; then | |
| KRB5SRC=$a | |
| break | |
| fi | |
| done | |
| fi | |
| if [ "$KRB5SRC" = "" ]; then | |
| KRB5SRC=built-in | |
| fi | |
| REALM=$1 | |
| KDC=$2 | |
| PORT=$3 | |
| ROOT=`pwd` | |
| LC_REALM=`echo $REALM | tr '[A-Z]' '[a-z]'` | |
| if [ -e kdc.conf ]; then | |
| echo kdc.conf already exists. Terminated. | |
| exit 1 | |
| fi | |
| if [ -e krb5.conf ]; then | |
| echo krb5.conf already exists. Terminated. | |
| exit 1 | |
| fi | |
| if [ "$ALLOW_WEAK" = "true" ]; then | |
| USE_WEAK= | |
| else | |
| USE_WEAK=# | |
| fi | |
| cat <<EOF > kdc.conf | |
| [kdcdefaults] | |
| kdc_ports = ${PORT} | |
| [realms] | |
| ${REALM} = { | |
| database_name = ${ROOT}/principal | |
| admin_keytab = FILE:${ROOT}/kadm5.keytab | |
| acl_file = ${ROOT}/kadm5.acl | |
| key_stash_file = ${ROOT}/.k5.ATHENA.MIT.EDU | |
| kdc_ports = ${PORT} | |
| max_life = 10h 0m 0s | |
| max_renewable_life = 7d 0h 0m 0s | |
| #reject_bad_transit = false | |
| #default_principal_flags=+preauth | |
| ${USE_WEAK}supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal arcfour-hmac:normal des-cbc-crc:normal | |
| } | |
| EOF | |
| cat <<EOF > krb5.conf | |
| [libdefaults] | |
| default_realm = ${REALM} | |
| default_keytab_name = FILE:${ROOT}/krb5.keytab | |
| forwardable = true | |
| dns_lookup_kdc = no | |
| dns_lookup_realm = no | |
| #default_tkt_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc | |
| #permitted_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc | |
| #default_tgs_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc | |
| ${USE_WEAK}allow_weak_crypto=true | |
| [realms] | |
| ${REALM} = { | |
| kdc = ${KDC}:${PORT} | |
| } | |
| [logging] | |
| kdc = FILE:/tmp/krb5kdc_${REALM}.log | |
| [domain_realm] | |
| .${LC_REALM} = ${REALM} | |
| EOF | |
| if [ "$KRB5SRC" != "built-in" ]; then | |
| cat <<EOF >> krb5.conf | |
| [dbmodules] | |
| db_module_dir = $KRB5SRC/tests/../plugins/kdb/db2 | |
| EOF | |
| fi | |
| if [ "$KRB5SRC" != "built-in" ]; then | |
| cat <<EOF > startup | |
| #! /bin/bash | |
| if [ "\$KRB5SRC" = "" ]; then | |
| KRB5SRC=$KRB5SRC | |
| fi | |
| export LD_LIBRARY_PATH=\$KRB5SRC/lib | |
| export DYLD_LIBRARY_PATH=\$KRB5SRC/lib | |
| if [ "\$(which kinit)" != "\$KRB5SRC/bin/kinit" ]; then | |
| export PATH=\$KRB5SRC/bin:\$PATH | |
| fi | |
| EOF | |
| else | |
| echo "#! /bin/bash" > startup | |
| fi | |
| cat <<EOF >> startup | |
| export KRB5CCNAME=/tmp/krb5cc_${REALM} | |
| export KRB5_CONFIG=${ROOT}/krb5.conf | |
| export KRB5_KDC_PROFILE=${ROOT}/kdc.conf | |
| export _JAVA_OPTIONS="-Djava.security.krb5.conf=${ROOT}/krb5.conf" | |
| function delprinc { | |
| for a in \$@; do | |
| kadmin.local -q "delprinc -force \$a" | |
| done | |
| } | |
| function getprinc { | |
| if [ "\$1" = "" ]; then | |
| kadmin.local -q "listprincs" | |
| else | |
| for a in \$@; do | |
| kadmin.local -q "getprinc \$a" | |
| done | |
| fi | |
| } | |
| function addprinc { | |
| # name [pass] | |
| PASSWORD=-randkey | |
| if [ "\$2" != "" ]; then | |
| PASSWORD="-pw \$2" | |
| fi | |
| echo addprinc \$PASSWORD \$1 | |
| kadmin.local -q "addprinc \$PASSWORD \$1" | |
| kadmin.local -q "ktadd -norandkey \$1" | |
| } | |
| function initkdc { | |
| kdb5_util create -s -W -P master | |
| } | |
| EOF | |
| ( | |
| echo "function startkdc {" | |
| if [ $PORT -lt 1024 ]; then | |
| if [ "$KRB5SRC" != "built-in" ]; then | |
| echo " sudo sh -c \"DYLD_LIBRARY_PATH=\$DYLD_LIBRARY_PATH LD_LIBRARY_PATH=\$LD_LIBRARY_PATH KRB5_CONFIG=\$KRB5_CONFIG KRB5_KDC_PROFILE=\$KRB5_KDC_PROFILE \$KRB5SRC/bin/krb5kdc\"" | |
| else | |
| echo " sudo sh -c \"KRB5_CONFIG=\$KRB5_CONFIG KRB5_KDC_PROFILE=\$KRB5_KDC_PROFILE krb5kdc\"" | |
| fi | |
| else | |
| echo " krb5kdc" | |
| fi | |
| echo "}" | |
| echo | |
| echo "function killkdc {" | |
| if [ $PORT -lt 1024 ]; then | |
| echo " sudo sh -c \"killall krb5kdc\"" | |
| else | |
| echo " killall krb5kdc" | |
| fi | |
| echo "}" | |
| ) >> startup | |
| cat <<EOF > README | |
| 0. Initiate the env | |
| . startup | |
| 1. Create the KDC: | |
| initkdc | |
| 2. Starts the KDC: | |
| killall krb5kdc | |
| startkdc | |
| 3. Add principals | |
| Either run the kadmin.local command, or use functions below | |
| addprinc dummy bogus | |
| addprinc foo bar | |
| addprinc server/host.${LC_REALM} | |
| addprinc backend/host.${LC_REALM} | |
| ktadd -e "aes128-cts:normal rc4-hmac:normal" server/host.${LC_REALM} | |
| ktadd -e "aes128-cts:normal rc4-hmac:normal" backend/host.${LC_REALM} | |
| 4. Try it out | |
| kinit dummy | |
| klist | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment