\u4e3a\u4ec0\u4e48\u9700\u8981 Kerberos \u534f\u8bae<\/h4>\n\n\n\n
Kerberos \u534f\u8bae\u7684\u76ee\u7684\u662f\u8eab\u4efd\u9a8c\u8bc1\u3002\u65e2\u7136\u662f\u8eab\u4efd\u9a8c\u8bc1\uff0c\u90a3\u6211\u76f4\u63a5\u8f93\u5165\u7528\u6237\u540d\u5bc6\u7801\u4e0d\u5c31\u597d\u4e86\uff0c\u4e3a\u4f55\u8981\u6709Kerberos\u8fd9\u6837\u4e00\u4e2a\u590d\u6742\u7684\u4e1c\u897f\uff1f\u4e3e\u4f8b\u6765\u8bf4\uff0c\u6709A\u3001B\u3001C\u4e09\u4e2a\u670d\u52a1\u5668\uff0c\u5206\u522b\u63d0\u4f9b\u4e0d\u540c\u7684\u670d\u52a1\uff0cuser\u8981\u8bbf\u95eeA\u3001B\u3001C\u90fd\u9700\u8981\u8f93\u5165\u7528\u6237\u540d\u5bc6\u7801\uff08\u8fd9\u8fd8\u662f\u4e0d\u540c\u670d\u52a1\u4f7f\u7528\u76f8\u540c\u5bc6\u7801\u7684\u7b80\u5355\u60c5\u51b5\uff09\uff0c\u4f46\u662fA\u3001B\u3001C\u6ca1\u5fc5\u8981\u90fd\u5b58\u4e00\u4efduser\u7684\u5bc6\u7801\uff0c\u6240\u4ee5\u5c31\u884d\u751f\u51fa\u4e00\u4e2a\u4e2d\u592e\u670d\u52a1\u5668D\u6765\u4e13\u95e8\u5b58\u50a8\u7528\u6237\u540d\u5bc6\u7801\uff1b\u5982\u679cuser\u901a\u8fc7\u4e86D\u7684\u8ba4\u8bc1\uff0c\u90a3\u5c31\u662f\u5408\u6cd5\u7684\u8eab\u4efd\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528A\u3001B\u3001C\u4e2d\u7684\u4efb\u4f55\u4e00\u4e2a\u670d\u52a1\uff0c\u6240\u4ee5user\u9700\u8981\u544a\u8bc9A\u3001B\u3001C\u5b83\u901a\u8fc7\u4e86D\u7684\u8ba4\u8bc1\u3002\u5982\u4f55\u8bc1\u660e\u8fd9\u4e2a\u4e8b\u60c5\uff0c\u4ee5\u53ca\u4fe1\u606f\u5728\u7f51\u7edc\u4f20\u8f93\u8fc7\u7a0b\u5982\u4f55\u9632\u6b62\u88ab\u622a\u83b7\u7be1\u6539\u800c\u5047\u5192\u7b49\u7b49\uff0c\u89e3\u51b3\u8fd9\u4e9b\u95ee\u9898\u5c31\u9760 Kerberos \u534f\u8bae\u3002<\/strong><\/p>\n\n\n\n \u4ee5\u4e0a\u8fd9\u4e9b\u770b\u4e0a\u53bb\u662f\u4e0d\u662f\u548c\u73b0\u5728\u5927\u5bb6\u5e38\u542c\u5230\u548c\u7528\u5230\u7684 SSO \u534f\u8bae\u89e3\u51b3\u7684\u95ee\u9898\u5f88\u50cf\uff1f\u524d\u6bb5\u65f6\u95f4\u6211\u5728\u770b CAS \u534f\u8bae\u65f6\u5c31\u6709\u6587\u7ae0\u63d0\u5230 CAS \u534f\u8bae\u7684\u8bbe\u8ba1\u53c2\u8003\u4e86 Kerberos \u534f\u8bae\u7684\u601d\u60f3\uff0c\u800cCAS\u534f\u8bae\u73b0\u5728\u662f\u4f7f\u7528\u975e\u5e38\u5e7f\u6cdb\u7684 SSO \u534f\u8bae\uff0c\u4e5f\u662f\u4e00\u4e2a\u7b80\u5355\u800c\u5f3a\u5927\u7684\u57fa\u4e8e\u7968\u636e\u7684(ticket-based)\u534f\u8bae\u3002<\/p>\n\n\n\n Kerberos\u7684\u6807\u5fd7\u662f\u4e09\u5934\u72d7\uff0c\u72d7\u5934\u5206\u522b\u4ee3\u8868\u4ee5\u4e0b\u89d2\u8272\uff1a<\/p>\n\n\n\n KDC \u8d1f\u8d23\u7968\u636e\u7684\u7ba1\u7406\uff0c\u4f46\u662f KDC \u4e0d\u662f\u4e00\u4e2a\u72ec\u7acb\u7684\u670d\u52a1\uff0c\u5b83\u4e3b\u8981\u7531\u4ee5\u4e0b\u4e24\u670d\u52a1\u7ec4\u6210\uff1a<\/p>\n\n\n\n \u5728\u6df1\u5165\u4e86\u89e3 Kerberos \u534f\u8bae\u7684\u539f\u7406\u4e4b\u524d\uff0c\u5148\u6574\u7406\u4ecb\u7ecd\u4e00\u4e0b Kerberos \u534f\u8bae\u7684\u51e0\u4e2a\u5927\u524d\u63d0\uff0c\u6709\u52a9\u4e8e\u7406\u89e3\uff1a<\/p>\n\n\n\n Designing an Authentication System: a Dialogue in Four Scenes KERBEROS PROTOCOL TUTORIAL Explain like I\u2019m 5: Kerberos \u4e00\u6587\u641e\u5b9aKerberosKerberos \u534f\u8bae\u4e2d\u7684\u4e00\u4e9b\u6982\u5ff5\u3001\u540d\u8bcd\u89e3\u91ca<\/h4>\n\n\n\n
Kerberos \u534f\u8bae\u7684\u8ba4\u8bc1\u6d41\u7a0b<\/h4>\n\n\n\n
![\"\"](\"https:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2022\/11\/krbmsg.gif\")
<\/figure>\n\n\n\nKerberos \u8ba4\u8bc1\u6d41\u7a0b\u4e2d\u7684\u6570\u636e\u4ea4\u4e92<\/h4>\n\n\n\n
PrincipalClient \u53ef\u4ee5\u7b80\u5355\u7406\u89e3\u4e3a username-\u7528\u6237\u540d\uff1b\nPrincipalService \u662f servicename-\u670d\u52a1\u540d\uff1b\nIP_list \u53ef\u4ee5\u7406\u89e3\u4e3a\u53ef\u5408\u6cd5\u4f7f\u7528ticket\u7684\u7f51\u7edc\u5730\u5740\u8303\u56f4\uff08\u5982\u679c\u89e3\u5bc6\u51fa\u6765\u7684IP\u5730\u5740\u4e0d\u5728IP_list\u8303\u56f4\u5185\uff0c\u53ef\u4ee5\u8ba4\u4e3a\u6b64ticket\u65e0\u6548\uff09\uff1b\nLifetime \u53ef\u4ee5\u7406\u89e3\u4e3a\u8fc7\u671f\u65f6\u95f4\u6216\u8005\u8bf4\u6709\u6548\u751f\u547d\u5468\u671f\u8303\u56f4\uff1b\nTgtRealm \u53ef\u4ee5\u7406\u89e3\u4e3a\u7b7e\u53d1tgt\u7684\u4e3b\u4f53\nTimestamp \u7b7e\u53d1\u65e5\u671f\u65f6\u95f4\u6233\n\nSK_TGS \u7531 AS \u968f\u673a\u751f\u6210\u7684\u5728 client \u548c TGS \u4e4b\u95f4\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5(sessionkey)\nSK_Service \u7531 TGS \u968f\u673a\u751f\u6210\u7684\u5728 client \u548c Service \u4e4b\u95f4\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5(sessionkey)\uff0c\u548c Authenticator \u4e00\u8d77\u9a8c\u8bc1\u4e92\u76f8\u7684\u8eab\u4efd\n\nK_User \u662f\u7528\u6237\u7684\u5bc6\u7801\uff0c\u53ea\u6709\u7528\u6237\u548c KDC(AS+TGS) \u77e5\u9053\nK_TGS \u662f TGS \u7684\u5bc6\u7801\uff0c\u53ea\u6709 KDC(AS+TGS) \u77e5\u9053\nK_Service \u662f Service \u7684\u5bc6\u7801\uff0c\u53ea\u6709 Service \u548c KDC(AS+TGS) \u77e5\u9053\n\nAuthenticator \u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u7531 client \u751f\u6210\u7684\u8d77\u5230\u9a8c\u8bc1\u8eab\u4efd\u4f5c\u7528\u7684\u5185\u5bb9\uff0c\u662f\u4f7f\u7528\u5404\u9636\u6bb5\u7684\u4f1a\u8bdd\u5bc6\u94a5(sessionkey)\u5bf9 {PrincipalClient, Timestamp} \u8fdb\u884c\u52a0\u5bc6\u751f\u6210\u7684\n\n\u8bf7\u6c421\uff1a\nAS_REQ = ( PrincipalClient , PrincipalService , IP_list , Lifetime )\n>>> \u7531 client \u5411 AS \u53d1\u8d77\u7684\u8bf7\u6c42\uff0c\u5185\u5bb9\u5305\u542b\u81ea\u5df1\u7684\u7528\u6237\u540d\u3001\u76ee\u6807\u670d\u52a1\u540d\u3001\u7f51\u7edc\u5730\u5740\u3001\u7533\u8bf7\u7968\u8bc1\u6709\u6548\u671f\u7b49\u4e3b\u8981\u4fe1\u606f\n\n\n\u54cd\u5e941\uff1a\nTGT = ( PrincipalClient , TgtRealm , IP_list , Timestamp , Lifetime , SK_TGS )\nAS_REP = { PrincipalService , Timestamp , Lifetime , SK_TGS }K_User { TGT }K_TGS\n>>> \u7531 AS \u8fd4\u56de\u7ed9 client \u7684\u54cd\u5e94\uff0c\u5185\u5bb9\u662f \u4f7f\u7528\u7528\u6237\u5bc6\u7801\u52a0\u5bc6\u7684{\u76ee\u6807\u670d\u52a1\u540d\u3001\u7b7e\u53d1\u65e5\u671f\u65f6\u95f4\u6233\u3001\u7968\u8bc1\u6709\u6548\u671f\u3001client\u548cTGS\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5} + \u4f7f\u7528TGS\u5bc6\u7801\u52a0\u5bc6\u7684TGT \uff0c\u5176\u4e2dTGT\u91cc\u9762\u5305\u542b\u4e86\u4e00\u4e2aclient\u548cTGS\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u662f\u7531 AS \u968f\u673a\u751f\u6210\u7684\uff0cTGS\u53ea\u6709\u5728\u7528\u81ea\u5df1\u7684\u5bc6\u7801\u6210\u529f\u89e3\u5bc6\u4e4b\u540e\u624d\u80fd\u63d0\u53d6\u51fa\u8fd9\u4e2a\u4f1a\u8bdd\u5bc6\u94a5\n\n\n\u8bf7\u6c422\uff1a\nAuthenticator = { PrincipalClient , Timestamp }SK_TGS\nTGS_REQ = ( PrincipalService , Lifetime , Authenticator) { TGT }K_TGS\n>>> \u7531 client \u5411 TGS \u53d1\u8d77\u7684\u8bf7\u6c42\uff0c\u5185\u5bb9\u5305\u542b\u76ee\u6807\u670d\u52a1\u540d\u3001\u7968\u8bc1\u6709\u6548\u671f\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668Authenticator-1\uff08\u8fd9\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u5668\u662f\u7528\u4e0a\u9762\u7684\u4f1a\u8bdd\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\u751f\u6210\u7684\u5185\u5bb9\uff0c\u7528\u6765\u9a8c\u8bc1 client \u7684\u8eab\u4efd\uff09\uff0c\u8fd8\u6709\u4e00\u4e2a\u7528TGS\u5bc6\u7801\u52a0\u5bc6\u7684TGT\n\n\n\u54cd\u5e942\uff1a\nServiceTicket = ( PrincipalClient , PrincipalService , IP_list , Timestamp , Lifetime , SK_Service )\nTGS_REP = { PrincipalService , Timestamp , Lifetime , SK_Service }SK_TGS { ServiceTicket }K_Service\n>>> \u7531 TGS \u8fd4\u56de\u7ed9 client \u7684\u54cd\u5e94\uff0c\u5185\u5bb9\u662f \u4f7f\u7528\u4e0a\u4e00\u6b65\u4e2d\u4f1a\u8bdd\u5bc6\u94a5\u52a0\u5bc6\u7684{\u76ee\u6807\u670d\u52a1\u540d\u3001\u7b7e\u53d1\u65e5\u671f\u65f6\u95f4\u6233\u3001\u7968\u8bc1\u6709\u6548\u671f\u3001client\u548cService\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5} + \u4f7f\u7528\u670d\u52a1\u5bc6\u7801\u52a0\u5bc6\u7684ServiceTicket \uff0cclient\u548cService\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5\u662f\u7531 TGS \u968f\u673a\u751f\u6210\u7684\uff0cService \u53ea\u6709\u5728\u7528\u81ea\u5df1\u7684\u5bc6\u7801\u6210\u529f\u89e3\u5bc6\u4e4b\u540e\u624d\u80fd\u63d0\u53d6\u51fa\u8fd9\u4e2a\u4f1a\u8bdd\u5bc6\u94a5\n\n\n\u8bf7\u6c423\uff1a\nAuthenticator = { PrincipalClient , Timestamp }SK_Service\nAP_REQ = Authenticator { ServiceTicket }K_Service\n>>> \u7531 client \u5411 Service \u53d1\u8d77\u7684\u8bf7\u6c42\uff0c\u5185\u5bb9\u5305\u542b\u8eab\u4efd\u9a8c\u8bc1\u5668Authenticator-2\uff08\u8fd9\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u5668\u662f\u7528\u4e0a\u9762\u7684\u4f1a\u8bdd\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\u751f\u6210\u7684\u5185\u5bb9\uff0c\u7528\u6765\u9a8c\u8bc1 client \u7684\u8eab\u4efd\uff09+ \u4f7f\u7528 Service \u5bc6\u7801\u52a0\u5bc6\u7684 ServiceTicket\n\n\n\u54cd\u5e943\uff1a\nAP_REP \u662f\u670d\u52a1\u7aef\u7ed9\u5ba2\u6237\u7aef\u7684\u54cd\u5e94\u5305\uff0c\u7528\u6765\u8bc1\u660e\u6211\u786e\u5b9e\u662f client \u6240\u671f\u671b\u7684 service \uff0c\u56e0\u4e3a\u6211\u6709 SK_Service \u80fd\u6b63\u786e\u89e3\u5bc6\u4e0a\u4e00\u6b65\u4f60\u63d0\u4f9b\u7684 Authenticator \u4ece\u800c\u5b8c\u6210\u4e86\u53cc\u5411\u8ba4\u8bc1\uff08\u4e00\u822c\u4e0d\u9700\u8981\uff0c\u4e00\u822c\u60c5\u51b5\u4e0b\u53ea\u9700\u8981 service \u80fd\u591f\u9a8c\u8bc1 client \u662f\u771f\u7684\u5c31\u884c\uff0cclient \u5f88\u5c11\u8981\u6c42 service \u4e5f\u662f\u771f\u7684\uff09\u3002<\/code><\/pre>\n\n\n\n\u53c2\u8003\u94fe\u63a5\uff1a<\/h5>\n\n\n\n
http:\/\/web.mit.edu\/kerberos\/dialogue.html<\/a><\/p>\n\n\n\n
https:\/\/www.kerberos.org\/software\/tutorial.html<\/a><\/p>\n\n\n\n
https:\/\/www.roguelynn.com\/words\/explain-like-im-5-kerberos\/<\/a><\/p>\n\n\n\n
https:\/\/zhuanlan.zhihu.com\/p\/266491528<\/a><\/p>\n\n\n\n