{"id":1019,"date":"2019-01-23T10:52:23","date_gmt":"2019-01-23T02:52:23","guid":{"rendered":"http:\/\/www.rain1024.com\/?p=1019"},"modified":"2023-08-07T20:57:25","modified_gmt":"2023-08-07T12:57:25","slug":"article140","status":"publish","type":"post","link":"http:\/\/rain1024.com\/index.php\/2019\/01\/23\/article140\/","title":{"rendered":"kerberos\u8ba4\u8bc1\u539f\u7406&#8212;\u8bb2\u7684\u975e\u5e38\u7ec6\u81f4"},"content":{"rendered":"<div class=\"blog-content-box\">\n<article class=\"baidu_pl\">\n<div id=\"article_content\" class=\"article_content clearfix csdn-tracking-statistics\" data-pid=\"blog\" data-mod=\"popu_307\" data-dsm=\"post\">\n<div id=\"content_views\" class=\"htmledit_views\">\n<p>\u539f\u6587\uff1a<a href=\"https:\/\/blog.csdn.net\/wulantian\/article\/details\/42418231\">https:\/\/blog.csdn.net\/wulantian\/article\/details\/42418231<\/a><\/p>\n<p>\u524d\u51e0\u5929\u5728\u7ed9\u4eba\u89e3\u91caWindows\u662f\u5982\u4f55\u901a\u8fc7Kerberos\u8fdb\u884cAuthentication\u7684\u65f6\u5019\uff0c\u8bb2\u4e86\u534a\u5929\u4e5f\u522b\u628a\u90a3\u4f4d\u8001\u5144\u8bb2\u660e\u767d\uff0c\u8fd8\u5dee\u70b9\u628a\u81ea\u5df1\u7ed9\u7ed5\u8fdb\u53bb\u3002\u540e\u6765\u60f3\u60f3\u539f\u56e0\u6709\u4ee5\u4e0b\u4e24\u70b9\uff1a\u5bf9\u4e8e\u4e00\u4e2a\u6ca1\u6709\u5b8c\u5168\u4e0d\u4e86\u89e3Kerberos\u7684\u4eba\u6765\u8bf4\uff0cKerberos\u7684\u6574\u4e2aAuthentication\u8fc7\u7a0b\u786e\u5b9e\u4e0d\u597d\u7406\u89e3\u2014\u2014\u4e00\u4f1a\u513f\u4ee5\u8fd9\u4e2aKey\u8fdb\u884c\u52a0\u5bc6\u3001\u4e00\u4f1a\u513f\u53c8\u8981\u4ee5\u53e6\u4e00\u4e2aKey\u8fdb\u884c\u52a0\u5bc6\uff0c\u786e\u5b9e\u5f88\u5bb9\u6613\u628a\u4eba\u7ed9\u5f04\u6655\uff1b\u53e6\u4e00\u65b9\u9762\u662f\u6211\u8bb2\u89e3\u65b9\u5f0f\u6709\u95ee\u9898\uff0c\u4e00\u5f00\u59cb\u5c31\u4eceKerberos\u76843\u4e2aSub-protocol\u5168\u9762\u8bb2\u8ff0\u6574\u4e2aAuthentication 
\u8fc7\u7a0b\uff0c\u5bf9\u4e8e\u4e00\u4e2a\u5b8c\u5168\u4e0d\u4e86\u89e3Kerberos\u7684\u4eba\u6765\u8bf4\u8981\u6c42\u4e5f\u5fd2\u9ad8\u4e86\u70b9\u3002\u4e3a\u6b64\uff0c\u6211\u82b1\u4e86\u4e00\u4e9b\u65f6\u95f4\u5199\u4e86\u8fd9\u7bc7\u6587\u7ae0\uff0c\u5c3d\u91cf\u4ee5<a href=\"https:\/\/www.baidu.com\/s?wd=%E7%94%B1%E6%B5%85%E5%85%A5%E6%B7%B1&amp;tn=24004469_oem_dg&amp;rsv_dl=gh_pl_sl_csd\" target=\"_blank\" rel=\"noopener\">\u7531\u6d45\u5165\u6df1<\/a>\u3001\u5c42\u5c42\u6df1\u5165\u7684\u65b9\u5f0f\u8bb2\u8ff0\u6211\u6240\u7406\u89e3\u7684\u57fa\u4e8eKerberos\u7684Windows Network Authentication\uff0c\u5e0c\u671b\u8fd9\u7bc7\u6587\u7ae0\u80fd\u5e2e\u52a9\u90a3\u4e9b\u5bf9Kerberos\u4e0d\u660e\u5c31\u91cc\u7684\u4eba\u5e26\u6765\u4e00\u4e1d\u5e2e\u52a9\u3002\u5bf9\u4e8e\u4e00\u4e9b\u4e0d\u5bf9\u7684\u5730\u65b9\uff0c\u6b22\u8fce\u5927\u5bb6\u6279\u8bc4\u6307\u6b63\u3002<\/p>\n<p><strong>\u4e00\u3001\u00a0\u57fa\u672c\u539f\u7406<\/strong><\/p>\n<p>Authentication\u89e3\u51b3\u7684\u662f\u201c\u5982\u4f55\u8bc1\u660e\u67d0\u4e2a\u4eba<a href=\"https:\/\/www.baidu.com\/s?wd=%E7%A1%AE%E7%A1%AE%E5%AE%9E%E5%AE%9E&amp;tn=24004469_oem_dg&amp;rsv_dl=gh_pl_sl_csd\" target=\"_blank\" 
rel=\"noopener\">\u786e\u786e\u5b9e\u5b9e<\/a>\u5c31\u662f\u4ed6\u6216\u5979\u6240\u58f0\u79f0\u7684\u90a3\u4e2a\u4eba\u201d\u7684\u95ee\u9898\u3002\u5bf9\u4e8e\u5982\u4f55\u8fdb\u884cAuthentication\uff0c\u6211\u4eec\u91c7\u7528\u8fd9\u6837\u7684\u65b9\u6cd5\uff1a\u5982\u679c\u4e00\u4e2a\u79d8\u5bc6\uff08secret\uff09\u4ec5\u4ec5\u5b58\u5728\u4e8eA\u548cB\uff0c\u90a3\u4e48\u6709\u4e2a\u4eba\u5bf9B\u58f0\u79f0\u81ea\u5df1\u5c31\u662fA\uff0cB\u901a\u8fc7\u8ba9A\u63d0\u4f9b\u8fd9\u4e2a\u79d8\u5bc6\u6765\u8bc1\u660e\u8fd9\u4e2a\u4eba\u5c31\u662f\u4ed6\u6216\u5979\u6240\u58f0\u79f0\u7684A\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u5b9e\u9645\u4e0a\u6d89\u53ca\u52303\u4e2a\u91cd\u8981\u7684\u5173\u4e8eAuthentication\u7684\u65b9\u9762\uff1a<\/p>\n<ul>\n<li>\n<div>Secret\u5982\u4f55\u8868\u793a\u3002<\/div>\n<\/li>\n<li>\n<div>A\u5982\u4f55\u5411B\u63d0\u4f9bSecret\u3002<\/div>\n<\/li>\n<li>\n<div>B\u5982\u4f55\u8bc6\u522bSecret\u3002<\/div>\n<\/li>\n<\/ul>\n<p>\u57fa\u4e8e\u8fd93\u4e2a\u65b9\u9762\uff0c\u6211\u4eec\u628aKerberos Authentication\u8fdb\u884c\u6700\u5927\u9650\u5ea6\u7684\u7b80\u5316\uff1a\u6574\u4e2a\u8fc7\u7a0b\u6d89\u53ca\u5230Client\u548cServer\uff0c\u4ed6\u4eec\u4e4b\u95f4\u7684\u8fd9\u4e2aSecret\u6211\u4eec\u7528\u4e00\u4e2aKey\uff08<strong>KServer-Client<\/strong>\uff09\u6765\u8868\u793a\u3002Client\u4e3a\u4e86\u8ba9Server\u5bf9\u81ea\u5df1\u8fdb\u884c\u6709\u6548\u7684\u8ba4\u8bc1\uff0c\u5411\u5bf9\u65b9\u63d0\u4f9b\u5982\u4e0b\u4e24\u7ec4\u4fe1\u606f\uff1a<\/p>\n<ul>\n<li>\n<div>\u4ee3\u8868Client\u81ea\u8eabIdentity\u7684\u4fe1\u606f\uff0c\u4e3a\u4e86\u7b80\u4fbf\uff0c\u5b83\u4ee5\u660e\u6587\u7684\u5f62\u5f0f\u4f20\u9012\u3002<\/div>\n<\/li>\n<li>\n<div align=\"left\">\u5c06Client\u7684Identity\u4f7f\u7528<strong>KServer-Client<\/strong>\u4f5c\u4e3aSecret 
Key\u3001\u5e76\u91c7\u7528\u5bf9\u79f0\u52a0\u5bc6\u7b97\u6cd5\u8fdb\u884c\u52a0\u5bc6\u3002<\/div>\n<\/li>\n<\/ul>\n<p>\u7531\u4e8e<strong>KServer-Client<\/strong>\u4ec5\u4ec5\u88abClient\u548cServer\u77e5\u6653\uff0c\u6240\u4ee5\u88abClient\u4f7f\u7528KServer-Client\u52a0\u5bc6\u8fc7\u7684Client Identity\u53ea\u80fd\u88abClient\u548cServer\u89e3\u5bc6\u3002\u540c\u7406\uff0cServer\u63a5\u6536\u5230Client\u4f20\u9001\u7684\u8fd9\u4e24\u7ec4\u4fe1\u606f\uff0c\u5148\u901a\u8fc7<strong>KServer-Client<\/strong>\u5bf9\u540e\u8005\u8fdb\u884c\u89e3\u5bc6\uff0c\u968f\u540e\u5c06\u89e3\u5bc6\u540e\u7684\u6570\u636e\u540c\u524d\u8005\u8fdb\u884c\u6bd4\u8f83\uff0c\u5982\u679c\u5b8c\u5168\u4e00\u6837\uff0c\u5219\u53ef\u4ee5\u8bc1\u660eClient\u80fd\u591f\u63d0\u4f9b\u6b63\u786e\u7684<strong>KServer-Client<\/strong>\uff0c\u800c\u8fd9\u4e2a\u4e16\u754c\u4e0a\uff0c\u4ec5\u4ec5\u53ea\u6709\u771f\u6b63\u7684Client\u548c\u81ea\u5df1\u77e5\u9053<strong>KServer-Client<\/strong>\uff0c\u6240\u4ee5\u53ef\u4ee5\u8bc1\u660e\u5bf9\u65b9\u5c31\u662f\u4ed6\u6240\u58f0\u79f0\u7684\u90a3\u4e2a\u4eba\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_01.jpg\" alt=\"\" width=\"576\" height=\"269\" border=\"0\" \/><br \/>\nKerberos\u5927\u4f53\u4e0a\u5c31\u662f\u6309\u7167\u8fd9\u6837\u7684\u4e00\u4e2a\u539f\u7406\u6765\u8fdb\u884cAuthentication\u7684\u3002\u4f46\u662fKerberos\u8fdc\u6bd4\u8fd9\u4e2a\u590d\u6742\uff0c\u6211\u5c06\u5728\u540e\u7eed\u7684\u7ae0\u8282\u4e2d\u4e0d\u65ad\u5730\u6269\u5145\u8fd9\u4e2a\u8fc7\u7a0b\uff0c\u76f4\u5230Kerberos\u771f\u5b9e\u7684\u8ba4\u8bc1\u8fc7\u7a0b\u3002\u4e3a\u4e86\u4f7f\u8bfb\u8005\u66f4\u52a0\u5bb9\u6613\u7406\u89e3\u540e\u7eed\u7684\u90e8\u5206\uff0c\u5728\u8fd9\u91cc\u6211\u4eec\u5148\u7ed9\u51fa\u4e24\u4e2a\u91cd\u8981\u7684\u6982\u5ff5\uff1a<\/p>\n<ul>\n<li>\n<div><strong>Long-term Key\/Master 
Key<\/strong>\uff1a\u5728Security\u7684\u9886\u57df\u4e2d\uff0c\u6709\u7684Key\u53ef\u80fd\u957f\u671f\u5185\u4fdd\u6301\u4e0d\u53d8\uff0c\u6bd4\u5982\u4f60\u5728\u5bc6\u7801\uff0c\u53ef\u80fd\u51e0\u5e74\u90fd\u4e0d\u66fe\u6539\u53d8\uff0c\u8fd9\u6837\u7684Key\u3001\u4ee5\u53ca\u7531\u6b64\u6d3e\u751f\u7684Key\u88ab\u79f0\u4e3aLong-term Key\u3002\u5bf9\u4e8eLong-term Key\u7684\u4f7f\u7528\u6709\u8fd9\u6837\u7684\u539f\u5219\uff1a\u88abLong-term Key\u52a0\u5bc6\u7684\u6570\u636e\u4e0d\u5e94\u8be5\u5728\u7f51\u7edc\u4e0a\u4f20\u8f93\u3002\u539f\u56e0\u5f88\u7b80\u5355\uff0c\u4e00\u65e6\u8fd9\u4e9b\u88abLong-term Key\u52a0\u5bc6\u7684\u6570\u636e\u5305\u88ab\u6076\u610f\u7684\u7f51\u7edc\u76d1\u542c\u8005\u622a\u83b7\uff0c\u5728\u539f\u5219\u4e0a\uff0c\u53ea\u8981\u6709\u5145\u8db3\u7684\u65f6\u95f4\uff0c\u4ed6\u662f\u53ef\u4ee5\u901a\u8fc7\u8ba1\u7b97\u83b7\u5f97\u4f60\u7528\u4e8e\u52a0\u5bc6\u7684Long-term Key\u7684\u2014\u2014\u4efb\u4f55\u52a0\u5bc6\u7b97\u6cd5\u90fd\u4e0d\u53ef\u80fd\u505a\u5230\u7edd\u5bf9\u4fdd\u5bc6\u3002<\/div>\n<\/li>\n<\/ul>\n<p>\u5728\u4e00\u822c\u60c5\u51b5\u4e0b\uff0c\u5bf9\u4e8e\u4e00\u4e2aAccount\u6765\u8bf4\uff0c\u5bc6\u7801\u5f80\u5f80\u4ec5\u4ec5\u9650\u4e8e\u8be5Account\u7684\u6240\u6709\u8005\u77e5\u6653\uff0c\u751a\u81f3\u5bf9\u4e8e\u4efb\u4f55Domain\u7684Administrator\uff0c\u5bc6\u7801\u4ecd\u7136\u5e94\u8be5\u662f\u4fdd\u5bc6\u7684\u3002\u4f46\u662f\u5bc6\u7801\u5374\u53c8\u662f\u8bc1\u660e\u8eab\u4efd\u7684\u51ed\u636e\uff0c\u6240\u4ee5\u5fc5\u987b\u901a\u8fc7\u57fa\u4e8e\u4f60\u5bc6\u7801\u7684\u6d3e\u751f\u7684\u4fe1\u606f\u6765\u8bc1\u660e\u7528\u6237\u7684\u771f\u5b9e\u8eab\u4efd\uff0c\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u4e00\u822c\u5c06\u4f60\u7684\u5bc6\u7801\u8fdb\u884cHash\u8fd0\u7b97\u5f97\u5230\u4e00\u4e2aHash code, \u6211\u4eec\u4e00\u822c\u7ba1\u8fd9\u6837\u7684Hash Code\u53eb\u505aMaster Key\u3002\u7531\u4e8eHash Algorithm\u662f\u4e0d\u53ef\u9006\u7684\uff0c\u540c\u65f6\u4fdd\u8bc1\u5bc6\u7801\u548cMaster 
Key\u662f\u4e00\u4e00\u5bf9\u5e94\u7684\uff0c\u8fd9\u6837\u65e2\u4fdd\u8bc1\u4e86\u4f60\u5bc6\u7801\u7684\u4fdd\u5bc6\u6027\uff0c\u6709\u540c\u65f6\u4fdd\u8bc1\u4f60\u7684Master Key\u548c\u5bc6\u7801\u672c\u8eab\u5728\u8bc1\u660e\u4f60\u8eab\u4efd\u7684\u65f6\u5019\u5177\u6709\u76f8\u540c\u7684\u6548\u529b\u3002<\/p>\n<ul>\n<li>\n<div><strong>Short-term Key\/Session Key<\/strong>\uff1a\u7531\u4e8e\u88abLong-term Key\u52a0\u5bc6\u7684\u6570\u636e\u5305\u4e0d\u80fd\u7528\u4e8e\u7f51\u7edc\u4f20\u9001\uff0c\u6240\u4ee5\u6211\u4eec\u4f7f\u7528\u53e6\u4e00\u79cdShort-term Key\u6765\u52a0\u5bc6\u9700\u8981\u8fdb\u884c\u7f51\u7edc\u4f20\u8f93\u7684\u6570\u636e\u3002\u7531\u4e8e\u8fd9\u79cdKey\u53ea\u5728\u4e00\u6bb5\u65f6\u95f4\u5185\u6709\u6548\uff0c\u5373\u4f7f\u88ab\u52a0\u5bc6\u7684\u6570\u636e\u5305\u88ab\u9ed1\u5ba2\u622a\u83b7\uff0c\u7b49\u4ed6\u628aKey\u8ba1\u7b97\u51fa\u6765\u7684\u65f6\u5019\uff0c\u8fd9\u4e2aKey\u65e9\u5c31\u5df2\u7ecf\u8fc7\u671f\u4e86\u3002<\/div>\n<\/li>\n<\/ul>\n<p><strong>\u4e8c\u3001\u5f15\u5165Key Distribution:\u00a0KServer-Client\u4ece\u4f55\u800c\u6765<\/strong><\/p>\n<p>\u4e0a\u9762\u6211\u4eec\u8ba8\u8bba\u4e86Kerberos Authentication\u7684\u57fa\u672c\u539f\u7406\uff1a\u901a\u8fc7\u8ba9\u88ab\u8ba4\u8bc1\u7684\u4e00\u65b9\u63d0\u4f9b\u4e00\u4e2a\u4ec5\u9650\u4e8e\u4ed6\u548c\u8ba4\u8bc1\u65b9\u77e5\u6653\u7684Key\u6765\u9274\u5b9a\u5bf9\u65b9\u7684\u771f\u5b9e\u8eab\u4efd\u3002\u800c\u88ab\u8fd9\u4e2aKey\u52a0\u5bc6\u7684\u6570\u636e\u5305\u9700\u8981\u5728Client\u548cServer\u4e4b\u95f4\u4f20\u9001\uff0c\u6240\u4ee5\u8fd9\u4e2aKey\u4e0d\u80fd\u662f\u4e00\u4e2a<strong>Long-term Key<\/strong>\uff0c\u800c\u53ea\u53ef\u80fd\u662f<strong>Short-term Key<\/strong>\uff0c\u8fd9\u4e2a\u53ef\u4ee5\u4ec5\u4ec5\u5728Client\u548cServer\u7684\u4e00\u4e2aSession\u4e2d\u6709\u6548\uff0c\u6240\u4ee5\u6211\u4eec\u79f0\u8fd9\u4e2aKey\u4e3aClient\u548cServer\u4e4b\u95f4\u7684Session 
Key\uff08<strong>SServer-Client<\/strong>\uff09\u3002<\/p>\n<p>\u73b0\u5728\u6211\u4eec\u6765\u8ba8\u8bbaClient\u548cServer\u5982\u4f55\u5f97\u5230\u8fd9\u4e2a<strong>SServer-Client<\/strong>\u3002\u5728\u8fd9\u91cc\u6211\u4eec\u8981\u5f15\u5165\u4e00\u4e2a\u91cd\u8981\u7684\u89d2\u8272\uff1a<strong>Key Distribution Center-KDC<\/strong>\u3002KDC\u5728\u6574\u4e2aKerberos Authentication\u4e2d\u4f5c\u4e3aClient\u548cServer\u5171\u540c\u4fe1\u4efb\u7684\u7b2c\u4e09\u65b9\u8d77\u7740\u91cd\u8981\u7684\u4f5c\u7528\uff0c\u800cKerberos\u7684\u8ba4\u8bc1\u8fc7\u7a0b\u5c31\u662f\u901a\u8fc7\u8fd93\u65b9\u534f\u4f5c\u5b8c\u6210\u3002\u987a\u4fbf\u8bf4\u4e00\u4e0b\uff0cKerberos\u8d77\u6e90\u4e8e\u5e0c\u814a\u795e\u8bdd\uff0c\u662f\u4e00\u53ea\u5b88\u62a4\u7740\u51a5\u754c\u957f\u77403\u4e2a\u5934\u9885\u7684\u795e\u72ac\uff0c\u5728Kerberos Authentication\u4e2d\uff0cKerberos\u76843\u4e2a\u5934\u9885\u4ee3\u8868\u7740\u8ba4\u8bc1\u8fc7\u7a0b\u4e2d\u6d89\u53ca\u76843\u65b9\uff1a<strong>Client\u3001Server\u548cKDC<\/strong>\u3002<\/p>\n<p>\u5bf9\u4e8e\u4e00\u4e2aWindows Domain\u6765\u8bf4\uff0c<strong>Domain Controller<\/strong>\u626e\u6f14\u7740KDC\u7684\u89d2\u8272\u3002KDC\u7ef4\u62a4\u7740\u4e00\u4e2a\u5b58\u50a8\u7740\u8be5Domain\u4e2d\u6240\u6709\u5e10\u6237\u7684<strong>Account Database<\/strong>\uff08\u4e00\u822c\u5730\uff0c\u8fd9\u4e2aAccount Database\u7531<strong>AD<\/strong>\u6765\u7ef4\u62a4\uff09\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u4ed6\u77e5\u9053\u5c5e\u4e8e\u6bcf\u4e2aAccount\u7684\u540d\u79f0\u548c\u6d3e\u751f\u4e8e\u8be5Account Password\u7684<strong>Master 
Key<\/strong>\u3002\u800c\u7528\u4e8eClient\u548cServer\u76f8\u4e92\u8ba4\u8bc1\u7684<strong>SServer-Client<\/strong>\u5c31\u662f\u6709KDC\u5206\u53d1\u3002\u4e0b\u9762\u6211\u4eec\u6765\u770b\u770bKDC\u5206\u53d1<strong>SServer-Client<\/strong>\u7684\u8fc7\u7a0b\u3002<\/p>\n<p>\u901a\u8fc7\u4e0b\u56fe\u6211\u4eec\u53ef\u4ee5\u770b\u5230KDC\u5206\u53d1SServer-Client\u7684\u7b80\u5355\u7684\u8fc7\u7a0b\uff1a\u9996\u5148Client\u5411KDC\u53d1\u9001\u4e00\u4e2a\u5bf9SServer-Client\u7684\u7533\u8bf7\u3002\u8fd9\u4e2a\u7533\u8bf7\u7684\u5185\u5bb9\u53ef\u4ee5\u7b80\u5355\u6982\u62ec\u4e3a\u201c<strong>\u6211\u662f\u67d0\u4e2aClient\uff0c\u6211\u9700\u8981\u4e00\u4e2aSession Key\u7528\u4e8e\u8bbf\u95ee\u67d0\u4e2aServer<\/strong>\u00a0\u201d\u3002KDC\u5728\u63a5\u6536\u5230\u8fd9\u4e2a\u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u751f\u6210\u4e00\u4e2aSession Key\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u8fd9\u4e2aSession Key\u4ec5\u4ec5\u9650\u4e8e\u53d1\u9001\u8bf7\u6c42\u7684Client\u548c\u4ed6\u5e0c\u671b\u8bbf\u95ee\u7684Server\u77e5\u6653\uff0cKDC\u4f1a\u4e3a\u8fd9\u4e2aSession Key\u751f\u6210\u4e24\u4e2aCopy\uff0c\u5206\u522b\u88abClient\u548cServer\u4f7f\u7528\u3002\u7136\u540e\u4eceAccount database\u4e2d\u63d0\u53d6Client\u548cServer\u7684Master Key\u5206\u522b\u5bf9\u8fd9\u4e24\u4e2aCopy\u8fdb\u884c\u5bf9\u79f0\u52a0\u5bc6\u3002\u5bf9\u4e8e\u540e\u8005\uff0c\u548cSession Key\u4e00\u8d77\u88ab\u52a0\u5bc6\u7684\u8fd8\u5305\u542b\u5173\u4e8eClient\u7684\u4e00\u4e9b\u4fe1\u606f\u3002<\/p>\n<p>KDC\u73b0\u5728\u6709\u4e86\u4e24\u4e2a\u5206\u522b\u88abClient\u548cServer \u7684Master Key\u52a0\u5bc6\u8fc7\u7684Session Key\uff0c\u8fd9\u4e24\u4e2aSession Key\u5982\u4f55\u5206\u522b\u88abClient\u548cServer\u83b7\u5f97\u5462\uff1f\u4e5f\u8bb8\u4f60 
\u9a6c\u4e0a\u4f1a\u8bf4\uff0cKDC\u76f4\u63a5\u5c06\u8fd9\u4e24\u4e2a\u52a0\u5bc6\u8fc7\u7684\u5305\u53d1\u9001\u7ed9Client\u548cServer\u4e0d\u5c31\u53ef\u4ee5\u4e86\u5417\uff0c\u4f46\u662f\u5982\u679c\u8fd9\u6837\u505a\uff0c\u5bf9\u4e8eServer\u6765\u8bf4\u4f1a\u51fa\u73b0\u4e0b\u9762 \u4e24\u4e2a\u95ee\u9898\uff1a<\/p>\n<ul>\n<li>\n<div>\u7531\u4e8e\u4e00\u4e2aServer\u4f1a\u9762\u5bf9\u82e5\u5e72\u4e0d\u540c\u7684Client, \u800c\u6bcf\u4e2aClient\u90fd\u5177\u6709\u4e00\u4e2a\u4e0d\u540c\u7684Session Key\u3002\u90a3\u4e48Server\u5c31\u4f1a\u4e3a\u6240\u6709\u7684Client\u7ef4\u62a4\u8fd9\u6837\u4e00\u4e2aSession Key\u7684\u5217\u8868\uff0c\u8fd9\u6837\u505a\u5bf9\u4e8eServer\u6765\u8bf4\u662f\u6bd4\u8f83\u9ebb\u70e6\u800c\u4f4e\u6548\u7684\u3002<\/div>\n<\/li>\n<li>\n<div>\u7531\u4e8e\u7f51\u7edc\u4f20\u8f93\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u53ef\u80fd\u51fa\u73b0\u8fd9\u6837\u4e00\u79cd\u60c5\u51b5\uff1aClient\u5f88\u5feb\u83b7\u5f97Session Key\uff0c\u5e76\u5c06\u8fd9\u4e2aSession Key\u4f5c\u4e3aCredential\u968f\u540c\u8bbf\u95ee\u8bf7\u6c42\u53d1\u9001\u5230Server\uff0c\u4f46\u662f\u7528\u4e8eServer\u7684Session Key\u786e\u8fd8\u6ca1\u6709\u6536\u5230\uff0c\u5e76\u4e14\u5f88\u6709\u53ef\u80fd\u627f\u8f7d\u8fd9\u4e2aSession Key\u7684\u6c38\u8fdc\u4e5f\u5230\u4e0d\u4e86Server\u7aef\uff0cClient\u5c06\u6c38\u8fdc\u5f97\u4e0d\u5230\u8ba4\u8bc1\u3002<\/div>\n<\/li>\n<\/ul>\n<p>\u4e3a\u4e86\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff0cKerberos\u7684\u505a\u6cd5\u5f88\u7b80\u5355\uff0c\u5c06\u8fd9\u4e24\u4e2a\u88ab\u52a0\u5bc6\u7684Copy\u4e00\u5e76\u53d1\u9001\u7ed9Client\uff0c\u5c5e\u4e8eServer\u7684\u90a3\u4efd\u7531Client\u53d1\u9001\u7ed9Server\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_02.jpg\" alt=\"\" width=\"582\" height=\"277\" border=\"0\" \/><br 
\/>\n\u53ef\u80fd\u6709\u4eba\u4f1a\u95ee\uff0cKDC\u5e76\u6ca1\u6709\u771f\u6b63\u53bb\u8ba4\u8bc1\u8fd9\u4e2a\u53d1\u9001\u8bf7\u6c42\u7684Client\u662f\u5426\u771f\u7684\u5c31\u662f\u90a3\u4e2a\u4ed6\u6240\u58f0\u79f0\u7684\u90a3\u4e2a\u4eba\uff0c\u5c31\u628aSession Key\u53d1\u9001\u7ed9\u4ed6\uff0c\u4f1a\u4e0d\u4f1a\u6709\u4ec0\u4e48\u95ee\u9898\uff1f\u5982\u679c\u53e6\u4e00\u4e2a\u4eba\uff08\u6bd4\u5982Client B\uff09\u58f0\u79f0\u81ea\u5df1\u662fClient A\uff0c\u4ed6\u540c\u6837\u4f1a\u5f97\u5230Client A\u548cServer\u7684Session Key\uff0c\u8fd9\u4f1a\u4e0d\u4f1a\u6709\u4ec0\u4e48\u95ee\u9898\uff1f\u5b9e\u9645\u4e0a\u4e0d\u5b58\u5728\u95ee\u9898\uff0c\u56e0\u4e3aClient B\u58f0\u79f0\u81ea\u5df1\u662fClient A\uff0cKDC\u5c31\u4f1a\u4f7f\u7528Client A\u7684Password\u6d3e\u751f\u7684Master Key\u5bf9Session Key\u8fdb\u884c\u52a0\u5bc6\uff0c\u6240\u4ee5\u771f\u6b63\u77e5\u9053Client A \u7684Password\u7684\u4e00\u65b9\u624d\u4f1a\u901a\u8fc7\u89e3\u5bc6\u83b7\u5f97Session Key\u3002<\/p>\n<p><strong>\u4e09\u3001\u5f15\u5165Authenticator -\u00a0<span lang=\"zh-cn\" xml:lang=\"zh-cn\">\u4e3a\u6709\u6548\u7684\u8bc1\u660e\u81ea\u5df1\u63d0\u4f9b\u8bc1\u636e<\/span><\/strong><\/p>\n<p>\u901a\u8fc7\u4e0a\u9762\u7684\u8fc7\u7a0b\uff0cClient\u5b9e\u9645\u4e0a\u83b7\u5f97\u4e86\u4e24\u7ec4\u4fe1\u606f\uff1a\u4e00\u4e2a\u901a\u8fc7\u81ea\u5df1Master Key\u52a0\u5bc6\u7684Session Key\uff0c\u53e6\u4e00\u4e2a\u88abSever\u7684Master Key\u52a0\u5bc6\u7684\u6570\u636e\u5305\uff0c\u5305\u542bSession 
Key\u548c\u5173\u4e8e\u81ea\u5df1\u7684\u4e00\u4e9b\u786e\u8ba4\u4fe1\u606f\u3002\u901a\u8fc7\u7b2c\u4e00\u8282\uff0c\u6211\u4eec\u8bf4\u53ea\u8981\u901a\u8fc7\u4e00\u4e2a\u53cc\u65b9\u77e5\u6653\u7684Key\u5c31\u53ef\u4ee5\u5bf9\u5bf9\u65b9\u8fdb\u884c\u6709\u6548\u7684\u8ba4\u8bc1\uff0c\u4f46\u662f\u5728\u4e00\u4e2a\u7f51\u7edc\u7684\u73af\u5883\u4e2d\uff0c\u8fd9\u79cd\u7b80\u5355\u7684\u505a\u6cd5\u662f\u5177\u6709\u5b89\u5168\u6f0f\u6d1e\uff0c\u4e3a\u6b64,Client\u9700\u8981\u63d0\u4f9b\u66f4\u591a\u7684\u8bc1\u660e\u4fe1\u606f\uff0c\u6211\u4eec\u628a\u8fd9\u79cd\u8bc1\u660e\u4fe1\u606f\u79f0\u4e3a<strong>Authenticator<\/strong>\uff0c\u5728Kerberos\u7684Authenticator\u5b9e\u9645\u4e0a\u5c31\u662f<strong>\u5173\u4e8eClient\u7684\u4e00\u4e9b\u4fe1\u606f<\/strong>\u548c\u5f53\u524d\u65f6\u95f4\u7684\u4e00\u4e2a<strong>Timestamp<\/strong>\uff08\u5173\u4e8e\u8fd9\u4e2a\u5b89\u5168\u6f0f\u6d1e\u548cTimestamp\u7684\u4f5c\u7528\uff0c\u6211\u5c06\u5728\u540e\u9762\u89e3\u91ca\uff09\u3002<\/p>\n<p>\u5728\u8fd9\u4e2a\u57fa\u7840\u4e0a\uff0c\u6211\u4eec\u518d\u6765\u770b\u770bServer\u5982\u4f55\u5bf9Client\u8fdb\u884c\u8ba4\u8bc1\uff1aClient\u901a\u8fc7<strong>\u81ea\u5df1\u7684Master Key<\/strong>\u5bf9KDC\u52a0\u5bc6\u7684Session Key\u8fdb\u884c\u89e3\u5bc6\u4ece\u800c\u83b7\u5f97<strong>Session Key<\/strong>\uff0c\u968f\u540e\u521b\u5efa<strong>Authenticator\uff08Client Info + Timestamp\uff09<\/strong>\u5e76\u7528<strong>Session Key<\/strong>\u5bf9\u5176\u52a0\u5bc6\u3002\u6700\u540e\u8fde\u540c\u4eceKDC\u83b7\u5f97\u7684\u3001\u88ab<strong>Server\u7684Master Key<\/strong>\u52a0\u5bc6\u8fc7\u7684\u6570\u636e\u5305\uff08Client\u00a0<strong>Info + Session Key<\/strong>\uff09\u4e00\u5e76\u53d1\u9001\u5230Server\u7aef\u3002\u6211\u4eec\u628a\u901a\u8fc7Server\u7684Master Key\u52a0\u5bc6\u8fc7\u7684\u6570\u636e\u5305\u79f0\u4e3a<strong>Session 
Ticket<\/strong>\u3002<\/p>\n<p>\u5f53Server\u63a5\u6536\u5230\u8fd9\u4e24\u7ec4\u6570\u636e\u540e\uff0c\u5148\u4f7f\u7528\u4ed6<strong>\u81ea\u5df1\u7684Master Key<\/strong>\u5bf9Session Ticket\u8fdb\u884c\u89e3\u5bc6\uff0c\u4ece\u800c\u83b7\u5f97<strong>Session Key<\/strong>\u3002\u968f\u540e\u4f7f\u7528\u8be5<strong>Session Key<\/strong>\u89e3\u5bc6<strong>Authenticator<\/strong>\uff0c\u901a\u8fc7\u6bd4\u8f83<strong>Authenticator\u4e2d\u7684Client Info<\/strong>\u548c<strong>Session Ticket\u4e2d\u7684Client Info<\/strong>\u4ece\u800c\u5b9e\u73b0\u5bf9Client\u7684\u8ba4\u8bc1\u3002<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_03.jpg\" alt=\"\" width=\"582\" height=\"277\" border=\"0\" \/><br \/>\n\u4e3a\u4ec0\u4e48\u8981\u4f7f\u7528Timestamp\uff1f<\/strong><\/p>\n<p>\u5230\u8fd9\u91cc\uff0c\u5f88\u591a\u4eba\u53ef\u80fd\u8ba4\u4e3a\u8fd9\u6837\u7684\u8ba4\u8bc1\u8fc7\u7a0b<a href=\"https:\/\/www.baidu.com\/s?wd=%E5%A4%A9%E8%A1%A3%E6%97%A0%E7%BC%9D&amp;tn=24004469_oem_dg&amp;rsv_dl=gh_pl_sl_csd\" target=\"_blank\" rel=\"noopener\">\u5929\u8863\u65e0\u7f1d<\/a>\uff1a\u53ea\u6709\u5f53Client\u63d0\u4f9b\u6b63\u786e\u7684Session 
Key\u65b9\u80fd\u5f97\u5230Server\u7684\u8ba4\u8bc1\u3002\u4f46\u662f\u5728\u73b0\u5b9e\u73af\u5883\u4e2d\uff0c\u8fd9\u5b58\u5728\u5f88\u5927\u7684\u5b89\u5168\u6f0f\u6d1e\u3002<\/p>\n<p>\u6211\u4eec\u8bd5\u60f3\u8fd9\u6837\u7684\u73b0\u8c61\uff1aClient\u5411Server\u53d1\u9001\u7684\u6570\u636e\u5305\u88ab\u67d0\u4e2a\u6076\u610f\u7f51\u7edc\u76d1\u542c\u8005\u622a\u83b7\uff0c\u8be5\u76d1\u542c\u8005\u968f\u540e\u5c06\u6570\u636e\u5305\u4f5c\u4e3a\u81ea\u5df1\u7684Credential\u5192\u5145\u8be5Client\u5bf9Server\u8fdb\u884c\u8bbf\u95ee\uff0c\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u4f9d\u7136\u53ef\u4ee5\u5f88\u987a\u5229\u5730\u83b7\u5f97Server\u7684\u6210\u529f\u8ba4\u8bc1\u3002\u4e3a\u4e86\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff0cClient\u5728<strong>Authenticator<\/strong>\u4e2d\u4f1a\u52a0\u5165\u4e00\u4e2a\u5f53\u524d\u65f6\u95f4\u7684<strong>Timestamp<\/strong>\u3002<\/p>\n<p>\u5728Server\u5bf9Authenticator\u4e2d\u7684Client Info\u548cSession Ticket\u4e2d\u7684Client Info\u8fdb\u884c\u6bd4\u8f83\u4e4b\u524d\uff0c\u4f1a\u5148\u63d0\u53d6Authenticator\u4e2d\u7684<strong>Timestamp<\/strong>\uff0c\u5e76\u540c<strong>\u5f53\u524d\u7684\u65f6\u95f4<\/strong>\u8fdb\u884c\u6bd4\u8f83\uff0c\u5982\u679c\u4ed6\u4eec\u4e4b\u95f4\u7684\u504f\u5dee\u8d85\u51fa\u4e00\u4e2a\u53ef\u4ee5<strong>\u63a5\u53d7\u7684\u65f6\u95f4\u8303\u56f4\uff08\u4e00\u822c\u662f5mins\uff09\uff0c<\/strong>Server\u4f1a\u76f4\u63a5\u62d2\u7edd\u8be5Client\u7684\u8bf7\u6c42\u3002\u5728\u8fd9\u91cc\u9700\u8981\u77e5\u9053\u7684\u662f\uff0cServer\u7ef4\u62a4\u7740\u4e00\u4e2a\u5217\u8868\uff0c\u8fd9\u4e2a\u5217\u8868\u8bb0\u5f55\u7740\u5728\u8fd9\u4e2a\u53ef\u63a5\u53d7\u7684\u65f6\u95f4\u8303\u56f4\u5185\u6240\u6709\u8fdb\u884c\u8ba4\u8bc1\u7684Client\u548c\u8ba4\u8bc1\u7684\u65f6\u95f4\u3002\u5bf9\u4e8e\u65f6\u95f4\u504f\u5dee\u5728\u8fd9\u4e2a\u53ef\u63a5\u53d7\u7684\u8303\u56f4\u4e2d\u7684Client\uff0cServer\u4f1a\u4ece\u8fd9\u4e2a\u5217\u8868\u4e2d\u83b7\u5f97<strong>\u6700\u8fd1\u4e00\
u4e2a\u8be5Client\u7684\u8ba4\u8bc1\u65f6\u95f4<\/strong>\uff0c\u53ea\u6709\u5f53<strong>Authenticator\u4e2d\u7684Timestamp\u665a\u4e8e\u901a\u8fc7\u4e00\u4e2aClient\u7684\u6700\u8fd1\u7684\u8ba4\u8bc1\u65f6\u95f4<\/strong>\u7684\u60c5\u51b5\u4e0b\uff0cServer\u91c7\u7528\u8fdb\u884c\u540e\u7eed\u7684\u8ba4\u8bc1\u6d41\u7a0b\u3002<\/p>\n<p><strong>Time Synchronization\u7684\u91cd\u8981\u6027<\/strong><\/p>\n<p>\u4e0a\u8ff0 \u57fa\u4e8eTimestamp\u7684\u8ba4\u8bc1\u673a\u5236\u53ea\u6709\u5728Client\u548cServer\u7aef\u7684\u65f6\u95f4\u4fdd\u6301\u540c\u6b65\u7684\u60c5\u51b5\u624d\u6709\u610f\u4e49\u3002\u6240\u4ee5\u4fdd\u6301Time Synchronization\u5728\u6574\u4e2a\u8ba4\u8bc1\u8fc7\u7a0b\u4e2d\u663e\u5f97\u5c24\u4e3a\u91cd\u8981\u3002\u5728\u4e00\u4e2aDomain\u4e2d\uff0c\u4e00\u822c\u901a\u8fc7\u8bbf\u95ee\u540c\u4e00\u4e2a<strong>Time Service<\/strong>\u83b7\u5f97\u5f53\u524d\u65f6\u95f4\u7684\u65b9\u5f0f\u6765\u5b9e\u73b0\u65f6\u95f4\u7684\u540c\u6b65\u3002<\/p>\n<p><strong>\u53cc\u5411\u8ba4\u8bc1\uff08Mutual Authentication\uff09<\/strong><\/p>\n<p>Kerberos\u4e00\u4e2a\u91cd\u8981\u7684\u4f18\u52bf\u5728\u4e8e\u5b83\u80fd\u591f\u63d0\u4f9b\u53cc\u5411\u8ba4\u8bc1\uff1a<strong>\u4e0d\u4f46Server\u53ef\u4ee5\u5bf9Client \u8fdb\u884c\u8ba4\u8bc1\uff0cClient\u4e5f\u80fd\u5bf9Server\u8fdb\u884c\u8ba4\u8bc1<\/strong>\u3002<\/p>\n<p>\u5177\u4f53\u8fc7\u7a0b\u662f\u8fd9\u6837\u7684\uff0c\u5982\u679cClient\u9700\u8981\u5bf9\u4ed6\u8bbf\u95ee\u7684Server\u8fdb\u884c\u8ba4\u8bc1\uff0c\u4f1a\u5728\u5b83\u5411Server\u53d1\u9001\u7684Credential\u4e2d\u8bbe\u7f6e\u4e00\u4e2a\u662f\u5426\u9700\u8981\u8ba4\u8bc1\u7684Flag\u3002Server\u5728\u5bf9Client\u8ba4\u8bc1\u6210\u529f\u4e4b\u540e\uff0c\u4f1a\u628aAuthenticator\u4e2d\u7684Timestamp\u63d0\u51fa\u51fa\u6765\uff0c\u901a\u8fc7Session Key\u8fdb\u884c\u52a0\u5bc6\uff0c\u5f53Client\u63a5\u6536\u5230\u5e76\u4f7f\u7528Session 
Key\u8fdb\u884c\u89e3\u5bc6\u4e4b\u540e\uff0c\u5982\u679c\u786e\u8ba4<strong>Timestamp<\/strong>\u548c\u539f\u6765\u7684\u5b8c\u5168\u4e00\u81f4\uff0c\u90a3\u4e48\u4ed6\u53ef\u4ee5\u8ba4\u5b9aServer\u6b63\u662f\u4ed6\u8bd5\u56fe\u8bbf\u95ee\u7684Server\u3002<\/p>\n<p>\u90a3\u4e48\u4e3a\u4ec0\u4e48Server\u4e0d\u76f4\u63a5\u628a\u901a\u8fc7Session Key\u8fdb\u884c\u52a0\u5bc6\u7684Authenticator\u539f\u6837\u53d1\u9001\u7ed9Client\uff0c\u800c\u8981\u628aTimestamp\u63d0\u53d6\u51fa\u6765\u52a0\u5bc6\u53d1\u9001\u7ed9Client\u5462\uff1f\u539f\u56e0\u5728\u4e8e\u9632\u6b62\u6076\u610f\u7684\u76d1\u542c\u8005\u901a\u8fc7\u83b7\u53d6\u7684Client\u53d1\u9001\u7684Authenticator\u5192\u5145Server\u83b7\u5f97Client\u7684\u8ba4\u8bc1\u3002<\/p>\n<p><strong>\u56db\u3001\u5f15\u5165Ticket Granting \u00a0Service<\/strong><\/p>\n<p>\u901a\u8fc7\u4e0a\u9762\u7684\u4ecb\u7ecd\uff0c\u6211\u4eec\u53d1\u73b0Kerberos\u5b9e\u9645\u4e0a\u662f\u4e00\u4e2a\u57fa\u4e8e<strong>Ticket<\/strong>\u7684\u8ba4\u8bc1\u65b9\u5f0f\u3002Client\u60f3\u8981\u83b7\u53d6Server\u7aef\u7684\u8d44\u6e90\uff0c\u5148\u5f97\u901a\u8fc7Server\u7684\u8ba4\u8bc1\uff1b\u800c\u8ba4\u8bc1\u7684\u5148\u51b3\u6761\u4ef6\u662fClient\u5411Server\u63d0\u4f9b\u4eceKDC\u83b7\u5f97\u7684\u4e00\u4e2a\u7531<strong>Server\u7684Master Key<\/strong>\u8fdb\u884c\u52a0\u5bc6\u7684<strong>Session Ticket\uff08Session Key + Client Info\uff09<\/strong>\u3002\u53ef\u4ee5\u8fd9\u4e48\u8bf4\uff0cSession Ticket\u662fClient\u8fdb\u5165Server\u9886\u57df\u7684\u4e00\u5f20\u95e8\u7968\u3002\u800c\u8fd9\u5f20\u95e8\u7968\u5fc5\u987b\u4ece\u4e00\u4e2a\u5408\u6cd5\u7684Ticket\u9881\u53d1\u673a\u6784\u83b7\u5f97\uff0c\u8fd9\u4e2a\u9881\u53d1\u673a\u6784\u5c31\u662f<strong>Client\u548cServer\u53cc\u65b9\u4fe1\u4efb\u7684KDC<\/strong>\uff0c \u540c\u65f6\u8fd9\u5f20Ticket\u5177\u6709\u8d85\u5f3a\u7684\u9632\u4f2a\u6807\u8bc6\uff1a\u5b83\u662f\u88abServer\u7684Master Key\u52a0\u5bc6\u7684\u3002\u5bf9Client\u6765\u8bf4\uff0c \u83b7\u5f97Session 
Ticket\u662f\u6574\u4e2a\u8ba4\u8bc1\u8fc7\u7a0b\u4e2d\u6700\u4e3a\u5173\u952e\u7684\u90e8\u5206\u3002<\/p>\n<p>\u4e0a\u9762\u6211\u4eec\u53ea\u662f\u7b80\u5355\u5730\u4ece\u5927\u4f53\u4e0a\u8bf4\u660e\u4e86KDC\u5411Client\u5206\u53d1Ticket\u7684\u8fc7\u7a0b\uff0c\u800c\u771f\u6b63\u5728Kerberos\u4e2d\u7684Ticket Distribution\u8981\u590d\u6742\u4e00\u4e9b\u3002\u4e3a\u4e86\u66f4\u597d\u7684\u8bf4\u660e\u6574\u4e2aTicket Distribution\u7684\u8fc7\u7a0b\uff0c\u6211\u5728\u8fd9\u91cc\u505a\u4e00\u4e2a\u7c7b\u6bd4\u3002\u73b0\u5728\u7684\u80a1\u4e8b\u5f88\u706b\u7206\uff0c\u4e0a\u6d77\u57fa\u672c\u4e0a\u662f\u5168\u6c11\u7092\u80a1\uff0c\u6211\u5c31\u4e3e\u4e00\u4e2a\u8ba4\u80a1\u6743\u8bc1\u7684\u4f8b\u5b50\u3002\u6709\u7684\u4e0a\u5e02\u516c\u53f8\u5728\u80a1\u7968\u914d\u80a1\u3001\u589e\u53d1\u3001\u57fa\u91d1\u6269\u52df\u3001\u80a1\u4efd\u51cf\u6301\u7b49\u60c5\u51b5\u4f1a\u5411\u516c\u4f17\u53d1\u884c<strong>\u8ba4\u80a1\u6743\u8bc1<\/strong>\uff0c\u8ba4\u80a1\u6743\u8bc1\u7684\u6301\u6709\u4eba\u53ef\u4ee5\u51ed\u501f\u8fd9\u4e2a\u6743\u8bc1\u8ba4\u8d2d\u4e00\u5b9a\u6570\u91cf\u7684\u8be5\u516c\u53f8\u80a1\u7968\uff0c\u8ba4\u80a1\u6743\u8bc1\u662f\u4e00\u79cd\u5177\u6709\u770b\u6da8\u671f\u6743\u7684\u91d1\u878d\u884d\u751f\u4ea7\u54c1\u3002<\/p>\n<p>\u800c\u6211\u4eec\u4eca\u5929\u6240\u8bb2\u7684Client\u83b7\u5f97Ticket\u7684\u8fc7\u7a0b\u4e5f\u548c\u901a\u8fc7\u8ba4\u80a1\u6743\u8bc1\u8d2d\u4e70\u80a1\u7968\u7684\u8fc7\u7a0b\u7c7b\u4f3c\u3002\u5982\u679c\u6211\u4eec\u628aClient\u63d0\u4f9b\u7ed9Server\u8fdb\u884c\u8ba4\u8bc1\u7684Ticket\u6bd4\u4f5c\u80a1\u7968\u7684\u8bdd\uff0c\u90a3\u4e48Client\u5728\u4eceKDC\u90a3\u8fb9\u83b7\u5f97Ticket\u4e4b\u524d\uff0c\u9700\u8981\u5148\u83b7\u5f97\u8fd9\u4e2aTicket\u7684\u8ba4\u8d2d\u6743\u8bc1\uff0c\u8fd9\u4e2a\u8ba4\u8d2d\u6743\u8bc1\u5728Kerberos\u4e2d\u88ab\u79f0\u4e3a<strong>TGT\uff1aTicket Granting 
Ticket<\/strong>\uff0cTGT\u7684\u5206\u53d1\u65b9\u4ecd\u7136\u662fKDC\u3002<\/p>\n<p>\u6211\u4eec\u73b0\u5728\u6765\u770b\u770bClient\u662f\u5982\u4f55\u4eceKDC\u5904\u83b7\u5f97TGT\u7684\uff1a\u9996\u5148Client\u5411KDC\u53d1\u8d77\u5bf9TGT\u7684\u7533\u8bf7\uff0c\u7533\u8bf7\u7684\u5185\u5bb9\u5927\u81f4\u53ef\u4ee5\u8fd9\u6837\u8868\u793a\uff1a\u201c<strong>\u6211\u9700\u8981\u4e00\u5f20TGT\u7528\u4ee5\u7533\u8bf7\u83b7\u53d6\u7528\u4ee5\u8bbf\u95ee\u6240\u6709Server\u7684Ticket<\/strong>\u201d\u3002KDC\u5728\u6536\u5230\u8be5\u7533\u8bf7\u8bf7\u6c42\u540e\uff0c\u751f\u6210\u4e00\u4e2a\u7528\u4e8e\u8be5Client\u548cKDC\u8fdb\u884c\u5b89\u5168\u901a\u4fe1\u7684<strong>Session Key\uff08SKDC-Client\uff09<\/strong>\u3002\u4e3a\u4e86\u4fdd\u8bc1\u8be5Session Key\u4ec5\u4f9b\u8be5Client\u548c\u81ea\u5df1\u4f7f\u7528\uff0cKDC\u4f7f\u7528<strong>Client\u7684Master Key<\/strong>\u548c<strong>\u81ea\u5df1\u7684Master Key<\/strong>\u5bf9\u751f\u6210\u7684Session Key\u8fdb\u884c\u52a0\u5bc6\uff0c\u4ece\u800c\u83b7\u5f97\u4e24\u4e2a\u52a0\u5bc6\u7684<strong>SKDC-Client<\/strong>\u7684Copy\u3002\u5bf9\u4e8e\u540e\u8005\uff0c\u968f<strong>SKDC-Client<\/strong>\u4e00\u8d77\u88ab\u52a0\u5bc6\u7684\u8fd8\u5305\u542b\u4ee5\u540e\u7528\u4e8e\u9274\u5b9aClient\u8eab\u4efd\u7684\u5173\u4e8eClient\u7684\u4e00\u4e9b\u4fe1\u606f\u3002\u6700\u540eKDC\u5c06\u8fd9\u4e24\u4efdCopy\u4e00\u5e76\u53d1\u9001\u7ed9Client\u3002\u8fd9\u91cc\u6709\u4e00\u70b9\u9700\u8981\u6ce8\u610f\u7684\u662f\uff1a\u4e3a\u4e86\u514d\u53bbKDC\u5bf9\u4e8e\u57fa\u4e8e\u4e0d\u540cClient\u7684Session Key\u8fdb\u884c\u7ef4\u62a4\u7684\u9ebb\u70e6\uff0c\u5c31\u50cfServer\u4e0d\u4f1a\u4fdd\u5b58<strong>Session Key\uff08SServer-Client\uff09<\/strong>\u4e00\u6837\uff0cKDC\u4e5f\u4e0d\u4f1a\u53bb\u4fdd\u5b58\u8fd9\u4e2aSession Key\uff08<strong>SKDC-Client<\/strong>\uff09\uff0c\u800c\u9009\u62e9\u5b8c\u5168\u9760Client\u81ea\u5df1\u63d0\u4f9b\u7684\u65b9\u5f0f\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_07.gif\" alt=\"\" width=\"572\" height=\"265\" border=\"0\" \/><br \/>\n\u5f53Client\u6536\u5230KDC\u7684\u4e24\u4e2a\u52a0\u5bc6\u6570\u636e\u5305\u4e4b\u540e\uff0c\u5148\u4f7f\u7528<strong>\u81ea\u5df1\u7684Master Key<\/strong>\u5bf9\u7b2c\u4e00\u4e2aCopy\u8fdb\u884c\u89e3\u5bc6\uff0c\u4ece\u800c\u83b7\u5f97KDC\u548cClient\u7684<strong>Session Key\uff08SKDC-Client\uff09<\/strong>\uff0c\u5e76\u628a\u8be5Session \u548cTGT\u8fdb\u884c\u7f13\u5b58\u3002\u6709\u4e86Session Key\u548cTGT\uff0cClient\u81ea\u5df1\u7684Master Key\u5c06\u4e0d\u518d\u9700\u8981\uff0c\u56e0\u4e3a\u6b64\u540eClient\u53ef\u4ee5\u4f7f\u7528<strong>SKDC-Client<\/strong>\u5411KDC\u7533\u8bf7\u7528\u4ee5\u8bbf\u95ee\u6bcf\u4e2aServer\u7684Ticket\uff0c\u76f8\u5bf9\u4e8eClient\u7684Master Key\u8fd9\u4e2aLong-term Key\uff0cSKDC-Client\u662f\u4e00\u4e2aShort-term Key\uff0c\u5b89\u5168\u4fdd\u8bc1\u5f97\u5230\u66f4\u597d\u7684\u4fdd\u969c\uff0c\u8fd9\u4e5f\u662fKerberos\u591a\u4e86\u8fd9\u4e00\u6b65\u7684\u5173\u952e\u6240\u5728\u3002\u540c\u65f6\u9700\u8981\u6ce8\u610f\u7684\u662fSKDC-Client\u662f\u4e00\u4e2aSession Key\uff0c\u4ed6\u5177\u6709\u81ea\u5df1\u7684\u751f\u547d\u5468\u671f\uff0c\u540c\u65f6TGT\u548cSession\u76f8\u4e92\u5173\u8054\uff0c\u5f53Session Key\u8fc7\u671f\uff0cTGT\u4e5f\u5c31\u5ba3\u544a\u5931\u6548\uff0c\u6b64\u540eClient\u4e0d\u5f97\u4e0d\u91cd\u65b0\u5411KDC\u7533\u8bf7\u65b0\u7684TGT\uff0cKDC\u5c06\u4f1a\u751f\u6210\u4e00\u4e2a\u4e0d\u540cSession Key\u548c\u4e0e\u4e4b\u5173\u8054\u7684TGT\u3002\u540c\u65f6\uff0c\u7531\u4e8eClient Log off\u4e5f\u5bfc\u81f4SKDC-Client\u7684\u5931\u6548\uff0c\u6240\u4ee5SKDC-Client\u53c8\u88ab\u79f0\u4e3a<strong>Logon Session 
Key<\/strong>\u3002<\/p>\n<p>\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u770b\u770bClient\u5982\u4f55\u4f7f\u7528TGT\u6765\u4eceKDC\u83b7\u5f97\u57fa\u4e8e\u67d0\u4e2aServer\u7684Ticket\u3002\u5728\u8fd9\u91cc\u6211\u8981\u5f3a\u8c03\u4e00\u4e0b\uff0cTicket\u662f\u57fa\u4e8e\u67d0\u4e2a\u5177\u4f53\u7684Server\u7684\uff0c\u800cTGT\u5219\u662f\u548c\u5177\u4f53\u7684Server\u65e0\u5173\u7684\uff0cClient\u53ef\u4ee5\u4f7f\u7528\u4e00\u4e2aTGT\u4eceKDC\u83b7\u5f97\u57fa\u4e8e\u4e0d\u540cServer\u7684Ticket\u3002\u6211\u4eec<a href=\"https:\/\/www.baidu.com\/s?wd=%E8%A8%80%E5%BD%92%E6%AD%A3%E4%BC%A0&amp;tn=24004469_oem_dg&amp;rsv_dl=gh_pl_sl_csd\" target=\"_blank\" rel=\"noopener\">\u8a00\u5f52\u6b63\u4f20<\/a>\uff0cClient\u5728\u83b7\u5f97\u81ea\u5df1\u548cKDC\u7684<strong>Session Key\uff08SKDC-Client\uff09<\/strong>\u4e4b\u540e\uff0c\u751f\u6210\u81ea\u5df1\u7684Authenticator\u4ee5\u53ca\u6240\u8981\u8bbf\u95ee\u7684Server\u540d\u79f0\u7684\u5e76\u4f7f\u7528<strong>SKDC-Client<\/strong>\u8fdb\u884c\u52a0\u5bc6\u3002\u968f\u540e\u8fde\u540cTGT\u4e00\u5e76\u53d1\u9001\u7ed9KDC\u3002KDC\u4f7f\u7528<strong>\u81ea\u5df1\u7684Master Key<\/strong>\u5bf9TGT\u8fdb\u884c\u89e3\u5bc6\uff0c\u63d0\u53d6Client Info\u548c<strong>Session Key\uff08SKDC-Client\uff09<\/strong>\uff0c\u7136\u540e\u4f7f\u7528\u8fd9\u4e2a<strong>SKDC-Client<\/strong>\u89e3\u5bc6Authenticator\u83b7\u5f97Client Info\uff0c\u5bf9\u4e24\u4e2aClient Info\u8fdb\u884c\u6bd4\u8f83\u8fdb\u800c\u9a8c\u8bc1\u5bf9\u65b9\u7684\u771f\u5b9e\u8eab\u4efd\u3002\u9a8c\u8bc1\u6210\u529f\uff0c\u751f\u6210\u4e00\u4efd\u57fa\u4e8eClient\u6240\u8981\u8bbf\u95ee\u7684Server\u7684Ticket\u7ed9Client\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u5c31\u662f\u6211\u4eec\u7b2c\u4e8c\u8282\u4e2d\u4ecb\u7ecd\u7684\u4e00\u6837\u4e86\u3002<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_05.gif\" alt=\"\" width=\"572\" height=\"265\" border=\"0\" \/><br 
\/>\n\u4e94\u3001Kerberos\u76843\u4e2aSub-protocol\uff1a\u6574\u4e2aAuthentication<\/strong><\/p>\n<p>\u901a\u8fc7\u4ee5\u4e0a\u7684\u4ecb\u7ecd\uff0c\u6211\u4eec\u57fa\u672c\u4e0a\u4e86\u89e3\u4e86\u6574\u4e2aKerberos authentication\u7684\u6574\u4e2a\u6d41\u7a0b\uff1a\u6574\u4e2a\u6d41\u7a0b\u5927\u4f53\u4e0a\u5305\u542b\u4ee5\u4e0b3\u4e2a\u5b50\u8fc7\u7a0b\uff1a<\/p>\n<ol>\n<li>\n<div>Client\u5411KDC\u7533\u8bf7TGT\uff08Ticket Granting Ticket\uff09\u3002<\/div>\n<\/li>\n<li>\n<div>Client\u901a\u8fc7\u83b7\u5f97TGT\u5411KDC\u7533\u8bf7\u7528\u4e8e\u8bbf\u95eeServer\u7684Ticket\u3002<\/div>\n<\/li>\n<li>\n<div>Client\u6700\u7ec8\u4e3a\u4e86Server\u5bf9\u81ea\u5df1\u7684\u8ba4\u8bc1\u5411\u5176\u63d0\u4ea4Ticket\u3002<\/div>\n<\/li>\n<\/ol>\n<p>\u4e0d\u8fc7\u4e0a\u9762\u7684\u4ecb\u7ecd\u79bb\u771f\u6b63\u7684Kerberos Authentication\u8fd8\u662f\u6709\u4e00\u70b9\u51fa\u5165\u3002Kerberos\u6574\u4e2a\u8ba4\u8bc1\u8fc7\u7a0b\u901a\u8fc73\u4e2asub-protocol\u6765\u5b8c\u6210\u3002\u8fd9\u4e2a3\u4e2aSub-Protocol\u5206\u522b\u5b8c\u6210\u4e0a\u9762\u5217\u51fa\u76843\u4e2a\u5b50\u8fc7\u7a0b\u3002\u8fd93\u4e2asub-protocol\u5206\u522b\u4e3a\uff1a<\/p>\n<ol>\n<li>\n<div>Authentication Service Exchange<\/div>\n<\/li>\n<li>\n<div>Ticket Granting\u00a0Service Exchange<\/div>\n<\/li>\n<li>\n<div>Client\/Server Exchange<\/div>\n<\/li>\n<\/ol>\n<p>\u4e0b\u56fe\u7b80\u5355\u5c55\u793a\u4e86\u5b8c\u6210\u8fd9\u4e2a3\u4e2aSub-protocol\u6240\u8fdb\u884cMessage Exchange\u3002<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_01_06.gif\" alt=\"\" width=\"572\" height=\"265\" border=\"0\" \/><br \/>\n1\uff0e Authentication Service Exchange<\/strong><\/p>\n<p>\u901a\u8fc7\u8fd9\u4e2aSub-protocol\uff0cKDC\uff08\u786e\u5207\u5730\u8bf4\u662fKDC\u4e2d\u7684Authentication 
Service\uff09\u5b9e\u73b0\u5bf9Client\u8eab\u4efd\u7684\u786e\u8ba4\uff0c\u5e76\u9881\u53d1\u7ed9\u8be5Client\u4e00\u4e2aTGT\u3002\u5177\u4f53\u8fc7\u7a0b\u5982\u4e0b\uff1a<\/p>\n<p>Client\u5411KDC\u7684Authentication Service\u53d1\u9001Authentication Service Request\uff08<strong>KRB_AS_REQ<\/strong>\uff09, \u4e3a\u4e86\u786e\u4fddKRB_AS_REQ\u4ec5\u9650\u4e8e\u81ea\u5df1\u548cKDC\u77e5\u9053\uff0cClient\u4f7f\u7528\u81ea\u5df1\u7684Master Key\u5bf9KRB_AS_REQ\u7684\u4e3b\u4f53\u90e8\u5206\u8fdb\u884c\u52a0\u5bc6\uff08KDC\u53ef\u4ee5\u901a\u8fc7Domain \u7684Account Database\u83b7\u5f97\u8be5Client\u7684Master Key\uff09\u3002KRB_AS_REQ\u7684\u5927\u4f53\u5305\u542b\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a<\/p>\n<ul>\n<li>\n<div>Pre-authentication data\uff1a\u5305\u542b\u7528\u4ee5\u8bc1\u660e\u81ea\u5df1\u8eab\u4efd\u7684\u4fe1\u606f\u3002\u8bf4\u767d\u4e86\uff0c\u5c31\u662f\u8bc1\u660e\u81ea\u5df1\u77e5\u9053\u81ea\u5df1\u58f0\u79f0\u7684\u90a3\u4e2aaccount\u7684Password\u3002\u4e00\u822c\u5730\uff0c\u5b83\u7684\u5185\u5bb9\u662f\u4e00\u4e2a\u88abClient\u7684Master key\u52a0\u5bc6\u8fc7\u7684Timestamp\u3002<\/div>\n<\/li>\n<li>\n<div>Client name &amp; realm: \u7b80\u5355\u5730\u8bf4\u5c31\u662fDomain name\\Client<\/div>\n<\/li>\n<li>\n<div>Server Name\uff1a\u6ce8\u610f\u8fd9\u91cc\u7684Server Name\u5e76\u4e0d\u662fClient\u771f\u6b63\u8981\u8bbf\u95ee\u7684Server\u7684\u540d\u79f0\uff0c\u800c\u6211\u4eec\u4e5f\u8bf4\u4e86TGT\u662f\u548cServer\u65e0\u5173\u7684\uff08Client\u53ea\u80fd\u4f7f\u7528Ticket\uff0c\u800c\u4e0d\u662fTGT\u53bb\u8bbf\u95eeServer\uff09\u3002\u8fd9\u91cc\u7684Server Name\u5b9e\u9645\u4e0a\u662f<strong>KDC\u7684Ticket Granting Service\u7684Server Name<\/strong>\u3002<\/div>\n<\/li>\n<\/ul>\n<p>AS\uff08Authentication Service\uff09\u901a\u8fc7\u5b83\u63a5\u6536\u5230\u7684KRB_AS_REQ\u9a8c\u8bc1\u53d1\u9001\u65b9\u7684\u662f\u5426\u662f\u5728Client name &amp; 
realm\u4e2d\u58f0\u79f0\u7684\u90a3\u4e2a\u4eba\uff0c\u4e5f\u5c31\u662f\u8bf4\u8981\u9a8c\u8bc1\u53d1\u9001\u65b9\u662f\u5426\u77e5\u9053Client\u7684Password\u3002\u6240\u4ee5AS\u53ea\u9700\u4eceAccount Database\u4e2d\u63d0\u53d6Client\u5bf9\u5e94\u7684Master Key\u5bf9Pre-authentication data\u8fdb\u884c\u89e3\u5bc6\uff0c\u5982\u679c\u662f\u4e00\u4e2a\u5408\u6cd5\u7684Timestamp\uff0c\u5219\u53ef\u4ee5\u8bc1\u660e\u53d1\u9001\u65b9\u63d0\u4f9b\u7684\u662f\u6b63\u786e\u65e0\u8bef\u7684\u5bc6\u7801\u3002\u9a8c\u8bc1\u901a\u8fc7\u4e4b\u540e\uff0cAS\u5c06\u4e00\u4efdAuthentication Service Response\uff08KRB_AS_REP\uff09\u53d1\u9001\u7ed9Client\u3002KRB_AS_REP\u4e3b\u8981\u5305\u542b\u4e24\u4e2a\u90e8\u5206\uff1a\u88abClient\u7684Master Key\u52a0\u5bc6\u8fc7\u7684Session Key\uff08SKDC-Client\uff1aLogon Session Key\uff09\u548c\u88ab\u81ea\u5df1\uff08KDC\uff09\u52a0\u5bc6\u7684TGT\u3002\u800cTGT\u5927\u4f53\u53c8\u5305\u542b\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a<\/p>\n<ul>\n<li>\n<div>Session Key: SKDC-Client\uff1aLogon Session Key<\/div>\n<\/li>\n<li>\n<div>Client name &amp; realm: \u7b80\u5355\u5730\u8bf4\u5c31\u662fDomain name\\Client<\/div>\n<\/li>\n<li>\n<div>End time: TGT\u5230\u671f\u7684\u65f6\u95f4\u3002<\/div>\n<\/li>\n<\/ul>\n<p>Client\u901a\u8fc7\u81ea\u5df1\u7684Master Key\u5bf9\u7b2c\u4e00\u90e8\u5206\u89e3\u5bc6\u83b7\u5f97Session Key\uff08SKDC-Client\uff1aLogon Session Key\uff09\u4e4b\u540e\uff0c\u643a\u5e26\u7740TGT\u4fbf\u53ef\u4ee5\u8fdb\u5165\u4e0b\u4e00\u6b65\uff1aTGS\uff08Ticket Granting Service\uff09Exchange\u3002<\/p>\n<p><strong>2\uff0e TGS\uff08Ticket Granting Service\uff09Exchange<\/strong><\/p>\n<p>TGS\uff08Ticket Granting Service\uff09Exchange\u901a\u8fc7Client\u5411KDC\u4e2d\u7684TGS\uff08Ticket Granting Service\uff09\u53d1\u9001Ticket Granting Service Request\uff08<strong>KRB_TGS_REQ<\/strong>\uff09\u5f00\u59cb\u3002KRB_TGS_REQ\u5927\u4f53\u5305\u542b\u4ee5\u4e0b\u7684\u5185\u5bb9\uff1a<\/p>\n<ul>\n<li>\n<div>TGT\uff1aClient\u901a\u8fc7AS 
Exchange\u83b7\u5f97\u7684Ticket Granting Ticket\uff0cTGT\u88abKDC\u7684Master Key\u8fdb\u884c\u52a0\u5bc6\u3002<\/div>\n<\/li>\n<li>\n<div>Authenticator\uff1a\u7528\u4ee5\u8bc1\u660e\u5f53\u521dTGT\u7684\u62e5\u6709\u8005\u662f\u5426\u5c31\u662f\u81ea\u5df1\uff0c\u6240\u4ee5\u5b83\u5fc5\u987b\u4ee5TGT\u7684\u9881\u53d1\u65b9\u548c\u81ea\u5df1\u7684Session Key\uff08SKDC-Client\uff1aLogon Session Key\uff09\u6765\u8fdb\u884c\u52a0\u5bc6\u3002<\/div>\n<\/li>\n<li>\n<div>Client name &amp; realm: \u7b80\u5355\u5730\u8bf4\u5c31\u662fDomain name\\Client\u3002<\/div>\n<\/li>\n<li>\n<div>Server name &amp; realm: \u7b80\u5355\u5730\u8bf4\u5c31\u662fDomain name\\Server\uff0c\u8fd9\u56de\u662fClient\u8bd5\u56fe\u8bbf\u95ee\u7684\u90a3\u4e2aServer\u3002<\/div>\n<\/li>\n<\/ul>\n<p>TGS\u6536\u5230KRB_TGS_REQ\u5728\u53d1\u7ed9Client\u771f\u6b63\u7684Ticket\u4e4b\u524d\uff0c\u5148\u5f97\u9a8c\u8bc1Client\u63d0\u4f9b\u7684\u90a3\u4e2aTGT\u662f\u5426\u662fAS\u9881\u53d1\u7ed9\u5b83\u7684\u3002\u4e8e\u662f\u5b83\u4e0d\u5f97\u4e0d\u901a\u8fc7Client\u63d0\u4f9b\u7684Authenticator\u6765\u8bc1\u660e\u3002\u4f46\u662fAuthenticator\u662f\u901a\u8fc7<strong>Logon Session Key\uff08SKDC-Client\uff09<\/strong>\u8fdb\u884c\u52a0\u5bc6\u7684\uff0c\u800c\u81ea\u5df1\u5e76\u6ca1\u6709\u4fdd\u5b58\u8fd9\u4e2aSession Key\u3002\u6240\u4ee5TGS\u5148\u5f97\u901a\u8fc7\u81ea\u5df1\u7684Master Key\u5bf9Client\u63d0\u4f9b\u7684TGT\u8fdb\u884c\u89e3\u5bc6\uff0c\u4ece\u800c\u83b7\u5f97\u8fd9\u4e2aLogon Session Key\uff08SKDC-Client\uff09\uff0c\u518d\u901a\u8fc7\u8fd9\u4e2a<strong>Logon Session Key\uff08SKDC-Client\uff09<\/strong>\u89e3\u5bc6Authenticator\u8fdb\u884c\u9a8c\u8bc1\u3002\u9a8c\u8bc1\u901a\u8fc7\u5411\u5bf9\u65b9\u53d1\u9001Ticket Granting Service Response\uff08KRB_TGS_REP\uff09\u3002\u8fd9\u4e2aKRB_TGS_REP\u7531\u4e24\u90e8\u5206\u7ec4\u6210\uff1a\u4f7f\u7528<strong>Logon Session Key\uff08SKDC-Client\uff09<\/strong>\u52a0\u5bc6\u8fc7\u7528\u4e8eClient\u548cServer\u7684<strong>Session 
Key\uff08SServer-Client\uff09<\/strong>\u548c\u4f7f\u7528<strong>Server\u7684Master Key<\/strong>\u8fdb\u884c\u52a0\u5bc6\u7684Ticket\u3002\u8be5Ticket\u5927\u4f53\u5305\u542b\u4ee5\u4e0b\u4e00\u4e9b\u5185\u5bb9\uff1a<\/p>\n<ul>\n<li>\n<div>Session Key\uff1aSServer-Client\u3002<\/div>\n<\/li>\n<li>\n<div>Client name &amp; realm: \u7b80\u5355\u5730\u8bf4\u5c31\u662fDomain name\\Client\u3002<\/div>\n<\/li>\n<li>\n<div>End time: Ticket\u7684\u5230\u671f\u65f6\u95f4\u3002<\/div>\n<\/li>\n<\/ul>\n<p>Client\u6536\u5230KRB_TGS_REP\uff0c\u4f7f\u7528<strong>Logon Session Key\uff08SKDC-Client\uff09<\/strong>\u89e3\u5bc6\u7b2c\u4e00\u90e8\u5206\u540e\u83b7\u5f97<strong>Session Key\uff08SServer-Client\uff09<\/strong>\u3002\u6709\u4e86Session Key\u548cTicket\uff0cClient\u5c31\u53ef\u4ee5\u76f4\u63a5\u548cServer\u8fdb\u884c\u4ea4\u4e92\uff0c\u800c\u65e0\u987b\u518d\u901a\u8fc7KDC\u4f5c\u4e2d\u95f4\u4eba\u4e86\u3002\u6240\u4ee5\u6211\u4eec\u8bf4Kerberos\u662f\u4e00\u79cd\u9ad8\u6548\u7684\u8ba4\u8bc1\u65b9\u5f0f\uff0c\u5b83\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7Client\u548cServer\u53cc\u65b9\u6765\u5b8c\u6210\uff0c\u4e0d\u50cfWindows NT 4\u4e0b\u7684NTLM\u8ba4\u8bc1\u65b9\u5f0f\uff0c\u6bcf\u6b21\u8ba4\u8bc1\u90fd\u8981\u901a\u8fc7\u4e00\u4e2a\u53cc\u65b9\u4fe1\u4efb\u7684\u7b2c3\u65b9\u6765\u5b8c\u6210\u3002<\/p>\n<p>\u6211\u4eec\u73b0\u5728\u6765\u770b\u770b Client\u5982\u4f55\u4f7f\u7528Ticket\u548cServer\u8fdb\u884c\u4ea4\u4e92\u7684\uff0c\u8fd9\u4e2a\u9636\u6bb5\u901a\u8fc7\u6211\u4eec\u7684\u7b2c3\u4e2aSub-protocol\u6765\u5b8c\u6210\uff1a<strong>CS\uff08Client\/Server \uff09Exchange<\/strong>\u3002<\/p>\n<p><strong>3\uff0e CS\uff08Client\/Server \uff09Exchange<\/strong><\/p>\n<p>\u8fd9\u4e2a\u5df2\u7ecf\u5728\u672c\u6587\u7684\u7b2c\u4e8c\u8282\u4e2d\u5df2\u7ecf\u4ecb\u7ecd\u8fc7\uff0c\u5bf9\u4e8e\u91cd\u590d\u7684\u5185\u5bb9\u5c31\u4e0d\u518d\u7d2f\u8d58\u4e86\u3002Client\u901a\u8fc7TGS Exchange\u83b7\u5f97Client\u548cServer\u7684<strong>Session 
Key\uff08SServer-Client\uff09<\/strong>\uff0c\u968f\u540e\u521b\u5efa\u7528\u4e8e\u8bc1\u660e\u81ea\u5df1\u5c31\u662fTicket\u7684\u771f\u6b63\u6240\u6709\u8005\u7684Authenticator\uff0c\u5e76\u4f7f\u7528<strong>Session Key\uff08SServer-Client\uff09<\/strong>\u8fdb\u884c\u52a0\u5bc6\u3002\u6700\u540e\u5c06\u8fd9\u4e2a\u88ab\u52a0\u5bc6\u8fc7\u7684Authenticator\u548cTicket\u4f5c\u4e3aApplication Service Request\uff08KRB_AP_REQ\uff09\u53d1\u9001\u7ed9Server\u3002\u9664\u4e86\u4e0a\u8ff0\u4e24\u9879\u5185\u5bb9\u4e4b\u5916\uff0cKRB_AP_REQ\u8fd8\u5305\u542b\u4e00\u4e2aFlag\u7528\u4e8e\u8868\u793aClient\u662f\u5426\u9700\u8981\u8fdb\u884c\u53cc\u5411\u9a8c\u8bc1\uff08Mutual Authentication\uff09\u3002<\/p>\n<p>Server\u63a5\u6536\u5230KRB_AP_REQ\u4e4b\u540e\uff0c\u901a\u8fc7\u81ea\u5df1\u7684Master Key\u89e3\u5bc6Ticket\uff0c\u4ece\u800c\u83b7\u5f97Session Key\uff08SServer-Client\uff09\u3002\u901a\u8fc7Session Key\uff08SServer-Client\uff09\u89e3\u5bc6Authenticator\uff0c\u8fdb\u800c\u9a8c\u8bc1\u5bf9\u65b9\u7684\u8eab\u4efd\u3002\u9a8c\u8bc1\u6210\u529f\uff0c\u8ba9Client\u8bbf\u95ee\u9700\u8981\u8bbf\u95ee\u7684\u8d44\u6e90\uff0c\u5426\u5219\u76f4\u63a5\u62d2\u7edd\u5bf9\u65b9\u7684\u8bf7\u6c42\u3002<\/p>\n<p>\u5bf9\u4e8e\u9700\u8981\u8fdb\u884c\u53cc\u5411\u9a8c\u8bc1\uff0cServer\u4eceAuthenticator\u63d0\u53d6Timestamp\uff0c\u4f7f\u7528Session Key\uff08SServer-Client\uff09\u8fdb\u884c\u52a0\u5bc6\uff0c\u5e76\u5c06\u5176\u53d1\u9001\u7ed9Client\u7528\u4e8eClient\u9a8c\u8bc1Server\u7684\u8eab\u4efd\u3002<\/p>\n<p><strong>\u516d\u3001User2User Sub-Protocol\uff1a\u6709\u6548\u5730\u4fdd\u969cServer\u7684\u5b89\u5168<\/strong><\/p>\n<p>\u901a\u8fc73\u4e2aSub-protocol\u7684\u4ecb\u7ecd\uff0c\u6211\u4eec\u53ef\u4ee5\u5168\u9762\u5730\u638c\u63e1\u6574\u4e2aKerberos\u7684\u8ba4\u8bc1\u8fc7\u7a0b\u3002\u5b9e\u9645\u4e0a\uff0c\u5728Windows 2000\u65f6\u4ee3\uff0c\u57fa\u4e8eKerberos\u7684Windows 
Authentication\u5c31\u662f\u6309\u7167\u8fd9\u6837\u7684\u5de5\u4f5c\u6d41\u7a0b\u6765\u8fdb\u884c\u7684\u3002\u4f46\u662f\u6211\u5728\u4e0a\u9762\u4e00\u8282\u7ed3\u675f\u7684\u65f6\u5019\u4e5f\u8bf4\u4e86\uff0c\u57fa\u4e8e3\u4e2aSub-protocol\u7684Kerberos\u4f5c\u4e3a\u4e00\u79cdNetwork Authentication\u662f\u5177\u6709\u5b83\u81ea\u5df1\u7684\u5c40\u9650\u548c\u5b89\u5168\u9690\u60a3\u7684\u3002\u6211\u5728\u6574\u7bc7\u6587\u7ae0\u4e00\u76f4\u5728\u5f3a\u8c03\u8fd9\u6837\u7684\u4e00\u4e2a\u539f\u5219\uff1a<strong>\u4ee5\u67d0\u4e2aEntity\u7684Long-term Key\u52a0\u5bc6\u7684\u6570\u636e\u4e0d\u5e94\u8be5\u5728\u7f51\u7edc\u4e2d\u4f20\u9012<\/strong>\u3002\u539f\u56e0\u5f88\u7b80\u5355\uff0c\u6240\u6709\u7684\u52a0\u5bc6\u7b97\u6cd5\u90fd\u4e0d\u80fd\u4fdd\u8bc1100%\u7684\u5b89\u5168\uff0c\u5bf9\u52a0\u5bc6\u7684\u6570\u636e\u8fdb\u884c\u89e3\u5bc6\u53ea\u662f\u4e00\u4e2a\u65f6\u95f4\u7684\u8fc7\u7a0b\uff0c\u6700\u5927\u9650\u5ea6\u5730\u63d0\u4f9b\u5b89\u5168\u4fdd\u969c\u7684\u505a\u6cd5\u5c31\u662f\uff1a<strong>\u4f7f\u7528\u4e00\u4e2aShort-term key\uff08Session Key\uff09\u4ee3\u66ffLong-term Key\u5bf9\u6570\u636e\u8fdb\u884c\u52a0\u5bc6\uff0c\u4f7f\u5f97\u6076\u610f\u7528\u6237\u5bf9\u5176\u89e3\u5bc6\u83b7\u5f97\u52a0\u5bc6\u7684Key\u65f6\uff0c\u8be5Key\u65e9\u5df2\u5931\u6548<\/strong>\u3002\u4f46\u662f\u5bf9\u4e8e3\u4e2aSub-Protocol\u7684C\/S Exchange\uff0cClient\u643a\u5e26\u7684Ticket\u5374\u662f\u88ab<strong>Server Master Key<\/strong>\u8fdb\u884c\u52a0\u5bc6\u7684\uff0c\u8fd9\u663e\u7136\u4e0d\u7b26\u5408\u6211\u4eec\u63d0\u51fa\u7684\u539f\u5219\uff0c\u964d\u4f4e\u4e86Server\u7684\u5b89\u5168\u7cfb\u6570\u3002<\/p>\n<p>\u6240\u4ee5\u6211\u4eec\u5fc5\u987b\u5bfb\u6c42\u4e00\u79cd\u89e3\u51b3\u65b9\u6848\u6765\u89e3\u51b3\u4e0a\u9762\u7684\u95ee\u9898\u3002\u8fd9\u4e2a\u89e3\u51b3\u65b9\u6848\u5f88\u660e\u663e\uff1a\u5c31\u662f\u91c7\u7528\u4e00\u4e2aShort-term\u7684Session Key\uff0c\u800c\u4e0d\u662fServer Master 
Key\u5bf9Ticket\u8fdb\u884c\u52a0\u5bc6\u3002\u8fd9\u5c31\u662f\u6211\u4eec\u4eca\u5929\u8981\u4ecb\u7ecd\u7684Kerberos\u7684\u7b2c4\u4e2aSub-protocol\uff1a<strong>User2User Protocol<\/strong>\u3002\u6211\u4eec\u77e5\u9053\uff0c\u65e2\u7136\u662fSession Key\uff0c\u5c31\u5fc5\u7136\u6d89\u53ca\u5230\u4e24\u65b9\uff0c\u800c\u5728Kerberos\u6574\u4e2a\u8ba4\u8bc1\u8fc7\u7a0b\u6d89\u53ca\u52303\u65b9\uff1aClient\u3001Server\u548cKDC\uff0c\u6240\u4ee5\u7528\u4e8e\u52a0\u5bc6Ticket\u7684\u53ea\u53ef\u80fd\u662fServer\u548cKDC\u4e4b\u95f4\u7684<strong>Session Key\uff08SKDC-Server\uff09\u3002<\/strong><\/p>\n<p>\u6211\u4eec\u77e5\u9053Client\u901a\u8fc7\u5728AS Exchange\u9636\u6bb5\u83b7\u5f97\u7684TGT\u4eceKDC\u90a3\u91cc\u83b7\u5f97\u8bbf\u95eeServer\u7684Ticket\u3002\u539f\u6765\u7684Ticket\u662f\u901a\u8fc7<strong>Server\u7684Master Key<\/strong>\u8fdb\u884c\u52a0\u5bc6\u7684\uff0c\u800c\u8fd9\u4e2aMaster Key\u53ef\u4ee5\u901a\u8fc7Account Database\u83b7\u5f97\u3002\u4f46\u662f\u73b0\u5728KDC\u9700\u8981\u4f7f\u7528Server\u548cKDC\u4e4b\u95f4\u7684<strong>SKDC-Server<\/strong>\u8fdb\u884c\u52a0\u5bc6\uff0c\u800cKDC\u662f\u4e0d\u4f1a\u7ef4\u62a4\u8fd9\u4e2aSession Key\uff0c\u6240\u4ee5<strong>\u8fd9\u4e2aSession Key\u53ea\u80fd\u9760\u7533\u8bf7Ticket\u7684Client\u63d0\u4f9b<\/strong>\u3002\u6240\u4ee5\u5728AS Exchange\u548cTGS Exchange\u4e4b\u95f4\uff0cClient\u8fd8\u5f97\u5bf9Server\u8fdb\u884c\u8bf7\u6c42\u4ee5\u83b7\u5f97Server\u548cKDC\u4e4b\u95f4\u7684Session Key\uff08<strong>SKDC-Server<\/strong>\uff09\u3002\u800c\u5bf9\u4e8eServer\u6765\u8bf4\uff0c\u5b83\u53ef\u4ee5\u50cfClient\u4e00\u6837\u901a\u8fc7<strong>AS Exchange<\/strong>\u83b7\u5f97\u5b83\u548cKDC\u4e4b\u95f4\u7684Session Key\uff08<strong>SKDC-Server<\/strong>\uff09\u548c\u4e00\u4e2a\u5c01\u88c5\u4e86\u8fd9\u4e2aSession Key\u5e76\u88ab<strong>KDC\u7684Master 
Key\u8fdb\u884c\u52a0\u5bc6\u7684TGT<\/strong>\uff0c\u4e00\u65e6\u83b7\u5f97\u8fd9\u4e2aTGT\uff0cServer\u4f1a\u7f13\u5b58\u5b83\uff0c\u4ee5\u5f85Client\u5bf9\u5b83\u7684\u8bf7\u6c42\u3002\u6211\u4eec\u73b0\u5728\u6765\u8be6\u7ec6\u5730\u8ba8\u8bba\u8fd9\u4e00\u8fc7\u7a0b\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/cos.rain1024.com\/markdown\/kerberos_03_01.gif\" alt=\"\" width=\"572\" height=\"265\" border=\"0\" \/><br \/>\n\u4e0a\u56fe\u57fa\u672c\u4e0a\u7ffb\u8bd1\u4e86\u57fa\u4e8eUser2User\u7684\u8ba4\u8bc1\u8fc7\u7a0b\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u75314\u4e2a\u6b65\u9aa4\u7ec4\u6210\u3002\u6211\u4eec\u53d1\u73b0\u8f83\u4e4b\u6211\u5728\u4e0a\u9762\u4e00\u8282\u4ecb\u7ecd\u7684\u57fa\u4e8e\u4f20\u7edf3\u4e2aSub-protocol\u7684\u8ba4\u8bc1\u8fc7\u7a0b\uff0c\u8fd9\u6b21\u5bf9\u4e86\u7b2c2\u90e8\u3002\u6211\u4eec<a href=\"https:\/\/www.baidu.com\/s?wd=%E4%BB%8E%E5%A4%B4%E5%88%B0%E5%B0%BE&amp;tn=24004469_oem_dg&amp;rsv_dl=gh_pl_sl_csd\" target=\"_blank\" rel=\"noopener\">\u4ece\u5934\u5230\u5c3e<\/a>\u7b80\u5355\u5730\u8fc7\u4e00\u904d\uff1a<\/p>\n<ol>\n<li>\n<div>AS Exchange\uff1aClient\u901a\u8fc7\u6b64\u8fc7\u7a0b\u83b7\u5f97\u4e86\u5c5e\u4e8e\u81ea\u5df1\u7684TGT\uff0c\u6709\u4e86\u6b64TGT\uff0cClient\u53ef\u51ed\u6b64\u5411KDC\u7533\u8bf7\u7528\u4e8e\u8bbf\u95ee\u67d0\u4e2aServer\u7684Ticket\u3002<\/div>\n<\/li>\n<li>\n<div>\u8fd9\u4e00\u6b65\u7684\u4e3b\u8981\u4efb\u52a1\u662f\u83b7\u5f97\u5c01\u88c5\u4e86Server\u548cKDC\u7684Session Key\uff08SKDC-Server\uff09\u7684\u5c5e\u4e8eServer\u7684TGT\u3002\u5982\u679c\u8be5TGT\u5b58\u5728\u4e8eServer\u7684\u7f13\u5b58\u4e2d\uff0c\u5219Server\u4f1a\u76f4\u63a5\u5c06\u5176\u8fd4\u56de\u7ed9Client\u3002\u5426\u5219\u901a\u8fc7AS Exchange\u4eceKDC\u83b7\u53d6\u3002<\/div>\n<\/li>\n<li>\n<div>TGS 
Exchange\uff1aClient\u901a\u8fc7\u5411KDC\u63d0\u4f9b\u81ea\u5df1\u7684TGT\uff0cServer\u7684TGT\u4ee5\u53caAuthenticator\u5411KDC\u7533\u8bf7\u7528\u4e8e\u8bbf\u95eeServer\u7684Ticket\u3002KDC\u4f7f\u7528\u5148\u7528\u81ea\u5df1\u7684Master Key\u89e3\u5bc6Client\u7684TGT\u83b7\u5f97SKDC-Client\uff0c\u901a\u8fc7SKDC-Client\u89e3\u5bc6Authenticator\u9a8c\u8bc1\u53d1\u9001\u8005\u662f\u5426\u662fTGT\u7684\u771f\u6b63\u62e5\u6709\u8005\uff0c\u9a8c\u8bc1\u901a\u8fc7\u518d\u7528\u81ea\u5df1\u7684Master Key\u89e3\u5bc6Server\u7684TGT\u83b7\u5f97KDC\u548cServer \u7684Session Key\uff08SKDC-Server\uff09\uff0c\u5e76\u7528\u8be5Session Key\u52a0\u5bc6Ticket\u8fd4\u56de\u7ed9Client\u3002<\/div>\n<\/li>\n<li>\n<div>C\/S Exchange\uff1aClient\u643a\u5e26\u8005\u901a\u8fc7KDC\u548cServer \u7684Session Key\uff08SKDC-Server\uff09\u8fdb\u884c\u52a0\u5bc6\u7684Ticket\u548c\u901a\u8fc7Client\u548cServer\u7684Session Key\uff08SServer-Client\uff09\u7684Authenticator\u8bbf\u95eeServer\uff0cServer\u901a\u8fc7SKDC-Server\u89e3\u5bc6Ticket\u83b7\u5f97SServer-Client\uff0c\u901a\u8fc7SServer-Client\u89e3\u5bc6Authenticator\u5b9e\u73b0\u5bf9Client\u7684\u9a8c\u8bc1\u3002<\/div>\n<\/li>\n<\/ol>\n<p>\u8fd9\u5c31\u662f\u6574\u4e2a\u8fc7\u7a0b\u3002<\/p>\n<p><strong>\u4e03\u3001Kerberos\u7684\u4f18\u70b9<\/strong><\/p>\n<p>\u5206\u6790\u6574\u4e2aKerberos\u7684\u8ba4\u8bc1\u8fc7\u7a0b\u4e4b\u540e\uff0c\u6211\u4eec\u6765\u603b\u7ed3\u4e00\u4e0bKerberos\u90fd\u6709\u54ea\u4e9b\u4f18\u70b9\uff1a<\/p>\n<p><strong>1\uff0e\u8f83\u9ad8\u7684Performance<\/strong><\/p>\n<p>\u867d\u7136\u6211\u4eec\u4e00\u518d\u5730\u8bf4Kerberos\u662f\u4e00\u4e2a\u6d89\u53ca\u52303\u65b9\u7684\u8ba4\u8bc1\u8fc7\u7a0b\uff1aClient\u3001Server\u3001KDC\u3002\u4f46\u662f\u4e00\u65e6Client\u83b7\u5f97\u7528\u8fc7\u8bbf\u95ee\u67d0\u4e2aServer\u7684Ticket\uff0c\u8be5Server\u5c31\u80fd\u6839\u636e\u8fd9\u4e2aTicket\u5b9e\u73b0\u5bf9Client\u7684\u9a8c\u8bc1\uff0c\u800c\u65e0\u987bKDC\u7684\u518d\u6b21\u53c2\u4e0e\u3002\u548c\u4f20\u7
edf\u7684\u57fa\u4e8eWindows NT 4.0\u7684\u6bcf\u4e2a\u5b8c\u5168\u4f9d\u8d56Trusted Third Party\u7684NTLM\u6bd4\u8f83\uff0c\u5177\u6709\u8f83\u5927\u7684\u6027\u80fd\u63d0\u5347\u3002<\/p>\n<p><strong>2\uff0e\u5b9e\u73b0\u4e86\u53cc\u5411\u9a8c\u8bc1\uff08Mutual Authentication\uff09<\/strong><\/p>\n<p>\u4f20\u7edf\u7684NTLM\u8ba4\u8bc1\u57fa\u4e8e\u8fd9\u6837\u4e00\u4e2a\u524d\u63d0\uff1aClient\u8bbf\u95ee\u7684\u8fdc\u7a0b\u7684Service\u662f\u53ef\u4fe1\u7684\u3001\u65e0\u9700\u5bf9\u4e8e\u8fdb\u884c\u9a8c\u8bc1\uff0c\u6240\u4ee5NTLM\u4e0d\u66fe\u63d0\u4f9b\u53cc\u5411\u9a8c\u8bc1\u7684\u529f\u80fd\u3002\u8fd9\u663e\u7136\u6709\u70b9\u7406\u60f3\u4e3b\u4e49\uff0c\u4e3a\u6b64Kerberos\u5f25\u8865\u4e86\u8fd9\u4e2a\u4e0d\u8db3\uff1aClient\u5728\u8bbf\u95eeServer\u7684\u8d44\u6e90\u4e4b\u524d\uff0c\u53ef\u4ee5\u8981\u6c42\u5bf9Server\u7684\u8eab\u4efd\u6267\u884c\u8ba4\u8bc1\u3002<\/p>\n<p><strong>3\uff0e\u5bf9Delegation\u7684\u652f\u6301<\/strong><\/p>\n<p>Impersonation\u548cDelegation\u662f\u4e00\u4e2a\u5206\u5e03\u5f0f\u73af\u5883\u4e2d\u4e24\u4e2a\u91cd\u8981\u7684\u529f\u80fd\u3002Impersonation\u5141\u8bb8Server\u5728\u672c\u5730\u4f7f\u7528Logon \u7684Account\u6267\u884c\u67d0\u4e9b\u64cd\u4f5c\uff0cDelegation\u9700\u7528Server\u5c06logon\u7684Account\u5e26\u5165\u5230\u53e6\u8fc7\u4e00\u4e2aContext\u6267\u884c\u76f8\u5e94\u7684\u64cd\u4f5c\u3002NTLM\u4ec5\u5bf9Impersonation\u63d0\u4f9b\u652f\u6301\uff0c\u800cKerberos\u901a\u8fc7\u4e00\u79cd\u53cc\u5411\u7684\u3001\u53ef\u4f20\u9012\u7684\uff08Mutual 
\u3001Transitive\uff09\u4fe1\u4efb\u6a21\u5f0f\u5b9e\u73b0\u4e86\u5bf9Delegation\u7684\u652f\u6301\u3002<\/p>\n<p><strong>4\uff0e\u4e92\u64cd\u4f5c\u6027\uff08Interoperability\uff09<\/strong><\/p>\n<p>Kerberos\u6700\u521d\u7531MIT\u9996\u521b\uff0c\u73b0\u5728\u5df2\u7ecf\u6210\u4e3a\u4e00\u884c\u88ab\u5e7f\u6cdb\u63a5\u53d7\u7684\u6807\u51c6\u3002\u6240\u4ee5\u5bf9\u4e8e\u4e0d\u540c\u7684\u5e73\u53f0\u53ef\u4ee5\u8fdb\u884c\u5e7f\u6cdb\u7684\u4e92\u64cd\u4f5c\u3002<\/p>\n<\/div>\n<\/div>\n<\/article>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"comment-box\">\n<div class=\"comment-edit-box d-flex\"><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u539f\u6587\uff1ahttps:\/\/blog.csdn.net\/wulantian\/article\/details\/4241\u2026 <span class=\"read-more\"><a href=\"http:\/\/rain1024.com\/index.php\/2019\/01\/23\/article140\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,21],"tags":[69],"class_list":["post-1019","post","type-post","status-publish","format-standard","hentry","category-technique","category-21","tag-69"],"_links":{"self":[{"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/posts\/1019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/comments?post=1019"}],"version-history":[{"count":1,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/posts\/1019\/revisions"}],"predecessor-version":[{"id":1392,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/posts\/1019\/revisions\/1392"}],"wp:attachment":[{"href":"http:\/\/r
ain1024.com\/index.php\/wp-json\/wp\/v2\/media?parent=1019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/categories?post=1019"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/rain1024.com\/index.php\/wp-json\/wp\/v2\/tags?post=1019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}