Configuring Kerberos Single Sign-On (SSO) with GSSAPI on Debian 11 Bullseye.

This article shows how to configure Kerberos Single Sign-On (SSO) with GSSAPI in the Apache web server on Debian 11 Bullseye.

  • Windows domain: jakonda.local
  • Domain service account: svc.web
  • Linux machine: Debian 11

 

First, create a service account (svc.web in my case) and generate a KEYTAB file for it on the Windows domain controller.

All of this is done with the command below; remember to substitute your own values for mine.

ktpass -princ HTTP/web.jakonda.ru@JAKONDA.LOCAL -mapuser svc.web@JAKONDA.LOCAL -pass 3T2XgYCz2IFcBUo0altu -crypto ALL -ptype KRB5_NT_PRINCIPAL -out C:\Keytabs\svc.web.keytab


 

Set the owner and access mode on the keytab file, which the following steps expect at /etc/svc.web.keytab on the Linux machine:

chown root:www-data /etc/svc.web.keytab
chmod 640 /etc/svc.web.keytab

 

Install the packages for the Apache web server, the GSSAPI authentication module for it, and Kerberos.

apt-get install apache2 apache2-utils libapache2-mod-auth-gssapi krb5-user

 

# /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JAKONDA.LOCAL
 default_keytab_name = /etc/svc.web.keytab
 dns_lookup_kdc = false
 dns_lookup_realm = false
 forwardable = true
 ticket_lifetime = 24h

[realms]
# The realm name must match default_realm; with dns_lookup_kdc = false
# the KDC is taken only from this section.
 JAKONDA.LOCAL = {
 kdc = dc01.jakonda.local
 default_domain = JAKONDA.LOCAL
 admin_server = dc01.jakonda.local
 }

[domain_realm]
 .jakonda.local = JAKONDA.LOCAL
 jakonda.local = JAKONDA.LOCAL

kinit -V -k -t /etc/svc.web.keytab HTTP/web.jakonda.ru@JAKONDA.LOCAL

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/web.jakonda.ru@JAKONDA.LOCAL
Using keytab: /etc/svc.web.keytab
Authenticated to Kerberos v5


 

To test Kerberos SSO authentication, create the file /var/www/html/index.php with the following contents:

<?php
echo "<h2>Kerberos Auth</h2>";
echo "Auth type: " . $_SERVER['AUTH_TYPE'] . "<br />";
echo "Remote user: " . $_SERVER['REMOTE_USER'] . "<br />";
?>

 

Create the virtual host configuration /etc/apache2/sites-available/001-web.conf with the following contents:

<VirtualHost *:80>
        ServerName web.jakonda.ru

        DocumentRoot /var/www/html
        DirectoryIndex index.php

        <Location />
                AuthType GSSAPI
                AuthName "Kerberos Login"

                GssapiCredStore keytab:/etc/svc.web.keytab
                GssapiAcceptorName HTTP
                GssapiBasicAuth On
                GssapiLocalName On
                GssapiUseSessions On
                GssapiNegotiateOnce On

                Require valid-user
        </Location>
</VirtualHost>

 

Enable the virtual host and restart the apache service:

a2ensite 001-web.conf && /etc/init.d/apache2 restart
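
A post-setup audit for the steps above, as an added example that is not part of the original article: ktpass -crypto ALL writes a key for every encryption type, including DES and RC4, and GssapiBasicAuth On on a port-80 virtual host accepts a password in a Basic header without TLS. The function names and the sample klist output are constructed for illustration; GssapiSSLonly is the mod_auth_gssapi directive that refuses authentication on non-TLS connections.

```shell
#!/bin/sh
# Added example, not from the original article: checks to run after the steps above.
# On the server:  klist -ke /etc/svc.web.keytab | weak_enctypes
#                 vhost_basic_is_tls_only < /etc/apache2/sites-available/001-web.conf

# Constructed sample of `klist -ke` output for a keytab made with -crypto ALL
# (the KVNO value is made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/svc.web.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/web.jakonda.ru@JAKONDA.LOCAL (DEPRECATED:des-cbc-crc)
   3 HTTP/web.jakonda.ru@JAKONDA.LOCAL (DEPRECATED:des-cbc-md5)
   3 HTTP/web.jakonda.ru@JAKONDA.LOCAL (DEPRECATED:arcfour-hmac)
   3 HTTP/web.jakonda.ru@JAKONDA.LOCAL (aes256-cts-hmac-sha1-96)
   3 HTTP/web.jakonda.ru@JAKONDA.LOCAL (aes128-cts-hmac-sha1-96)'

# Print each legacy (DES/3DES/RC4) enctype found in `klist -ke` output on stdin.
# Returns 1 if any is present, 0 if the keytab holds only other types.
weak_enctypes() {
    # The enctype is in parentheses; newer MIT krb5 adds a "DEPRECATED:" prefix.
    _weak=$(grep -oE '\((DEPRECATED:)?[a-z0-9-]+\)' | tr -d '()' \
        | sed 's/^DEPRECATED://' | grep -E '^(des|des3|arcfour|rc4)-' | sort -u)
    if [ -n "$_weak" ]; then
        printf '%s\n' "$_weak"
        return 1
    fi
}

# Succeeds only if "other" has no permission bits on the keytab (the page uses 640).
keytab_other_bits_clear() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Reads a vhost config on stdin. Returns 1 when GssapiBasicAuth is On and no
# GssapiSSLonly On restricts authentication to TLS connections.
vhost_basic_is_tls_only() {
    _conf=$(grep -v '^[[:space:]]*#' || true)
    if printf '%s\n' "$_conf" | grep -qiE '^[[:space:]]*GssapiBasicAuth[[:space:]]+On' &&
       ! printf '%s\n' "$_conf" | grep -qiE '^[[:space:]]*GssapiSSLonly[[:space:]]+On'; then
        return 1
    fi
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes || echo "legacy enctypes in keytab"
```

If the keytab lists DES or RC4 entries, ktpass also accepts a single type such as -crypto AES256-SHA1 in place of ALL.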

 


Discussion

3 comments
  • It is not entirely clear on which page you are being asked for a login and password. Did you generate the keytab correctly? Are you getting a ticket? Did you set up the test virtual host, and is remote user detected?

    • This is a reply to jakonda's comment

      It seems correct, because after running the validity check command everything is the same as in the article.
      It asks for the password precisely when I try to open the host's web page; after entering it I am not logged in, let alone transparent authentication. Accordingly, I do not even see the remote user value.

  • I did everything according to your instructions, but when I open the page it still asks for a login and password =(