Rather than use a shared root account across all 1000 machines, consider authorizing selected individuals to become/login as root on each machine.

You can do this using the $HOME/.k5login file on each machine listing the principals that can use the local account. I.e. root's home is "/", thus /.k5login would be used for root. (This also gives you some auditing information, as you can see who got tickets for which machine and who logged in.)

James Walthall wrote:

> When you login to a kerberos integrated redhat machine, what information
> is sent for tickets?

Passwords are not sent, if that's your question.

> Let's say I login as root with password ****, which should be considered
> valid for our example.
> We are working from machine with host name HOSTNAME

Keep in mind that your local unix account name like root does not have to match the principal name used in network authentication or the local unix account name on the remote machine. So you could login to a local machine as joe, do a kinit [EMAIL PROTECTED], and do a ssh -l root remote.ibm.com. If the /.k5login on remote.host has [EMAIL PROTECTED] listed, it will let you in. (ssh may have other restrictions on root logins.)

> When kerberos searches for this user in the database, what key is it
> searching for?

There are two principals, the user and the server. There are actually two tickets, a TGT for the user, which is used to get a ticket for the server. So in my example there is [EMAIL PROTECTED] and host/[EMAIL PROTECTED]

> realm: RALEIGH.IBM.COM
>
> is it HOSTNAME/[EMAIL PROTECTED] ?
>
> is there a way to just insert a key for /[EMAIL PROTECTED]
> so that there need not be a key for EVERY host, since we have over 1000 of
> them?

Does not work like that. Each host has a principal, and the .k5login in each home directory can serve as an ACL for the local account listing which principals can use the account.

Try and avoid a [EMAIL PROTECTED] principal. UNIX considers root as local to each machine. It's more of a role than an account. Even NFS treats root special. If you have a root principal, you don't know who is using it.

> also, if there is a way, please be specific as to how I can go about
> setting that up.
>
> Regards,
>
> James Walthall Jr
> IBM - Host Integration Server Test IDD and BETA
> Outside: (919) 254-8869
> Tieline: 444-8869
> Research Triangle Park
> Raleigh, North Carolina

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
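The following is an added example, not code from this thread or from MIT Kerberos. It models the per-account .k5login ACL decision Engert describes (one principal per line, matched exactly; with no file present, the usual default rule that user@DEFAULT_REALM maps to the local account user) and shows why listing individual principals in root's /.k5login leaves an audit trail that a shared root@REALM principal would not. The function and record names (kuserok, audit_record), the LocalAccount class, the sample principals joe/alice, and the ownership check being passed in as a uid rather than read with stat() are all assumptions of this example; the realm RALEIGH.IBM.COM is the one from the thread.

```python
"""Model of the .k5login per-account ACL and the audit trail it yields.

Added example: this is not MIT krb5 code. It imitates the documented
.k5login semantics closely enough to reason about who may use an account.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_REALM = "RALEIGH.IBM.COM"   # realm named in the thread


@dataclass
class LocalAccount:
    """A local UNIX account plus the contents of its $HOME/.k5login, if any."""
    name: str
    uid: int
    home: str
    k5login: Optional[str]              # file contents; None if the file is absent
    k5login_owner_uid: Optional[int] = None   # assumption: owner passed in, not stat()'d


def k5login_entries(text: str) -> List[str]:
    """Parse .k5login: one principal per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def kuserok(principal: str, account: LocalAccount) -> bool:
    """Decide whether `principal` may use `account` (modelled on krb5_kuserok)."""
    if account.k5login is not None:
        # A .k5login not owned by the account itself or by root is ignored
        # (treated as a deny), so a writable home cannot grant access.
        if account.k5login_owner_uid not in (account.uid, 0):
            return False
        return principal in k5login_entries(account.k5login)
    # No .k5login: default mapping user@DEFAULT_REALM -> local user "user".
    name, sep, realm = principal.partition("@")
    return sep == "@" and realm == DEFAULT_REALM and name == account.name


def audit_record(principal: str, account: LocalAccount, host: str) -> str:
    """Build the log line a login would leave: the *principal* is the person."""
    result = "ALLOW" if kuserok(principal, account) else "DENY"
    return (f"host={host} local_account={account.name} "
            f"principal={principal} result={result}")


# --- constructed sample data -------------------------------------------------
# root's home is "/", so its ACL is /.k5login; it lists individuals, not root@REALM.
ROOT = LocalAccount(name="root", uid=0, home="/",
                    k5login="joe@RALEIGH.IBM.COM\nalice@RALEIGH.IBM.COM\n",
                    k5login_owner_uid=0)
# Same ACL contents, but the file is owned by an unprivileged uid: rejected.
ROOT_BAD_OWNER = LocalAccount(name="root", uid=0, home="/",
                              k5login="joe@RALEIGH.IBM.COM\n",
                              k5login_owner_uid=1001)
# joe has no .k5login, so only the default-realm name mapping applies.
JOE = LocalAccount(name="joe", uid=1001, home="/home/joe", k5login=None)


if __name__ == "__main__":
    for principal in ("joe@RALEIGH.IBM.COM", "root@RALEIGH.IBM.COM"):
        print(audit_record(principal, ROOT, host="remote.ibm.com"))
    print(audit_record("joe@RALEIGH.IBM.COM", JOE, host="remote.ibm.com"))
    print(audit_record("joe@OTHER.EXAMPLE", JOE, host="remote.ibm.com"))
```

Run stand-alone it prints one record per attempt; the ALLOW line for root carries principal=joe@RALEIGH.IBM.COM, which is the auditing benefit Engert points to: the log names the person who became root, whereas a shared root principal would only ever say "root".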