My apologies for the bad example. I drafted it up rather quickly. I guess my real question wasnt stated very clearly.
We have around 1000 machines here that will be running the exact same configuration, and will be used for load testing. Every time an employee comes or goes, we have to change the password on each machine for security purposes. This obviously is very tedious when running a windows platform without a dns authentication. We want to convert all of these same or similar hardware machines to redhate linux 8, and have them authenticate using kerberos. We need ONE user that can login using the same user name and password from any machine, namely Administrator and the password. The goal is the be able to just change the password in the Master KDC Database instead of manually going machine to machine changing the password. This is my job... I would like to set up kerberos so that there is 1 user with 1 password with all priviledges that root has. That user will be Administrator. I would like for my team members to be able to login from any machine using this same user name and password, and for kerberos to issue a token. Using red hat 8 configuration, how do you think I would go about doing this? I'm learning linux, but coming from a windows background. The simpler this can be explained, the better. Thanks in advance... Regards, James Walthall Jr IBM - Host Integration Server Test IDD and BETA Outside: (919) 254-8869 Tieline: 444-8869 Research Triangle Park Raleigh, North Carolina "Douglas E. Engert" <[EMAIL PROTECTED]> 02/12/2004 11:01 AM To: James Walthall/Durham/[EMAIL PROTECTED] cc: [EMAIL PROTECTED] Subject: Re: Authentication In Redhat Rather then use a shared root account across all 1000 machnes, consider authorizing selected individuals to become/login as root. on each machine. You can do this using the $HOME/.k5login file on each machine listing the principals that can use the local acount. i.e. root's home is "/" thus /.k5login would be used for root. (This also give you some auditing information, as you can see who got tickets for which machine and who logged in. James Walthall wrote: > > When you login to a kerberos integrated redhat machine, what information > is sent for tickets? Passwords are not sent. if thats your question. > > Let's say I login as root with password ****, which should be considered > valid for our example. > We are working from machine with host name HOSTNAME Keep in mind that your local unix account name like root does not have to match the principal name use in network authentication or the local unix account name on the remote machine. So you could login to a locla machine as joe, do a kinit [EMAIL PROTECTED], and do a ssh -l root remote.ibm.com If the /.k5login on remote.host has [EMAIL PROTECTED] listed, it will let you in. (ssh may have other restrictions on root logins.) > > When kerberos searches for this user in the database, what key is it > searching for? There are two principals, the user and the server. Thyere are actually two tickets, a TGT for the user, which is used to geta ticket for the server. So in my example there is [EMAIL PROTECTED] and host/[EMAIL PROTECTED] > > realm: RALEIGH.IBM.COM > > is it HOSTNAME/[EMAIL PROTECTED] ? > > is there a way to just insert a key for /[EMAIL PROTECTED] > so that there need not be a key for EVERY host, since we have over 1000 of > them? Does not work like that. Each host has a principal. and the .k5login in each home directory can server as a ACL for the local account listing which principals can use the account. Try and avoid a [EMAIL PROTECTED] principal. UNIX considers root as local to each machine. Its more of a role, then an account. Even NFS treats root special. If you have a root principal, you don't know who is using it. > > also, if there is a way, please be specific as to how I can go about > setting that up. > > Regards, > > James Walthall Jr > IBM - Host Integration Server Test IDD and BETA > Outside: (919) 254-8869 > Tieline: 444-8869 > Research Triangle Park > Raleigh, North Carolina > ________________________________________________ > Kerberos mailing list [EMAIL PROTECTED] > https://mailman.mit.edu/mailman/listinfo/kerberos -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos