>>>>> "BK" == Barry King <[EMAIL PROTECTED]> writes:
BK> I'm looking for a way to use a combination of kerberos & ldap BK> authentication for (primarily Fedora 8) Linux workstations. My BK> goal is to have an automated install that will allow users to BK> authenticate to kerberos immediately after install, without the BK> need to create host principals or extract keytabs. You don't need to create host principals in order for a user to authenticate to a Kerberos realm on that host. In fact, if you have your SRV and _kerberos RR's in the DNS, the initial /etc/krb5.conf will probably let you kinit and use kerberized cliens without any changes at all. Now, if you want *password* authentication, as opposed to ticket-based, that's another story -- e.g., if you want sshd to verify a password supplied by the password or keyboard-interactive userauth methods. Then the host needs a shared key with the KDC so that it can verify the KDC's identity and prevent a spoofing attack. I think pam_krb5 lets you turn off that verification, but it's unwise from a security standpoint. - Richard BK> Right now, when I ssh in, it hangs and I get this with debug BK> turned on: BK> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying BK> previously-entered password for 'bking', allowing libkrb5 to BK> prompt for more Jan 16 09:48:17 bkingkstest1 sshd[2295]: BK> pam_krb5[2295]: authenticating ' [EMAIL PROTECTED]' to BK> 'krbtgt/[EMAIL PROTECTED]' Jan 16 09:48:17 bkingkstest1 sshd[2295]: BK> pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/[EMAIL PROTECTED] BK> returned 0 (Success) Jan 16 09:48:17 bkingkstest1 sshd[2295]: BK> pam_krb5[2295]: got result 0 (Success) BK> Thoughts? BK> My (sanitized) krb5.conf: BK> [logging] default = SYSLOG:ERR:USER BK> [libdefaults] default_realm = REALM dns_lookup_kdc = false BK> dns_lookup_realm = false noaddresses = true validate = false BK> [realms] EXPERTCITY.COM = { kdc = names1.realm master_kdc = BK> names0.realm admin_server = names0.realm auth_to_local = BK> RULE:[2:$1;$2](.*;root)s/;root$// auth_to_local = BK> RULE:[2:$1;$2](.*;admin)s/;admin$// BK> auth_to_local = DEFAULT BK> } [domain_realm] BK> .realm = REALM BK> [appdefaults] pam = { forwardable = true BK> } My pam.d/system-auth: BK> auth required /lib/security/$ISA/pam_env.so auth sufficient BK> /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient BK> /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug BK> #auth required /lib/security/$ISA/pam_deny.so BK> account required /lib/security/$ISA/pam_unix.so broken_shadow BK> account sufficient /lib/security/$ISA/pam_localuser.so account BK> sufficient /lib/security/$ISA/pam_krb5.so debug account sufficient BK> /lib/security/$ISA/pam_ldap.so debug account required BK> /lib/security/$ISA/pam_permit.so BK> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 BK> password sufficient /lib/security/$ISA/pam_unix.so nullok BK> use_authtok md5 shadow password sufficient BK> /lib/security/$ISA/pam_krb5.so use_authtok debug password required BK> /lib/security/$ISA/pam_deny.so debug BK> session required /lib/security/$ISA/pam_limits.so session required BK> /lib/security/$ISA/pam_unix.so #session required BK> /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022 BK> sauth required /lib/security/$ISA/pam_env.so auth sufficient BK> /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient BK> /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug BK> #auth required /lib/security/$ISA/pam_deny.so BK> account required /lib/security/$ISA/pam_unix.so broken_shadow BK> account sufficient /lib/security/$ISA/pam_localuser.so account BK> sufficient /lib/security/$ISA/pam_krb5.so debug account sufficient BK> /lib/security/$ISA/pam_ldap.so debug account required BK> /lib/security/$ISA/pam_permit.so BK> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 BK> password sufficient /lib/security/$ISA/pam_unix.so nullok BK> use_authtok md5 shadow password sufficient BK> /lib/security/$ISA/pam_krb5.so use_authtok debug password required BK> /lib/security/$ISA/pam_deny.so debug BK> session required /lib/security/$ISA/pam_limits.so session required BK> /lib/security/$ISA/pam_unix.so #session required BK> /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022 BK> session optional /lib/security/$ISA/pam_krb5.so debug session BK> optional /lib/security/$ISA/pam_ldap.so debug session optional BK> /lib/security/$ISA/pam_krb5.so debug session optional BK> /lib/security/$ISA/pam_ldap.so debug BK> Any ideas? Is what I'm trying even possible? BK> Thanks, BK> -- Barry King [EMAIL PROTECTED] -- Richard Silverman [EMAIL PROTECTED] ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos