Hi! Hope this is an appropriate question for this list. I have several hundred Linux boxes where we would like to have Kerberos-enabled ssh between them. They are all on the same domain, but other machines are also on the same domain. We have our own subnet (129.177/16, uib.no). My thought was to alter /etc/ssh/ssh_config (the client config) on each machine, but my setup results in connection problems to machines on the same domain that are run by others and possibly not Kerberos-enabled. These connections do not fail over to other auth methods, and thus the user is unable to log in from my machines.
Here are our additions to the config. Am I doing it the correct way?

# First FQDNs at UiB
Host 129.177.* *.uib.no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS
    ForwardX11Trusted yes

# Then FQDNs not at UiB
Host *.*
    GSSAPIAuthentication yes
    ForwardX11Trusted yes
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS

# And at last short names (non-FQDNs)
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS
    ForwardX11Trusted yes

-- 
Mvh/Regards,
Bjørge Solli
Systemarkitekt Unix klientdrift
Overingeniør/Chief engineer at Uni. Bergen, IT, Infrastruktur, Unix
Nygårdsgaten 5. Pb.7800, N-5020 Bergen, Norway. www.uib.no/it
(+47) Tlf: (555)82774 Mob: 91614343 Fax: (555)84299
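An added illustration, not part of the original post: ssh_config(5) uses the first value obtained for each option, and a `Host *` line matches every target name. The Python resolver below is a simplified model of OpenSSH's Host matching (case-sensitive, no Match blocks), run over an abbreviated copy of the posted config, and reports which Host line each effective setting comes from. The target host names are constructed.

```python
import re

# Constructed, abbreviated copy of the posted client config
# (SendEnv and ForwardX11Trusted lines omitted).
CONFIG = """\
Host 129.177.* *.uib.no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
Host *.*
    GSSAPIAuthentication yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
"""

def pattern_matches(pattern, host):
    """ssh_config wildcards: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def host_line_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no '!' pattern does."""
    if any(pattern_matches(p[1:], host) for p in patterns if p.startswith("!")):
        return False
    return any(pattern_matches(p, host) for p in patterns if not p.startswith("!"))

def effective_options(config, host):
    """Return {option: (value, Host line it came from)}; first value obtained wins."""
    result, active, label = {}, True, "(global)"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            label = line
            active = host_line_matches(value.split(), host)
        elif active:
            result.setdefault(key.lower(), (value.strip(), label))
    return result

if __name__ == "__main__":
    for name in ("login.uib.no", "host.example.org", "shortname"):
        for opt, (val, src) in sorted(effective_options(CONFIG, name).items()):
            print(f"{name}: {opt} = {val}  [{src}]")
```

For a name outside uib.no, the delegation and key-exchange options are not set in the `Host *.*` block, so their values are taken from the later `Host *` block.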