On May 27, 2005 3:57 pm, eric wrote:
> Continuing on my battle to get 50 hosts under central administration, I've
> now gotten heimdal working. Wow, I can klist, kinit and kdestroy.
> Interesting, but logging into other machines is *more* interesting :-)
>
> I've configured SSH with the following attributes enabled (those different
> from default).
>
> PasswordAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication yes
> KerberosAuthentication yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> KerberosGetAFSToken no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> In my ~/.ssh/config file, I have...
>
> Host *
>     GSSAPIDelegateCredentials yes
>
> Next, I have the following configured in kerberos.
>
> kadmin> list *
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> plonk/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> changepw/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
>
> Then I added a host in the database
>
> kadmin> add --random-key host/somehost.example.net
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> kadmin> quit
>
Have you created and distributed a keytab file to the system running sshd? Is this your first time configuring kerberos? If it is, may I recommend picking up the O'Reilly book 'Kerberos: The Definitive Guide.' I found it handy when I sat down to play with kerberos.

> And my /etc/login.conf file has the following...
>
> staff:\
>
>         :ignorenologin:\
>         :requirehome@:\
>         :auth=krb5:
>
> ("plonk" is a local user who is part of the "staff" login class).
>
> When I try and login via SSH, I get the following sequence of events.
>
> somehost.example.net$ ssh -v kdc.example.net
> [snip]
> debug1: Authentications that can continue: publickey,gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/staff/eric/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,gssapi-with-mic
> debug1: Trying private key: /home/staff/eric/.ssh/identity
> debug1: Trying private key: /home/staff/eric/.ssh/id_dsa
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-with-mic).
>
> I've also tried this with "UseLogin yes" enabled in sshd to no luck.
>
> Here's my /etc/kerberosV/krb5.conf
>
> [libdefaults]
>         default_realm = SG.DEPAUL.EDU
>         clockskew = 300
>         ticket_lifetime = 1560
> [appdefaults]
>         default_lifetime = 7d
>         encrypt = true
>         forward = true
>         forwardable = true
>         renewable = true
>         login = {
>                 forwardable = true
>                 krb5_get_tickets = true
>         }
>         kinit = {
>                 forwardable = true
>         }
> [realms]
>         SG.DEPAUL.EDU = {
>                 kdc = kdc.depaul.edu
>                 #kdc = kdc1.sg.depaul.edu
>                 #kdc = kdc2.sg.depaul.edu
>                 #kdc = kdc3.sg.depaul.edu
>                 admin_server = palladium.sg.depaul.edu
>                 kpasswd_server = palladium.sg.depaul.edu
>         }
> [domain_realm]
>         .sg.depaul.edu = SG.DEPAUL.EDU
>         sg.depaul.edu = SG.DEPAUL.EDU
> [kadmin]
>         default_keys = v5
>
> Also, in addition to the above, is there a way to enable sudo(8) or
> su(8) to use kerberos? I think, in a former life, I recall this being
> possible....though it's been quite a while. I'm really just looking to get
> rid of accounts, if possible. Or at least change account management to be
> only done through one mechanism.
>
> Both machines above are 3.7-RELEASE running GENERIC.
>
> Thanks.
>
> - Eric
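As an added illustration of the keytab question raised in the reply above (this is not code from the thread or from any of the tools mentioned), the script below works out which host principal sshd on a given target needs in its keytab and checks a `klist -k` style listing for it. The realm map, default realm and keytab listing are constructed samples in the style of the quoted krb5.conf, and the [domain_realm] lookup is a simplified approximation of what libkrb5 does.

```python
import re

# Constructed sample inputs (not from the thread): a [domain_realm] map in the
# style of the quoted krb5.conf, and a keytab listing as `klist -k` prints it.
DEFAULT_REALM = "SG.DEPAUL.EDU"
DOMAIN_REALM = {".sg.depaul.edu": DEFAULT_REALM, "sg.depaul.edu": DEFAULT_REALM}
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/somehost.example.net@SG.DEPAUL.EDU
   2 host/somehost.example.net@SG.DEPAUL.EDU
"""

def realm_for_host(fqdn, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Approximate the libkrb5 [domain_realm] lookup: exact host match first,
    then each parent domain written with a leading dot, then default_realm."""
    host = fqdn.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm

def expected_sshd_principal(fqdn):
    """sshd accepts GSSAPI only if its keytab holds host/<its own fqdn>@<realm>."""
    return "host/%s@%s" % (fqdn.lower().rstrip("."), realm_for_host(fqdn))

def keytab_principals(listing):
    """Parse `klist -k` style output into the set of principals present."""
    found = set()
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def check_sshd_keytab(target_fqdn, listing):
    """Return (principal sshd on target_fqdn needs, whether the keytab has it)."""
    wanted = expected_sshd_principal(target_fqdn)
    return wanted, wanted in keytab_principals(listing)

if __name__ == "__main__":
    for host in ("kdc.example.net", "somehost.example.net"):
        print(check_sshd_keytab(host, SAMPLE_KEYTAB_LISTING))
```

Feed it the real output of `klist -k` on the machine that runs sshd and the name the client actually connects to; a missing principal is the usual reason gssapi-with-mic silently falls through to publickey as in the ssh -v trace.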