Re: krb5 login help

2006-10-24 Thread Chris Kuethe

On 10/24/06, Donald J. Ankney [EMAIL PROTECTED] wrote:

I've been searching mailing lists, man pages, and google with no good
results, so I'm here to ask for a little nudge in the right direction.


Did you turn on kerberos in sshd_config?

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: krb5 login help

2006-10-24 Thread Ryan Corder
On Tue, 2006-10-24 at 09:22 -0700, Donald J. Ankney wrote:
 I assume I'm missing a step here, but can't find any documentation or
 hints as to what that might be. I'd appreciate any links or
 suggestions on man pages that I should read.

what do your logs say?  is your Kerberos server in DNS?  is your time
synced (within 5 min.) with the Kerberos server?

--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646




Re: krb5 login help

2006-10-24 Thread Bob Beck
 I'm trying to configure 3.9 to authenticate against a Kerberos 5  
 realm. Kerberos is correctly configured (I can get a ticket via  
 kinit). I've created a new user class and assigned krb5-or-pwd  
 authentication (relevant portion of login.conf is below). I assigned  
 a user to the class and attempted to login as that user. It would  
 accept neither the kerberos nor local password (tried both through  
 ssh and the local console).

Did you give the wee beastie a host key on your kerberos server?
both ssh and /bin/login will attempt to verify a host key against
the server so that your kerberos server isn't getting spoofed. 

For example, one of mine looks like:

# ktutil list
FILE:/etc/kerberosV/krb5.keytab:

Vno  Type Principal  
  1  des-cbc-crc  host/[EMAIL PROTECTED]


so you need to (on your kerb server) ensure you
have a host/[EMAIL PROTECTED] key with the corresponding
key in the keytab entry on your client machine

-Bob



Re: krb5 login help

2006-10-24 Thread Donald J. Ankney

On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:



Did you give the wee beastie a host key on your kerberos server?
both ssh and /bin/login will attempt to verify a host key against
the server so that your kerberos server isn't getting spoofed.



I think this is the place where I'm running into problems. Checking  
my authlog, I find:


krb5-or-pwd: verify: Server not found in Kerberos database

The next problem is that I don't control the server (I'm trying to  
authenticate my departmental server against the university-wide  
kerberos server). I'll dig into google on that one, but on a  
conceptual note, don't I just need to have their key stored on my  
client and not vice versa? This should be a one-way trust (me  
trusting them, not vice-versa), right? Or are there security  
implications that I'm not understanding with Kerberos?




Re: krb5 login help

2006-10-24 Thread Jacob Yocom-Piatt
 Original message 
Date: Tue, 24 Oct 2006 13:28:20 -0700
From: Donald J. Ankney [EMAIL PROTECTED]  
Subject: Re: krb5 login help  
To: Bob Beck [EMAIL PROTECTED]
Cc: misc@openbsd.org

On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:


  Did you give the wee beastie a host key on your kerberos server?
 both ssh and /bin/login will attempt to verify a host key against
 the server so that your kerberos server isn't getting spoofed.


I think this is the place where I'm running into problems. Checking  
my authlog, I find:

krb5-or-pwd: verify: Server not found in Kerberos database

The next problem is that I don't control the server (I'm trying to  
authenticate my departmental server against the university-wide  
kerberos server). I'll dig into google on that one, but on a  
conceptual note, don't I just need to have their key stored on my  
client and not vice versa? This should be a one-way trust (me  
trusting them, not vice-versa), right? Or are there security  
implications that I'm not understanding with Kerberos?


you need to extract the keytab for the host you want to allow kerberosV
authentication on from the kerberosV server against which you want to
authenticate. if you are authenticating against the university-wide server, you
need to have keytabs generated by the university-wide server and then put those
on your machine.

if you are administrating the whole realm, this is easy enough to do via kadmin. do
info heimdal and read the part about keytabs. otherwise you will need to have
someone generate host keys for each of your hosts and get those keys to you.



Re: krb5 login help

2006-10-24 Thread Jacob Yocom-Piatt
 Original message 
Date: Tue, 24 Oct 2006 15:50:58 -0500 (CDT)
From: Jacob Yocom-Piatt [EMAIL PROTECTED]  
Subject: Re: krb5 login help  
To: misc@openbsd.org

The next problem is that I don't control the server (I'm trying to  
authenticate my departmental server against the university-wide  
kerberos server). I'll dig into google on that one, but on a  
conceptual note, don't I just need to have their key stored on my  
client and not vice versa? This should be a one-way trust (me  
trusting them, not vice-versa), right? Or are there security  
implications that I'm not understanding with Kerberos?


oops, i may have misunderstood your post in my first response. from the sound of
it, you want to do cross realm authentication. i am guessing that your setup is
as below

DEPT.WASHINGTON.EDU = your realm, WASHINGTON.EDU = whole university realm

you control the DEPT.WASHINGTON.EDU kdc and want users with DEPT.WASHINGTON.EDU
tickets to be able to authenticate against WASHINGTON.EDU. add a principal
krbtgt/[EMAIL PROTECTED] to both the DEPT.WASHINGTON.EDU kdc
and the WASHINGTON.EDU kdc. the key for this principal needs to be identical on
both hosts. this should give one way trust and not allow WASHINGTON.EDU ticket
holders to get into the DEPT.WASHINGTON.EDU show. you will certainly need to
work with the admin for the WASHINGTON.EDU realm to get this working.

google for cross realm authentication heimdal to dig up more info.

cheers,
jake



Re: krb5 login help

2006-10-24 Thread Bob Beck
The kerberos server admins have to add you a host key, they then give
you that key and you put it in a keytab file on your client. I.e. they
do a kadmin addprinc -pw somepassword host/[EMAIL PROTECTED]
and give you the result to put in a keytab file. 

Doing this ensures you can ask the server to send you something
encrypted with your key. If you don't do this, your kerberos
authentication is spoofable by anyone who can intercept traffic
between you and the kerb server. 

So actually, you have to ask them for the host key :) Ask
them - they should give you one.

No there isn't a knob to turn it off, that would be insecure.

Personally, how we do it here on this campus is we have an https
secured web page (https://password.srv.ualberta.ca/krb/) that we allow
any campus LAN admin types to log into and get a principal created or
modified that is of the form
host/[EMAIL PROTECTED] How your campus
kerberos admins choose to do this I wouldn't know, sorry, you'll have
to break down and ask them.

-Bob
 

* Donald J. Ankney [EMAIL PROTECTED] [2006-10-24 14:27]:
 
 On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:
 
 
  Did you give the wee beastie a host key on your kerberos server?
 both ssh and /bin/login will attempt to verify a host key against
 the server so that your kerberos server isn't getting spoofed.
 
 
 I think this is the place where I'm running into problems. Checking  
 my authlog, I find:
 
 krb5-or-pwd: verify: Server not found in Kerberos database
 
 The next problem is that I don't control the server (I'm trying to  
 authenticate my departmental server against the university-wide  
 kerberos server). I'll dig into google on that one, but on a  
 conceptual note, don't I just need to have their key stored on my  
 client and not vice versa? This should be a one-way trust (me  
 trusting them, not vice-versa), right? Or are there security  
 implications that I'm not understanding with Kerberos?
 
 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}
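Bob's point in both of his replies is that the client must hold a host/<fqdn>@REALM key in its keytab, because login and sshd use that key to verify the KDC rather than trusting whatever answers on the network. The following is an added example, not code from the thread: a small Python reader for the version-2 keytab file format (the layout Heimdal's ktutil writes to the FILE: path shown above) that checks whether the expected host entry is present. The host name, realm, enctype and key bytes in the sample are constructed; the only real file format detail assumed is the keytab v2 layout itself.

```python
import struct
def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a version-2 keytab (sample input only)."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes):
    """Return (principal, enctype, kvno) per entry of a v2 keytab (Heimdal/MIT layout); keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        parts, pos = [], pos + 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            part, pos = _read_counted(data, pos)
            parts.append(part.decode())
        pos += 8                    # skip name_type and timestamp
        vno8, (enctype,) = data[pos], struct.unpack_from(">H", data, pos + 1)
        _, pos = _read_counted(data, pos + 3)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
        pos = end
    return entries

def has_host_key(data: bytes, fqdn: str, realm: str) -> bool:
    # login(1)/sshd verify the KDC with exactly this entry: host/<fqdn>@<realm>
    return any(p == f"host/{fqdn}@{realm}" for p, _, _ in parse_keytab(data))

SAMPLE = build_keytab([("host/dept.example.org@EXAMPLE.ORG", 23, 3, b"\x11" * 16)])  # constructed
```

Point parse_keytab at the bytes of the FILE: path ktutil printed to see which host principals the client actually holds; a short hostname instead of the FQDN, or a realm in the wrong case, is the usual way this check fails on the client side. The "Server not found in Kerberos database" line in the thread is the other half of the same setup, the KDC side not knowing the host principal at all.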