Re: krb5 login help
The kerberos server admins have to add you a host key, they then give you that key and you put it in a keytab file on your client. I.e. they do a "kadmin addprinc -pw somepassword host/[EMAIL PROTECTED]" and give you the result to put in a keytab file.

Doing this ensures you can ask the server to send you something encrypted with your key. If you don't do this, your kerberos authentication is spoofable by anyone who can intercept traffic between you and the kerb server. So actually, you have to ask them for the host key :) Ask them - they should give you one. No, there isn't a knob to turn it off, that would be insecure.

Personally, how we do it here on this campus is we have an https secured web page (https://password.srv.ualberta.ca/krb/) that we allow any campus LAN admin types to log into and get a principal created or modified that is of the form host/[EMAIL PROTECTED]

How your campus kerberos admins choose to do this I wouldn't know, sorry, you'll have to break down and ask them.

-Bob

* Donald J. Ankney <[EMAIL PROTECTED]> [2006-10-24 14:27]:
>
> On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:
>
> > Did you give the wee beastie a host key on your kerberos server?
> > both ssh and /bin/login will attempt to verify a host key against
> > the server so that your kerberos server isn't getting spoofed.
>
> I think this is the place where I'm running into problems. Checking
> my authlog, I find:
>
> krb5-or-pwd: verify: Server not found in Kerberos database
>
> The next problem is that I don't control the server (I'm trying to
> authenticate my departmental server against the university-wide
> kerberos server). I'll dig into google on that one, but on a
> conceptual note, don't I just need to have their key stored on my
> client and not vice versa? This should be a one-way trust (me
> trusting them, not vice-versa), right? Or are there security
> implications that I'm not understanding with Kerberos?
>

--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) { print "Larry and Tom must smoke some really primo stuff...\n"; }
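As an added illustration (not code from this thread), the following Python toy models the host-key verification Bob describes: the client asks the KDC for a ticket for its own host/ principal and checks that the ticket was produced under the key held in its local keytab. Principal names and keys are constructed, and an HMAC tag stands in for the service-key encryption of a real ticket.

```python
# Toy model of the host-key "verify" step done by krb5-or-pwd / sshd.
# Principal names and keys are constructed; an HMAC tag stands in for the
# service-key encryption of a real Kerberos ticket.
import hashlib
import hmac
import os

HOST_PRINC = "host/dept.example.edu@EXAMPLE.EDU"  # constructed host principal

class Kdc:
    """A KDC holding a principal -> key database (possibly incomplete or rogue)."""

    def __init__(self, principals):
        self.db = dict(principals)

    def service_ticket(self, service_princ, session_info):
        key = self.db.get(service_princ)
        if key is None:  # the error the original poster found in authlog
            raise LookupError("Server not found in Kerberos database")
        return session_info, hmac.new(key, session_info, hashlib.sha256).digest()

def verify_kdc(kdc, keytab, host_princ=HOST_PRINC):
    """Return (ok, reason); ok only if the KDC proves it knows our host key."""
    if host_princ not in keytab:
        return False, "no host key in local keytab"
    session_info = b"constructed session data"
    try:
        body, tag = kdc.service_ticket(host_princ, session_info)
    except LookupError as exc:
        return False, f"verify: {exc}"
    expected = hmac.new(keytab[host_princ], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "ticket not under our host key (KDC spoofed?)"
    return True, "KDC verified"

def demo():
    """Run the check against a correct, an unregistered and a rogue KDC."""
    host_key = os.urandom(32)
    keytab = {HOST_PRINC: host_key}                # contents of the client keytab
    real_kdc = Kdc({HOST_PRINC: host_key})         # admins created host/ with our key
    unregistered_kdc = Kdc({})                     # host principal never created
    rogue_kdc = Kdc({HOST_PRINC: os.urandom(32)})  # someone answering in the KDC's place
    return {
        "real": verify_kdc(real_kdc, keytab),
        "unregistered": verify_kdc(unregistered_kdc, keytab),
        "rogue": verify_kdc(rogue_kdc, keytab),
        "no_keytab": verify_kdc(real_kdc, {}),
    }
```

Only the real KDC passes; the unregistered case reproduces the "Server not found in Kerberos database" message from the authlog, and a KDC that does not hold the host key is rejected.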
Re: krb5 login help
Original message
>Date: Tue, 24 Oct 2006 15:50:58 -0500 (CDT)
>From: Jacob Yocom-Piatt <[EMAIL PROTECTED]>
>Subject: Re: krb5 login help
>To: misc@openbsd.org
>
>>The next problem is that I don't control the server (I'm trying to
>>authenticate my departmental server against the university-wide
>>kerberos server). I'll dig into google on that one, but on a
>>conceptual note, don't I just need to have their key stored on my
>>client and not vice versa? This should be a one-way trust (me
>>trusting them, not vice-versa), right? Or are there security
>>implications that I'm not understanding with Kerberos?
>>

oops, i may have misunderstood your post in my first response. from the sound of it, you want to do cross realm authentication. i am guessing that your setup is as below:

DEPT.WASHINGTON.EDU = your realm
WASHINGTON.EDU = whole university realm

you control the DEPT.WASHINGTON.EDU kdc and want users with DEPT.WASHINGTON.EDU tickets to be able to authenticate against WASHINGTON.EDU. add a principal krbtgt/[EMAIL PROTECTED] to both the DEPT.WASHINGTON.EDU kdc and the WASHINGTON.EDU kdc. the key for this principal needs to be identical on both hosts. this should give one way trust and not allow WASHINGTON.EDU ticket holders to get into the DEPT.WASHINGTON.EDU show.

you will certainly need to work with the admin for the WASHINGTON.EDU realm to get this working. google for "cross realm authentication heimdal" to dig up more info.

cheers,
jake
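As an added illustration of the one-way trust Jake describes (not code from the thread), this Python toy decides which direction a cross-realm login can go from the contents of the two KDC databases. It assumes the standard Kerberos naming of the shared cross-realm principal, krbtgt/SERVICE_REALM@CLIENT_REALM; the realm names are the ones from the thread and the keys are constructed.

```python
# Toy model of one-way cross-realm trust. Each KDC database is a plain dict of
# principal -> key. Realm names are taken from the thread; keys are constructed.
# Assumed convention: the shared principal is krbtgt/SERVICE_REALM@CLIENT_REALM.
import hmac
import os

DEPT = "DEPT.WASHINGTON.EDU"  # departmental realm (the poster's own KDC)
UNIV = "WASHINGTON.EDU"       # university-wide realm

def cross_realm_tgt(client_realm, service_realm):
    """Name of the shared principal letting client_realm users reach service_realm."""
    return f"krbtgt/{service_realm}@{client_realm}"

def can_reach(client_realm, service_realm, kdcs):
    """True if a client_realm user can obtain tickets for services in service_realm.

    kdcs maps realm -> {principal: key}. The cross-realm TGT principal must exist
    in both KDCs with the same key: the client realm's KDC issues the cross-realm
    TGT under it, and the service realm's KDC must be able to decrypt it."""
    if client_realm == service_realm:
        return True
    name = cross_realm_tgt(client_realm, service_realm)
    issuer_key = kdcs[client_realm].get(name)
    acceptor_key = kdcs[service_realm].get(name)
    if issuer_key is None or acceptor_key is None:
        return False
    return hmac.compare_digest(issuer_key, acceptor_key)

def demo():
    """Set up the trust Jake describes and probe it in both directions."""
    shared = os.urandom(32)  # the one key both realm admins must agree on
    name = cross_realm_tgt(DEPT, UNIV)
    kdcs = {DEPT: {name: shared}, UNIV: {name: shared}}
    # Same principal on both sides but with different keys: the trust is broken.
    mismatched = {DEPT: {name: shared}, UNIV: {name: os.urandom(32)}}
    return {
        "dept_to_univ": can_reach(DEPT, UNIV, kdcs),
        "univ_to_dept": can_reach(UNIV, DEPT, kdcs),
        "dept_to_univ_mismatched_keys": can_reach(DEPT, UNIV, mismatched),
    }
```

With only krbtgt/WASHINGTON.EDU@DEPT.WASHINGTON.EDU shared, DEPT users can reach WASHINGTON.EDU services while WASHINGTON.EDU ticket holders cannot come the other way.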
Re: krb5 login help
Original message
>Date: Tue, 24 Oct 2006 13:28:20 -0700
>From: "Donald J. Ankney" <[EMAIL PROTECTED]>
>Subject: Re: krb5 login help
>To: Bob Beck <[EMAIL PROTECTED]>
>Cc: misc@openbsd.org
>
>On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:
>
>> Did you give the wee beastie a host key on your kerberos server?
>> both ssh and /bin/login will attempt to verify a host key against
>> the server so that your kerberos server isn't getting spoofed.
>
>I think this is the place where I'm running into problems. Checking
>my authlog, I find:
>
>krb5-or-pwd: verify: Server not found in Kerberos database
>
>The next problem is that I don't control the server (I'm trying to
>authenticate my departmental server against the university-wide
>kerberos server). I'll dig into google on that one, but on a
>conceptual note, don't I just need to have their key stored on my
>client and not vice versa? This should be a one-way trust (me
>trusting them, not vice-versa), right? Or are there security
>implications that I'm not understanding with Kerberos?
>

you need to extract the keytab for the host you want to allow kerberosV authentication on from the kerberosV server against which you want to authenticate. if you are authenticating against the university-wide server, you need to have keytabs generated by the university-wide server and then put those on your machine.

if you are administrating the whole realm, this is easy enough to do via kadmin. do "info heimdal" and read the part about keytabs. otherwise you will need to have someone generate host keys for each of your hosts and get those keys to you.
Re: krb5 login help
On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:

> Did you give the wee beastie a host key on your kerberos server?
> both ssh and /bin/login will attempt to verify a host key against
> the server so that your kerberos server isn't getting spoofed.

I think this is the place where I'm running into problems. Checking my authlog, I find:

krb5-or-pwd: verify: Server not found in Kerberos database

The next problem is that I don't control the server (I'm trying to authenticate my departmental server against the university-wide kerberos server). I'll dig into google on that one, but on a conceptual note, don't I just need to have their key stored on my client and not vice versa? This should be a one-way trust (me trusting them, not vice-versa), right? Or are there security implications that I'm not understanding with Kerberos?
Re: krb5 login help
> I'm trying to configure 3.9 to authenticate against a Kerberos 5
> realm. Kerberos is correctly configured (I can get a ticket via
> kinit). I've created a new user class and assigned krb5-or-pwd
> authentication (relevant portion of login.conf is below). I assigned
> a user to the class and attempted to login as that user. It would
> accept neither the kerberos nor local password (tried both through
> ssh and the local console).

Did you give the wee beastie a host key on your kerberos server? both ssh and /bin/login will attempt to verify a host key against the server so that your kerberos server isn't getting spoofed.

For example, one of mine looks like:

# ktutil list
FILE:/etc/kerberosV/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/[EMAIL PROTECTED]

so you need to (on your kerb server) ensure you have a host/[EMAIL PROTECTED] key with the corresponding key in the keytab entry on your client machine

-Bob
Re: krb5 login help
On Tue, 2006-10-24 at 09:22 -0700, Donald J. Ankney wrote:
> I assume I'm missing a step here, but can't find any documentation or
> hints as to what that might be. I'd appreciate any links or
> suggestions on man pages that I should read.

what do your logs say?
is your Kerberos server in DNS?
is your time synced (within 5 min.) with the Kerberos server?

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
Re: krb5 login help
On 10/24/06, Donald J. Ankney <[EMAIL PROTECTED]> wrote:
> I've been searching mailing lists, man pages, and google with no good
> results, so I'm here to ask for a little nudge in the right direction.

Did you turn on kerberos in sshd_config?

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
krb5 login help
I've been searching mailing lists, man pages, and google with no good results, so I'm here to ask for a little nudge in the right direction.

I'm trying to configure 3.9 to authenticate against a Kerberos 5 realm. Kerberos is correctly configured (I can get a ticket via kinit). I've created a new user class and assigned krb5-or-pwd authentication (relevant portion of login.conf is below). I assigned a user to the class and attempted to login as that user. It would accept neither the kerberos nor local password (tried both through ssh and the local console).

My next thought was that krb5 will allow authentication via a ticket only (and not interactive login), so I grabbed a ticket (kinit -f) on another system and tried to ssh in with the same results -- it prompted for a password and accepted neither the kerberos nor local passwords.

I assume I'm missing a step here, but can't find any documentation or hints as to what that might be. I'd appreciate any links or suggestions on man pages that I should read.

Thanks in advance.

--
Don

login.conf excerpt:
-
netid:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
	:umask=022:\
	:datasize-max=512M:\
	:datasize-cur=512M:\
	:maxproc-max=128:\
	:maxproc-cur=64:\
	:openfiles-cur=64:\
	:stacksize-cur=4M:\
	:localcipher=blowfish,6:\
	:ypcipher=old:\
	:auth=krb5-or-pwd: