Kerberos authentication and LDAP authorization
RJ45
rj45 at slacknet.com
Wed Mar 7 09:43:16 UTC 2007
There are many difficulties, and YES, there is the documentation
in the FreeBSD handbook, but it did not help me so much; I still have
difficulties.
I installed MIT krb5 as well, and I am using kadmin from MIT
to manage the krb5 server.
First problem:
kadmin: ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to
keytab
I can't understand this message. I touched /etc/krb5.keytab,
but via kadmin it is unable to export the krb5 key I added before
with
addprinc -randkey host/host.domain
I also did chmod 777 on krb5.keytab; no luck.
In the end I exported it from the KDC and copied it by hand to
/etc/krb5.keytab on my FreeBSD client box, but I do not know
if it will work this way.
Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.
I tried everything:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
Then I changed /etc/pam.d/sshd:
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
and ssh won't authenticate via Kerberos:
Mar 7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from
131.x.y.z
Mar 7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error
for illegal user myself from mylapdop.domain
I must be missing something, I do not know what...
Actually, I do not think this scenario is commonly used by BSD users,
and I cannot find documentation to help myself; anyway, I need this
scenario, which was implemented on Linux before.
I do not want to use Linux for this purpose anyway (bastion SSH
box for public login via krb5/ldap).
In the end, anyway, the scenario needs to be krb5 for authentication
and LDAP for authorization.
For now I am not able to authenticate via krb5.
Any hints?
Thanks,
Rick
On Tue, 6 Mar 2007, Tillman Hodgson wrote:
> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>> for example I would like to install the MIT krb5 implementation from ports
>> instead of using the Heimdal default, because the kerberos server
>> on my network is an MIT server and I can't use kadmin on FreeBSD
>> to administer the kerberos server remotely using the Heimdal implementation.
>> Does anyone have experience of the MIT krb5 implementation on FreeBSD?
>
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
>
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
>
> Other than the kadmin bits (which are fairly different between the two
> but aren't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
>
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
>
> -T
>
>
> --
> "I once bought a cellphone that had a little sticker on the box that said
> 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
> office."
> - A.S.R. quote (Andreas "Buzh" Skau)
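Two offline checks for the two symptoms in Rick's post, added here as an example; this is not code from the thread or from the krb5 or OpenSSH projects, and the file names, the sample realm and the user names are assumptions. The first check looks at the two-byte version header every MIT or Heimdal keytab starts with (0x05 0x02, or 0x05 0x01 for the original format): kadmin's "Unsupported key table format version number" is the KRB5_KEYTAB_BADVNO error it returns when an existing file does not begin with one of those, and a zero-length file made with touch(1) has no header at all, which is why the usual advice is to remove the file and let ktadd create it. The second check repeats the lookup behind sshd's "Invalid user myself": sshd logs that line when getpwnam() finds no account of that name through NSS, and it then refuses the login whatever the authentication method, so no Kerberos or PAM setting can fix it; the account has to be visible to NSS first, which is where the LDAP authorization side (nss_ldap in nsswitch.conf) comes in.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two offline checks for
# the two symptoms described in the post. Path names are illustrative.

# Every MIT or Heimdal keytab begins with a two-byte version header:
# 0x05 0x02 (current format) or 0x05 0x01 (the original format). When
# kadmin opens an existing file that does not start with one of those, it
# fails with KRB5_KEYTAB_BADVNO, whose message text is
# "Unsupported key table format version number".
keytab_header() {
    # Print the first two bytes of $1 as hex (e.g. "0502"); prints nothing
    # if the file is shorter than two bytes.
    dd if="$1" bs=1 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

keytab_header_ok() {
    case "$(keytab_header "$1")" in
        0502|0501) return 0 ;;
        *)         return 1 ;;
    esac
}

# sshd logs "Invalid user NAME from HOST" when getpwnam(NAME) fails, i.e.
# when no NSS source (passwd file, LDAP, ...) knows the account. This is
# the same lookup from the shell; it falls back to id(1) where getent(1)
# is not installed.
user_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id "$1" >/dev/null 2>&1
    fi
}

# Constructed sample files (assumption: a header only, no key entries) so
# the check runs without a KDC. They mirror the post: an empty file from
# touch(1), a file holding text that is not keytab format, and a file
# with the header kadmin writes first.
make_samples() {
    dir=$(mktemp -d)
    : > "$dir/empty.keytab"                                     # touch /etc/krb5.keytab
    printf 'host/host.domain@EXAMPLE.COM\n' > "$dir/text.keytab" # not keytab format
    printf '\005\002' > "$dir/good.keytab"                      # version 2 header
    echo "$dir"
}

report_keytab() {
    if keytab_header_ok "$1"; then
        printf '%s: header %s ok\n' "$1" "$(keytab_header "$1")"
    else
        printf '%s: header "%s" is not a keytab header; ktadd -k on it gives KRB5_KEYTAB_BADVNO. Remove the file and let kadmin create it.\n' \
            "$1" "$(keytab_header "$1")"
    fi
}

report_user() {
    if user_resolves "$1"; then
        printf '%s: resolvable via NSS\n' "$1"
    else
        printf "%s: not resolvable via NSS; sshd logs 'Invalid user %s' and refuses the login whatever the auth method\n" "$1" "$1"
    fi
}

# Stand-alone demonstration on the constructed samples.
samples=$(make_samples)
for f in "$samples"/empty.keytab "$samples"/text.keytab "$samples"/good.keytab; do
    report_keytab "$f"
done
rm -rf "$samples"
report_user root
report_user no_such_user_zz9   # assumed not to exist on the host
```

Run it as-is to see the three keytab verdicts and the two NSS lookups; to check a real box, call keytab_header_ok /etc/krb5.keytab and user_resolves on the account sshd rejected. A real keytab can also be listed with klist -k (MIT) or ktutil list (Heimdal), which fails on the same bad header.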