Kerberos authentication and LDAP authorization

RJ45 rj45 at slacknet.com
Wed Mar 7 09:43:16 UTC 2007



There are many difficulties and YES, there is the documentation in the
FreeBSD handbook, but it has not helped me so much; I still have
difficulties.

I installed MIT krb5 as well and I am using kadmin from MIT
to manage the krb5 server.


First problem

kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to 
keytab

I can't understand this message. I touched /etc/krb5.keytab,
but via kadmin it is unable to export the krb5 key I added before
with

  addprinc -randkey host/host.domain

I also ran chmod 777 krb5.keytab, but it made no difference.

In the end I exported it from the KDC and copied it by hand to
/etc/krb5.keytab on my client FreeBSD box, but I do not know
if it will work this way.

Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.

I tried everything:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


and ssh won't authenticate via Kerberos:

Mar  7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
Mar  7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain


I must be missing something, I do not know what...

Actually I do not think this scenario is commonly used by BSD users,
and I cannot find documentation to help myself; anyway I need this
scenario, which was implemented on Linux before.
I do not want to use Linux for this purpose anyway (bastion SSH
box for public login via krb5/ldap).
In the end the scenario needs to be krb5 for authentication
and LDAP for authorization.

For now I am not able to authenticate via krb5.

Any hints?

Thanks

Rick


On Tue, 6 Mar 2007, Tillman Hodgson wrote:

> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>> For example, I would like to install the MIT krb5 implementation from ports
>> instead of using the Heimdal default, because the Kerberos server
>> on my network is an MIT server and I can't use kadmin on FreeBSD
>> to administer the Kerberos server remotely using the Heimdal implementation.
>> Does anyone have experience with the MIT krb5 implementation on FreeBSD?
>
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
>
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
>
> Other than the kadmin bits (which are fairly different between the two
> but isn't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
>
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
>
> -T
>
>
> -- 
> "I once bought a cellphone that had a little sticker on the box that said
> 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
>  office."
>    - A.S.R. quote (Andreas "Buzh" Skau)
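The "Unsupported key table format version number" message names exactly what a krb5 library checks first when it opens a keytab: the two-byte version header. A keytab created with touch is a zero-byte file with no header at all. As an added example (not code from this thread or from MIT Kerberos), the following Python parser reads the binary keytab format and reports that rejection reason; the realm EXAMPLE.COM, the all-zero key bytes and the sample entry are constructed values.

```python
import struct
KEYTAB_V2 = b"\x05\x02"  # magic byte 0x05 followed by keytab format version 2

def _counted(buf, off):
    # uint16 length prefix followed by that many bytes (realm and principal components)
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(buf):
    # body layout: ncomp, realm, components, name_type, timestamp, vno8, enctype, key[, kvno32]
    (ncomp,) = struct.unpack(">H", buf[:2])
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode())
    vno8, enctype, klen = struct.unpack(">BHH", buf[off + 8:off + 13])  # skips name_type, timestamp
    off += 13 + klen
    kvno = struct.unpack(">I", buf[off:off + 4])[0] if off + 4 <= len(buf) else vno8  # 32-bit kvno trailer
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    """Parse a v2 keytab; raise ValueError with the reason a krb5 library rejects it."""
    if len(data) < 2:
        raise ValueError("Unsupported key table format version number: zero-byte file, no header")
    if data[:2] != KEYTAB_V2:
        raise ValueError(f"Unsupported key table format version number: {data[:2].hex()}")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size > 0:  # a negative size marks a deleted slot of that length, which is skipped
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def keytab_problem(data):  # rejection reason for data, or None when it parses cleanly
    try:
        parse_keytab(data)
    except ValueError as exc:
        return str(exc)

def _cstr(s):  # counted octet string, as written by ktadd
    return struct.pack(">H", len(s)) + s.encode()

# Constructed sample: realm EXAMPLE.COM and the all-zero 32-byte aes256 key (enctype 18) are made up.
SAMPLE_BODY = (struct.pack(">H", 2) + _cstr("EXAMPLE.COM") + _cstr("host") + _cstr("host.domain")
               + struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(32) + struct.pack(">I", 3))
SAMPLE_KEYTAB = KEYTAB_V2 + struct.pack(">i", len(SAMPLE_BODY)) + SAMPLE_BODY
EMPTY_KEYTAB = b""  # what `touch /etc/krb5.keytab` leaves behind: zero bytes, no version header
```

Running keytab_problem on a real file read in binary mode tells you whether the copy of the keytab you carried over by hand has a valid header and which principal and kvno it holds, which is the first thing to compare against the KDC before blaming sshd or PAM.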

