Kerberized login for LINUX
Rod Smith
rodsmith at rodsmith.dyndns.org
Thu Aug 29 10:24:01 EDT 2002
In article <3D6E081D.DA911868 at gmx.de>,
harry_rueter at gmx.de (Harry Rüter) writes:
> Hi,
>
> i'm interested in changing my login
> on my LINUX-running computer to a kerberized one.
>
> So, is there a page on the web, which describes the things i
> have to do step by step ?
> Or can someone on the list tell me the necessary steps ?
I don't know of a Web site that provides step-by-step instructions for
doing this, although it's possible to piece it together from various
standard Kerberos Web sites and documentation that comes with Kerberos.
It's covered in my book, _Advanced Linux Networking_, as well (see
http://www.rodsbooks.com/adv-net/ for more information).
> The problem is, that a misconfiguration could make the
> computer inaccessible. Is there a fallback ?
You could leave yourself logged in as root (ideally at the console),
make changes, and test the changes. That way, if anything goes wrong,
you can correct the problem from the existing root login. In a
worst-case scenario, you may need to boot with an emergency boot disk to
recover the system, so have such a disk ready and tested.
> Do i have to use klogin or is there a PAM-solution
> (which would provide the fallback) ?
The Kerberized login program (I've usually seen it called login.krb5,
but it may be klogin, as you say, in some packages) should work for
text-mode logins and is fairly straightforward to install, once
Kerberos is up and running -- the latter is much harder than installing
the kerberized login program itself. There are several PAM solutions. I
haven't tried all of them, but some I've run across include:
- Brashier's module -- Check ftp://ftp.dementia.org/pub/pam/ for files
beginning pam_krb4. These work with Kerberos V4, in case you're still
running that.
- King's module -- The ftp://ftp.dementia.org/pub/pam/ site hosts files
beginning pam_krb5 which work with Kerberos V5. I had problems
compiling these when I tried, but you may have more luck.
- Cusack's module -- check http://www.nectar.com/zope/krb/ for a
package that was written for Solaris but that reportedly also works
with Linux. This module works with Kerberos V5. I'm getting DNS
errors on that domain at the moment, though; perhaps this Web page
has moved.
- Red Hat's module -- Red Hat has made precompiled Kerberos PAM modules
available. I'm not positive, but I think they're based on Cusack's
work. Look for an RPM called pam_krb5. If you're using Red Hat, this
is the easiest way to go. If not, you might still be able to use the
package, although you may need to muck with PAM configuration files.
- Debian's module -- Debian has made PAM modules available; check on
http://ftp.nl.debian.org/debian/pool/non-US/main/libp/libpam-heimdal.
These should work with Debian's Heimdal packages. I'm not sure if they
could be adapted for use with other Kerberos systems.
The PAM solution will, of course, work with any PAM-using login or
other password-using authentication method, including the conventional
login program, most XDMCP servers for Linux, su and sudo, xlock, etc.
Servers like FTP may be configured to use Kerberos, but they'll still
send passwords as cleartext; it's better to use explicitly kerberized
servers in such cases.
If you just need a Kerberized XDMCP package, I gather that such things
exist, but I don't have any URLs, offhand. IMHO, it's better to use PAM
if you want to Kerberize more than a couple of login methods; that's why
PAM was created, and although it'll be harder to set up than a single
explicitly Kerberized login program, it may be simpler than setting up
several Kerberized login programs.
--
Rod Smith, rodsmith at rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, networking, & multi-OS configuration
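Added example (not part of the original post): a /etc/pam.d/login stack that tries Kerberos first and falls back to the local /etc/shadow password, which is the "fallback" the question asks about. It assumes Linux-PAM with pam_unix and a Kerberos V5 PAM module installed under the name pam_krb5 (for instance the Red Hat RPM mentioned above); the option names use_first_pass and pam_deny are standard Linux-PAM, but check your module's man page, and on older Linux-PAM builds give full paths such as /lib/security/pam_krb5.so.

```text
# /etc/pam.d/login -- Kerberos authentication with a local fallback.
# Added example, not from the original post. Assumes Linux-PAM,
# pam_unix and a pam_krb5 module; older builds need full module paths.

# auth: pam_krb5 asks for the password and tries to obtain a TGT.
# "sufficient" means a Kerberos success ends the stack. If the KDC is
# unreachable or pam_krb5 is misconfigured, pam_unix re-uses the same
# password (use_first_pass) against /etc/shadow, so root and any
# account with a local password can still log in at the console.
# pam_deny at the end fails closed if neither module accepted.
auth     required    pam_securetty.so
auth     required    pam_env.so
auth     sufficient  pam_krb5.so
auth     sufficient  pam_unix.so use_first_pass
auth     required    pam_deny.so

# account: keep enforcing local expiry and lockout from /etc/shadow,
# even for users who authenticated through Kerberos.
account  required    pam_unix.so

# session: pam_krb5 writes the TGT to a credential cache at login and
# destroys it at logout. "optional" so a cache problem cannot block
# the session once authentication has succeeded.
session  required    pam_unix.so
session  optional    pam_krb5.so
```

To test it the way the reply suggests, keep a root shell open on the console, copy the existing /etc/pam.d/login aside before editing, then log in as a test user on a second virtual console and run klist there to confirm a ticket was issued. Two caveats: root should not have a Kerberos principal that this stack would accept, so that its login always goes through the local password; and a PAM module that only checks that the KDC returned a ticket can be fooled by a fake KDC, so give the host its own key in /etc/krb5.keytab and make sure the module you chose verifies the ticket against it.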