Question About Kerberos

Srinivas Cheruku csri at sonata-software.com
Thu Mar 21 07:43:23 EST 2002


There is a small correction to my previous mail

Q3. 
No need to create the same user.
a. You need to add the principal name with which you want to access the account
in .k5login

b. Connect using the command below:
$ ssh -l user hostname



-----Original Message-----
From: Srinivas Cheruku [mailto:csri at sonata-software.com]
Sent: Thursday, March 21, 2002 6:07 PM
To: dannylai at pacific.net.sg; kerberos at mit.edu
Subject: RE: Question About Kerberos


I can give a solution for your questions 2 and 3, and I have never worked with SSH2,
hence can't answer 1.

Q2.
Regarding installing OpenSSH with Kerberos, I can help you.

a.	Download OpenSSH from http://www.openssh.com/ and the
Kerberos/GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh.html

b.	Extract the openssh-2.9p2.tar file and then apply the patch:
# cd openssh-2.9p2
# patch -p1 < ../openssh-2.9p2-gssapi.patch

c.	Configuration and Installation
# pwd
/sparc/usr/srinivas/openssh-2.9p2
# autoreconf
The autoreconf version should be later than 2.50.
# ./configure --with-kerberos5=<MIT Kerberos Installation path> \
    --sysconfdir=/etc/ssh

# make
# make install

There is no need to change the /etc/ssh/sshd_config file. By default it makes use
of Kerberos Authentication.

d.	Start the sshd daemon.
# /usr/local/sbin/sshd
#

e.	Get a TGT from the MIT KDC.
$ ./kinit -f user@REALM.COM
Extract the service key of the host principal to keytab file.

f. Connect to the sshd server using ssh client
$ ssh -v hostname
Then, the ssh client contacts MIT KDC and gets a service ticket for host. It
also forwards the TGT to the secure shell.

g.	When you type klist in the shell, then you can see the forwarded
TGT.


Q3. 
No need to create the same user.
a. You need to add the principal name with which you want to access the account
in .k5login

b. Connect using the command below:
$ ssh -l user@REALM hostname

Good Luck,
Srini

-----Original Message-----
From: dannylai at pacific.net.sg [mailto:dannylai at pacific.net.sg]
Sent: Wednesday, March 20, 2002 8:59 PM
To: kerberos at mit.edu
Subject: Question About Kerberos


Hi

I am new to Kerberos. Recently, I have installed a Kerberos5 version
1.2.4 on a RedHat 7.2 server with a realm name UNIVERSAL.COM. In the
same server, I also installed a SSH2 version 3.1.0 from SSH
Communication. I compiled the SSH2 source code with
"--with-kerberos5". In addition, I also include the parameters

"AllowedAuthentication kerberos-1@ssh.com, kerberos-tgt-1@ssh.com" in
the /etc/ssh2/sshd2_config.

I have no problem logging on to the same machine using Kerberos
authentication.

To test a remote kerberized host, I have installed another machine
with RedHat 6.2 and installed a kerberized SSH2 version 3.1.0
with the same configuration for the /etc/ssh2/sshd2_config. However,
the authentication does not work this round.

(a) Can you indicate which portion is not configured correctly?

(b) I was trying to install OpenSSH but I can't find any article
that mentions configuring OpenSSH with Kerberos V. Where can I locate
any document?

(c) If I am not wrong, for each kerberized host, to allow a kerberos
user to log on to this host, I need to add the same user account name in
the kerberized host's /etc/passwd but without a password. Is that how it is
supposed to be?

Thank you very much for answering my question.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
*********************************************************************
Disclaimer: The information in this e-mail and any attachments is
confidential / privileged. It is intended solely for the addressee or
addressees. If you are not the addressee indicated in this message, you may
not copy or deliver this message to anyone. In such case, you should destroy
this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for
messages of this kind.
*********************************************************************
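
An added example, not part of the original mails: a small shell check for the .k5login step in Q3, since every principal listed in that file is allowed into the account. REALM.COM and the sample principals are constructed values, and flagging writable files, cross-realm entries and entries without a realm is this example's own policy.

```sh
#!/bin/sh
# Added example: audit who a .k5login file lets into an account.
# The realm and principals below are constructed sample values.

# audit_k5login FILE REALM
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_k5login() {
    file=$1; realm=$2; bad=0; n=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"; return 1
    fi
    # Policy of this example: whoever can write the file can add their own
    # principal, so group/world write bits are a finding.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: $file is group- or world-writable"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '') ;;                                   # blank line, ignore
            *[!A-Za-z0-9@._/-]*)                     # stray whitespace etc.
                echo "MALFORMED: line $n: $line"; bad=1 ;;
            ?*@"$realm") ;;                          # expected realm, fine
            ?*@?*)
                echo "FOREIGN_REALM: line $n: $line"; bad=1 ;;
            *)
                echo "NO_REALM: line $n: $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample: one expected entry, one cross-realm, one incomplete.
sample=$(mktemp)
printf '%s\n' 'alice@REALM.COM' 'bob/admin@OTHER.ORG' 'carol' > "$sample"
chmod 600 "$sample"
audit_k5login "$sample" REALM.COM || echo "review the entries above"
rm -f "$sample"
```

Run it against each account's ~/.k5login with the site's own realm name as the second argument.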