Question About Kerberos

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Mar 21 08:12:39 EST 2002


No, don't use OpenSSH 2.9p2 - use 3.0.2p1 with Simon's latest GSS patch
plus the patch for the recent channels.c security bug.

Simon's GSS patch for OpenSSH 2.9p2 supports an old version of the
SSH/GSS draft.

Cheers,

Nico

On Thu, Mar 21, 2002 at 06:06:56PM +0530, Srinivas Cheruku wrote:
> I can give solutions for your questions 2 and 3, and I never worked with SSH2,
> hence can't answer 1.
> 
> Q2.
> Regarding installing OpenSSH with Kerberos i can help you.
> 
> a.	Downloaded OpenSSH  from http://www.openssh.com/ and the
> Kerberos/GSSAPI patch from
> http://www.sxw.org.uk/computing/patches/openssh.html
> 
> b.	Extract the openssh-2.9p2.tar file and then apply the patch by
> # cd openssh-2.9p2
> # patch -p1 < ../openssh-2.9p2-gssapi.patch
> 
> c.	Configuration and Installation
> #pwd
> /sparc/usr/srinivas/openssh-2.9p2
> #autoreconf 
> autoreconf version should be later than 2.50
> # ./configure --with-kerberos5=<MIT Kerberos Installation path> --sysconfdir=/etc/ssh
> 
> #make
> #make install
> 
> No need of changing the /etc/ssh/sshd_config file. By default it makes use
> of Kerberos Authentication.
> 
> d.	Start the sshd daemon.
> # /usr/local/sbin/sshd
> #
> 
> e.	Get a TGT from the MIT KDC.
> $ ./kinit -f user@REALM.COM
> Extract the service key of the host principal to keytab file.
> 
> f. Connect to the sshd server using ssh client
> $ ssh -v hostname
> Then, the ssh client contacts MIT KDC and gets a service ticket for host. It
> also forwards the TGT to the secure shell.
> 
> g.	When you type klist in the shell, then you can see the forwarded
> TGT.
> 
> 
> Q3. 
> No need of creating the same user.
> a. You need to add the principal name with which you want to access the account
> in .k5login
> 
> b. Connect using the below command
> $ ssh -l user@REALM hostname
> 
> Good Luck,
> Srini
> 
> -----Original Message-----
> From: dannylai at pacific.net.sg [mailto:dannylai at pacific.net.sg]
> Sent: Wednesday, March 20, 2002 8:59 PM
> To: kerberos at mit.edu
> Subject: Question About Kerberos
> 
> 
> Hi
> 
> I am new to Kerberos. Recently, I have installed a Kerberos5 version
> 1.2.4 on a RedHat 7.2 server with a realm name UNIVERSAL.COM. In the
> same server, I also installed a SSH2 version 3.1.0 from SSH
> Communication. I compiled the SSH2 source code with
> "--with-kerberos5". In addition, I also include the parameters
> 
> "AllowedAuthentication kerberos-1@ssh.com, kerberos-tgt-1@ssh.com" in
> the /etc/ssh2/sshd2_config.
> 
> I have no problem to logon to the same machine using Kerberos
> authentication.
> 
> To test a remote kerberized host, I have installed another machine
> with RedHat 6.2 and installed with a kerberized SSH2 version 3.1.0
> with the same configuration for the /etc/ssh2/sshd2_config. However,
> the authentication does not work this round.
> 
> (a) Can you indicate which portion is not configured correctly?
> 
> (b) I was trying to install OpenSSH but I can't find any article
> mentioning configuring OpenSSH with Kerberos V. Where can I locate
> any document?
> 
> (c) If I am not wrong, for each kerberized host, to allow a kerberos
> user to log on to this host, I need to add the same user account name in
> the kerberized host's /etc/passwd but without a password. Is it supposed to
> be?
> 
> Thank you very much for answering my question.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
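
The .k5login rule from the Q3 answer quoted above, as an added example that is not part of the original thread and is not MIT's krb5_kuserok code. It is a simplified model: the function name `k5login_allows`, its arguments and the sample principals are assumptions made for illustration, and file ownership checks are left out.

```shell
#!/bin/sh
# Simplified model of .k5login authorization (added example, not MIT's code).
# Usage: k5login_allows PRINCIPAL LOCAL_USER K5LOGIN_PATH DEFAULT_REALM
# Returns 0 if PRINCIPAL may log in to LOCAL_USER's account, 1 otherwise.
k5login_allows() {
    principal=$1
    local_user=$2
    k5login=$3
    default_realm=$4

    if [ -f "$k5login" ]; then
        # The file exists: only principals listed in it (one per line) are
        # accepted. The account owner's own principal must be listed too.
        while IFS= read -r line || [ -n "$line" ]; do
            # Drop a CR from DOS line endings and trim surrounding whitespace.
            entry=$(printf '%s' "$line" | tr -d '\r' |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            if [ -z "$entry" ]; then
                continue
            fi
            if [ "$entry" = "$principal" ]; then
                return 0
            fi
        done < "$k5login"
        return 1
    fi

    # No .k5login: fall back to the default mapping, where only
    # LOCAL_USER@DEFAULT_REALM maps to the local account.
    if [ "$principal" = "$local_user@$default_realm" ]; then
        return 0
    fi
    return 1
}

# Constructed demo: alice's .k5login lists only a principal from another realm.
demo() {
    dir=$(mktemp -d)
    printf 'bob@OTHER.ORG\n' > "$dir/k5login"
    for p in bob@OTHER.ORG alice@UNIVERSAL.COM; do
        if k5login_allows "$p" alice "$dir/k5login" UNIVERSAL.COM; then
            echo "$p -> alice: allowed"
        else
            echo "$p -> alice: denied"
        fi
    done
    rm -rf "$dir"
}
demo
```

The demo shows the case that surprises people when auditing: once a .k5login exists, the account owner's own principal is denied unless it is listed as well.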
