Question About Kerberos

Danny Lai dannylai at pacific.net.sg
Tue Mar 26 05:00:15 EST 2002 

csri at sonata-software.com (Srinivas Cheruku) wrote in message news:<E0315628431FD611BB4300C04F152376745BDF at BG1MAIL>...
> I can give solution for your questions 2 and 3 and i never worked with SSH2
> hence cant answer 1.
> 
> Q2.
> Regarding installing OpenSSH with Kerberos i can help you.
> 
> a.	Downloaded OpenSSH  from http://www.openssh.com/ and the
> Kerberos/GSSAPI patch from
> http://www.sxw.org.uk/computing/patches/openssh.html
> 
> b.	Extract the openssh-2.9p2.tar file and then apply the patch by
> #cd openssh-2.9p2
> #patch -p1 < ../ openssh-2.9p2-gssapi.patch
> 
> c.	Configuration and Installation
> #pwd
> /sparc/usr/srinivas/openssh-2.9p2
> #autoreconf 
> autoreconf version should be later than 2.50
> # ./configure --with-kerberos5=<MIT Kerberos Installation path>
> --sysconfdir=/etc/ssh
> 
> #make
> #make install
> 
> No need of changing the /etc/ssh/sshd_config file. By default it makes use
> of Kerberos Authentication.
> 
> d.	Start the sshd daemon.
> # /usr/local/sbin/sshd
> #
> 
> e.	Get a TGT from the MIT KDC.
> $./kinit -f  user at REALM.COM
> Extract the service key of the host principal to keytab file.
> 
> f. Connect to the sshd server using ssh client
> $ ssh -v hostname
> Then, the ssh client contacts MIT KDC and gets a service ticket for host. It
> also forwards the TGT to the secure shell.
> 
> g.	When you type klist in the shell, then you can see the forwarded
> TGT.
> 
> 
> Q3. 
> No need of creating the same user.
> a. you need add the principal name with which you want to access the account
> in .k5login
> 
> b. connect using the below command
> $ssh -l user at REALM hostname
> 
> Good Luck,
> Srini
> 
> -----Original Message-----
> From: dannylai at pacific.net.sg [mailto:dannylai at pacific.net.sg]
> Sent: Wednesday, March 20, 2002 8:59 PM
> To: kerberos at mit.edu
> Subject: Question About Kerberos
> 
> 
> Hi
> 
> I am new to Kerberos. Recently, I have installed a Kerberos5 version
> 1.2.4 on a RedHat 7.2 server with a realm name UNIVERSAL.COM. In the
> same server, I also installed a SSH2 version 3.1.0 from SSH
> Communication. I compiled the SSH2 source code with
> "--with-kerberos5". In addition, I also include the parameters
> 
> "AllowedAuthentication kerberos-1 at ssh.com, kerberos-tgt-1 at ssh.com" in
> the /etc/ssh2/sshd2_config.
> 
> I have no problem to logon to the same machine using Kerberos
> authentication.
> 
> To test a remote kerberize host, I have installed anonther machine
> with RedHat 6.2 and installed with a kerberized SSH2 version 3.1.0
> with the same configuration for the /etc/ssh2/sshd2_config. However,
> the authentication does not work this round.
> 
> (a) Can you indicate which portion is not configured correctly?
> 
> (b) I was trying to installed OpenSSH but I can't find any article
> mention about configuring OpenSSH with Kerberos V. Where can I locate
> any document?
> 
> (c) If I am not wrong, for each kerberize host, and allow a kerberos
> user to logon to this host, I need to add a same user account name in
> the kerberize host /etc/passwd but without password. Is it suppose to
> be?
> 
> Thank you very much for answering my question.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
> *********************************************************************
> Disclaimer: The information in this e-mail and any attachments is
> confidential / privileged. It is intended solely for the addressee or
> addressees. If you are not the addressee indicated in this message, you may
> not copy or deliver this message to anyone. In such case, you should destroy
> this message and kindly notify the sender by reply email. Please advise
> immediately if you or your employer does not consent to Internet email for
> messages of this kind.
> *********************************************************************
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

Thanks for the solutions. One more thing need to be verified, beside
the KDC server I need to install the MIT Kerberos, do I need to
install MIT Kerberos in the kerberize host that only allow my user to
ssh in?

More information about the Kerberos mailing list