SSH as root with different principal

Lukas Kubin kubin at opf.slu.cz
Thu Jul 31 06:36:53 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 31 Jul 2003, Chris Clausen wrote:

> Lukas Kubin <kubin at opf.slu.cz> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Thu, 31 Jul 2003, Christopher D. Clausen wrote:
> >
> >> Did you do "apt-get install ssh-krb5" ?
> >
> > Yes, I did. Both on client and server.
> >
> >> And then use ssh -K -l root theremoteserver
> >
> > I tried.
> >
> >> Oh, you probably need host keys in /etc/krb5.keytab for the server
> >> machine (and possibly the client).
> >
> > How do I do it? I did ktadd on the KDC server for
> > myrealusername at MYREALM, saved it to a temporary keytab file, then I
> > transferred it to /etc/krb5.keytab on the client.
> > Is there something similar I have to do on the remote server? (which is
> > also the KDC and kadmin server)
>
>
> Not a key for your user, a key for the server.
>
> You must create a host principal, in the form host/fqdn
> for example, from admin:
> kadmin:  addprinc -randkey host/sleepless.acm.uiuc.edu
> kadmin: ktadd -k /tmp/krb5.keytab host/sleepless.acm.uiuc.edu

I did, providing that "sleepless..." is the host I need to connect from,
i.e. the client.

> Securely copy this file to /etc/krb5.keytab on your server.  Also, edit
> /etc/hosts and MAKE SURE the Fully Qualified Domain Name of the machine
> is listed before any short names or things will not work.  The Debian
> configure script likes to change this quite a bit.

To which server should I copy it? To the one I want to connect to as root?
I did it.

> Does kerberized ssh work for you if you are ssh-ing to your own account
> on the remote machine?  Because just adding your user principal to
> /root/.k5login should allow you into the root account without any
> additional effort.

No. I created an account with the same username as my principal and
tried to connect. Unsuccessfully.

I will try to describe it simply to see whether I understand it or not:
- <client> is the hostname of the computer I connect from as a normal user
- <server> is the hostname of the computer I need to connect to as user root
- <myprincipal> is my K5 principal

1. In kadmin I create the host/<client>@REALM principal
2. In kadmin I "ktadd -k /tmp/keytab host/<client>@REALM"
3. Copy /tmp/keytab to <server>. Since <server> is the same machine I run
kadmin.local on, I will just move /tmp/keytab to /etc/krb5.keytab
4. On <server> I put <myprincipal> into .k5login in root's home directory
5. On <client> I get a TGT using <myprincipal>
6. On <client> I run "ssh -K root@<server>"

This is what I'm doing and it doesn't work. Should I also create a
krb5.keytab on <client>? If yes, then what key should I put in it?
Thank you.

lukas


-- 
Lukas Kubin

phone: +420596398285
email: kubin at opf.slu.cz

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE/KPFWhukdIiZrwu4RAmaZAJ99e5QcfvS2Gis2EgqaFbXj6fk10QCgimZ9
u7EtFUU7GjQZBhoLw1OphTU=
=7QLo
-----END PGP SIGNATURE-----
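Added example, not part of the original message or of any project mentioned in it. The script below lays out the procedure the quoted reply describes (a host/<fqdn> principal for the machine you connect TO, kept in that machine's /etc/krb5.keytab; the FQDN listed before any short name in /etc/hosts; the user principal in /root/.k5login) and adds an offline check for each of those three points, run here against constructed sample data that includes the "only host/<client> on the server" case from steps 1-3 above. The hostnames, realm and principal are placeholders I chose; the kadmin, kinit and ssh commands are grouped in functions that are shown but not executed, since they need a live KDC.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post.
# Hostnames, realm and principal below are placeholders (assumptions);
# substitute your own.  <server> is the machine sshd runs on, <client> is
# where the user holds a TGT.
SERVER_FQDN="server.example.com"   # assumed FQDN of <server>
REALM="EXAMPLE.COM"                # assumed realm
MYPRINCIPAL="lukas@EXAMPLE.COM"    # assumed <myprincipal>

# --- Setup commands (run by hand; they need a real KDC, so nothing below
# --- calls them).
# On <server> (also the kadmin host in the thread): sshd needs the host
# principal of the machine being connected TO, host/<server>@REALM, in
# <server>'s own /etc/krb5.keytab.  The client needs no keytab for a user login.
create_server_host_key() {
    kadmin.local -q "addprinc -randkey host/${SERVER_FQDN}@${REALM}"
    kadmin.local -q "ktadd -k /etc/krb5.keytab host/${SERVER_FQDN}@${REALM}"
    chmod 600 /etc/krb5.keytab    # long-term secret: readable by root only
    klist -k /etc/krb5.keytab     # verify the entry is really there
}
# On <server>: let <myprincipal> into root's account.  Keep the file owned by
# root and writable by nobody else, or it is an easy privilege escalation.
allow_principal_as_root() {
    printf '%s\n' "$MYPRINCIPAL" >> /root/.k5login
    chown root:root /root/.k5login && chmod 600 /root/.k5login
}
# On <client>: get a TGT and log in as root via GSSAPI.
login_as_root() {
    kinit "$MYPRINCIPAL"
    ssh -K -l root "$SERVER_FQDN"   # add -v to watch the GSSAPI exchange
}

# --- Offline checks on the three things the thread says must be right.

# Does a `klist -k` listing ($1) contain host/<fqdn ($2)>@<realm ($3)>?
keytab_has_host_key() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { found = 1 }
        END { exit !found }'
}

# In an /etc/hosts text ($1), is the FQDN ($2) the first name after its
# address and never a later alias?  The krb5 libraries build the service
# principal from the canonical name, so a short alias first yields
# host/<short>@REALM, for which no key exists.
hosts_fqdn_first() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == f { ok = 1 }
        { for (i = 3; i <= NF; i++) if ($i == f) bad = 1 }
        END { exit !(ok && !bad) }'
}

# Does a .k5login text ($1) grant exactly principal $2 (one per line)?
k5login_allows() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# --- Constructed sample data (not captured from a real machine).
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM'
# What ends up on <server> if you ktadd host/<client> and copy that file over:
WRONG_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM'
GOOD_HOSTS='127.0.0.1   localhost
192.0.2.10  server.example.com server'
BAD_HOSTS='127.0.0.1   localhost
127.0.1.1   server server.example.com'
K5LOGIN='lukas@EXAMPLE.COM'

show() {   # $1 = label, rest = check; prints PASS/FAIL instead of aborting
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}
show "server keytab holds host/<server>"              keytab_has_host_key "$GOOD_KEYTAB" "$SERVER_FQDN" "$REALM"
show "keytab holding only host/<client> (expect FAIL)" keytab_has_host_key "$WRONG_KEYTAB" "$SERVER_FQDN" "$REALM"
show "/etc/hosts lists the FQDN first"                 hosts_fqdn_first "$GOOD_HOSTS" "$SERVER_FQDN"
show "short name before the FQDN (expect FAIL)"        hosts_fqdn_first "$BAD_HOSTS" "$SERVER_FQDN"
show "root's .k5login admits <myprincipal>"            k5login_allows "$K5LOGIN" "$MYPRINCIPAL"
```

The checks read text rather than the live system so they run anywhere; on the real <server>, feed them `klist -k /etc/krb5.keytab`, `cat /etc/hosts` and `cat /root/.k5login` output instead of the sample strings. The second and fourth lines are the two misconfigurations discussed in the thread and are expected to print FAIL.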