Configuring Kerberos for Solaris
Adams, Ann (A.M.)
aadams6 at ford.com
Tue Mar 25 10:09:06 EST 2003
Ok,
I have to ask, does SUN have a kerberized hpptd? I thought they only had the standard network services. I have not seen a reference by either SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web authentication via Kerberos?
I was looking around some of the university sites to see if there was a kerberized web authentication modules available for testing. My impression was that they had been written but nothing publicly available to test.
Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V. CUSSP is a perl5 module from Cornell University that is referenced below. Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.
excerpt from Dartmouth web site below:....
Kerberos authentication can be invoked from a CGI script.
There are Perl interfaces to do this.
The example below shows a CGI that authenticates the user,
then displays the name(s) and information from the
ticket(s) that were generated.
In Perl, you can use the GetK4Ticket function to validate a user.
This function is defined in the CUSSP library.
GetK4Ticket is defined as:
($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
"WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'});
If anything I have stated in incorrect, I request correction. If there are other resources I should be looking at please indicate.
regards,
Ann Adams
Computer Architect/SIE
Ford Motor Company
-----Original Message-----
From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
Sent: Monday, March 24, 2003 7:50 PM
To: Ganesh
Cc: kerberos at mit.edu
Subject: Re: Configuring kerberos for Solaris
Ganesh wrote:
> I'm trying to configure kerberos, to authenticate the
> users through Web. I've successfully compiled
> mod_auth_pam.c on Solaris 8 and am able to authenticate
> the users, if I use pam_unix.so.1 in my pam.conf file.
> But if I try to authenticate by using pam_krb5.so.1
> it fails.
>
> I'm using the pam_krb5.so.1 which is shipped along with solaris2.8.
If you are using the pam_krb5 that shipped with Solaris 2.8 then you
also need to be using the SEAM package for Solaris 8 (free download
from www.sun.com). If you go that route, I recommend making sure
you have all the latest pam_krb5 and SEAM related patches.
If you are determined to stick with the MIT Kerberos libraries and not
use the Solaris Kerberos stuff, then you should probably get a different
pam_krb5 module (http://www.fcusack.com is one such module).
-Wyllys
>
> A snap shot of my pam.conf file :
>
> # The commented line works fine
> #
> httpd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd auth required /usr/lib/security/$ISA/pam_unix.so.1
>
> httpd account sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd account required /usr/lib/security/$ISA/pam_unix.so.1
>
> My /etc/krb5/krb5.conf file ..
>
> [libdefaults]
> default_realm = INDIA.HP.COM
> default_tkt_enctypes = DES-CBC-CRC
> default_tgs_enctypes = DES-CBC-CRC
> ccache_type = 2
>
> [realms]
> INDIA.HP.COM = {
> kdc = nt40239.india.hp.com:88
> admin_server = nt40239.india.hp.com:749
> default_domain = india.hp.com
> }
>
> [domain_realm]
> .india.hp.com = INDIA.HP.COM
> india.hp.com = INDIA.HP.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> I've also updated the /etc/services file to look into my
> KDC server.
>
> My kDC server(Linux server) is up and running as I'm
> able to authenticate the users, with the same KDC if
> the client is HP-Ux m/c.
>
> Is that I've to make any changes in my krb5.conf file or
> have to rebuild the pam_krb5.so file ? Please give your
> inputs!
>
> TIA,
> Ganesh.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list