Configuring Kerberos for Solaris

Adams, Ann (A.M.) aadams6 at ford.com
Tue Mar 25 10:09:06 EST 2003


Ok,

I have to ask, does SUN have a kerberized httpd?  I thought they only had the standard network services.  I have not seen a reference by either SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web authentication via Kerberos?

I was looking around some of the university sites to see if there were kerberized web authentication modules available for testing.  My impression was that they had been written but nothing publicly available to test.  

Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V.  CUSSP is a perl5 module from Cornell University that is referenced below.  Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.

Excerpt from Dartmouth web site below:

		Kerberos authentication can be invoked from a CGI script.
		There are Perl interfaces to do this.
		The example below shows a CGI that authenticates the user,
		then displays the name(s) and information from the
		ticket(s) that were generated.

		In Perl, you can use the GetK4Ticket function to validate a user.
		This function is defined in the CUSSP library.

		GetK4Ticket is defined as:
		($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
		    "WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'});


If anything I have stated is incorrect, I request correction.  If there are other resources I should be looking at, please indicate.


regards,
Ann Adams
Computer Architect/SIE
Ford Motor Company



-----Original Message-----
From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
Sent: Monday, March 24, 2003 7:50 PM
To: Ganesh
Cc: kerberos at mit.edu
Subject: Re: Configuring kerberos for Solaris


Ganesh wrote:
> I'm trying to configure kerberos, to authenticate the
> users through Web. I've successfully compiled
> mod_auth_pam.c on Solaris 8 and am able to authenticate
> the users, if I use pam_unix.so.1 in my pam.conf file.
> But if I try to authenticate by using pam_krb5.so.1
> it fails.
> 
> I'm using the pam_krb5.so.1 which is shipped along with Solaris 2.8.

If you are using the pam_krb5 that shipped with Solaris 2.8 then you
also need to be using the SEAM package for Solaris 8 (free download
from www.sun.com).   If you go that route, I recommend making sure
you have all the latest pam_krb5 and SEAM related patches.

If you are determined to stick with the MIT Kerberos libraries and not
use the Solaris Kerberos stuff, then you should probably get a different
pam_krb5 module (http://www.fcusack.com is one such module).

-Wyllys

> 
> A snap shot of my pam.conf file :
> 
> # The commented line works fine
> #
> httpd   auth sufficient   /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 
> httpd   account  sufficient     /usr/lib/security/$ISA/pam_krb5.so.1
> #httpd   account required       /usr/lib/security/$ISA/pam_unix.so.1
> 
> My /etc/krb5/krb5.conf file ..
> 
> [libdefaults]
>    default_realm = INDIA.HP.COM
>    default_tkt_enctypes = DES-CBC-CRC
>    default_tgs_enctypes = DES-CBC-CRC
>    ccache_type = 2
> 
> [realms]
>    INDIA.HP.COM = {
>       kdc = nt40239.india.hp.com:88
>       admin_server = nt40239.india.hp.com:749
>       default_domain = india.hp.com
> }
> 
> [domain_realm]
>  .india.hp.com = INDIA.HP.COM
>  india.hp.com = INDIA.HP.COM
> 
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
> 
> I've also updated the /etc/services file to look into my
> KDC server.
> 
> My KDC server (Linux server) is up and running, as I'm
> able to authenticate the users with the same KDC if
> the client is an HP-UX m/c.
> 
> Do I have to make any changes in my krb5.conf file or
> rebuild the pam_krb5.so file? Please give your
> inputs!
> 
> TIA,
> Ganesh.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

