Some clarifications on SSO
David Tsai
dwtsai at MIT.EDU
Tue Aug 10 05:06:59 EDT 2004
I read an article on JAAS/GSS SSO @ http://www-106.ibm.com/developerworks/java/library/j-gss-sso/ , and found it to be informative (there's almost an exact-same tutorial on the official JAAS website). I'm working on a Kerberos project that does nearly the exact same thing (1 KDC machine, 1 server machine, 1 client machine), but I had a question regarding a general understanding of how Kerberos works:
So, the server has a key which it shares with the KDC. The server uses this key to decrypt incoming sub-session tickets from a client that wants to connect to it. In the tutorial, I manually type in the server's login/password to log in to the KDC and retrieve the encrypted form of its key.
My first question is whether or not this key expires (like a ticket does).
If it does expire, my second question is that in my system, my server is going to be locked away in a room somewhere, and I do not want to have some guy going in there and entering in the login/password for the server every time it needs to get a fresh key. I could just hardcode the login/password into the code or save the session key on disk, but that seems insecure. What do most Kerberos network administrators do about this problem?
If it doesn't expire, does this mean that after the initial exchange between the server and the KDC at program startup that there is no network activity at all between the KDC and the server?
Any insight on these questions would be greatly appreciated.
Thanks,
David

K5 Login Issues.
John S. Willingham
johnw at cpuinfo.net
Tue, 10 Aug 2004 09:27:04 +0100
General Question,
I have Kerberos set up and installed, authenticating existing users without a
problem. However, after adding a new principal, the new user/principal can
use kinit/kadmin and ksu without authentication errors. However, the user
cannot authenticate via ssh/telnet/console on any Kerberos-enabled server.
Below are some of the log snippets from the message console on the server they
are attempting to authenticate.
Server #1
Aug 10 08:32:23 xyxyxy sshd[56801]: (pam_krb5) pam_sm_authenticate: result for
user `user01': Success
Aug 10 08:32:23 xyxyxy sshd[56799]: error: PAM: User not known to the
underlying authentication module
Server #2
Aug 10 08:32:14 ababab sshd[72199]: (pam_krb5) pam_sm_authenticate: result for
user `user01': Success
Aug 10 08:32:14 ababab sshd[72199]: (pam_krb5) pam_sm_acct_mgmt: result for
user `user01': Permission denied
Aug 10 08:32:14 ababab sshd[72197]: error: PAM: User not known to the
underlying authentication module
I have tried a few different approaches to this issue and have basically come
to the conclusion that there is some minor piece of a puzzle that I am missing
or a larger-scale problem; just hoping it's not the latter.
Note: There are already users/principals that are working without a problem.
Thanks for any assistance or guidance in advance.
---
JSW
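The two log excerpts above show pam_krb5 accepting the user's Kerberos credentials in the authenticate phase while the account phase (or sshd's PAM wrapper) then rejects the user. As an added example that is not part of the post, here is a small correlator that runs over such sshd syslog lines and reports every host/user pair where authentication succeeded but authorization did not; the sample lines are constructed from the snippets above (each rejoined onto one line, as syslog writes them) plus two made-up control entries for users alice and bob.

```python
import re
from collections import defaultdict

# Constructed sample: the post's snippets rejoined to one line each, plus two
# made-up control entries (alice passes both phases, bob fails authentication).
SAMPLE_LOG = """\
Aug 10 08:32:23 xyxyxy sshd[56801]: (pam_krb5) pam_sm_authenticate: result for user `user01': Success
Aug 10 08:32:23 xyxyxy sshd[56799]: error: PAM: User not known to the underlying authentication module
Aug 10 08:32:14 ababab sshd[72199]: (pam_krb5) pam_sm_authenticate: result for user `user01': Success
Aug 10 08:32:14 ababab sshd[72199]: (pam_krb5) pam_sm_acct_mgmt: result for user `user01': Permission denied
Aug 10 08:32:14 ababab sshd[72197]: error: PAM: User not known to the underlying authentication module
Aug 10 08:40:02 ababab sshd[72301]: (pam_krb5) pam_sm_authenticate: result for user `alice': Success
Aug 10 08:40:02 ababab sshd[72301]: (pam_krb5) pam_sm_acct_mgmt: result for user `alice': Success
Aug 10 08:41:10 xyxyxy sshd[56900]: (pam_krb5) pam_sm_authenticate: result for user `bob': Authentication failure
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
PAM_KRB5 = re.compile(TS + r"\(pam_krb5\) (?P<phase>pam_sm_\w+): result for user "
                      r"`(?P<user>[^']+)': (?P<result>.+)$")
USER_UNKNOWN = re.compile(TS + r"error: PAM: User not known to the underlying authentication module$")


def find_authz_gaps(log_text):
    """Return (host, user, reason) for each login where pam_krb5's authenticate phase
    succeeded but the account phase denied the user, or sshd then reported the user
    as unknown to PAM. Lines are correlated by host and timestamp, not PID, because
    sshd logs the phases from different processes (note the differing PIDs above)."""
    events = defaultdict(lambda: {"auth_ok": set(), "acct_denied": {}, "unknown": False})
    for line in log_text.splitlines():
        m = PAM_KRB5.match(line)
        if m:
            ev = events[(m["host"], m["ts"])]
            if m["phase"] == "pam_sm_authenticate" and m["result"] == "Success":
                ev["auth_ok"].add(m["user"])
            elif m["phase"] == "pam_sm_acct_mgmt" and m["result"] != "Success":
                ev["acct_denied"][m["user"]] = m["result"]
            continue
        m = USER_UNKNOWN.match(line)
        if m:
            events[(m["host"], m["ts"])]["unknown"] = True
    gaps = []
    for (host, _ts), ev in events.items():
        for user in sorted(ev["auth_ok"]):
            if user in ev["acct_denied"]:
                gaps.append((host, user, "pam_sm_acct_mgmt: " + ev["acct_denied"][user]))
            elif ev["unknown"]:
                gaps.append((host, user, "sshd: user not known to PAM"))
    return gaps


if __name__ == "__main__":
    for host, user, reason in find_authz_gaps(SAMPLE_LOG):
        print(f"{host}: {user} authenticated via Kerberos but was rejected ({reason})")
```

Run against the sample, it flags user01 on both hosts and stays silent for alice (both phases succeeded) and bob (never authenticated), which is the separation between "credentials accepted" and "account allowed" that the post's logs illustrate.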