Authentication In Redhat

James Walthall jwaltha at us.ibm.com
Thu Feb 12 09:50:36 EST 2004


When you log in to a Kerberos-integrated Red Hat machine, what information 
is sent for tickets?


Let's say I log in as root with password ****, which should be considered 
valid for our example.
We are working from a machine with host name HOSTNAME.

When kerberos searches for this user in the database, what key is it 
searching for?

realm: RALEIGH.IBM.COM


Is it HOSTNAME/root at RALEIGH.IBM.COM ?

Is there a way to just insert a key for /root at RALEIGH.IBM.COM
so that there need not be a key for EVERY host, since we have over 1000 of 
them?

Also, if there is a way, please be specific as to how I can go about 
setting that up.


Regards,

James Walthall Jr
IBM - Host Integration Server Test IDD and BETA
Outside: (919) 254-8869
Tieline: 444-8869
Research Triangle Park
Raleigh, North Carolina

Re: Authentication In Redhat

Douglas E. Engert deengert at anl.gov
Thu, 12 Feb 2004 10:01:53 -0600
To: James Walthall <jwaltha at us.ibm.com>
cc: kerberos at mit.edu

Rather than use a shared root account across all 1000 machines,
consider authorizing selected individuals to become/login as root
on each machine. 

You can do this using the $HOME/.k5login file on each machine listing
the principals that can use the local account. i.e. root's home
is "/" thus /.k5login would be used for root. (This also gives you
some auditing information, as you can see who got tickets for
which machine and who logged in.)
  

James Walthall wrote:
> 
> When you login to a kerberos integrated redhat machine, what information
> is sent for tickets?

Passwords are not sent, if that's your question.  
> 
> Let's say I login as root with password ****, which should be considered
> valid for our example.
> We are working from machine with host name HOSTNAME

Keep in mind that your local unix account name like root does not have to 
match the principal name used in network authentication or the local unix account
name on the remote machine. 

So you could login to a local machine as joe, do a kinit tom at RALEIGH.IBM.COM,
and do an ssh -l root remote.ibm.com 

If the /.k5login on remote.host has tom at RALEIGH.IBM.COM  listed,
it will let you in. (ssh may have other restrictions on root logins.)

> 
> When kerberos searches for this user in the database, what key is it
> searching for?


There are two principals, the user and the server. There are actually
two tickets, a TGT for the user, which is used to get a ticket 
for the server. So in my example there is tom at RALEIGH.IBM.COM and
host/remote.ibm.com at RALEIGH.IBM.COM 

> 
> realm: RALEIGH.IBM.COM
> 
> is it          HOSTNAME/root at RALEIGH.IBM.COM                    ?
> 
> is there a way to just insert a key for         /root at RALEIGH.IBM.COM
> so that there need not be a key for EVERY host, since we have over 1000 of
> them?

Does not work like that. Each host has a principal, and the .k5login in each
home directory can serve as an ACL for the local account listing which
principals can use the account.   

Try and avoid a root at realm principal. UNIX considers root as local
to each machine. It's more of a role than an account. Even NFS treats root
special. If you have a root principal, you don't know who is using it. 

> 
> also, if there is a way, please be specific as to how I can go about
> setting that up.
> 
> Regards,
> 
> James Walthall Jr
> IBM - Host Integration Server Test IDD and BETA
> Outside: (919) 254-8869
> Tieline: 444-8869
> Research Triangle Park
> Raleigh, North Carolina
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
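
A small model of the $HOME/.k5login check Doug describes, added here as an
illustration; it is not MIT krb5's own code nor anything from the thread.
The location rule (root's home "/" gives /.k5login), the ownership rule and
the no-file fallback are modelled on my understanding of krb5_kuserok() and
should be read as assumptions; the world-writable check is an extra hardening
rule of this example. The realm and the principal names tom/joe come from the
thread; the temporary home directory and the ACL contents are constructed.

```python
"""Model of the $HOME/.k5login authorization check discussed in the thread."""
import os
import stat
import tempfile

DEFAULT_REALM = "RALEIGH.IBM.COM"   # realm used in the thread


def k5login_path(home: str) -> str:
    """Where the ACL lives: $HOME/.k5login; for root (home "/") that is /.k5login."""
    return os.path.join(home, ".k5login")


def parse_k5login(text: str) -> list:
    """One principal per line; blank lines are ignored, names are matched verbatim."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def principal_maps_to_local_user(principal: str, local_user: str,
                                 realm: str = DEFAULT_REALM) -> bool:
    """Fallback used when no .k5login exists (assumption: modelled on the
    default principal-to-local-name rule): only <local_user>@<default realm> matches."""
    return principal == "%s@%s" % (local_user, realm)


def k5login_allows(local_user: str, home: str, local_uid: int,
                   principal: str, realm: str = DEFAULT_REALM) -> bool:
    """Decide whether `principal` may use the local account `local_user`."""
    path = k5login_path(home)
    if not os.path.exists(path):
        # No ACL present: fall back to the name-mapping rule.
        return principal_maps_to_local_user(principal, local_user, realm)
    st = os.stat(path)
    # Assumption (modelled on MIT's check): the ACL must belong to the account
    # itself or to root, otherwise anyone who can drop a file into the home
    # directory could grant themselves access.
    if st.st_uid not in (local_uid, 0):
        return False
    # Extra hardening rule of this example: never trust a world-writable ACL.
    if st.st_mode & stat.S_IWOTH:
        return False
    with open(path) as fh:
        allowed = parse_k5login(fh.read())
    # The file is authoritative: a listed principal gets in, everyone else is
    # denied, including <local_user>@<realm> when it is not listed.
    return principal in allowed


def run_demo() -> dict:
    """Build a throwaway home directory (constructed data) and evaluate a few
    access decisions; returns them keyed by scenario name."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        uid = os.getuid()
        # No ACL yet: only the principal that maps to the local name gets in.
        results["no_file_same_name"] = k5login_allows("tom", home, uid, "tom@RALEIGH.IBM.COM")
        results["no_file_other_name"] = k5login_allows("tom", home, uid, "joe@RALEIGH.IBM.COM")
        # Write the ACL for the root account: tom, and only tom, may use it.
        path = k5login_path(home)
        with open(path, "w") as fh:
            fh.write("tom@RALEIGH.IBM.COM\n")
        os.chmod(path, 0o600)
        results["listed"] = k5login_allows("root", home, uid, "tom@RALEIGH.IBM.COM")
        results["not_listed"] = k5login_allows("root", home, uid, "joe@RALEIGH.IBM.COM")
        # Loosen the permissions: a world-writable ACL must not be honoured.
        os.chmod(path, 0o666)
        results["world_writable"] = k5login_allows("root", home, uid, "tom@RALEIGH.IBM.COM")
    return results


if __name__ == "__main__":
    for scenario, decision in run_demo().items():
        print("%-20s %s" % (scenario, "allow" if decision else "deny"))
```

The point of the model is the one Doug makes: the decision is taken per host,
against a per-account list of real people's principals, so the KDC log shows
tom obtaining a service ticket for host/remote.ibm.com and the host's ACL
shows why tom was let into root; a shared root at REALM principal would leave
neither trail.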

