Authentication In Redhat

James Walthall jwaltha at us.ibm.com
Thu Feb 12 14:00:46 EST 2004 

My apologies for the bad example. I drafted it up rather quickly.
I guess my real question wasnt stated very clearly.

We have around 1000 machines here that will be running the exact
same configuration, and will be used for load testing.
Every time an employee comes or goes, we have to change the password
on each machine for security purposes. This obviously
is very tedious when running a windows platform without
a dns authentication. We want to convert all of these
same or similar hardware machines to redhate linux 8, and
have them authenticate using kerberos.

We need ONE user that can login using the same user name
and password from any machine, namely Administrator and the password.
The goal is the be able to just change the password in the
Master KDC Database instead of manually going machine
to machine changing the password. This is my job...

I would like to set up kerberos so that there is 1 user with 1
password with all priviledges that root has. That user will be
Administrator. I would like for my team members to be able
to login from any machine using this same user name and
password, and for kerberos to issue a token. Using red hat 
8 configuration, how do you think I would go about doing this?
I'm learning linux, but coming from a windows background.
The simpler this can be explained, the better. Thanks in advance...



Regards,

James Walthall Jr
IBM - Host Integration Server Test IDD and BETA
Outside: (919) 254-8869
Tieline: 444-8869
Research Triangle Park
Raleigh, North Carolina




"Douglas E. Engert" <deengert at anl.gov>
02/12/2004 11:01 AM
 
        To:     James Walthall/Durham/IBM at IBMUS
        cc:     kerberos at mit.edu
        Subject:        Re: Authentication In Redhat


Rather then use a shared root account across all 1000 machnes,
consider authorizing selected individuals to become/login as root.
on each machine. 

You can do this using the $HOME/.k5login file on each machine listing
the principals that can use the local acount. i.e. root's home
is "/" thus /.k5login would be used for root. (This also give you
some auditing information, as you can see who got tickets for
which machine and who logged in. 
 

James Walthall wrote:
> 
> When you login to a kerberos integrated redhat machine, what information
> is sent for tickets?

Passwords are not sent. if thats your question. 
> 
> Let's say I login as root with password ****, which should be considered
> valid for our example.
> We are working from machine with host name HOSTNAME

Keep in mind that your local unix account name like root does not have to 
match the principal name use in network authentication or the local unix 
account
name on the remote machine. 

So you could login to a locla machine as joe, do a kinit 
tom at RALEIGH.IBM.COM,
and do a ssh -l root remote.ibm.com 

If the /.k5login on remote.host has tom at RALEIGH.IBM.COM  listed,
it will let you in. (ssh may have other restrictions on root logins.)

> 
> When kerberos searches for this user in the database, what key is it
> searching for?


There are two principals, the user and the server. Thyere are actually
two tickets, a TGT for the user, which is used to geta ticket 
for the server. So in my example there is tom at RALEIGH.IBM.COM and
host/remote.ibm.com at RALEIGH.IBM.COM 

> 
> realm: RALEIGH.IBM.COM
> 
> is it          HOSTNAME/root at RALEIGH.IBM.COM                    ?
> 
> is there a way to just insert a key for         /root at RALEIGH.IBM.COM
> so that there need not be a key for EVERY host, since we have over 1000 
of
> them?

Does not work like that. Each host has a principal. and the .k5login in 
each
home directory can server as a ACL for the local account listing which
principals can use the account. 

Try and avoid a root at realm principal. UNIX considers root as local
to each machine. Its more of a role, then an account. Even NFS treats root
special. If you have a root principal, you don't know who is using it. 

> 
> also, if there is a way, please be specific as to how I can go about
> setting that up.
> 
> Regards,
> 
> James Walthall Jr
> IBM - Host Integration Server Test IDD and BETA
> Outside: (919) 254-8869
> Tieline: 444-8869
> Research Triangle Park
> Raleigh, North Carolina
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list