Authentication In Redhat
Thomas A. La Porte
tlaporte at anim.dreamworks.com
Thu Feb 12 15:02:08 EST 2004
James,
Douglas has outlined pretty much what we do at our site which is
extremely effective. We manage well over 1000 machines, all of
which have a .k5login file in the root user's home directory.
What you need is a common .k5login file which contains the
principals of each member of your team who is allowed to
administer these machines. When one member leaves the team, you
remove their name from the common .k5login file.
Once the file is set up, you can login as root without knowing a
root password, provided you have properly authenticated yourself
as one of the principals listed in root's .k5login file.
For example:
host1 [~](SHARK)(100)> klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: tlaporte at EXAMPLE.COM
Valid starting Expires Service principal
02/12/04 12:00:01 02/13/04 12:00:01 krbtgt/EXAMPLE.COM at EXAMPLE.COM
host1 [~](SHARK)(101)> ssh host2 -l root
Last login: Mon Feb 9 23:44:35 2004 from host1.example.com
[root at host2 ~]#
Hope that helps.
-- Tom
Thomas A. La Porte, Dreamworks SKG
<mailto:tlaporte at dreamworks.com>
On Thu, 12 Feb 2004, James Walthall wrote:
>My apologies for the bad example. I drafted it up rather quickly.
>I guess my real question wasnt stated very clearly.
>
>We have around 1000 machines here that will be running the exact
>same configuration, and will be used for load testing.
>Every time an employee comes or goes, we have to change the password
>on each machine for security purposes. This obviously
>is very tedious when running a windows platform without
>a dns authentication. We want to convert all of these
>same or similar hardware machines to redhate linux 8, and
>have them authenticate using kerberos.
>
>We need ONE user that can login using the same user name
>and password from any machine, namely Administrator and the password.
>The goal is the be able to just change the password in the
>Master KDC Database instead of manually going machine
>to machine changing the password. This is my job...
>
>I would like to set up kerberos so that there is 1 user with 1
>password with all priviledges that root has. That user will be
>Administrator. I would like for my team members to be able
>to login from any machine using this same user name and
>password, and for kerberos to issue a token. Using red hat
>8 configuration, how do you think I would go about doing this?
>I'm learning linux, but coming from a windows background.
>The simpler this can be explained, the better. Thanks in advance...
>
>
>
>Regards,
>
>James Walthall Jr
>IBM - Host Integration Server Test IDD and BETA
>Outside: (919) 254-8869
>Tieline: 444-8869
>Research Triangle Park
>Raleigh, North Carolina
>
>
>
>
>"Douglas E. Engert" <deengert at anl.gov>
>02/12/2004 11:01 AM
>
> To: James Walthall/Durham/IBM at IBMUS
> cc: kerberos at mit.edu
> Subject: Re: Authentication In Redhat
>
>
>Rather then use a shared root account across all 1000 machnes,
>consider authorizing selected individuals to become/login as root.
>on each machine.
>
>You can do this using the $HOME/.k5login file on each machine listing
>the principals that can use the local acount. i.e. root's home
>is "/" thus /.k5login would be used for root. (This also give you
>some auditing information, as you can see who got tickets for
>which machine and who logged in.
>
>
>James Walthall wrote:
>>
>> When you login to a kerberos integrated redhat machine, what information
>> is sent for tickets?
>
>Passwords are not sent. if thats your question.
>>
>> Let's say I login as root with password ****, which should be considered
>> valid for our example.
>> We are working from machine with host name HOSTNAME
>
>Keep in mind that your local unix account name like root does not have to
>match the principal name use in network authentication or the local unix
>account
>name on the remote machine.
>
>So you could login to a locla machine as joe, do a kinit
>tom at RALEIGH.IBM.COM,
>and do a ssh -l root remote.ibm.com
>
>If the /.k5login on remote.host has tom at RALEIGH.IBM.COM listed,
>it will let you in. (ssh may have other restrictions on root logins.)
>
>>
>> When kerberos searches for this user in the database, what key is it
>> searching for?
>
>
>There are two principals, the user and the server. Thyere are actually
>two tickets, a TGT for the user, which is used to geta ticket
>for the server. So in my example there is tom at RALEIGH.IBM.COM and
>host/remote.ibm.com at RALEIGH.IBM.COM
>
>>
>> realm: RALEIGH.IBM.COM
>>
>> is it HOSTNAME/root at RALEIGH.IBM.COM ?
>>
>> is there a way to just insert a key for /root at RALEIGH.IBM.COM
>> so that there need not be a key for EVERY host, since we have over 1000
>of
>> them?
>
>Does not work like that. Each host has a principal. and the .k5login in
>each
>home directory can server as a ACL for the local account listing which
>principals can use the account.
>
>Try and avoid a root at realm principal. UNIX considers root as local
>to each machine. Its more of a role, then an account. Even NFS treats root
>special. If you have a root principal, you don't know who is using it.
>
>>
>> also, if there is a way, please be specific as to how I can go about
>> setting that up.
>>
>> Regards,
>>
>> James Walthall Jr
>> IBM - Host Integration Server Test IDD and BETA
>> Outside: (919) 254-8869
>> Tieline: 444-8869
>> Research Triangle Park
>> Raleigh, North Carolina
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>--
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list