Single sign-on with ssh (only unix)
Nathan Ollerenshaw
nathan at valuecommerce.co.jp
Thu Jun 2 05:24:28 EDT 2005
Hi,
I've been banging my head against kerberos for the last few days, and
I just can't seem to get it working right.
What I want to do is use kerberos as a central authentication
database as well as for a single sign on solution for SSH, for our
system administrators to use.
Ideally, I want to be able to have a single machine that all our
admins can log into (either with kerberos credentials or ssh public
key auth) and then they kinit on that machine once, then they can log
into any of our servers transparently using kerberos.
I've been trying to set this up on some test servers, and so far all
I've managed to do is create a functional kerberos kdc (on Fedora
Core). I have another FC machine that I configure with 'authconfig'
to use kerberos - and it works - I can use my kerberos password to
log into this machine. And on this machine, if I do a klist, I see it
has a tgt.
But, I can't ssh from that machine to itself or to another machine -
ssh is not even looking at the tickets.
Has anyone got a better step-by-step guide they can point me at?
Do I need to create individual server principals? How do I do this?
Do I create sshd/domain principals for ssh? How? How do I log in with
kadmin on another machine? Where should I store keytabs? Do I need to
export host keytabs?
The documentation is all very flimsy. ALL of the documentation that
I've seen is basically a copy of the MIT stuff, which doesn't really
explain any of this fully. For example the redhat documentation just
tells you how to set up a client and a server, but doesn't tell you
how to get kerberized sshd working, etc.
Can anyone help?
Regards,
Nathan.
--
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.
Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995 Fax. +81.3.3812.4051
mailto:nathan at valuecommerce.co.jp
"The man who carries a cat by the tail learns something
that can be learned in no other way." - Mark Twain
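A quick check for the symptom described in the mail (ssh never consulting the ticket), added here as an example and not part of the original message or any Kerberos/OpenSSH project code. It assumes OpenSSH's GSSAPIAuthentication / GSSAPIDelegateCredentials keywords and the "first value obtained wins" rule, ignores Match blocks for simplicity, and runs against constructed sample config files rather than the real /etc/ssh files.

```shell
#!/bin/sh
# Added example: audit sshd_config / ssh_config for GSSAPI (Kerberos) use.
# Assumption: OpenSSH uses the first value it obtains for a keyword, so the
# first uncommented line in the global section decides; Match blocks are
# skipped here (parsing stops at the first "Match" line).

# gssapi_setting FILE KEYWORD -> prints the effective value, "no" if unset
gssapi_setting() {
    file=$1; key=$2
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }               # comments, blanks
        tolower($1) == "match"      { exit }               # end of global part
        tolower($1) == tolower(k)   { print tolower($2); exit }  # first wins
    ' "$file")
    printf '%s\n' "${val:-no}"
}

# gssapi_ok SSHD_CONFIG SSH_CONFIG -> 0 when both server and client will
# try GSSAPI, i.e. when a kinit'd user can expect ticket-based login
gssapi_ok() {
    [ "$(gssapi_setting "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(gssapi_setting "$2" GSSAPIAuthentication)" = yes ]
}

# host_principal FQDN REALM -> the service principal sshd needs in its
# keytab (host/<fqdn>@<REALM>), normalised the way Kerberos expects
host_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Constructed sample files: a server with GSSAPI still off, a client with it on
tmpd=$(mktemp -d)
cat > "$tmpd/sshd_config" <<'EOF'
Port 22
#GSSAPIAuthentication yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication yes
EOF
cat > "$tmpd/ssh_config" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF

if gssapi_ok "$tmpd/sshd_config" "$tmpd/ssh_config"; then
    echo "both sides will use GSSAPI; keytab needs $(host_principal "$(hostname)" EXAMPLE.COM)"
else
    echo "GSSAPI disabled on at least one side: sshd will never look at the TGT"
fi
```

Even with both sides enabled, the server still needs its host/<fqdn> principal in /etc/krb5.keytab and a forward/reverse DNS name matching that principal.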