Pam kerberos vs. Kinit

Luis Daniel Lucio Quiroz dlucio at okay.com.mx
Fri Mar 18 16:03:30 EST 2005


btw, what realm does openssh look for

ssh/fqdn at REALM
??

On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
> Ethan Bearman wrote:
> > You're right - it was right on the cutover - if I add enough groups to
> > the account, I cannot login via ssh with it, nor can I use kinit.
> >
> > I have had success - finally - getting krb5-1.4 to compile.
>
> But does it run? Can you use the 1.4.0 kinit? I had some problems
> with this in 11.0
>
> > How do I
> > get source code to compile a pam kerberos library based on kerberos
> > 1.3.5 or later?
>
> If you only need the pam_krb5 for use with OpenSSH you may not need
> the PAM at all. OpenSSH can accept Kerberos user and passwords or
> can call PAM to do the same. So if you compile OpenSSH with
>   --with-kerberos5=<path>  and set in the sshd_config file:
>
> PasswordAuthentication yes
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes   (to accept both, or "no" to accept only Kerberos passwords)
> UsePAM no
>
> If you still need PAM we are using an old modified version from F. Cusack.
> I had started looking at using the pam_krb5-1.3-rc7.tar.gz from RedHat.
> (Drop me a private note if you need more on this.)
>
> One problem with HP PAM is it does not support pam_env.
>
> > Thanks.
> >
> > At 12:51 PM 3/17/2005, you wrote:
> >> Ethan Bearman wrote:
> >>> At 07:14 AM 3/17/2005, you wrote:
> >>>> Ethan Bearman wrote:
> >>>>> I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
> >>>>> running on 9000 series system) to our Windows 2003 AD domain.  It
> >>>>> works for certain admin accounts that have few group memberships,
> >>>>> but not for regular users.
> >>>>> I understand this to be due to the large PAC headers Windows is
> >>>>> using for authorization data, which causes Windows to use TCP
> >>>>> rather than UDP.  Apparently versions of MIT kerberos earlier than
> >>>>> 1.3.1 do not support TCP.
> >>>
> >>> I've just run another test and discovered that I can successfully log
> >>> into the host initially (via PAM kerberos library and SSH), and I
> >>> don't get error 52.  I've got a ticket in my cache and everything.
> >>> Kerb error 52 only occurs if I'm using kinit from the shell.
> >>
> >> You could be right on the cut over point, and maybe addressless vs
> >> with address
> >> tickets keep the ticket just small enough.
> >>
> >> A way to see what is going on would be to do a network trace of the
> >> traffic
> >> to the host. Ethereal works well with Kerberos, and is claimed
> >> to be available for HP, but I have not tried it on HP.
> >> http://www.ethereal.com/download.html
> >>
> >>> How could this be?  I believe the PAM kerberos library that HP
> >>> supplies is based on Krb1.1, which I thought would not be able to
> >>> communicate via TCP to our W2k3 KDC's.  Does anyone know why this is
> >>> working through PAM, and not at the shell?
> >>> Our users are not going to need to do kinit at the shell, but I just
> >>> wonder if ignorance is bliss, or if I'm going to encounter problems
> >>> anyway with this configuration.
> >>> Thanks.
> >>> Ethan Bearman
> >>> Systems Analyst
> >>> USCard Operations
> >>> University of Southern California
> >>> 213.821.2287
> >>> 213.740.7253 Fax
> >>> ________________________________________________
> >>> Kerberos mailing list           Kerberos at mit.edu
> >>> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >> --
> >>
> >>  Douglas E. Engert  <DEEngert at anl.gov>
> >>  Argonne National Laboratory
> >>  9700 South Cass Avenue
> >>  Argonne, Illinois  60439
> >>  (630) 252-5444
> >
> > Ethan Bearman
> > Systems Analyst
> > USCard Operations
> > University of Southern California
> > 213.821.2287
> > 213.740.7253 Fax
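An added example, not code from the thread: a toy Python model of the KDC exchange the thread is about, where a reply too large for UDP (a TGT carrying a big AD PAC) comes back as KRB-ERROR code 52 and a krb5 1.3.1-or-later client retries the same request over TCP, while an older library has no TCP path and just reports error 52. The "REP"/"ERR" tags, the 1400-byte UDP limit and the zero-filled reply are constructed stand-ins for this example, not real ASN.1 AS-REP/KRB-ERROR encoding; only the error code 52 and the 4-byte TCP length prefix come from the real protocol (RFC 4120).

```python
import socket
import struct
import threading

KRB_ERR_RESPONSE_TOO_BIG = 52  # real MIT krb5 / RFC 4120 code: "Response too big for UDP, retry with TCP"
UDP_REPLY_LIMIT = 1400         # constructed limit for the toy KDC, not a real KDC constant

def toy_kdc_udp(sock, reply):
    # Toy KDC on UDP: a reply bloated by a large PAC gets KRB-ERROR 52 instead of the data.
    _req, peer = sock.recvfrom(65535)
    if len(reply) > UDP_REPLY_LIMIT:
        sock.sendto(b"ERR" + struct.pack("!I", KRB_ERR_RESPONSE_TOO_BIG), peer)
    else:
        sock.sendto(b"REP" + reply, peer)

def toy_kdc_tcp(sock, reply):
    # Toy KDC on TCP: RFC 4120 section 7.2.2 framing, a 4-byte big-endian length prefix.
    conn, _ = sock.accept()
    with conn:
        conn.recv(struct.unpack("!I", conn.recv(4))[0])  # read and discard the request
        body = b"REP" + reply
        conn.sendall(struct.pack("!I", len(body)) + body)

def kdc_exchange(req, udp_addr, tcp_addr):
    # Client: UDP first; on error 52 retry over TCP, as krb5 >= 1.3.1 does.
    # A pre-1.3.1 library (like the HP pam_krb5 in the thread) stops at the error.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(2)
        u.sendto(req, udp_addr)
        data, _ = u.recvfrom(65535)
    if data.startswith(b"REP"):
        return "udp", data[3:]
    if data[:3] != b"ERR" or struct.unpack("!I", data[3:7])[0] != KRB_ERR_RESPONSE_TOO_BIG:
        raise RuntimeError("unexpected KDC reply")
    with socket.create_connection(tcp_addr, timeout=2) as t:
        t.sendall(struct.pack("!I", len(req)) + req)
        n, body = struct.unpack("!I", t.recv(4))[0], b""
        while len(body) < n:
            body += t.recv(n - len(body))
    return "tcp", body[3:]

def simulate(reply_size):
    # One AS exchange against the toy KDC on loopback; returns (transport used, reply length).
    reply = b"\x00" * reply_size  # constructed stand-in for an AS-REP carrying a PAC
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); u.bind(("127.0.0.1", 0))
    t = socket.socket(socket.AF_INET, socket.SOCK_STREAM); t.bind(("127.0.0.1", 0)); t.listen(1)
    threading.Thread(target=toy_kdc_udp, args=(u, reply), daemon=True).start()
    threading.Thread(target=toy_kdc_tcp, args=(t, reply), daemon=True).start()
    transport, body = kdc_exchange(b"AS-REQ", u.getsockname(), t.getsockname())
    return transport, len(body)
```

A small reply (a user with few groups) completes over UDP; a reply above the limit (a user with many groups) only succeeds because the client honours error 52 and retries over TCP.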
