Pam kerberos vs. Kinit

Douglas E. Engert deengert at anl.gov
Fri Mar 18 18:02:36 EST 2005



Luis Daniel Lucio Quiroz wrote:

> btw, what realm does openssh look for
> 
> ssh/fqdn at REALM

No
  host/fqdn at REALM


> ??
> 
> On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
> 
>>Ethan Bearman wrote:
>>
>>>You're right - it was right on the cutover - if I add enough groups to
>>>the account, I cannot login via ssh with it, nor can I use kinit.
>>>
>>>I have had success - finally - getting krb5-1.4 to compile.
>>
>>But does it run? Can you use the 1.4.0 kinit? I had some problems
>>with this in 11.0
>>
>>
>>>How do I
>>>get source code to compile a pam kerberos library based on kerberos
>>>1.3.5 or later?
>>
>>If you only need the pam_krb5 for use with OpenSSH you may not need
>>the PAM at all. OpenSSH can accept Kerberos user and passwords or
>>can call PAM to do the same. So if you compile OpenSSH with
>>  --with-kerberos5=<path>  and set in the sshd_config file:
>>
>>PasswordAuthentication yes
>>KerberosAuthentication yes
>>KerberosOrLocalPasswd yes   (to accept both, or no to accept only Kerberos passwords)
>>UsePAM no
>>
>>If you still need PAM we are using an old modified version from F. Cusack.
>>I had started looking at using the pam_krb5-1.3-rc7.tar.gz from RedHat.
>>(Drop me a private note if you need more on this.)
>>
>>One problem with HP PAM is it does not support pam_env.
>>
>>
>>>Thanks.
>>>
>>>At 12:51 PM 3/17/2005, you wrote:
>>>
>>>>Ethan Bearman wrote:
>>>>
>>>>>At 07:14 AM 3/17/2005, you wrote:
>>>>>
>>>>>>Ethan Bearman wrote:
>>>>>>
>>>>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
>>>>>>>running on 9000 series system) to our Windows 2003 AD domain.  It
>>>>>>>works for certain admin accounts that have few group memberships,
>>>>>>>but not for regular users.
>>>>>>>I understand this to be due to the large PAC headers Windows is
>>>>>>>using for authorization data, which causes Windows to use TCP
>>>>>>>rather than UDP.  Apparently versions of MIT kerberos earlier than
>>>>>>>1.3.1 do not support TCP.
>>>>>
>>>>>I've just run another test and discovered that I can successfully log
>>>>>into the host initially (via PAM kerberos library and SSH), and I
>>>>>don't get error 52.  I've got a ticket in my cache and everything.
>>>>>Kerb error 52 only occurs if I'm using kinit from the shell.
>>>>
>>>>You could be right on the cut over point, and maybe addressless vs
>>>>with address tickets keep the ticket just small enough.
>>>>
>>>>A way to see what is going on would be to do a network trace of the
>>>>traffic to the host. Ethereal works well with Kerberos, and is claimed
>>>>to be available for HP, but I have not tried it on HP.
>>>>http://www.ethereal.com/download.html
>>>>
>>>>
>>>>>How could this be?  I believe the PAM kerberos library that HP
>>>>>supplies is based on Krb1.1, which I thought would not be able to
>>>>>communicate via TCP to our W2k3 KDC's.  Does anyone know why this is
>>>>>working through PAM, and not at the shell?
>>>>>Our users are not going to need to do kinit at the shell, but I just
>>>>>wonder if ignorance is bliss, or if I'm going to encounter problems
>>>>>anyway with this configuration.
>>>>>Thanks.
>>>>>Ethan Bearman
>>>>>Systems Analyst
>>>>>USCard Operations
>>>>>University of Southern California
>>>>>213.821.2287
>>>>>213.740.7253 Fax
>>>>>________________________________________________
>>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>--
>>>>
>>>> Douglas E. Engert  <DEEngert at anl.gov>
>>>> Argonne National Laboratory
>>>> 9700 South Cass Avenue
>>>> Argonne, Illinois  60439
>>>> (630) 252-5444
>>>
>>>Ethan Bearman
>>>Systems Analyst
>>>USCard Operations
>>>University of Southern California
>>>213.821.2287
>>>213.740.7253 Fax
>>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
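As an added illustration (not code from this thread, from OpenSSH or from MIT Kerberos), the following Python reads the four sshd_config directives Douglas lists, applying sshd's first-occurrence rule, reports who ends up validating an ssh password, and checks a `klist -k` listing for the host/fqdn@REALM principal that sshd looks up rather than ssh/fqdn@REALM. The defaults table is an assumption about OpenSSH of that era, and the sshd_config and klist inputs are constructed samples.

```python
import re
# sshd_config(5) defaults for the thread's four directives (assumption:
# OpenSSH 3.x/4.x-era values; later releases changed some of them).
DEFAULTS = {"passwordauthentication": "yes", "kerberosauthentication": "no",
            "kerberosorlocalpasswd": "yes", "usepam": "no"}

def parse_sshd_config(text):
    """Lowercased keyword -> value; sshd keeps the FIRST occurrence (no Match)."""
    settings, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+)\s*(?:=|\s)\s*(.*?)\s*$", line)
        if line.startswith("#") or not m or m.group(1).lower() in seen:
            continue
        seen.add(m.group(1).lower())
        settings[m.group(1).lower()] = m.group(2).lower()
    return settings

def password_auth_mode(settings):
    """Who validates an ssh password under these settings."""
    if settings["passwordauthentication"] != "yes":
        return "password-auth-disabled"
    if settings["usepam"] == "yes":
        return "pam"                # the PAM stack (e.g. pam_krb5) decides
    if settings["kerberosauthentication"] != "yes":
        return "local-only"         # sshd checks the local password only
    if settings["kerberosorlocalpasswd"] == "yes":
        return "kerberos-or-local"  # KDC first, local password as fallback
    return "kerberos-only"

def keytab_has_host_principal(klist_output, fqdn, realm):
    """True if `klist -k` output lists host/<fqdn>@<REALM>; ssh/... does not count."""
    principals = re.findall(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M)
    return f"host/{fqdn}@{realm}" in principals

# Constructed sample inputs (not from the thread): Douglas's sshd_config lines
# plus a duplicate UsePAM, and a klist -k listing with both spellings.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
UsePAM no
UsePAM yes
"""
SAMPLE_KLIST = """\
KVNO Principal
   2 host/hpux1.example.edu@EXAMPLE.EDU
   2 ssh/hpux1.example.edu@EXAMPLE.EDU
"""
```

With the sample config the mode comes out as "kerberos-only" because the first UsePAM line wins, and only the host/ entry satisfies the keytab check.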

