Pam kerberos vs. Kinit

Luis Daniel Lucio Quiroz dlucio at okay.com.mx
Fri Mar 18 19:43:23 EST 2005


Yes,

but you need 2 realms

host/fqdn at REALM  for the server 
and
ssh/fqdn at REALM for the service, I ask you if it is ssh or sshd or what

LD

On Friday 18 March 2005 17:02, Douglas E. Engert wrote:
> Luis Daniel Lucio Quiroz wrote:
> > btw, what realm does openssh look for
> >
> > ssh/fqdn at REALM
>
> No
>   host/fqdn at REALM
>
> > ??
> >
> > On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
> >>Ethan Bearman wrote:
> >>>You're right - it was right on the cutover - if I add enough groups to
> >>>the account, I cannot login via ssh with it, nor can I use kinit.
> >>>
> >>>I have had success - finally - getting krb5-1.4 to compile.
> >>
> >>But does it run? Can you use the 1.4.0 kinit? I had some problems
> >>with this in 11.0
> >>
> >>>How do I
> >>>get source code to compile a pam kerberos library based on kerberos
> >>>1.3.5 or later?
> >>
> >>If you only need the pam_krb5 for use with OpenSSH you may not need
> >>the PAM at all. OpenSSH can accept Kerberos user and passwords or
> >>can call PAM to do the same. So if you compile OpenSSH with
> >>  --with-kerberos5=<path>  and set in the sshd_config file:
> >>
> >>PasswordAuthentication yes
> >>KerberosAuthentication yes
> >>KerberosOrLocalPasswd yes   (yes to accept both, no to accept only Kerberos passwords)
> >>UsePAM no
> >>
> >>If you still need PAM we are using an old modified version from F.
> >> Cusack. I had started looking at using the pam_krb5-1.3-rc7.tar.gz from
> >> RedHat. (Drop me a private note if you need more on this.)
> >>
> >>One problem with HP PAM is it does not support pam_env.
> >>
> >>>Thanks.
> >>>
> >>>At 12:51 PM 3/17/2005, you wrote:
> >>>>Ethan Bearman wrote:
> >>>>>At 07:14 AM 3/17/2005, you wrote:
> >>>>>>Ethan Bearman wrote:
> >>>>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
> >>>>>>>running on 9000 series system) to our Windows 2003 AD domain.  It
> >>>>>>>works for certain admin accounts that have few group memberships,
> >>>>>>>but not for regular users.
> >>>>>>>I understand this to be due to the large PAC headers Windows is
> >>>>>>>using for authorization data, which causes Windows to use TCP
> >>>>>>>rather than UDP.  Apparently versions of MIT kerberos earlier than
> >>>>>>>1.3.1 do not support TCP.
> >>>>>
> >>>>>I've just run another test and discovered that I can successfully log
> >>>>>into the host initially (via PAM kerberos library and SSH), and I
> >>>>>don't get error 52.  I've got a ticket in my cache and everything.
> >>>>>Kerb error 52 only occurs if I'm using kinit from the shell.
> >>>>
> >>>>You could be right on the cut over point, and maybe addressless vs
> >>>>with address tickets keep the ticket just small enough.
> >>>>
> >>>>A way to see what is going on would be to do a network trace of the
> >>>>traffic to the host. Ethereal works well with Kerberos, and is claimed
> >>>>to be available for HP, but I have not tried it on HP.
> >>>>http://www.ethereal.com/download.html
> >>>>
> >>>>>How could this be?  I believe the PAM kerberos library that HP
> >>>>>supplies is based on Krb1.1, which I thought would not be able to
> >>>>>communicate via TCP to our W2k3 KDC's.  Does anyone know why this is
> >>>>>working through PAM, and not at the shell?
> >>>>>Our users are not going to need to do kinit at the shell, but I just
> >>>>>wonder if ignorance is bliss, or if I'm going to encounter problems
> >>>>>anyway with this configuration.
> >>>>>Thanks.
> >>>>>Ethan Bearman
> >>>>>Systems Analyst
> >>>>>USCard Operations
> >>>>>University of Southern California
> >>>>>213.821.2287
> >>>>>213.740.7253 Fax
> >>>>>________________________________________________
> >>>>>Kerberos mailing list           Kerberos at mit.edu
> >>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
> >>>>
> >>>>--
> >>>>
> >>>> Douglas E. Engert  <DEEngert at anl.gov>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois  60439
> >>>> (630) 252-5444
> >>>
> >
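The "kerberos error 52" discussed in the quoted messages is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120): the KDC reply does not fit in a UDP datagram, so the client has to retry over TCP, which a pre-1.3.1 MIT client could not do. The following is an added example, not code from anyone in this thread: a minimal DER walker that pulls the error-code out of a KRB-ERROR and decides whether a TCP retry is required, plus the 4-byte length framing TCP transport uses; the KRB-ERROR it parses is a constructed sample carrying only pvno, msg-type and error-code.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 section 7.5.9


def _tlv(data, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def krb_error_code(msg):
    """Return error-code from a DER KRB-ERROR, or None if msg is not one."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x7E:                         # [APPLICATION 30] KRB-ERROR
        return None
    tag, seq, _ = _tlv(body, 0)
    if tag != 0x30:                         # SEQUENCE of tagged fields
        return None
    pos = 0
    while pos < len(seq):
        tag, field, pos = _tlv(seq, pos)
        if tag == 0xA6:                     # [6] error-code INTEGER
            _, val, _ = _tlv(field, 0)
            return int.from_bytes(val, "big", signed=True)
    return None


def needs_tcp_retry(udp_reply):
    """True when the UDP reply tells the client to resend the request over TCP."""
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG


def frame_for_tcp(msg):
    """TCP transport (RFC 4120 section 7.2.2): 4-byte big-endian length, high bit reserved."""
    assert len(msg) < 0x80000000
    return struct.pack(">I", len(msg)) + msg


def _der(tag, value):
    assert len(value) < 128                 # short-form length is enough here
    return bytes([tag, len(value)]) + value


def make_krb_error(code):
    """Constructed sample KRB-ERROR with only pvno, msg-type and error-code set."""
    fields = (_der(0xA0, _der(0x02, b"\x05"))            # [0] pvno 5
              + _der(0xA1, _der(0x02, b"\x1e"))          # [1] msg-type 30
              + _der(0xA6, _der(0x02, bytes([code]))))   # [6] error-code
    return _der(0x7E, _der(0x30, fields))
```

A real client would send the AS-REQ over UDP, run needs_tcp_retry on the reply, and on True resend frame_for_tcp(as_req) to port 88 over TCP; a capture showing the 52 reply with no TCP follow-up is the signature of a client that cannot do this.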
