Pam kerberos vs. Kinit

Douglas E. Engert deengert at anl.gov
Mon Mar 21 11:05:41 EST 2005



Luis Daniel Lucio Quiroz wrote:

> Yes,
> 
> but you need 2 realms

You mean two principals?

> 
> host/fqdn at REALM  for the server 
> and
> ssh/fqdn at REALM for the service, I ask you if it is ssh or sshd or what
>

No, SSH uses host/fqdn at REALM. The host principal represents
the services which allow a user to log in to a host. ssh, rlogin,
telnet all use the same service principal as they all do
essentially the same thing: "login" a user to a host.


> LD
> 
> On Friday 18 March 2005 17:02, Douglas E. Engert wrote:
> 
>>Luis Daniel Lucio Quiroz wrote:
>>
>>>btw, what realm does openssh look for
>>>
>>>ssh/fqdn at REALM
>>
>>No
>>  host/fqdn at REALM
>>
>>
>>>??
>>>
>>>On Friday 18 March 2005 14:25, Douglas E. Engert wrote:
>>>
>>>>Ethan Bearman wrote:
>>>>
>>>>>You're right - it was right on the cutover - if I add enough groups to
>>>>>the account, I cannot login via ssh with it, nor can I use kinit.
>>>>>
>>>>>I have had success - finally - getting krb5-1.4 to compile.
>>>>
>>>>But does it run? Can you use the 1.4.0 kinit? I had some problems
>>>>with this in 11.0
>>>>
>>>>
>>>>>How do I
>>>>>get source code to compile a pam kerberos library based on kerberos
>>>>>1.3.5 or later?
>>>>
>>>>If you only need the pam_krb5 for use with OpenSSH you may not need
>>>>the PAM at all. OpenSSH can accept Kerberos user and passwords or
>>>>can call PAM to do the same. So if you compile OpenSSH with
>>>> --with-kerberos5=<path>  and set in the sshd_config file:
>>>>
>>>>PasswordAuthentication yes
>>>>KerberosAuthentication yes
>>>>KerberosOrLocalPasswd yes   (yes to accept both, no to accept only Kerberos passwords)
>>>>UsePAM no
>>>>
>>>>If you still need PAM we are using an old modified version from F.
>>>>Cusack. I had started looking at using the pam_krb5-1.3-rc7.tar.gz from
>>>>RedHat. (Drop me a private note if you need more on this.)
>>>>
>>>>One problem with HP PAM is it does not support pam_env.
>>>>
>>>>
>>>>>Thanks.
>>>>>
>>>>>At 12:51 PM 3/17/2005, you wrote:
>>>>>
>>>>>>Ethan Bearman wrote:
>>>>>>
>>>>>>>At 07:14 AM 3/17/2005, you wrote:
>>>>>>>
>>>>>>>>Ethan Bearman wrote:
>>>>>>>>
>>>>>>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
>>>>>>>>>running on 9000 series system) to our Windows 2003 AD domain.  It
>>>>>>>>>works for certain admin accounts that have few group memberships,
>>>>>>>>>but not for regular users.
>>>>>>>>>I understand this to be due to the large PAC headers Windows is
>>>>>>>>>using for authorization data, which causes Windows to use TCP
>>>>>>>>>rather than UDP.  Apparently versions of MIT kerberos earlier than
>>>>>>>>>1.3.1 do not support TCP.
>>>>>>>
>>>>>>>I've just run another test and discovered that I can successfully log
>>>>>>>into the host initially (via PAM kerberos library and SSH), and I
>>>>>>>don't get error 52.  I've got a ticket in my cache and everything.
>>>>>>>Kerb error 52 only occurs if I'm using kinit from the shell.
>>>>>>
>>>>>>You could be right on the cut over point, and maybe addressless vs
>>>>>>with-address tickets keep the ticket just small enough.
>>>>>>
>>>>>>A way to see what is going on would be to do a network trace of the
>>>>>>traffic to the host. Ethereal works well with Kerberos, and is claimed
>>>>>>to be available for HP, but I have not tried it on HP.
>>>>>>http://www.ethereal.com/download.html
>>>>>>
>>>>>>
>>>>>>>How could this be?  I believe the PAM kerberos library that HP
>>>>>>>supplies is based on Krb1.1, which I thought would not be able to
>>>>>>>communicate via TCP to our W2k3 KDC's.  Does anyone know why this is
>>>>>>>working through PAM, and not at the shell?
>>>>>>>Our users are not going to need to do kinit at the shell, but I just
>>>>>>>wonder if ignorance is bliss, or if I'm going to encounter problems
>>>>>>>anyway with this configuration.
>>>>>>>Thanks.
>>>>>>>Ethan Bearman
>>>>>>>Systems Analyst
>>>>>>>USCard Operations
>>>>>>>University of Southern California
>>>>>>>213.821.2287
>>>>>>>213.740.7253 Fax
>>>>>>>________________________________________________
>>>>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>
>>>>>>--
>>>>>>
>>>>>>Douglas E. Engert  <DEEngert at anl.gov>
>>>>>>Argonne National Laboratory
>>>>>>9700 South Cass Avenue
>>>>>>Argonne, Illinois  60439
>>>>>>(630) 252-5444
>>>>>
>>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
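The "error 52" behaviour discussed in the quoted thread is KRB-ERROR code 52 (KRB_ERR_RESPONSE_TOO_BIG): the KDC refuses to send an AS-REP that is too large for a UDP datagram, and a client that can speak Kerberos over TCP (MIT krb5 1.3.1 and later) retries over TCP with the 4-byte length framing of RFC 4120 section 7.2.2. The following is an added, simplified model of that exchange, not code from any post; the FakeKdc, its byte formats, the 1500-byte UDP limit and the per-group PAC growth are constructed for illustration, not real KDC wire encoding.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # KRB-ERROR code behind "kerberos error 52"
MAX_UDP_REPLY = 1500            # constructed cutoff standing in for the KDC's UDP limit


def tcp_frame(msg: bytes) -> bytes:
    """RFC 4120 7.2.2: Kerberos over TCP prefixes each message with a
    4-byte big-endian length whose high bit must be clear."""
    assert len(msg) < 0x80000000
    return struct.pack(">I", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    (length,) = struct.unpack(">I", stream[:4])
    body = stream[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated TCP Kerberos message")
    return body


class FakeKdc:
    """Constructed stand-in for an AD KDC: the AS-REP grows with the user's
    group count because every group SID lands in the PAC inside the ticket."""

    def __init__(self, groups_per_user: dict):
        self.groups = groups_per_user

    def _as_rep(self, user: str) -> bytes:
        pac = b"SID" * 16 * self.groups[user]      # ~48 bytes per group (constructed)
        return b"AS-REP:" + user.encode() + b":" + pac

    def udp(self, as_req: bytes) -> bytes:
        rep = self._as_rep(as_req.decode())
        if len(rep) > MAX_UDP_REPLY:
            # Reply would not fit a datagram: tell the client to retry over TCP
            return b"KRB-ERROR:" + str(KRB_ERR_RESPONSE_TOO_BIG).encode()
        return rep

    def tcp(self, stream: bytes) -> bytes:
        return tcp_frame(self._as_rep(tcp_unframe(stream).decode()))


def kinit_exchange(kdc: FakeKdc, user: str, client_supports_tcp: bool) -> bytes:
    """Model of an MIT krb5 client's AS exchange: UDP first; on error 52 fall
    back to TCP only if the client is new enough (MIT >= 1.3.1) to do so."""
    rep = kdc.udp(user.encode())
    if not rep.startswith(b"KRB-ERROR:"):
        return rep
    code = int(rep.split(b":")[1])
    if code != KRB_ERR_RESPONSE_TOO_BIG or not client_supports_tcp:
        raise RuntimeError(f"kinit failed: KRB-ERROR {code}")
    return tcp_unframe(kdc.tcp(tcp_frame(user.encode())))
```

A user with few groups succeeds over UDP even on a TCP-less client, while a user with many groups only succeeds when the client can fall back to TCP, which matches the admin-versus-regular-user split reported in the thread.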

