Kerberos Confusion / Design Questions
Rodrick Brown
rodrick.brown at gmail.com
Tue Jan 10 23:25:44 EST 2006
I'm planning on deploying Sun-Kerberos with LDAP. I have a few design
questions.
It seems SSO between all hosts will only work if every server is added to
each server's keytab? Right now my KDC can log into every server via
gssapi-keyex SSO, and other servers can log back into my KDC, but from server
to server this isn't possible until their keytab is updated. Is this by
design?
We are running a mixture of Solaris, BSD, and Linux hosts. One thing that is
puzzling me is how to handle Kerberos access. We don't really plan to sync
with AD, so administrators and developers will log into servers using
(putty/securecrt) as they do normally; all authentication will basically be
provided through LDAP at this point. Once they are on a server they can
manually issue a kinit, or I'm guessing have PAM configured to grant them a
ticket upon login? And from then on be free to access whatever servers
they have authorization to through (ldap/netgroups) w/o being prompted for a
password until their ticket has expired.
One thing I'm worried about though is: will anyone really care if their
ticket expired if they can still access systems via LDAP authentication?
Would it make sense to only grant access to servers from users who have a
valid ticket? That would force every user to use Kerberos-based
authentication, but if I don't sync my NT desktop accounts how will users be
able to get their tickets initially? (so confused here)
As you can tell I'm not really sure how to fit LDAP and Kerberos in together.
I know I still have a lot to learn and read up on, but if anyone can just
help me go down the right path it will save many long hours.
If anyone is doing this can you please provide some insight? Thanks.
--
Rodrick R. Brown
Forex Capital Markets - http://www.fxcm.com
http://www.rodrickbrown.com
rodrick.brown[<@>]gmail.com
When in 1986 Apple bought a Cray X-MP and announced that they would use it
to design the next Apple Macintosh, Seymour Cray replied, "This is very
interesting because I am using an Apple Macintosh to design the Cray-2
supercomputer."
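As an added illustration (not part of the original post, and not Sun's or any vendor's reference configuration), the "PAM grants a ticket at login" idea and the worry about LDAP fallback in the post above can be written out as two Linux-PAM `auth` stacks side by side: one where LDAP remains a fallback, so an expired or missing ticket never blocks a login, and one where pam_krb5 is required, so a login succeeds only when a TGT is actually obtained. The file path, module names and options are assumptions based on Linux-PAM with pam_krb5 and pam_ldap; Solaris and BSD ship differently named modules.

```text
# Hypothetical /etc/pam.d/system-auth excerpts (added example, not from the post).
# Assumes Linux-PAM with pam_krb5 and pam_ldap installed; other OSes differ.

# Stack A: LDAP fallback. pam_krb5 is "sufficient", so a successful Kerberos
# login creates a ticket cache, but a Kerberos failure falls through to LDAP.
# A user with an expired or absent ticket still logs in via LDAP, which is
# exactly why the ticket's expiry would not be enforced by the login itself.
auth    sufficient  pam_krb5.so  try_first_pass
auth    sufficient  pam_ldap.so  use_first_pass
auth    required    pam_deny.so
session optional    pam_krb5.so

# Stack B: Kerberos required. pam_krb5 is "required", so the login succeeds
# only if the KDC issues a TGT at login time; that same TGT is what gives the
# user SSO to other hosts afterwards. Authorization (which users may log into
# which host) can still be decided from LDAP/netgroups in the account phase.
auth    required    pam_krb5.so  try_first_pass
account required    pam_ldap.so
session optional    pam_krb5.so
```

The design difference is where the decision lives: in stack A the LDAP password alone is enough to get a shell, so an expired ticket only affects onward SSO; in stack B no ticket means no shell, which is the stricter behaviour the post asks about, at the cost that every account must exist in the Kerberos realm before its owner can log in anywhere.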