Pam, Host Keys

Ido Levy IDOL at il.ibm.com
Fri Jul 27 13:42:26 EDT 2007


I had this problem two weeks ago and I would be happy to help.

I work with kerberized LDAP, so our environments are not similar, but I hope
the principles for single sign-on are the same.

Make sure you have configured the following:

1) You have created a principal for the user who logs in to the machine
2) You have created a principal for each host on which you want to perform single
sign-on - host/hostname.domain@REALM
3) For SSH, validate the following:

      3.1) /etc/hosts - comment out the line that refers to the localhost
(this was my major problem with SSH single sign-on)
      3.2) Set the following options for the ssh client in the file
/etc/ssh/ssh_config

               GSSAPIAuthentication yes
               GSSAPIDelegateCredentials yes

      3.3) Set the following options for the ssh server in the file
/etc/ssh/sshd_config

            GSSAPIAuthentication yes
            GSSAPICleanupCredentials no

4) SSH PAM configuration

      /etc/pam.d/sshd

      auth       required     pam_stack.so service=system-auth
      auth       required     pam_nologin.so
      account    required     pam_stack.so service=system-auth
      password   required     pam_stack.so service=system-auth
      session    required     pam_stack.so service=system-auth
      session    required     pam_loginuid.so

      /etc/pam.d/system-auth

      auth       required     pam_env.so
      auth       sufficient   pam_unix.so likeauth nullok
      auth       sufficient   /lib/security/pam_krb5.so use_first_pass
      auth       required     pam_deny.so

      account    sufficient   pam_unix.so
      account    sufficient   /lib/security/pam_krb5.so
      account    sufficient   pam_ldap.so

      password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
      password   sufficient   pam_unix.so nullok md5 shadow use_authtok
      password   sufficient   /lib/security/pam_krb5.so use_authtok
      password   sufficient   pam_ldap.so use_first_pass
      password   required     pam_deny.so

      session    required     pam_limits.so
      session    required     pam_unix.so
      session    optional     /lib/security/pam_krb5.so
      session    optional     pam_ldap.so


I hope this helps; please let me know if you still have problems.

Ido Levy
IBM Haifa Labs, Israel
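The checklist above (GSSAPI options in ssh_config and sshd_config, a host/ principal for the machine, and the /etc/hosts pitfall) can be turned into a small script that verifies a box before you start debugging. The following is an added example, not code from the reply or from the list; it reads the files it is given as arguments rather than the live /etc files, so it can be run against copies, and the host name kdc1.example.test, the realm EXAMPLE.TEST and all sample file contents in the demo are constructed. The /etc/hosts check encodes an assumption about what the reply's "localhost line" problem is: the machine's own FQDN sitting on the 127.0.0.1 line.

```shell
#!/bin/sh
# Added example, not code from the original post: checks the SSH single-sign-on
# prerequisites listed in the reply above. It reads the files passed as
# arguments, not the live /etc files. Host name kdc1.example.test, realm
# EXAMPLE.TEST and every file written by demo() are constructed samples.

# check_ssh_option FILE OPTION VALUE
# Succeeds if the first uncommented OPTION line in FILE carries VALUE.
# OpenSSH uses the first matching line and matches option names
# case-insensitively, so the check does the same. Host/Match blocks are
# not evaluated; point it at the section you expect to apply.
check_ssh_option() {
    got=$(awk -v o="$2" 'tolower($1) == tolower(o) { print $2; exit }' "$1")
    [ "$got" = "$3" ]
}

# keytab_has_host_principal LISTING FQDN REALM
# LISTING is saved output of `klist -k`; succeeds if host/FQDN@REALM is in it.
keytab_has_host_principal() {
    grep -qF "host/$2@$3" "$1"
}

# fqdn_on_loopback HOSTS FQDN
# Succeeds, i.e. reports the problem, if a line in HOSTS maps the machine's
# own FQDN to 127.0.0.1. Assumption: this is the /etc/hosts situation the
# reply refers to; with the FQDN on the loopback line, name canonicalisation
# no longer yields the host/FQDN@REALM principal the client needs.
fqdn_on_loopback() {
    awk -v h="$2" '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                   END { exit (found ? 0 : 1) }' "$1"
}

# not CMD ARGS...   inverts a check so it can be handed to report()
not() { ! "$@"; }

# run_checks SSH_CONFIG SSHD_CONFIG KEYTAB_LISTING HOSTS FQDN REALM
# Prints one line per check and returns the number of failed checks.
run_checks() {
    fails=0
    report() {  # report LABEL CMD ARGS...
        label=$1; shift
        if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
    }
    report "ssh_config: GSSAPIAuthentication yes"      check_ssh_option "$1" GSSAPIAuthentication yes
    report "ssh_config: GSSAPIDelegateCredentials yes" check_ssh_option "$1" GSSAPIDelegateCredentials yes
    report "sshd_config: GSSAPIAuthentication yes"     check_ssh_option "$2" GSSAPIAuthentication yes
    report "sshd_config: GSSAPICleanupCredentials no"  check_ssh_option "$2" GSSAPICleanupCredentials no
    report "keytab: host/$5@$6 present"                keytab_has_host_principal "$3" "$5" "$6"
    report "hosts: $5 not mapped to 127.0.0.1"         not fqdn_on_loopback "$4" "$5"
    return "$fails"
}

# demo: constructed sample files with one deliberate mistake (the FQDN on the
# 127.0.0.1 line) so that exactly one FAIL line appears in the output.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' > "$tmp/ssh_config"
    printf 'GSSAPIAuthentication yes\nGSSAPICleanupCredentials no\n' > "$tmp/sshd_config"
    printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ------\n   2 host/kdc1.example.test@EXAMPLE.TEST\n' > "$tmp/klist.out"
    printf '127.0.0.1 kdc1.example.test localhost.localdomain localhost\n' > "$tmp/hosts"
    run_checks "$tmp/ssh_config" "$tmp/sshd_config" "$tmp/klist.out" "$tmp/hosts" kdc1.example.test EXAMPLE.TEST
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run the demo only when invoked with --demo (e.g. `sh check-sso.sh --demo`, the
# file name being whatever you save this as), so the functions can also be
# sourced from another script and pointed at real copies of the files.
[ "${1:-}" = "--demo" ] && demo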



Roman S <kleinerroemer at hotmail.com>
Sent by: kerberos-bounces@mit.edu
To: <kerberos at mit.edu>
Subject: Pam, Host Keys
27/07/2007 11:06

Hey Guys!

I've got the quest of kerberising a network and got into some problems.

I've set up a test network with 2 machines running Red Hat Enterprise Linux
WS release 4 (Nahant Update 4). The goal is to set up a working KDC and
Admin Server and Kerberised SSH, with single sign-on. I've managed to set up
the KDC and Admin Server, and SSH is also working over Kerberos, so the only
problem right now is single sign-on. It may be good to mention that user
accounts are centralized over NIS (should be kerberised LDAP in future).

Those are the problems I have right now:

If I rlogin on one of the two machines (from a third host), rlogin lets me
in with either the NIS pwd (second pwd prompt, because the first one fails)
or the Kerberos pwd. In both cases, I don't get a TGT.

I've run system-config-authentication and activated Kerberos Authentication,
which has absolutely NO effect on the login process, no matter where and how
I log in.

If I add "auth sufficient pam_krb5.so" in the /etc/pam.d/gdm file, I get a
TGT after the login in Gnome. But this also works if I disable Kerberos
Authentication in system-config-authentication. This was the only approach
I made for single sign-on. This whole pam thing seems quite messy to me.

The other thing is that I don't quite get why I have to administrate my
known-hosts files for ssh. Each host has its own principal, so why does SSH
prompt the user in case of changed/unknown host keys?

I hope someone can help me out with these things, because they're starting
to drive me crazy!

Best regards
kleinerroemer
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos