Pam, Host Keys
Ido Levy
IDOL at il.ibm.com
Fri Jul 27 13:42:26 EDT 2007
I had this problem two weeks ago and I would be happy to help.
I work with kerberized LDAP, so our environments are not similar, but I hope
the principles for single sign-on are the same.
Make sure you have configured the following:
1) You have created a principal for the user who logs in to the machine
2) You have created a principal for the hosts you want to perform single
sign-on - host/hostname.domain at REALM
3) For SSH validate the following
3.1) /etc/hosts - Comment the line that refers to the localhost
(this was my major problem with SSH single sign-on)
3.2) Set the following option for ssh client in the file
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
3.3) Set the following option for ssh server in the file
/etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
4) SSH PAM configuration
/etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
/etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient /lib/security/pam_krb5.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional /lib/security/pam_krb5.so
session optional pam_ldap.so
Hope it helps; please let me know if you still have problems.
Ido Levy
IBM Haifa Labs, Israel
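As an added illustration, not code from Ido's or Roman's messages and not part of Linux-PAM itself: a small simulator of the PAM control-flag semantics (required / requisite / sufficient / optional), run over the "auth" lines of the system-auth stack quoted above. The stack text is copied from the post; the outcome maps are constructed inputs standing in for "password accepted" or "password rejected" by each module. It goes a little beyond the post by also listing which earlier "sufficient" modules can end the stack before pam_krb5 ever runs, which is the situation in which a user is let in but never obtains a ticket.

```python
# Added example (not from the mailing-list post): simulate Linux-PAM
# control-flag evaluation for the 'auth' phase of the quoted stack.
from dataclasses import dataclass

# Copied from the post's /etc/pam.d/system-auth (auth lines only).
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required pam_deny.so
"""


@dataclass
class Entry:
    phase: str      # auth / account / password / session
    control: str    # required / requisite / sufficient / optional
    module: str     # basename of the module, e.g. pam_krb5.so
    args: tuple


def parse_pam(text):
    """Parse the simple (non-bracketed) PAM stack syntax into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        phase, control, module, *args = parts
        entries.append(Entry(phase, control.lower(),
                             module.rsplit("/", 1)[-1], tuple(args)))
    return entries


def evaluate(entries, phase, outcomes):
    """Walk one phase of the stack and return (result, modules_executed).

    `outcomes` maps a module name to True (success) or False (failure);
    modules not listed are assumed to succeed, except pam_deny.so which
    always fails. Control flags follow the Linux-PAM simple keywords:
      required   - failure is remembered, the stack keeps running
      requisite  - failure ends the stack immediately with failure
      sufficient - success ends the stack with success unless an earlier
                   'required' module already failed; failure is ignored
      optional   - result ignored here
    """
    failed = False
    executed = []
    for e in entries:
        if e.phase != phase:
            continue
        executed.append(e.module)
        ok = False if e.module == "pam_deny.so" else outcomes.get(e.module, True)
        if e.control == "required":
            failed = failed or not ok
        elif e.control == "requisite":
            if not ok:
                return False, executed
        elif e.control == "sufficient":
            if ok and not failed:
                return True, executed
        elif e.control != "optional":
            raise ValueError(f"unsupported control flag: {e.control}")
    return not failed, executed


def shadowed_by(entries, phase, target):
    """Names of 'sufficient' modules that run before `target` in `phase`.

    If any of them succeeds, `target` never executes; for pam_krb5 that
    means a successful login without a Kerberos ticket being obtained.
    """
    earlier = []
    for e in entries:
        if e.phase != phase:
            continue
        if e.module == target:
            return earlier
        if e.control == "sufficient":
            earlier.append(e.module)
    return earlier


if __name__ == "__main__":
    stack = parse_pam(SYSTEM_AUTH)
    # Password accepted by pam_unix (local files or NIS via NSS): the stack
    # ends there and pam_krb5 never runs.
    print(evaluate(stack, "auth", {"pam_unix.so": True, "pam_krb5.so": True}))
    # pam_unix rejects, Kerberos accepts: pam_krb5 runs and ends the stack.
    print(evaluate(stack, "auth", {"pam_unix.so": False, "pam_krb5.so": True}))
    print("pam_krb5.so is shadowed by:", shadowed_by(stack, "auth", "pam_krb5.so"))
```

The simulator only handles the four simple control keywords; the bracketed `[success=… default=…]` syntax is not parsed, and `optional` results are ignored rather than applied in the "only module in the stack" corner case.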
From: Roman S <kleinerroemer at hotmail.com>
Sent by: kerberos-bounces at mit.edu
To: kerberos at mit.edu
Subject: Pam, Host Keys
Date: 27/07/2007 11:06
Hey Guys! I've got the quest of kerberising a network and got into some
problems. I've set up a test network with 2 machines running Red Hat
Enterprise Linux WS release 4 (Nahant Update 4). The goal is to set up a
working KDC and Admin Server and Kerberised SSH, with single sign-on. I've
accomplished setting up the KDC and Admin Server, and SSH is also working over
Kerberos, so the only problem right now is single sign-on. It may be good to
mention that user accounts are centralized over NIS (should be kerberised
LDAP in future).

Those are the problems I have right now:

If I rlogin on one of the two machines (from a third host), rlogin lets me in
with either the NIS pwd (second pwd prompt, because the first one fails) or
the Kerberos pwd. In both cases, I don't get a TGT. I've run
system-config-authentication and activated Kerberos Authentication, which has
absolutely NO effect on the login process, no matter where and how I login.
If I add "auth sufficient pam_krb5.so" in the /etc/pam.d/gdm file, I get a
TGT after the login in Gnome. But this also works if I disable Kerberos
Authentication in system-config-authentication. This was the only approach I
made for single sign-on. This whole pam thing seems quite messy to me.

The other thing is that I don't quite get why I have to administrate my
known-hosts files for ssh. Each host has its own principal, so why does SSH
prompt the user in case of changed/unknown HostKeys?

I hope someone can help me out with these things, because they're starting to
drive me crazy!

Best regards
kleinerroemer
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos