On Thursday, 7 August 2008 02:01:30, Norberto Bensa wrote:
> I'm doing my first steps into Kerberos V and I got it working but not
> the way I dreamed.
>
> My network:
>
> zeddmore (kdc)
> venkman (client)
> melnitz (client)
>
> Logging into zeddmore, ssh to venkman (or melnitz) doesn't show
> tickets either _unless_ I copy /etc/krb5.keytab from zeddmore to
> venkman (and/or melnitz)
>
> After copying the mentioned file, I get delegation in every box and it
> works.
>
> Is that the way it should be or am I missing something?
Not quite. From the Kerberos V documentation:

"A keytab is a host's copy of its own keylist, which is analogous to a user's password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a network in the clear. Ideally, you should run the kadmin command to extract a keytab on the host on which the keytab is to reside."

That means: on each of your machines, log in to kadmin, create a host principal (addprinc -randkey host/yourhost.yourdomain) and extract its key to a keytab.

HTH...
Dirk
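The per-host procedure Dirk describes, as an added shell example that is not part of the thread: it is meant to be run on the host that will own the keytab, so the key never crosses the network, and it adds a permission check for the root-only keytab the quoted documentation asks for. The hostnames, the realm EXAMPLE.COM and the admin principal are placeholders.

```shell
#!/bin/sh
# Per-host keytab provisioning (constructed example). Run this ON the host
# that will own the keytab; nothing is copied from the KDC or another host.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# host_principal FQDN REALM -> host/FQDN@REALM
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# kadmin_batch PRINCIPAL KEYTAB -> the two kadmin commands for this host:
# a random key (no password ever exists) extracted straight into the local keytab.
kadmin_batch() {
    printf 'addprinc -randkey %s\nktadd -k %s %s\n' "$1" "$2" "$1"
}

# provision FQDN REALM ADMIN_PRINC: runs the batch through kadmin when it is
# installed, otherwise only shows it (dry run), e.g.
#   provision venkman.example.com EXAMPLE.COM admin/admin@EXAMPLE.COM
provision() {
    princ=$(host_principal "$1" "$2")
    if command -v kadmin >/dev/null 2>&1; then
        kadmin_batch "$princ" "$KEYTAB" | while IFS= read -r cmd; do
            kadmin -p "$3" -q "$cmd"
        done
    else
        echo "dry run (kadmin not found); would run as $3:"
        kadmin_batch "$princ" "$KEYTAB"
    fi
}

# keytab_ok FILE: succeeds only if FILE exists, is owned by root and is not
# group- or world-readable (mode 600 or 400). GNU stat first, BSD stat fallback.
keytab_ok() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1") || return 1
    mode=${perms% *}
    owner=${perms#* }
    [ "$owner" = root ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

After provisioning, `klist -k /etc/krb5.keytab` on that host should list its own host principal and nothing belonging to another machine.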