Continuing on my battle to get 50 hosts under central administration, I've now gotten heimdal working. Wow, I can klist, kinit and kdestroy. Interesting, but logging into other machines is *more* interesting :-)
I've configured SSH with the following attributes enabled (those different from default):

    PasswordAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication yes
    KerberosAuthentication yes
    KerberosOrLocalPasswd no
    KerberosTicketCleanup yes
    KerberosGetAFSToken no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

In my ~/.ssh/config file, I have:

    Host *
        GSSAPIDelegateCredentials yes

Next, I have the following configured in Kerberos:

    kadmin> list *
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]
    kadmin/[EMAIL PROTECTED]
    kadmin/[EMAIL PROTECTED]
    plonk/[EMAIL PROTECTED]
    kadmin/[EMAIL PROTECTED]
    changepw/[EMAIL PROTECTED]
    krbtgt/[EMAIL PROTECTED]

Then I added a host in the database:

    kadmin> add --random-key host/somehost.example.net
    Max ticket life [1 day]:
    Max renewable life [1 week]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:
    kadmin> quit

And my /etc/login.conf file has the following:

    staff:\
        :ignorenologin:\
        :requirehome@:\
        :auth=krb5:

("plonk" is a local user who is part of the "staff" login class.)

When I try to log in via SSH, I get the following sequence of events:

    somehost.example.net$ ssh -v kdc.example.net
    [snip]
    debug1: Authentications that can continue: publickey,gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Authentications that can continue: publickey,gssapi-with-mic
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/staff/eric/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,gssapi-with-mic
    debug1: Trying private key: /home/staff/eric/.ssh/identity
    debug1: Trying private key: /home/staff/eric/.ssh/id_dsa
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-with-mic).

I've also tried this with "UseLogin yes" enabled in sshd, with no luck.
Here's my /etc/kerberosV/krb5.conf:

    [libdefaults]
        default_realm = SG.DEPAUL.EDU
        clockskew = 300
        ticket_lifetime = 1560

    [appdefaults]
        default_lifetime = 7d
        encrypt = true
        forward = true
        forwardable = true
        renewable = true
        login = {
            forwardable = true
            krb5_get_tickets = true
        }
        kinit = {
            forwardable = true
        }

    [realms]
        SG.DEPAUL.EDU = {
            kdc = kdc.depaul.edu
            #kdc = kdc1.sg.depaul.edu
            #kdc = kdc2.sg.depaul.edu
            #kdc = kdc3.sg.depaul.edu
            admin_server = palladium.sg.depaul.edu
            kpasswd_server = palladium.sg.depaul.edu
        }

    [domain_realm]
        .sg.depaul.edu = SG.DEPAUL.EDU
        sg.depaul.edu = SG.DEPAUL.EDU

    [kadmin]
        default_keys = v5

In addition to the above, is there a way to enable sudo(8) or su(8) to use Kerberos? I think, in a former life, I recall this being possible... though it's been quite a while. I'm really just looking to get rid of accounts, if possible, or at least change account management to be done through only one mechanism.

Both machines above are 3.7-RELEASE running GENERIC.

Thanks.

- Eric
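A preflight script for the setup described in the post above, added here as an example and not part of Eric's message or of Heimdal/OpenSSH. It checks the three things that have to line up before "ssh -v" gets past gssapi-with-mic: the ssh server's keytab must hold host/<server fqdn>@REALM (for "ssh kdc.example.net" that is a key for kdc.example.net, written on the KDC with "kadmin -l ext_keytab"), sshd must have GSSAPIAuthentication on, and the clocks must agree within the clockskew value from krb5.conf. The Heimdal tool names (ktutil, kadmin), the BIND-style "host" output format, the OpenBSD keytab path and the realm EXAMPLE.NET are assumptions; the keytab listing and sshd_config fragment inside the script are constructed samples used only for the offline self-check.

```sh
#!/bin/sh
# gssapi-preflight.sh: added example, not from the original post. Checks that a
# Heimdal/OpenSSH host is ready for gssapi-with-mic logins: keytab holds
# host/<server fqdn>@REALM, sshd has GSSAPIAuthentication on, and forward and
# reverse DNS agree on the server name. Tool names, output formats and the
# OpenBSD keytab path are assumptions; the sample data below is constructed.

# host_principal FQDN REALM -> host/fqdn@REALM (the host part is lower-cased)
host_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# keytab_has_principal LISTING PRINCIPAL: LISTING is "ktutil list" output, whose
# data rows are "Vno Type Principal [Aliases]"; succeeds if PRINCIPAL is present.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# sshd_option CONFIG KEYWORD -> first uncommented value (sshd keeps the first
# value it reads for a keyword; Match blocks are not handled here).
sshd_option() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH MAX: Kerberos rejects tickets whose
# timestamps differ by more than clockskew (300 s in the krb5.conf above).
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$3" ]
}

# Constructed sample data for the offline self-check (not captured output).
SAMPLE_KEYTAB_LISTING='FILE:/etc/kerberosV/krb5.keytab

Vno  Type           Principal
  1  des3-cbc-sha1  host/kdc.example.net@EXAMPLE.NET'

SAMPLE_SSHD_CONFIG='#GSSAPIAuthentication no
GSSAPIAuthentication yes
PasswordAuthentication no'

# self_check: returns 0 when the helpers behave as documented.
self_check() {
    p=$(host_principal KDC.example.net EXAMPLE.NET)
    [ "$p" = "host/kdc.example.net@EXAMPLE.NET" ] || return 1
    keytab_has_principal "$SAMPLE_KEYTAB_LISTING" "$p" || return 1
    # a key for the client's own host does not authenticate logins to the KDC
    if keytab_has_principal "$SAMPLE_KEYTAB_LISTING" host/somehost.example.net@EXAMPLE.NET; then
        return 1
    fi
    [ "$(sshd_option "$SAMPLE_SSHD_CONFIG" gssapiauthentication)" = yes ] || return 1
    clock_skew_ok 1000 1200 300 || return 1
    if clock_skew_ok 1000 1400 300; then return 1; fi
    return 0
}

# run_live_checks SERVER_FQDN REALM: the same checks against the running system.
# Run this on the ssh server. If the key is missing, "kadmin -l ext_keytab
# host/<fqdn>" on the KDC writes it into the default keytab.
run_live_checks() {
    princ=$(host_principal "$1" "$2")
    if keytab_has_principal "$(ktutil list)" "$princ"; then
        echo "ok: keytab has $princ"
    else
        echo "FAIL: $princ not in keytab (try: kadmin -l ext_keytab $princ)"
    fi
    if [ "$(sshd_option "$(cat /etc/ssh/sshd_config)" GSSAPIAuthentication)" = yes ]; then
        echo "ok: sshd GSSAPIAuthentication yes"
    else
        echo "FAIL: sshd GSSAPIAuthentication is not yes"
    fi
    # Forward and reverse DNS must agree, or the client may request a ticket
    # for a service name that is not in the keytab.
    addr=$(host "$1" | awk '/has address/ { print $4; exit }')
    rev=$(host "$addr" | awk '/domain name pointer/ { print $5; exit }' | sed 's/\.$//')
    if [ "$(printf '%s' "$rev" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]; then
        echo "ok: reverse DNS of $addr is $rev"
    else
        echo "FAIL: reverse DNS of $addr is '$rev', expected $1"
    fi
}

if [ $# -ge 2 ]; then
    run_live_checks "$1" "$2"
fi
```

Usage on the ssh server is "sh gssapi-preflight.sh kdc.example.net EXAMPLE.NET"; run with no arguments it only defines the helpers, so the offline self_check can be called from a shell that has sourced it. The clock check takes two epoch timestamps because there is no portable way to read the KDC's clock from here; compare "date +%s" on both machines and pass the values in.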