[23982] in Kerberos


Re: Single sign-on with ssh (only unix)

daemon@ATHENA.MIT.EDU (Nathan Ollerenshaw)
Thu Jun 2 21:31:45 2005

Mime-Version: 1.0 (Apple Message framework v730)
In-Reply-To: <62B7F64F-6E63-430F-A824-33352CE6B97B@valuecommerce.co.jp>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <EB9D21B7-6A58-406E-94FB-C0924217598A@valuecommerce.co.jp>
Content-Transfer-Encoding: 7bit
From: Nathan Ollerenshaw <nathan@valuecommerce.co.jp>
Date: Fri, 3 Jun 2005 10:30:38 +0900
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Hi,

Please, can someone help me? Every other kid on the block has
Kerberos working but me. It's embarrassing. Even my mum has Kerberos
working and when I ask her for help, she just laughs at me down the
phone. :(

I have 3 machines that I'm testing with.

dns1.sys.intra: kdc
monster.sys.intra: a client
nuts.sys.intra: a client

I want to be able to kinit on either monster or nuts and then ssh  
without password between the client machines. The OS on the clients  
is FC3 and the server is FC2.

After installation, I had the following principals:

K/M@VALUECOMMERCE.COM
chrome@VALUECOMMERCE.COM
kadmin/admin@VALUECOMMERCE.COM
kadmin/changepw@VALUECOMMERCE.COM
kadmin/history@VALUECOMMERCE.COM
krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM


At this point, pam authentication with kerberos works if I go into
authconfig on the FC3 machines and set the kerberos option to 'on'.
All this does is create a (bad) krb5.conf file and enable the pam
entries I think.

All machines have a 'chrome' account, so when I ssh to monster or  
nuts with my kerberos password, it would work. Using my old password  
also works. Doing a klist on the machine I ssh to shows the tickets:

Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome@VALUECOMMERCE.COM

Valid starting     Expires            Service principal
06/02/05 17:36:09  06/03/05 17:36:09  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
        renew until 06/02/05 17:36:09

But this ticket doesn't let me into the other machine. I assumed this
was due to not having host keys and a bad sshd config, so I then
installed host principals for the machines involved. First dns1:

kadmin.local:  ank -randkey host/dns1.sys.intra
WARNING: no policy specified for host/dns1.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
Principal "host/dns1.sys.intra@VALUECOMMERCE.COM" created.
kadmin.local:  ktadd host/dns1.sys.intra
Entry for principal host/dns1.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/dns1.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.

Then monster:

kadmin.local:  ank -randkey host/monster.sys.intra
WARNING: no policy specified for host/monster.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
Principal "host/monster.sys.intra@VALUECOMMERCE.COM" created.
kadmin.local:  ktadd
kadmin.local:  ktadd -k /root/monster.sys.intra.keytab host/monster.sys.intra
Entry for principal host/monster.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/root/monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/root/monster.sys.intra.keytab.
Entry for principal host/monster.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/monster.sys.intra.keytab.

Then nuts:

kadmin.local:  ank -randkey host/nuts.sys.intra
WARNING: no policy specified for host/nuts.sys.intra@VALUECOMMERCE.COM; defaulting to no policy
Principal "host/nuts.sys.intra@VALUECOMMERCE.COM" created.
kadmin.local:  ktadd -k /root/nuts.sys.intra.keytab
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]
kadmin.local:  ktadd -k /root/nuts.sys.intra.keytab host/nuts.sys.intra
Entry for principal host/nuts.sys.intra with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/root/nuts.sys.intra.keytab.
Entry for principal host/nuts.sys.intra with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/root/nuts.sys.intra.keytab.

I then scp'd the keytab for monster and nuts over to them and moved  
them to /etc/krb5.keytab.

And it didn't work. I messed around, turning off GSSAPI, turning off  
KerberosAuthentication and having GSSAPI ... nothing worked.

Do I need to create service keys? Can anyone tell me what the sshd  
server should be set as?

Messing about with any of this doesn't have any effect at the moment:

ChallengeResponseAuthentication yes
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

I assume that's because it's using PAM and not sshd's kerberos
support.

The Kerberos howtos that I've read go all the way through to setting
up ktelnet etc but not ssh! I haven't been able to find a single piece
of documentation on setting up sshd with kerberos tickets with
forwarding etc. I must be blind.

Can anyone please help? I'll owe you beer. In fact, if you're in/around
San Jose in a week's time, I'll even BUY you REAL BEER, not
this virtual stuff. Honest!

Regards,

Nathan.

-- 
Nathan Ollerenshaw / Systems Engineer
Systems Engineering
ValueCommerce Co., Ltd.

Tokyo Bldg 4F 3-32-7 Hongo Bunkyo-ku Tokyo 113-0033 Japan
Tel. +81.3.3817.8995   Fax. +81.3.3812.4051
mailto:nathan@valuecommerce.co.jp

  "I do not feel obliged to believe that the same God who has
  endowed us with sense, reason, and intellect has intended
  us to forgo their use." - Galileo Galilei

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
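The post above lists the three things a Kerberos ssh login depends on without tying them together: a host/<fqdn> key in the server's keytab, sshd's GSSAPI setting, and a ticket in the user's cache. The script below is an added example, a defender's readiness check for those pieces; it is not code from the original post or from the MIT krb5 or OpenSSH projects. It assumes MIT krb5's `klist -k` and `klist -f` output formats, OpenSSH's rule that the first occurrence of an sshd_config keyword wins, whitespace-separated `Keyword value` lines (no `Match` blocks), and the paths /etc/krb5.keytab and /etc/ssh/sshd_config. The sample data embedded in it is constructed, reusing the host names and realm from the post.

```shell
#!/bin/sh
# Added example (not from the post, MIT krb5 or OpenSSH): readiness check for
# GSSAPI ssh logins. Assumes MIT "klist -k"/"klist -f" output formats and
# whitespace-separated sshd_config keywords; sample data below is constructed.

# 0 if the "klist -k" listing ($1) holds host/<fqdn>@<realm>. The ssh client
# asks the KDC for a ticket named after the host name it resolved, so the
# server's keytab must contain exactly that principal.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v p="host/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# Highest key version (kvno) stored for host/<fqdn>@<realm>, 0 if absent.
# sshd can only decrypt tickets issued under a kvno it has a key for, so
# re-running ktadd on the KDC without redistributing the keytab breaks logins.
keytab_host_kvno() {
    printf '%s\n' "$1" | awk -v p="host/$2@$3" \
        '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Effective value of sshd_config keyword $2 in config text $1, lowercased, or
# "unset". sshd honours the FIRST occurrence; a later "no" does not override
# an earlier "yes". Comments are skipped; Match blocks are not handled.
sshd_effective() {
    printf '%s\n' "$1" | awk -v k="$2" '
        BEGIN { v = "unset" }
        /^[[:space:]]*#/ { next }
        !found && tolower($1) == tolower(k) { v = tolower($2); found = 1 }
        END { print v }'
}

# 0 if the "klist -f" output ($1) shows a TGT with the F (forwardable) flag.
# Only needed for credential delegation to the next hop; kinit -f sets it.
tgt_is_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { seen = 1 }
        seen && /Flags:/ { f = $0; sub(/.*Flags:[[:space:]]*/, "", f)
                           if (index(f, "F")) ok = 1; seen = 0 }
        END { exit !ok }'
}

# Run all checks on the given texts; print one line each, return failure count.
report() {
    listing=$1; config=$2; tickets=$3; fqdn=$4; realm=$5; failures=0
    if keytab_has_host_principal "$listing" "$fqdn" "$realm"; then
        echo "PASS keytab holds host/$fqdn@$realm (kvno $(keytab_host_kvno "$listing" "$fqdn" "$realm"))"
    else
        echo "FAIL keytab has no host/$fqdn@$realm entry"; failures=$((failures + 1))
    fi
    gss=$(sshd_effective "$config" GSSAPIAuthentication)
    if [ "$gss" = yes ]; then
        echo "PASS sshd GSSAPIAuthentication yes"
    else
        echo "FAIL sshd GSSAPIAuthentication is '$gss' (first occurrence in sshd_config wins)"
        failures=$((failures + 1))
    fi
    if tgt_is_forwardable "$tickets"; then
        echo "PASS TGT is forwardable (delegation possible)"
    else
        echo "WARN TGT not forwardable; login works, delegation to the next hop will not"
    fi
    return "$failures"
}

# Constructed sample data modelled on the post (not real command output).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/monster.sys.intra@VALUECOMMERCE.COM
   3 host/monster.sys.intra@VALUECOMMERCE.COM
   4 host/monster.sys.intra@VALUECOMMERCE.COM'
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
ChallengeResponseAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes'
SAMPLE_KLIST_F='Ticket cache: FILE:/tmp/krb5cc_5002
Default principal: chrome@VALUECOMMERCE.COM

Valid starting     Expires            Service principal
06/02/05 17:36:09  06/03/05 17:36:09  krbtgt/VALUECOMMERCE.COM@VALUECOMMERCE.COM
        renew until 06/02/05 17:36:09, Flags: FIA'

# "--live REALM" runs against this host (as root, on the ssh server; the TGT
# check reads the invoking user's cache). Otherwise the constructed sample runs.
if [ "${1:-}" = "--live" ]; then
    realm=${2:?usage: $0 --live REALM}
    report "$(klist -k /etc/krb5.keytab 2>&1)" "$(cat /etc/ssh/sshd_config)" \
           "$(klist -f 2>&1)" "$(hostname -f)" "$realm"
else
    report "$SAMPLE_KEYTAB" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_KLIST_F" monster.sys.intra VALUECOMMERCE.COM
fi
```

On the sample data the script reports the keytab entry at kvno 4, `GSSAPIAuthentication yes` (the first of the two conflicting lines), and a forwardable TGT. Pointing it at a different host name, as the keytab copied to the wrong machine in the post would, produces the keytab FAIL.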
