Date: Wed, 7 Mar 2007 02:43:15 -0700 (MST)
From: RJ45 <rj45@slacknet.com>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos authentication and ldap authorization
Message-ID: <Pine.LNX.4.61.0703070231040.18120@slacknet.com>
In-Reply-To: <20070306190034.GA21811@seekingfire.com>
References: <Pine.LNX.4.61.0703061004250.5931@slacknet.com> <20070306190034.GA21811@seekingfire.com>
There are many difficulties, and YES, there is the documentation in the FreeBSD handbook, but it did not help me so much; I still have difficulties. I installed MIT krb5 also, and I am using kadmin from MIT to manage the krb5 server.

First problem:

    kadmin: ktadd -k /etc/krb5.keytab host/host.domain
    kadmin: Unsupported key table format version number while adding key to keytab

I can't understand this message. I touched /etc/krb5.keytab, but via kadmin it is unable to export the krb5 key I added before with addprinc -randkey host/host.domain. I also chmod 777 krb5.keytab, nothing to do. At the end I exported it from the KDC and copied it by hand into /etc/krb5.keytab on my client FreeBSD box, but I do not know if in this way it will work.

Anyway, now I have another problem. I am not able to configure ssh to login via Kerberos. I tried everything:

    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd:

    # auth
    auth		required	pam_nologin.so		no_warn
    auth		sufficient	pam_opie.so		no_warn no_fake_prompts
    auth		requisite	pam_opieaccess.so	no_warn allow_local
    auth		sufficient	pam_krb5.so		no_warn try_first_pass
    #auth		sufficient	pam_ssh.so		no_warn try_first_pass
    auth		required	pam_unix.so		no_warn try_first_pass

    # account
    account		required	pam_krb5.so
    account		required	pam_login_access.so
    account		required	pam_unix.so

    # session
    #session	optional	pam_ssh.so
    session		required	pam_permit.so

    # password
    password	sufficient	pam_krb5.so		no_warn try_first_pass
    password	required	pam_unix.so		no_warn try_first_pass

and ssh won't authenticate via Kerberos:

    Mar 7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
    Mar 7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain

I must miss something, I do not know what... Actually I do not think this scenario is commonly used by BSD users, and I cannot find documentation to help myself; anyway, I need this scenario, which was implemented on Linux before.
I do not want to use Linux anyway for this purpose (bastion SSH box for public login via krb5/ldap). At the end, anyway, the scenario needs to be krb5 for authentication and LDAP for authorization. For now I am not able to authenticate via krb5.

Any hints?

thanks
Rick

On Tue, 6 Mar 2007, Tillman Hodgson wrote:

> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>> for example I would like to install the MIT krb5 implementation from ports
>> instead of using the Heimdal default, because the kerberos server
>> on my network is a MIT server and I can't use kadmin on FreeBSD
>> to administer the kerberos server remotely using the Heimdal implementation.
>> Anyone has experience of the MIT krb5 implementation on FreeBSD?
>
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
>
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
>
> Other than the kadmin bits (which are fairly different between the two
> but aren't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
>
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
>
> -T
>
>
> --
> "I once bought a cellphone that had a little sticker on the box that said
> 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
> office."
> - A.S.R. quote (Andreas "Buzh" Skau)
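The message above mixes three separate symptoms: a keytab that kadmin refuses to write, a PAM stack with pam_krb5 in it, and sshd log lines. The following shell script is an added example written for this archive page, not code from the thread or from FreeBSD; it runs three small checks on constructed sample files so the symptoms can be told apart. The assumptions it relies on, which the thread itself does not state, are that an MIT-format keytab starts with the two version bytes 0x05 0x02 (0x05 0x01 for the old v1 layout), so a 0-byte file created with touch has no header for the library to parse, and that OpenSSH logs "Invalid user" when the local account lookup (getpwnam through NSS) fails before any authentication method, Kerberos included, has been tried. The file names, the classify_sshd_log/check_keytab/check_pam_sshd function names and the sample inputs are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Three diagnostics for a FreeBSD client that should accept Kerberos logins over SSH.

# check_keytab FILE -> prints "empty", "ok" or "bad-header".
# Assumption: MIT keytabs begin with the version bytes 05 02 (or 05 01 for v1).
# A file produced by `touch` is 0 bytes long and therefore has no header at all.
check_keytab() {
    if [ ! -s "$1" ]; then
        echo empty
        return 0
    fi
    hdr=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$hdr" in
        0502|0501) echo ok ;;
        *) echo bad-header ;;
    esac
}

# classify_sshd_log LINE -> "nss" when sshd rejected the user before PAM ran
# (the account does not exist locally or via NSS/LDAP), "pam" when a PAM
# module failed, "other" for anything else.
classify_sshd_log() {
    case "$1" in
        *"Invalid user"*) echo nss ;;
        *"PAM: authentication error"*) echo pam ;;
        *) echo other ;;
    esac
}

# check_pam_sshd FILE -> "ok" if an uncommented auth line loads pam_krb5.so
# before the auth line for pam_unix.so, "missing" if there is no such line,
# "order" if pam_unix.so is consulted first (pam_krb5 would never be reached
# when pam_unix is marked required and fails first).
check_pam_sshd() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $0 ~ /pam_krb5\.so/ && krb == 0  { krb = NR }
        $1 == "auth" && $0 ~ /pam_unix\.so/ && unixl == 0 { unixl = NR }
        END {
            if (krb == 0) print "missing"
            else if (unixl != 0 && unixl < krb) print "order"
            else print "ok"
        }' "$1"
}

# demo -> runs the three checks on constructed inputs and prints one line each.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/empty.keytab"                   # what `touch /etc/krb5.keytab` leaves behind
    printf '\005\002' > "$tmp/good.keytab"    # constructed: a v2 header and nothing else
    printf 'junk' > "$tmp/junk.keytab"        # constructed: not a keytab at all
    printf 'auth sufficient pam_krb5.so no_warn try_first_pass\nauth required pam_unix.so no_warn try_first_pass\n' > "$tmp/pam.ok"
    printf 'auth required pam_unix.so\nauth sufficient pam_krb5.so\n' > "$tmp/pam.order"
    printf '# auth\nauth required pam_unix.so\n' > "$tmp/pam.missing"

    echo "keytab(empty):   $(check_keytab "$tmp/empty.keytab")"
    echo "keytab(good):    $(check_keytab "$tmp/good.keytab")"
    echo "keytab(junk):    $(check_keytab "$tmp/junk.keytab")"
    echo "pam(ok):         $(check_pam_sshd "$tmp/pam.ok")"
    echo "pam(order):      $(check_pam_sshd "$tmp/pam.order")"
    echo "pam(missing):    $(check_pam_sshd "$tmp/pam.missing")"
    echo "log(invalid):    $(classify_sshd_log 'Mar 7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z')"
    echo "log(pam error):  $(classify_sshd_log 'Mar 7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain')"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it with `sh script.sh demo`. Applied to the log lines quoted in the message, the first line classifies as nss: sshd could not resolve the account at all, which is the LDAP/NSS authorization half of the setup rather than the Kerberos half, and pam_krb5 is only reached once that lookup succeeds. The keytab check separates a file that was merely touched (empty) from a real export copied over from the KDC (ok).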