Tjener does Kerberos...
Hi boys and girls :)
I've set up my test server to use Kerberos (MIT v5) for authentication.
That was rather easy and I think it is possible to automate the
installation; I'll look into the details these days.
It would be very nice if someone could exchange "ssh" for "ssh-krb5",
which will give every user and server the power to use Kerberos-based
ssh (and is one step in the right direction).
Before you try out the following description, please generate a set
of ssh keys without a password and put the private and public key into
/root/.ssh on tjener and distribute the public key (->
/root/authorized_keys) to all machines you want to play with
(including tjener); this allows you to access every machine as root
without typing a password. (Needed to distribute keytabs.)
I did the following:
1. dpkg-reconfigure debconf
Set debconf level to medium to get the right questions at the following
installation (not necessary if you have a valid config)
2. apt-get install krb5-admin-server krb5-kdc krb5-config krb5-user
ssh-krb5 libpam-krb5
Install the server daemons, a client config and the basic client
tools (kinit, klist ..) and nice stuff :)
Realm: SKOLELINUX
adminserver/KDC: kerberos.intern
krb4: nopreauth
3. vi /etc/bind/debian-edu/db.intern && /usr/sbin/rndc reload
Put a cname kerberos -> tjener into the file (don't forget serial)
4. kdb5_util create -s
This creates a nearly blank Kerberos database (the interactive password
question should be avoidable)
5. kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"
Create two needed principals
6. /etc/init.d/krb5-kdc start; /etc/init.d/krb5-admin-server start
Start the daemons
7. I used the script newKrbHost to create and put the keytab for tjener
at the right place. (./newKrbHost tjener)
8. Added a Kerberos principal to an existing user via
newKrbUser <username> <pw>
hint: using a different <pw> than in LDAP is wise to test it :)
9. Tested via kinit <username> and klist whether it works
10. Edited /etc/ssh/sshd_config and put in the following
# To change Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
(line 58 ff.)
11. Edited /etc/pam.d/ssh
So there is now:
auth sufficient pam_unix.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_ldap.so use_first_pass
12. Restarted ssh
13. Tried to ssh <username>@tjener with the Kerberos password and ticket.
14. Was happy that it worked.
If I missed something, please tell me.
I consider this description to work :)
Ciao
Max
--
Follow the white penguin.
#!/bin/bash
#
# :vim:ft=sh
#
# newKrbHost <hostname>: create the host/ and ssh/ principals for a
# host, store their keys in a local keytab and copy it to the host
# (relies on the password-less root ssh keys described in the mail).
if [ "$#" != "1" ]; then
    echo "Usage: $0 <hostname>" >&2
    exit 1
fi
# Where to put the client keytabs (they contain the hosts' long-term keys)
PRINC_DIR="/root/krb5"
[ -d "${PRINC_DIR}" ] || mkdir -p "${PRINC_DIR}"
kadmin.local -q "addprinc -randkey host/$1.intern"
kadmin.local -q "addprinc -randkey ssh/$1.intern"
kadmin.local -q "ktadd -k ${PRINC_DIR}/$1.keytab host/$1.intern"
kadmin.local -q "ktadd -k ${PRINC_DIR}/$1.keytab ssh/$1.intern"
scp "${PRINC_DIR}/$1.keytab" "$1:/etc/krb5.keytab"

#!/bin/bash
#
# newKrbUser <username> <password>: create a new user principal with the
# given password. Note that the password is visible in the process list
# while kadmin.local runs.
#
if [ "$#" != "2" ]; then
    echo "Usage: $0 <username> <password>" >&2
    exit 1
else
    kadmin.local -q "addprinc -pw $2 $1"
fi
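As an added check (not part of Max's mail or the Skolelinux scripts), a small POSIX sh script that verifies the outcome of steps 7, 10 and 11: the sshd_config setting, the PAM ordering and the keytab contents. It works on text files, so it runs without a KDC; the sample file contents are constructed to mirror the mail, and on a real tjener you would point it at /etc/ssh/sshd_config, /etc/pam.d/ssh and the output of `klist -k`.

```shell
#!/bin/sh
# Added example, not from the mail: checks that the results of steps 7, 10
# and 11 are in place. Works on text files so it runs without a KDC.

# Step 10: sshd honours the FIRST occurrence of a keyword, so that is the
# one that must say "yes" (keywords and values are case-insensitive).
check_sshd_config() {
    val=$(grep -Ei '^[[:space:]]*KerberosAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "yes" ]
}

# Step 11: pam_krb5 must be "sufficient", reuse the typed password
# (use_first_pass) and come before the final "required" pam_ldap line,
# otherwise a Kerberos-only password is rejected by pam_ldap first.
check_pam_ssh() {
    krb=$(grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so.*use_first_pass' "$1" \
          | head -n 1 | cut -d: -f1)
    ldap=$(grep -nE '^auth[[:space:]]+required[[:space:]]+pam_ldap\.so' "$1" \
          | head -n 1 | cut -d: -f1)
    [ -n "$krb" ] && [ -n "$ldap" ] && [ "$krb" -lt "$ldap" ]
}

# Step 7: the keytab newKrbHost copied to a host must hold both principals
# it created; $1 is a file with `klist -k` output, $2 the short hostname.
check_keytab_listing() {
    grep -q "[[:space:]]host/$2\.intern@" "$1" && grep -q "[[:space:]]ssh/$2\.intern@" "$1"
}

# Constructed sample inputs mirroring the mail (not files from a real tjener).
SSHD_OK=$(mktemp); SSHD_BAD=$(mktemp); PAM_OK=$(mktemp); PAM_BAD=$(mktemp); KT_OK=$(mktemp)
trap 'rm -f "$SSHD_OK" "$SSHD_BAD" "$PAM_OK" "$PAM_BAD" "$KT_OK"' EXIT
printf '# To change Kerberos options\nKerberosAuthentication yes\nKerberosOrLocalPasswd yes\n' >"$SSHD_OK"
printf 'KerberosAuthentication no\nKerberosAuthentication yes\n' >"$SSHD_BAD"   # first one wins
printf 'auth sufficient pam_unix.so\nauth sufficient pam_krb5.so use_first_pass\n' >"$PAM_OK"
printf 'auth required pam_ldap.so use_first_pass\n' >>"$PAM_OK"
printf 'auth sufficient pam_unix.so\nauth required pam_ldap.so use_first_pass\n' >"$PAM_BAD"
printf 'auth sufficient pam_krb5.so use_first_pass\n' >>"$PAM_BAD"     # krb5 after ldap: wrong
printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n' >"$KT_OK"
printf '   2 host/tjener.intern@SKOLELINUX\n   2 ssh/tjener.intern@SKOLELINUX\n' >>"$KT_OK"

for c in "check_sshd_config $SSHD_OK" "check_pam_ssh $PAM_OK" "check_keytab_listing $KT_OK tjener"; do
    if $c; then echo "ok:   $c"; else echo "FAIL: $c"; fi
done
```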