In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Harry R�ter) writes:
> Hi,
>
> I'm interested in changing my login
> on my LINUX-running computer to a kerberized one.
>
> So, is there a page on the web, which describes the things I
> have to do step by step ?
> Or can someone on the list tell me the necessary steps ?

I don't know of a Web site that provides step-by-step instructions for
doing this, although it's possible to piece it together from various
standard Kerberos Web sites and documentation that comes with Kerberos.
It's covered in my book, _Advanced Linux Networking_, as well (see
http://www.rodsbooks.com/adv-net/ for more information).

> The problem is, that a misconfiguration could make the
> computer unaccessible. Is there a fallback ?

You could leave yourself logged in as root (ideally at the console),
make changes, and test the changes. That way, if anything goes wrong,
you can correct the problem from the existing root login. In a
worst-case scenario, you may need to boot with an emergency boot disk
to recover the system, so have such a disk ready and tested.

> Do I have to use klogin or is there a PAM-solution
> (which would provide the fallback) ?

The Kerberized login program (I've usually seen it called login.krb5,
but it may be klogin, as you say, in some packages) should work for
text-mode logins and is fairly straightforward to install, once
Kerberos is up and running -- the latter is much harder than installing
the kerberized login program itself.

There are several PAM solutions. I haven't tried all of them, but some
I've run across include:

- Brashier's module -- Check ftp://ftp.dementia.org/pub/pam/ for files
  beginning pam_krb4. These work with Kerberos V4, in case you're still
  running that.

- King's module -- The ftp://ftp.dementia.org/pub/pam/ site hosts files
  beginning pam_krb5 which work with Kerberos V5. I had problems
  compiling these when I tried, but you may have more luck.

- Cusack's module -- check http://www.nectar.com/zope/krb/ for a
  package that was written for Solaris but that reportedly also works
  with Linux. This module works with Kerberos V5. I'm getting DNS
  errors on that domain at the moment, though; perhaps this Web page
  has moved.

- Red Hat's module -- Red Hat has made precompiled Kerberos PAM modules
  available. I'm not positive, but I think they're based on Cusack's
  work. Look for an RPM called pam_krb5. If you're using Red Hat, this
  is the easiest way to go. If not, you might still be able to use the
  package, although you may need to muck with PAM configuration files.

- Debian's module -- Debian has made PAM modules available; check on
  http://ftp.nl.debian.org/debian/pool/non-US/main/libp/libpam-heimdal.
  These should work with Debian's Heimdal packages. I'm not sure if
  they could be adapted for use with other Kerberos systems.

The PAM solution will, of course, work with any PAM-using login or
other password-using authentication method, including the conventional
login program, most XDMCP servers for Linux, su and sudo, xlock, etc.
Servers like FTP may be configured to use Kerberos, but they'll still
send passwords as cleartext; it's better to use explicitly kerberized
servers in such cases.

If you just need a Kerberized XDMCP package, I gather that such things
exist, but I don't have any URLs, offhand. IMHO, it's better to use PAM
if you want to Kerberize more than a couple of login methods; that's
why PAM was created, and although it'll be harder to set up than a
single explicitly Kerberized login program, it may be simpler than
setting up several Kerberized login programs.

--
Rod Smith, [EMAIL PROTECTED]
http://www.rodsbooks.com
Author of books on Linux, networking, & multi-OS configuration
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
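
The lockout question raised in the thread above can be checked before logging out of the rescue root session. This is an added example, not part of the original posts or of any PAM module's own code: it models the auth stack of a PAM service file and reports whether a local account still authenticates while the Kerberos module is failing. The two sample stacks are constructed, and only the four classic control flags are handled (an assumption; `include` and bracketed controls are rejected).

```python
# Added example (not from the thread): model the "auth" stack of a PAM
# service file and ask whether a local account can still log in while
# the Kerberos module is failing. Assumption: only the four classic
# control flags are modelled; "optional" results are ignored.
SIMPLE_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample stacks, not taken from any real system.
LOCKOUT = """\
auth required   pam_krb5.so
auth required   pam_unix.so use_first_pass
"""
FALLBACK = """\
auth sufficient pam_krb5.so
auth required   pam_unix.so try_first_pass
"""

def parse_auth_stack(text):
    """Return [(control, module_name)] for the auth lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1] not in SIMPLE_FLAGS:
            raise ValueError(f"unsupported control field: {fields[1]!r}")
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def authenticate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure)."""
    required_failed = any_success = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False                 # fail immediately
        if control == "required" and not ok:
            required_failed = True       # fail, but keep running the stack
        if control == "sufficient" and ok and not required_failed:
            return True                  # succeed immediately
        if ok and control != "optional":
            any_success = True
    return any_success and not required_failed

def local_fallback_works(text):
    """True if a local account can log in while pam_krb5.so is failing."""
    stack = parse_auth_stack(text)
    return authenticate(stack, {"pam_krb5.so": False, "pam_unix.so": True})
```

With `LOCKOUT`, a KDC outage or a Kerberos misconfiguration blocks every login, root included; with `FALLBACK`, local passwords keep working.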
