James,

Douglas has outlined pretty much what we do at our site which is
extremely effective. We manage well over 1000 machines, all of
which have a .k5login file in the root user's home directory.

What you need is a common .k5login file which contains the
principals of each member of your team who is allowed to
administer these machines. When one member leaves the team, you
remove their name from the common .k5login file.

Once the file is set up, you can log in as root without knowing a
root password, provided you have properly authenticated yourself
as one of the principals listed in root's .k5login file.

For example:

host1 [~](SHARK)(100)> klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
02/12/04 12:00:01  02/13/04 12:00:01  krbtgt/[EMAIL PROTECTED]
host1 [~](SHARK)(101)> ssh host2 -l root
Last login: Mon Feb  9 23:44:35 2004 from host1.example.com
[EMAIL PROTECTED] ~]#

Hope that helps.

 -- Tom

Thomas A. La Porte, Dreamworks SKG
<mailto:[EMAIL PROTECTED]>

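An added example, not code from the thread, of the workflow Tom describes (one common .k5login pushed to every host, trimmed when a member leaves) together with the authorization rule Douglas outlines (a principal may use the local account only if it is listed); the realm EXAMPLE.COM, the team principals and the helper names are constructed.

```python
# Added example, not code from the thread: managing the common /.k5login that
# Tom and Douglas describe. Every principal and realm below is constructed.
import re

# user[/instance]@REALM (constructed form check, not krb5's own parser)
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)?@[^@/\s]+$")


def render_k5login(principals):
    """Build the common .k5login: one principal per line, deduplicated, sorted."""
    return "".join(p + "\n" for p in sorted(set(principals)))


def k5login_allows(content, principal):
    """Rule for an account that has a .k5login: the principal may use the
    account only if some line is an exact, case-sensitive match (assumed
    simplification of krb5's comparison; identical for plain user@REALM)."""
    return principal in content.splitlines()


def offboard(content, principal):
    """Drop a departing member's principal from the common file (Tom's step)."""
    return render_k5login(line for line in content.splitlines() if line and line != principal)


def lint_k5login(content):
    """Flag entries that would silently never match or that weaken the ACL."""
    problems, seen = [], set()
    for n, line in enumerate(content.splitlines(), 1):
        if line != line.strip():
            problems.append(f"line {n}: whitespace around {line!r}; it will not match")
        p = line.strip()
        if not p:
            continue
        if not PRINCIPAL_RE.match(p):
            problems.append(f"line {n}: {p!r} is not user[/instance]@REALM")
        elif p.rsplit("@", 1)[1] != p.rsplit("@", 1)[1].upper():
            problems.append(f"line {n}: realm of {p} is not upper-case (realms are case-sensitive)")
        if p.split("@")[0] == "root":
            problems.append(f"line {n}: {p} is a shared root principal; list people instead")
        if p in seen:
            problems.append(f"line {n}: duplicate {p}")
        seen.add(p)
    return problems


# Constructed team roster; push render_k5login(TEAM) out as /.k5login on every host.
TEAM = ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM", "tom/admin@EXAMPLE.COM"]
COMMON = render_k5login(TEAM)
```

Because matching is exact, a stray space or a lower-case realm in an entry denies that person without any error on the host, which is what the lint is there to catch before the file is distributed.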

On Thu, 12 Feb 2004, James Walthall wrote:

>My apologies for the bad example. I drafted it up rather quickly.
>I guess my real question wasn't stated very clearly.
>
>We have around 1000 machines here that will be running the exact
>same configuration, and will be used for load testing.
>Every time an employee comes or goes, we have to change the password
>on each machine for security purposes. This obviously
>is very tedious when running a Windows platform without
>a DNS authentication. We want to convert all of these
>same or similar hardware machines to Red Hat Linux 8, and
>have them authenticate using Kerberos.
>
>We need ONE user that can login using the same user name
>and password from any machine, namely Administrator and the password.
>The goal is to be able to just change the password in the
>Master KDC Database instead of manually going machine
>to machine changing the password. This is my job...
>
>I would like to set up Kerberos so that there is 1 user with 1
>password with all privileges that root has. That user will be
>Administrator. I would like for my team members to be able
>to login from any machine using this same user name and
>password, and for Kerberos to issue a token. Using Red Hat
>8 configuration, how do you think I would go about doing this?
>I'm learning Linux, but coming from a Windows background.
>The simpler this can be explained, the better. Thanks in advance...
>
>
>
>Regards,
>
>James Walthall Jr
>IBM - Host Integration Server Test IDD and BETA
>Outside: (919) 254-8869
>Tieline: 444-8869
>Research Triangle Park
>Raleigh, North Carolina
>
>
>
>
>"Douglas E. Engert" <[EMAIL PROTECTED]>
>02/12/2004 11:01 AM
>
>        To:     James Walthall/Durham/[EMAIL PROTECTED]
>        cc:     [EMAIL PROTECTED]
>        Subject:        Re: Authentication In Redhat
>
>
>Rather than use a shared root account across all 1000 machines,
>consider authorizing selected individuals to become/login as root
>on each machine.
>
>You can do this using the $HOME/.k5login file on each machine listing
>the principals that can use the local account, i.e. root's home
>is "/", thus /.k5login would be used for root. (This also gives you
>some auditing information, as you can see who got tickets for
>which machine and who logged in.)
>
>
>James Walthall wrote:
>>
>> When you login to a kerberos integrated redhat machine, what information
>> is sent for tickets?
>
>Passwords are not sent, if that's your question.
>>
>> Let's say I login as root with password ****, which should be considered
>> valid for our example.
>> We are working from machine with host name HOSTNAME
>
>Keep in mind that your local unix account name like root does not have to
>match the principal name used in network authentication or the local unix
>account name on the remote machine.
>
>So you could login to a local machine as joe, do a kinit
>[EMAIL PROTECTED],
>and do a ssh -l root remote.ibm.com
>
>If the /.k5login on remote.host has [EMAIL PROTECTED] listed,
>it will let you in. (ssh may have other restrictions on root logins.)
>
>>
>> When kerberos searches for this user in the database, what key is it
>> searching for?
>
>
>There are two principals, the user and the server. There are actually
>two tickets, a TGT for the user, which is used to get a ticket
>for the server. So in my example there is [EMAIL PROTECTED] and
>host/[EMAIL PROTECTED]
>
>>
>> realm: RALEIGH.IBM.COM
>>
>> is it HOSTNAME/[EMAIL PROTECTED] ?
>>
>> is there a way to just insert a key for /[EMAIL PROTECTED]
>> so that there need not be a key for EVERY host, since we have over 1000
>> of them?
>
>Does not work like that. Each host has a principal, and the .k5login in
>each home directory can serve as an ACL for the local account listing which
>principals can use the account.
>
>Try and avoid a [EMAIL PROTECTED] principal. UNIX considers root as local
>to each machine. It's more of a role than an account. Even NFS treats root
>special. If you have a root principal, you don't know who is using it.
>
>>
>> also, if there is a way, please be specific as to how I can go about
>> setting that up.
>>
>> Regards,
>>
>> James Walthall Jr
>> IBM - Host Integration Server Test IDD and BETA
>> Outside: (919) 254-8869
>> Tieline: 444-8869
>> Research Triangle Park
>> Raleigh, North Carolina
>> ________________________________________________
>> Kerberos mailing list           [EMAIL PROTECTED]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>--
>
> Douglas E. Engert  <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois  60439
> (630) 252-5444
>
>