Barry Allard wrote:
> Hi Wyllys,
>
> Primary goal: Kerberize ssh keyboard-interactive logins in an enterprise-administration-friendly way.
The ability to use Kerberos tickets to authenticate with SSH is already documented and explained in several places. Look at docs.sun.com under Security Administration (or search for SEAM, Kerberos). Also do a 'man sshd_config' - you should see that the GSSAPIAuthentication and GSSAPIKeyExchange values are "yes" by default. What is your definition of "enterprise-administration-friendly"?

> Secondary objective #A: manage user authorization (who can log in) through Active Directory instead of locally (hacking a bunch of text files for each new user). Create home directory, etc.

This is a whole different problem. Today, you can manage your users with AD, but you still need to have some way for the Unix system (Solaris or Linux) to map from the AD user attributes to something recognizable on the *nix platform - uid, gid, and home directory being the most important attributes needed to establish a Unix login session. Typically, Unix admins set up user databases with NIS or LDAP containing all of the users that they want to allow to access the Unix systems. Kerberos auth can still be done against the AD server, but the AD principals must map to Unix usernames that the local system can then look up once the authentication is completed to do authorization.

Basically - you cannot have an empty /etc/password and shadow database (without NIS or LDAP) and expect that everything will "just work". You have to provide some method for the Unix system to get the user attributes it needs to establish a session. Microsoft offers their "Services for Unix" feature that might help if you are trying to get everything from AD, but I've not used that myself. There are also ways to configure the LDAP on the *nix side to get the information from AD. Look for an LDAP expert to explain the details of that process; I haven't done it myself.

> Secondary objective #B: ssh (PuTTY) from Windows -> sol 10 box ... automagically log in by Active Directory's kerb ticket (not hostkeys).
> I have seen it working using Centrify ($) PAM mod on Linux, and no mods to the Windows box.

Does PuTTY support GSSAPI authentication for SSH, and can it get the user's credentials from Active Directory? If so, it should "just work" with the stock Solaris 10 sshd or the OpenSSH server with the GSSAPI patches applied. If you have to have a special PAM module on the server side, then you aren't really doing Kerberos single sign-on authentication and you most likely have to re-enter your name/password when you try to log in to the other system. You could do that much with standard pam_krb5 on Solaris or Linux. I'm not familiar with the Centrify product.

-Wyllys

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
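As an added illustration of the two points made in the reply above (this is example code, not from the original post, Solaris or OpenSSH): a check of the GSSAPI keywords in sshd_config, and a mock of the step that follows a successful Kerberos authentication, where the principal must map to a Unix username that the local user database can supply uid, gid and home for. The sample config, the user table and the realm CORP.EXAMPLE.COM are constructed, and the "strip the local realm" mapping is assumed as the common default.

```python
# Constructed sshd_config fragment standing in for the server's /etc/ssh/sshd_config.
SSHD_CONFIG = """\
Port 22
GSSAPIAuthentication yes
#GSSAPIKeyExchange yes
PasswordAuthentication no
"""

# Constructed stand-in for the Unix user database (passwd file, NIS or LDAP):
# username -> (uid, gid, home), the attributes a login session needs.
UNIX_USERS = {"barry": (1001, 100, "/export/home/barry")}

def parse_sshd_config(text):
    """Effective keyword -> value map; keywords are case-insensitive and, as
    in sshd, the first occurrence wins. Blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings

def gssapi_auth_enabled(settings):
    """True only when GSSAPIAuthentication is explicitly 'yes'. An absent
    keyword means the build's compiled-in default applies, so it is not counted."""
    return settings.get("gssapiauthentication", "").lower() == "yes"

def map_principal(principal, local_realm):
    """Map user@REALM to a Unix username, accepting only the local realm (the
    usual default mapping, assumed here). Other realms, or no realm, map to nothing."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or realm != local_realm:
        return None
    return user

def authorize(principal, local_realm, passwd):
    """Authorization after Kerberos authentication has succeeded: a valid ticket
    is not enough, the mapped name must exist in the Unix user database so
    sshd can obtain uid, gid and home. Returns None when no session can be built."""
    name = map_principal(principal, local_realm)
    if name is None or name not in passwd:
        return None
    uid, gid, home = passwd[name]
    return {"user": name, "uid": uid, "gid": gid, "home": home}
```

The commented-out GSSAPIKeyExchange line is deliberately present to show that a commented keyword is not an effective setting, and the "newhire" case shows a valid AD ticket failing at the Unix lookup step the reply describes.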
