Re: Kerberos authentication and ldap authorization

2007-03-07 Thread RJ45



There are many difficulties, and YES there is the documentation
in the FreeBSD handbook, but it did not help me so much; I still have
difficulties.


I installed MIT krb5 also and I am using kadmin from MIT
to manage the krb5 server.


First problem

kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to 
keytab


I can't understand this message. I touched /etc/krb5.keytab
but via kadmin it is unable to export the krb5 key I added before
with

 addprinc -randkey host/host.domain

I also tried chmod 777 krb5.keytab; nothing doing.

At the end I exported it from the KDC and copied it by hand into
/etc/krb5.keytab on my client FreeBSD box, but I do not know
if it will work this way.

Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.

I tried everything:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd:

# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

# account
account     required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so

# password
password    sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass


and ssh won't authenticate via Kerberos:

Mar  7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
Mar  7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain



I must be missing something, I do not know what...

Actually I do not think this scenario is commonly used by BSD users,
and I cannot find documentation to help myself; anyway, I need this
scenario, which was implemented on Linux before.

I do not want to use Linux anyway for this purpose (bastion SSH
box for public login via krb5/ldap).
In the end the scenario needs to be krb5 for authentication
and LDAP for authorization.

For now I am not able to authenticate via krb5

Any hints?

thanks

Rick


On Tue, 6 Mar 2007, Tillman Hodgson wrote:

> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>
> > For example I would like to install the MIT krb5 implementation from ports
> > instead of using the Heimdal default, because the kerberos server
> > on my network is a MIT server and I can't use kadmin on FreeBSD
> > to administer the kerberos server remotely using the Heimdal implementation.
> > Does anyone have experience of the MIT krb5 implementation on FreeBSD?
>
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
>
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
>
> Other than the kadmin bits (which are fairly different between the two
> but aren't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
>
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
>
> -T
>
>
> --
> I once bought a cellphone that had a little sticker on the box that said
> 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
> office.
>   - A.S.R. quote (Andreas Buzh Skau)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]




Re: Kerberos authentication and ldap authorization

2007-03-07 Thread Tillman Hodgson
On Wed, Mar 07, 2007 at 02:43:15AM -0700, RJ45 wrote:
> There are many difficulties, and YES there is the documentation
> in the FreeBSD handbook, but it did not help me so much; I still have
> difficulties.
>
> I installed MIT krb5 also and I am using kadmin from MIT
> to manage the krb5 server.

So no possibility of $PATH problems?

> First problem
>
> kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
> kadmin: Unsupported key table format version number while adding key to
> keytab
>
> I can't understand this message. I touched /etc/krb5.keytab
> but via kadmin it is unable to export the krb5 key I added before
> with

Touching it ahead of time shouldn't be necessary. Your syntax might be
off, I'm not sure because it looks like you've made it generic for
purposes of posting it to the list. Here's a cut'n'paste of live data of
me doing it (the host has been decommissioned recently, and I haven't
yet deleted the host key from the KDC, which I'll do shortly):

[EMAIL PROTECTED] ~]# ls -l /etc/test.keytab  
ls: /etc/test.keytab: No such file or directory

[EMAIL PROTECTED] ~]# kadmin.local 
Authenticating as principal toor/[EMAIL PROTECTED] with password.
kadmin.local:  getprinc -terse host/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]0   1037304860  0   2419200 
toor/[EMAIL PROTECTED]1037300
kadmin.local:  ktadd -k /etc/test.keytab
host/[EMAIL PROTECTED]
Entry for principal host/[EMAIL PROTECTED] with kvno 6, encryption type Triple 
DES cbc mode with HMAC/sha1 
Entry for principal host/[EMAIL PROTECTED] with kvno 6, encryption type DES cbc 
mode with CRC-32 added to keytab
kadmin.local:  exit

[EMAIL PROTECTED] ~]# ls -l /etc/test.keytab
-rw---  1 root  wheel  164 Mar  7 19:15 /etc/test.keytab

[EMAIL PROTECTED] ~]# ktutil
ktutil:  read_kt /etc/test.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/[EMAIL PROTECTED]
   2    6 host/[EMAIL PROTECTED]
ktutil:  exit

So it does indeed work.

>  addprinc -randkey host/host.domain
>
> I also tried chmod 777 krb5.keytab; nothing doing.

chmod 777 on a keytab is a very very bad thing to do :-)

If someone can read your keytab, it opens the door to impersonating that
principal.

> At the end I exported it from the KDC and copied it by hand into
> /etc/krb5.keytab on my client FreeBSD box, but I do not know
> if it will work this way.

I've never tried it -- it definitely doesn't sound like it'd be fun to
type in, however :-)

I tend to extract my keytabs right on the KDC and then scp them to the
appropriate host. I don't use kadmin for remote admin -- if I need to
admin the KDC, I log in via the serial console and use kadmin.local to
keep everything off the network.

> Anyway, now I have another problem.
> I am not able to configure ssh to log in via Kerberos.
>
> I tried everything:
>
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes

Kerberos* is, counterintuitively, not what you want. Google for
sshd_config GSSAPI.

> In the end the scenario needs to be krb5 for authentication
> and LDAP for authorization.

I use Kerberos for authentication and NIS-over-IPsec (transport mode),
which is very similar. I have a cross-realm trust to another Realm that
uses Kerberos and flat files, also on BSD. It's definitely doable.

> For now I am not able to authenticate via krb5
> Any hints?

Get some basic troubleshooting information in place by trying the
following tests and posting the results to the list:

* Have a running KDC computer, a workstation computer, and a server
  computer that can run a Kerberos service (let's say it's the kerberos
  telnetd for this example). Ensure that all their clocks are in sync.
  Ensure that all computers have full name resolution correctly working.
* Confirm the KDC is running and that you have at least one valid
  user principal and one valid host principal created. The user
  principal should also exist in /etc/passwd and the other flat files on
  both the workstation and the server computer.
* Confirm that your /etc/krb5.conf on the KDC sets your default realm and
  gives the hostname of the KDC
* From the KDC, confirm that you can kinit and obtain a TGT (test with
  klist)
* From a workstation with the krb5.conf installed, confirm that you can
  kinit and obtain a TGT (test with klist)
* From a workstation with the krb5.conf, attempt to use a kerberos
  service on the host that has the valid host principal. Confirm with
  klist that you're able to obtain the host service ticket.
* On the KDC, extract (ktadd) the server principal to a keytab file.
  Securely copy it (scp is fine) to the server host and ensure it's
  named /etc/krb5.keytab. Permissions should be 600 and owned by root.
* Attempt to use the kerberos telnet client to connect to the kerberos
  host with the valid host principal (i.e., `telnet -x server_host`).
  You should be able to connect and login passwordless.

If any of those steps don't work, please post back to the 
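Two of the checks from the list above (keytab ownership and mode, and the sshd GSSAPI setting that Tillman points to instead of the Kerberos* options), written as an added example in POSIX sh; this is not code from the thread, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not from the thread: two of Tillman's checks as POSIX sh
# functions that run on FreeBSD's /bin/sh. Names are hypothetical.

# check_keytab FILE [OWNER]
# Succeeds only if FILE exists, is owned by OWNER (default root) and is
# mode 0600. A keytab that others can read lets whoever copies it
# impersonate the host principal, which is why chmod 777 is dangerous.
check_keytab() {
    kt=$1
    want_owner=${2:-root}
    [ -f "$kt" ] || { echo "$kt: no such file" >&2; return 1; }
    # Parse `ls -ld` rather than stat(1), whose flags differ on BSD and GNU.
    set -- $(ls -ld "$kt")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL/xattr marker
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$kt: owned by $owner, expected $want_owner" >&2; return 1
    fi
    if [ "$mode" != "-rw-------" ]; then
        echo "$kt: mode $mode, expected -rw------- (0600)" >&2; return 1
    fi
    return 0
}

# check_sshd_gssapi SSHD_CONFIG
# Succeeds if the first uncommented GSSAPIAuthentication directive is "yes".
# sshd(8) uses the first match for each keyword, so a later "yes" does not
# override an earlier "no". The Kerberos* options only govern password
# validation against the KDC, not ticket-based (GSSAPI) logins.
check_sshd_gssapi() {
    awk '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "gssapiauthentication" && !seen { seen = 1; val = tolower(f[2]) }
        END { exit !(seen && val == "yes") }
    ' "$1"
}

# Usage on a real host (run as root):
#   check_keytab /etc/krb5.keytab && check_sshd_gssapi /etc/ssh/sshd_config \
#       && echo "keytab and sshd GSSAPI settings look sane"
```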

RE: Kerberos authentication and ldap authorization

2007-03-06 Thread Michael K. Smith - Adhost


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of RJ45
> Sent: Tuesday, March 06, 2007 9:08 AM
> To: freebsd-questions@freebsd.org
> Subject: Kerberos authentication and ldap authorization
>
>
> Hello,
> I would like to use FreeBSD as a login box using krb5 authentication
> and ldap authorization.
> The KDC kerberos server is another machine, as is the LDAP server;
> this freebsd box is a kerberos and ldap client.
>
> Could anyone give me some good hints on how to configure the FreeBSD box
> in this way?
> I tried to search for info but could only get partial information.
>
> For example I would like to install the MIT krb5 implementation from ports
> instead of using the Heimdal default, because the kerberos server
> on my network is a MIT server and I can't use kadmin on FreeBSD
> to administer the kerberos server remotely using the Heimdal
> implementation.
> Does anyone have experience of the MIT krb5 implementation on FreeBSD?
>
> As well, how to enable LDAP authorization for logins on FreeBSD?
>
> thanks
>
> Rick


Hello Rick:

Check out
http://joseph.randomnetworks.com/archives/2004/06/21/active-directory-wi
th-nss_ldap-and-pam_ldap/.  It doesn't address your question regarding
MIT Kerberos specifically, but it does give a good overview of using
LDAP for authentication.  Granted, you won't be using it to access an
Active Directory, but the other configuration parameters will apply
(nsswitch.conf, ldap.conf, PAM modules, etc.).

Regards,

Mike


Re: Kerberos authentication and ldap authorization

2007-03-06 Thread Tillman Hodgson
On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
> For example I would like to install the MIT krb5 implementation from ports
> instead of using the Heimdal default, because the kerberos server
> on my network is a MIT server and I can't use kadmin on FreeBSD
> to administer the kerberos server remotely using the Heimdal implementation.
> Does anyone have experience of the MIT krb5 implementation on FreeBSD?

The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

In section 14.8.6 it notes that the kadmin protocol differs between
Kerberos implementations -- you have to use the MIT kadmin to administer
a remote MIT KDC.

Other than the kadmin bits (which are fairly different between the two
but isn't used by end-users anyway), it's pretty much transparent to a
Kerberos-enabled workstation which implementation it's using. I
typically install both (to different paths to avoid file conflicts)
because I like using the newest Heimdal rather than the one in base and
also because the included client applications differ. For example, MIT
has Kerberos rsh whereas the base Heimdal doesn't for some of the
platforms that I use.

If you run into any specific issues when setting it up, please post back
to the list and cc me and I'll give you a hand.

-T


-- 
I once bought a cellphone that had a little sticker on the box that said
 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
  office.
- A.S.R. quote (Andreas Buzh Skau)