Re: [Freeipa-users] kerberized vsftpd login problem
I may be wrong on this, but I don't remember an option in vsftpd.conf to specify a keytab file, which is a good indication that it's not supported. There is a kerberized ftp server in the krb5 applications rpm; however, it's not widely used and is more likely than not lacking features and may have bugs.

-- Sent from my HP Pre3

On Mar 27, 2014 22:13, Dmitri Pal wrote:

On 03/27/2014 04:47 PM, John Obaterspok wrote:
> 2014-03-23 19:45 GMT-04:00 Dmitri Pal
>> 2014-03-23 9:01 GMT+01:00 John Obaterspok:
>>> Hello,
>>>
>>> How do I get vsftpd login to work with an existing ticket?
>>> I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
>>> Is there anything else I need to do to allow ftp login to vsftpd?
>> What ftp client and server are you using?
>> Do you know whether they are actually supporting Kerberos?
>> Maybe consider other tools like scp instead?
> I'm using vsftpd with default settings in Fedora 20 + ftp client from
> krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
> /etc/pam.d/vsftpd looks like this:
>
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      password-auth
> account    include      password-auth
> session    required     pam_loginuid.so
> session    include      password-auth
>
> Perhaps I need to change something in the pam file in order to allow sso?
>
> -- john

If you want SSO the ftp server should be configured to use GSSAPI and not use PAM (or fail over to PAM if client does not have a ticket).
A search of the man pages for vsftpd did not render such option. I suspect it is either undocumented or some other Kerberos-enabled ftp server needs to be used. Does krb-appl package provide one?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] kerberized vsftpd login problem
On 03/27/2014 04:47 PM, John Obaterspok wrote:
> 2014-03-23 19:45 GMT-04:00 Dmitri Pal
>> 2014-03-23 9:01 GMT+01:00 John Obaterspok:
>>> Hello,
>>>
>>> How do I get vsftpd login to work with an existing ticket?
>>> I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
>>> Is there anything else I need to do to allow ftp login to vsftpd?
>> What ftp client and server are you using?
>> Do you know whether they are actually supporting Kerberos?
>> Maybe consider other tools like scp instead?
> I'm using vsftpd with default settings in Fedora 20 + ftp client from
> krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
> /etc/pam.d/vsftpd looks like this:
>
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      password-auth
> account    include      password-auth
> session    required     pam_loginuid.so
> session    include      password-auth
>
> Perhaps I need to change something in the pam file in order to allow sso?
>
> -- john

If you want SSO the ftp server should be configured to use GSSAPI and not use PAM (or fail over to PAM if client does not have a ticket).
A search of the man pages for vsftpd did not render such option. I suspect it is either undocumented or some other Kerberos-enabled ftp server needs to be used. Does krb-appl package provide one?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
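The reply above says SSO needs the FTP server itself to speak GSSAPI. At the protocol level (RFC 2228) that means the server accepts the client's AUTH GSSAPI command. The following is an added example, not part of the thread or of vsftpd: it parses a server's reply to that command and classifies it. The function names and result labels are illustrative assumptions.

```python
# Added example, not code from the thread: classify an FTP server's answer to
# "AUTH GSSAPI" (RFC 2228). Function names and labels are illustrative.
import socket

def read_reply(stream):
    """Read one FTP reply (RFC 959) from a binary stream -> (code, text)."""
    first = stream.readline().decode("ascii", "replace").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError("not an FTP reply: %r" % first)
    code, lines = first[:3], [first[4:]]
    if first[3:4] == "-":  # multi-line reply, terminated by a "NNN " line
        while True:
            raw = stream.readline()
            if not raw:
                raise ValueError("connection closed inside multi-line reply")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith(code + " "):
                lines.append(line[4:])
                break
            lines.append(line)
    return int(code), "\n".join(lines)

def classify_auth_reply(code):
    """Map the reply code for AUTH GSSAPI to what it says about SSO support."""
    if code == 334:
        return "gssapi-offered"        # mechanism accepted, server expects ADAT tokens
    if code == 234:
        return "accepted-no-token"     # mechanism accepted, no security data needed
    if code == 504:
        return "mechanism-unknown"     # AUTH exists, but not for GSSAPI
    if code in (500, 502):
        return "auth-not-implemented"  # server has no AUTH command at all
    return "refused"                   # e.g. 431, 534, or a login-required 530

def probe(host, port=21, timeout=5.0):
    """Ask a server you administer whether it offers GSSAPI (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        read_reply(stream)                     # greeting, normally 220
        stream.write(b"AUTH GSSAPI\r\n")
        stream.flush()
        code, text = read_reply(stream)
        stream.write(b"QUIT\r\n")
        stream.flush()
        return classify_auth_reply(code), code, text
```

Only a "gssapi-offered" result means a client holding a ticket can attempt ticket-based login; any other result means the server will fall back to USER/PASS, which is the path the PAM file controls.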
Re: [Freeipa-users] kerberized vsftpd login problem
2014-03-23 19:45 GMT-04:00 Dmitri Pal
> 2014-03-23 9:01 GMT+01:00 John Obaterspok:
> >
> > Hello,
> >
> > How do I get vsftpd login to work with an existing ticket?
> > I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
> > Is there anything else I need to do to allow ftp login to vsftpd?
>
> What ftp client and server are you using?
> Do you know whether they are actually supporting Kerberos?
> Maybe consider other tools like scp instead?

I'm using vsftpd with default settings in Fedora 20 + ftp client from krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
/etc/pam.d/vsftpd looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Perhaps I need to change something in the pam file in order to allow sso?

-- john
Re: [Freeipa-users] kerberized vsftpd login problem
On 03/23/2014 04:01 AM, John Obaterspok wrote:
> Hello,
>
> How do I get vsftpd login to work with an existing ticket?
> I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
> Is there anything else I need to do to allow ftp login to vsftpd?

What ftp client and server are you using?
Do you know whether they are actually supporting Kerberos?
Maybe consider other tools like scp instead?

> -- john

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] kerberized vsftpd login problem
Hello,

How do I get vsftpd login to work with an existing ticket?
I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
Is there anything else I need to do to allow ftp login to vsftpd?

-- john