From: RJ45 <rj45@slacknet.com>
To: freebsd-questions@freebsd.org
Date: Wed, 7 Mar 2007 02:43:15 -0700 (MST)
Subject: Re: Kerberos authentication and ldap authorization
In-Reply-To: <20070306190034.GA21811@seekingfire.com>

There are many difficulties, and YES, there is the documentation in the FreeBSD handbook, but it did not help me so much; I still have difficulties. I installed MIT krb5 also, and I am using kadmin from MIT to manage the krb5 server.

First problem:

kadmin: ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to keytab

I can't understand this message. I touched /etc/krb5.keytab, but via kadmin it is unable to export the krb5 key I added before with

addprinc -randkey host/host.domain

I also chmod 777 krb5.keytab; nothing to do. At the end I exported it from the KDC and copied it by hand into /etc/krb5.keytab on my client FreeBSD box, but I do not know if it will work this way.

Anyway, now I have another problem. I am not able to configure ssh to log in via Kerberos. I tried everything:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd:

# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_permit.so

# password
password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

and ssh won't authenticate via Kerberos:

Mar  7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
Mar  7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain

I must be missing something, I do not know what... Actually I do not think this scenario is commonly used by BSD users, and I cannot find documentation to help myself; anyway I need this scenario, which was implemented on Linux before. I do not want to use Linux anyway for this purpose (bastion SSH box for public login via krb5/ldap).

At the end anyway the scenario needs to be krb5 for authentication and LDAP for authorization. For now I am not able to authenticate via krb5.

Any hints?

thanks
Rick

On Tue, 6 Mar 2007, Tillman Hodgson wrote:

> On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
>> For example I would like to install the MIT krb5 implementation from ports
>> instead of using the Heimdal default, because the Kerberos server
>> on my network is an MIT server and I can't use kadmin on FreeBSD
>> to administer the Kerberos server remotely using the Heimdal implementation.
>> Does anyone have experience of the MIT krb5 implementation on FreeBSD?
>
> The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
>
> In section 14.8.6 it notes that the kadmin protocol differs between
> Kerberos implementations -- you have to use the MIT kadmin to administer
> a remote MIT KDC.
>
> Other than the kadmin bits (which are fairly different between the two
> but aren't used by end-users anyway), it's pretty much transparent to a
> Kerberos-enabled workstation which implementation it's using. I
> typically install both (to different paths to avoid file conflicts)
> because I like using the newest Heimdal rather than the one in base and
> also because the included client applications differ. For example, MIT
> has Kerberos rsh whereas the base Heimdal doesn't for some of the
> platforms that I use.
>
> If you run into any specific issues when setting it up, please post back
> to the list and cc me and I'll give you a hand.
>
> -T
>
> --
> "I once bought a cellphone that had a little sticker on the box that said
> 'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
> office."
> - A.S.R.
> quote (Andreas "Buzh" Skau)
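Added example, not from the mail or from MIT krb5: a small parser for the MIT v2 keytab format (magic bytes 0x05 0x02) that a client admin can run over a hand-copied /etc/krb5.keytab to confirm it carries the host principal, plus a mode check, since a keytab holds the host's long-term key and must not be world-readable. The sample keytab, its principal, enctype and key bytes are constructed here; an empty file, as created by touch, has no version header, which is the condition the "Unsupported key table format version number" message describes.

```python
# Added example (not from the mail): parse an MIT krb5 v2 keytab (magic 0x0502)
# and check it; a file created with touch has no header and fails the version check.
import stat
import struct

def _counted(buf, off):  # uint16 big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes):
    """Return [(principal, enctype, kvno)] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":  # v1 (0x0501, host byte order) not handled here
        raise ValueError("Unsupported key table format version number")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _ts, vno8 = struct.unpack_from(">IB", data, off + 4)     # after name_type
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen  # key material is skipped and never returned
        # optional 32-bit kvno at the end of the entry replaces vno8 when non-zero
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, vno32 or vno8))
        off = end
    return entries

def build_keytab(principal: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Construct a one-entry v2 keytab; used here only to make sample input offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def keytab_mode_ok(st_mode: int) -> bool:
    """The keytab holds the host's long-term key: no group/other bits (chmod 777 is wrong)."""
    return st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

The sshd lines quoted above say "Invalid user", which sshd logs when the account lookup itself fails before PAM runs, so the LDAP side (the passwd source in /etc/nsswitch.conf) has to resolve the user before pam_krb5 is ever consulted.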