Erik Williamson wrote:
> Hi All,
>
> Could anyone point me to any good resources on configuring OpenSSH to
> use Kerberos? I'm verrrry new to kerberos - Everything that I'm finding
> is a little dated and says that it's not doable. I'm attempting this on
> 40rolling - Thanks for any pointers!
>
> Best,
> Erik.
>
Hi Erik,
It's definitely doable. We've been doing it for years.
There are a few things you need to know to make sense of it, though.
First is gssapi authentication. This isn't really a way to
authenticate, but more a protocol that kerberos uses to authenticate.
Hmmm ... I'm probably not the best person to explain it. The short of
it is that if your openssh doesn't support gssapi authentication, it's
not going to do kerberos right.
Second is gssapi authentication. Hmm ... I thought I said that already.
Well here's the trouble. There is the 'old' gssapi authentication,
that had been a patch for older openssh's up through openssh 3.8. Then
there is the 'new' gssapi authentication, that is built into openssh 3.9
and above. Wouldn't it be nice if they were compatible with each other?
Well, they aren't. Sorry about that. Again, I'm sure others can explain
this much better than I.
OK, enough background, what does gssapi have to do with openssh?
Well, up until openssh 3.9, there wasn't any gssapi built into openssh.
You had to apply a patch.
Now RedHat did a clever thing. They didn't ever officially apply the
gssapi patch in their openssh, but they did include it in their source.
So if you just recompiled openssh with the letters gss in the release
version, then it applied the patch and your openssh then worked with
kerberos.
For a look at those you can get some at
ftp://linux.fnal.gov/linux/contrib/openssh/
look in the appropriate directories.
But along comes openssh 3.9, with its non-backward compatible gssapi.
It just plain doesn't work out of the box with these previously patched
openssh's.
Can't that be patched?
Yup.
If you look at the above link, you'll see an openssh for S.L. 4.x. This
is basically the 3.9 openssh with a patch to make it backward compatible.
I've been asked to possibly put that in contrib, or even as the default
openssh, but the patch doesn't apply cleanly to redhat's openssh. So
each security update would be a mess to have to redo the patch. But
until I get a cleaner patch, this works quite well. Just know that I
had to disable the SELinux part.
Now, there's also the sshd_config file. The default configuration does
both password and kerberos authentication. If you want it to be
kerberos only, you'll have to edit it, but I think this e-mail is
already long enough ;)
Hope this helps
Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
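The reply ends by noting that the stock sshd_config accepts both passwords and Kerberos, and that Kerberos-only needs an edit. The following is an added example, not code from the thread or from the Fermilab packages: a small POSIX sh audit that reads an sshd_config and reports whether it is actually Kerberos-only (GSSAPIAuthentication on, password and challenge-response off). The keywords are real OpenSSH ones; both sample configs are constructed here, and the script assumes awk and mktemp are available.

```shell
#!/bin/sh
# Added example: audit an sshd_config for a Kerberos-only (GSSAPI) login policy.
# The two configs below are constructed samples, not from any real host.

DEFAULT_CONFIG='GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes'

KERBEROS_ONLY_CONFIG='GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# this later duplicate is ignored: sshd keeps the first value it reads
PasswordAuthentication yes'

# get_option FILE KEYWORD: print the effective value of KEYWORD (case-insensitive).
# sshd uses the FIRST occurrence of a keyword, so later lines do not override it.
get_option() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}

# audit_config FILE: print findings; return 0 only if FILE is Kerberos-only.
audit_config() {
    cfg="$1"; rc=0
    gss=$(get_option "$cfg" GSSAPIAuthentication)
    pw=$(get_option "$cfg" PasswordAuthentication)
    cr=$(get_option "$cfg" ChallengeResponseAuthentication)
    if [ "$gss" != "yes" ]; then
        echo "GSSAPIAuthentication=${gss:-unset}: Kerberos (GSSAPI) logins will fail"; rc=1
    fi
    if [ "${pw:-yes}" != "no" ]; then      # sshd default is yes when unset
        echo "PasswordAuthentication=${pw:-yes}: passwords still accepted"; rc=1
    fi
    if [ "${cr:-yes}" != "no" ]; then      # PAM can still prompt for a password
        echo "ChallengeResponseAuthentication=${cr:-yes}: keyboard-interactive passwords still accepted"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$cfg: Kerberos-only"
    return "$rc"
}

# write_sample CONTENT: write a constructed config to a temp file and print its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}
```

Run it against a real file with `audit_config /etc/ssh/sshd_config`; it only inspects the top-level keywords and does not evaluate `Match` blocks.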