SCIENTIFIC-LINUX-USERS Archives

March 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Wed, 30 Mar 2005 19:56:51 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (71 lines)
Erik Williamson wrote:
> Hi All,
> 
> Could anyone point me to any good resources on configuring OpenSSH to 
> use Kerberos?  I'm verrrry new to kerberos - Everything that I'm finding 
> is a little dated and says that it's not doable.  I'm attempting this on 
> 40rolling - Thanks for any pointers!
> 
> Best,
> Erik.
> 

Hi Erik,
It's definitely doable.  We've been doing it for years.
There are a few things you need to know to make sense of it though.

First is gssapi authentication.  This isn't really a way to 
authenticate, but more a protocol that kerberos uses to authenticate. 
Hmmm ... I'm probably not the best person to explain it.  The short of 
it is that if your openssh doesn't support gssapi authentication, it's 
not going to do kerberos right.

Second is gssapi authentication.  Hmm ... I thought I said that already. 
Well here's the trouble.  There is the 'old' gssapi authentication, 
that had been a patch for older openssh's up through openssh 3.8.  Then 
there is the 'new' gssapi authentication, that is built into openssh 3.9 
and above.  Wouldn't it be nice if they were compatible with each other? 
Well, they aren't.  Sorry about that.  Again, I'm sure others can explain 
this much better than I.

OK, enough background, what does gssapi have to do with openssh?

Well, up until openssh 3.9, there wasn't any gssapi built into openssh. 
You had to apply a patch.

Now RedHat did a clever thing.  They didn't ever officially apply the 
gssapi patch in their openssh, but they did include it in their source. 
So if you just recompiled openssh with the letters gss in the release 
version, then it applied the patch and your openssh then worked with 
kerberos.
For a look at those you can get some at
ftp://linux.fnal.gov/linux/contrib/openssh/
look in the appropriate directories.

But along comes openssh 3.9, with its non-backward compatible gssapi. 
It just plain doesn't work out of the box with these previously patched 
openssh's.
Can't that be patched?
Yup.
If you look at the above link, you'll see an openssh for S.L. 4.x.  This 
is basically the 3.9 openssh with a patch to make it backward compatible.
I've been asked to possibly put that in contrib, or even as the default 
openssh, but the patch doesn't apply cleanly to redhat's openssh.  So 
each security update would be a mess to have to redo the patch.  But 
until I get a cleaner patch, this works quite well.  Just know that I 
had to disable the SELinux part.

Now, there's also the sshd_config file.  The default configuration does 
both password and kerberos authentication.  If you want it to be 
kerberos only, you'll have to edit it, but I think this e-mail is 
already long enough ;)

Hope this helps
Troy

-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
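The Kerberos-only sshd_config edit Troy mentions, as an added example that is not from the post or from the Fermilab builds: a POSIX shell audit that reads the effective value of each sshd_config keyword (sshd keeps the first value it sees for a keyword) and checks that GSSAPI is on while password and challenge-response logins are off. It assumes the "Keyword value" syntax and the sshd_config(5) defaults noted in the comments, and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for a
# "Kerberos only" policy, i.e. GSSAPI on and password logins off.
# Assumptions: keywords are written "Keyword value" separated by
# whitespace, and sshd keeps the FIRST value it sees for a keyword, so a
# later line cannot override an earlier one.  Defaults quoted below are
# the sshd_config(5) ones: GSSAPIAuthentication no, PasswordAuthentication
# yes, ChallengeResponseAuthentication yes.

# Print the effective value of keyword $2 in file $1, or the default $3.
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" 'NF == 0 || $1 ~ /^#/ { next }
                             tolower($1) == key { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 if $1 allows only Kerberos (GSSAPI) logins; otherwise list the
# offending settings on stdout and return 1.
kerberos_only() {
    rc=0
    [ "$(effective_value "$1" GSSAPIAuthentication no)" = yes ] ||
        { echo "GSSAPIAuthentication must be yes"; rc=1; }
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "ChallengeResponseAuthentication must be no"; rc=1; }
    return $rc
}

# Constructed sample: the "does both" default the post describes.
write_default_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample: password and kerberos both accepted
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication yes
EOF
}

# Constructed sample: the same file edited for Kerberos only.  The second
# PasswordAuthentication line is ignored because sshd keeps the first value.
write_kerberos_only_config() {
    cat > "$1" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d)
write_default_config "$tmp/default"; write_kerberos_only_config "$tmp/krb"
for f in default krb; do
    if kerberos_only "$tmp/$f" >/dev/null; then echo "$f: Kerberos only"
    else echo "$f: still accepts non-Kerberos logins"; fi
done
```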
