Date: Wed, 3 Jan 2007 08:17:35 -0600
Hi Vinod,
Since I maintain that page, why don't I see what needs to be changed so
that it works better. Your comments below help, but I need more
clarification on a few things.
First off, which set of instructions did you use? And why?
I ask that so I know which ones need to be fine-tuned, and if you were
using the wrong ones, I need to know how to better send you to the
right instructions.
Vinod Gupta wrote:
> I tried to follow your instructions at:
> http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html,
> installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh to
> Fermilab unix systems did not work. I am sure other people must have
> experienced similar problems. I would like to share how I made it work and
> would welcome ideas to improve the steps:
>
> a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask]
> would not work until I opened all the ports from FNAL (131.225.0.0/16)
> network. I don't think we need to open all the ports, if you know
> precisely which ones please let me know.
>
Are you talking about poking holes in an external firewall (such as a
router) or the local firewall on the machine?
We hadn't had any problems with RHEL4's local firewall, so I hadn't
thought of that.
But I believe our security team has written a page on what holes are
needed, I think a link to their web page would be in order.
> b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I was
> no longer able to ssh into my workstation using other RHEL-distributed
> ssh clients. I tried installing only openssh-clients SLF package but it
> failed due to dependency problems. I used --nodeps switch:
> rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
> The package installed fine and seems to be working with existing
> RHEL-distributed dependent rpms. I had the impression that RHEL and FNAL
> ssh rpms install in their own sub-dirs and can co-exist, but apparently
> not.
>
Here is where I think you were reading the wrong instructions, which is
why I need to know how to better direct people to the right instructions.
The openssh*SLF* rpms are designed to be completely kerberized,
outgoing and incoming.
There is a set of openssh*SL* rpms, which have all the necessary
patches to work with old and new kerberos authentication, but the
configuration files are set to be the same as the default Red Hat
configuration files. These are the rpms that you really want; they are
found at
ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
> Only after these variations from the doc in the above referred webpage,
> kinit worked and I could ssh to FNAL Unix systems without
> password/cryptocard.
>
> Vinod
> Princeton
Thank you for your help.
Troy Dawson
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab Computing Division/CSS CSI Group
__________________________________________________
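On the firewall question in a) above: kinit's own traffic is outbound, so the thing worth auditing is whether an inbound rule added for the site network accepts every port instead of just the Kerberos service ports. The script below is an added example, not part of this message or of the Fermilab instructions; the rule list is constructed to look like `iptables -S INPUT` output, and the ports 88 (KDC), 464 (kpasswd) and 749 (kadmin) are the standard Kerberos V5 ports (a site may use others; the security team's page is the authority for FNAL).

```shell
#!/bin/sh
# Added example: flag "accept everything from the whole /16" rules in a
# host firewall listing and print a Kerberos-ports-only replacement.

# Constructed sample, shaped like `iptables -S INPUT` output. The fourth
# rule is the over-broad hole: a source network with no port restriction.
CONSTRUCTED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 131.225.0.0/16 -j ACCEPT
-A INPUT -s 131.225.0.0/16 -p udp -m udp --dport 88 -j ACCEPT'

# Print every ACCEPT rule that names a source network but no destination
# port, ignoring the loopback allowance.
find_broad_accepts() {
    printf '%s\n' "$1" | awk '
        /-j ACCEPT/ && /-s / && !/--dport/ && !/-i lo/ { print }'
}

# Number of such rules; zero means the listing passes this check.
count_broad_accepts() {
    find_broad_accepts "$1" | awk 'END { print NR }'
}

# Emit the narrower replacement for a source network: only the standard
# Kerberos V5 service ports, tcp and udp. Adjust if the site uses others.
kerberos_only_rules() {
    src="$1"
    for port in 88 464 749; do
        for proto in tcp udp; do
            printf '%s INPUT -s %s -p %s -m %s --dport %s -j ACCEPT\n' \
                -A "$src" "$proto" "$proto" "$port"
        done
    done
}

# Stand-alone run: report the broad rules and the suggested replacement.
if [ "$(count_broad_accepts "$CONSTRUCTED_RULES")" -gt 0 ]; then
    echo "Over-broad ACCEPT rules found:"
    find_broad_accepts "$CONSTRUCTED_RULES"
    echo "Suggested Kerberos-only rules for 131.225.0.0/16:"
    kerberos_only_rules 131.225.0.0/16
fi
```

Feed it real output with `RULES=$(iptables -S INPUT); count_broad_accepts "$RULES"` to check a live host instead of the constructed sample.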