SCIENTIFIC-LINUX-USERS Archives

January 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Manuel Mussini <[log in to unmask]>
Reply To: Manuel Mussini <[log in to unmask]>
Date: Wed, 3 Jan 2007 16:23:25 +0100

Hi,
I'd like to add a few questions to this topic!
I'm going to install Scientific Linux Fermi 4.4 on my laptop and I'm going
to use it outside FNAL (INFN Bologna, Italy).

Is kerberos automatically installed?

In previous releases I remember that it was asked how to configure the
firewall during the installation (I mean http, ssh, ... and SELinux)! Which
is the best setting to use?

Once this is done, can I kinit from anywhere to get a valid ticket? Even using
a standard ADSL connection instead of the INFN one?

Thanks a lot! A couple of years ago I tried to install a Fermi distro but
kerberos didn't work at all; this time I'd like to be able to use it!

Bye...

> -----Original Message-----
> From: [log in to unmask] [mailto:owner-
> [log in to unmask]] On Behalf Of Troy Dawson
> Sent: Wednesday, January 03, 2007 15:18
> To: Vinod Gupta
> Cc: [log in to unmask]
> Subject: Re: kerberos and ssh to fermilab
> 
> Hi Vinod,
> Since I maintain that page, why don't I see what needs to be changed so
> that it works better.  Your comments below help, but I need more
> clarification on a few things.
> 
> First off, which set of instructions did you use?  And why?
> 
> I ask that so I know which ones need to be fine-tuned, and if you were
> using the wrong ones, I need to know how to better send you to the
> right instructions.
> 
> Vinod Gupta wrote:
> > I tried to follow your instructions at:
> > http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html,
> > installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh to
> > Fermilab unix systems did not work. I am sure other people must have
> > experienced similar problems. I would like to share how I got it working and
> > would welcome ideas to improve the steps:
> >
> > a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask]
> > would not work until I opened all the ports from FNAL (131.225.0.0/16)
> > network. I don't think we need to open all the ports, if you know
> > precisely which ones please let me know.
> >
> 
> Are you talking about poking holes in an external firewall (such as a
> router) or the local firewall on the machine?
> We hadn't had any problems with RHEL4's local firewall, so I hadn't
> thought of that.
> But I believe our security team has written a page on what holes are
> needed, I think a link to their web page would be in order.
> 
> > b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I was
> > no longer able to ssh into my workstation using other RHEL-distributed
> > ssh clients. I tried installing only openssh-clients SLF package but it
> > failed due to dependency problems. I used --nodeps switch:
> > rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
> > The package installed fine and seems to be working with existing
> > RHEL-distributed dependent rpms. I had the impression that RHEL and FNAL
> > ssh rpms install in their own sub-dirs and can co-exist, but apparently
> > not.
> >
> 
> Here is where I think you were reading the wrong instructions, which is
> why I need to know how to better direct people to the right instructions.
> The openssh*SLF* rpm's are designed to be completely kerberized,
> outgoing and incoming.
> There are a set of openssh*SL* rpm's, which have all the necessary
> patches to work with old and new kerberos authentication, but the
> configuration files are set so as to be the same as the default redhat
> configuration files.  These are the rpm's that you really want, they are
> found at
> ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
> 
> > Only after these variations from the doc in the above referred webpage,
> > kinit worked and I could ssh to FNAL Unix systems without
> > password/cryptocard.
> >
> > Vinod
> > Princeton
> 
> Thank you for your help.
> Troy Dawson
> --
> __________________________________________________
> Troy Dawson  [log in to unmask]  (630)840-6468
> Fermilab  ComputingDivision/CSS  CSI Group
> __________________________________________________
