SCIENTIFIC-LINUX-USERS Archives

January 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Vinod Gupta <[log in to unmask]>
Reply To: Vinod Gupta <[log in to unmask]>
Date: Wed, 3 Jan 2007 15:41:09 -0500
Content-Type: text/plain

Hi Troy,

Thanks for the correct URL of the RPMs.
I had followed instructions for Scientific Linux 4.x and RHEL 4.
I don't know how I reached the SLF directory for krb5 and openssh rpms but 
now that I have downloaded SL rpms (including server), all installed 
normally and I can ssh to FNAL as well as into my workstation using 
other RHEL-distributed ssh clients.

As far as the firewall is concerned, our external firewall is fairly open 
but we have tighter local iptables. I played a little bit more with the port 
range and found that if I open 100 ports in the range 33700:33800 to 
the FNAL network then I can do kinit without problems.

Thanks for your help.
Vinod

On 2007-01-03 09:17, Troy Dawson wrote:
> Hi Vinod,
> Since I maintain that page, why don't I see what needs to be changed 
> so that it works better.  Your comments below help, but I need more 
> clarification on a few things.
>
> First off, which set of instructions did you use?  And why?
>
> I ask that so I know which ones need to be fine-tuned, and if you 
> were using the wrong ones, I need to know how to better send you to 
> the right instructions.
>
> Vinod Gupta wrote:
>> I tried to follow your instructions at: 
>> http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html, 
>> installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh 
>> to Fermilab unix systems did not work. I am sure other people must 
>> have experienced similar problems. I would like to share how I made it 
>> work and would welcome ideas to improve the steps:
>>
>> a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask] 
>> would not work until I opened all the ports from FNAL 
>> (131.225.0.0/16) network. I don't think we need to open all the 
>> ports, if you know precisely which ones please let me know.
>>
>
> Are you talking about poking holes in an external firewall (such as a 
> router) or the local firewall on the machine?
> We hadn't had any problems with RHEL4's local firewall, so I hadn't 
> thought of that.
> But I believe our security team has written a page on what holes are 
> needed, I think a link to their web page would be in order.
>
>> b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I 
>> was no longer able to ssh into my workstation using other 
>> RHEL-distributed ssh clients. I tried installing only openssh-clients 
>> SLF package but it failed due to dependency problems. I used --nodeps 
>> switch:
>> rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
>> The package installed fine and seems to be working with existing 
>> RHEL-distributed dependent rpms. I had the impression that RHEL and 
>> FNAL ssh rpms install in their own sub-dirs and can co-exist, but 
>> apparently not.
>>
>
> Here is where I think you were reading the wrong instructions, which 
> is why I need to know how to better direct people to the right 
> instructions.
> The openssh*SLF* rpms are designed to be completely kerberized, 
> outgoing and incoming.
> There is a set of openssh*SL* rpms, which have all the necessary 
> patches to work with old and new kerberos authentication, but the 
> configuration files are set so as to be the same as the default redhat 
> configuration files.  These are the rpms that you really want; they 
> are found at
> ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
>
>> Only after these variations from the doc in the above referred 
>> webpage, kinit worked and I could ssh to FNAL Unix systems without 
>> password/cryptocard.
>>
>> Vinod
>> Princeton
>
> Thank you for your help.
> Troy Dawson
