Hi Troy,
Thanks for the correct URL of the RPMs.
I had followed instructions for Scientific Linux 4.x and RHEL 4
I don't know how I reached SLF directory for krb5 and openssh rpms but
now that I have downloaded SL rpms (including server), all installed
normally and I can ssh to FNAL as well as into my workstation using
other RHEL-distributed ssh clients.
As far as firewall is concerned, our external firewall is fairly open
but we have tighter local iptables. I played a little bit more with port
range and found that if I open 100 ports in the range 33700:33800 to
FNAL network then I can do kinit without problems.
Thanks for your help.
Vinod
On 2007-01-03 09:17, Troy Dawson wrote:
> Hi Vinod,
> Since I maintain that page, why don't I see what needs to be changed
> so that it works better. Your comments below help, but I need more
> clarification on a few things.
>
> First off, which set of instructions did you use? And why?
>
> I ask that so I know which ones need to be fine-tuned, and if you
> were using the wrong ones, I need to know how to better send you to
> the right instructions.
>
> Vinod Gupta wrote:
>> I tried to follow your instructions at:
>> http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html,
>> installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh
>> to Fermilab unix systems did not work. I am sure other people must
>> have experienced similar problems. I would like to share how I made it
>> working and would welcome ideas to improve the steps:
>>
>> a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask]
>> would not work until I opened all the ports from FNAL
>> (131.225.0.0/16) network. I don't think we need to open all the
>> ports, if you know precisely which ones please let me know.
>>
>
> Are you talking about poking holes in an external firewall (such as a
> router) or the local firewall on the machine?
> We hadn't had any problems with RHEL4's local firewall, so I hadn't
> thought of that.
> But I believe our security team has written a page on what holes are
> needed, I think a link to their web page would be in order.
>
>> b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I
>> was no longer able to ssh into my workstation using other
>> RHEL-distributed ssh clients. I tried installing only openssh-clients
>> SLF package but it failed due to dependency problems. I used --nodeps
>> switch:
>> rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
>> The package installed fine and seems to be working with existing
>> RHEL-distributed dependent rpms. I had the impression that RHEL and
>> FNAL ssh rpms install in their own sub-dirs and can co-exist, but
>> apparently not.
>>
>
> Here is where I think you were reading the wrong instructions, which
> is why I need to know how to better direct people to the right
> instructions.
> The openssh*SLF* rpms are designed to be completely kerberized,
> outgoing and incoming.
> There are a set of openssh*SL* rpms, which have all the necessary
> patches to work with old and new kerberos authentication, but the
> configuration files are set to be the same as the default redhat
> configuration files. These are the rpms that you really want, they
> are found at
> ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
>
>> Only after these variations from the doc in the above referred
>> webpage, kinit worked and I could ssh to FNAL Unix systems without
>> password/cryptocard.
>>
>> Vinod
>> Princeton
>
> Thank you for your help.
> Troy Dawson
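Vinod's finding above (opening only the 33700:33800 range to the FNAL network instead of every port) suggests a check worth running on a workstation's local iptables. The Python below is an added example, not code from this thread or from Fermilab: it parses `iptables-save` text (a constructed sample is embedded) and flags ACCEPT rules for 131.225.0.0/16 that are not limited to that port range or to established connections. The network and port range come from the thread; the sample rules and the audit logic are assumptions.

```python
import shlex

PEER_NET = "131.225.0.0/16"     # FNAL network, as given in the thread
ALLOWED_RANGE = (33700, 33800)  # port range that was found sufficient for kinit

# Constructed sample of `iptables-save` output: a blanket rule (the thread's
# first attempt), a correctly scoped rule, and a rule wider than needed.
SAMPLE_RULES = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 131.225.0.0/16 -j ACCEPT
-A INPUT -s 131.225.0.0/16 -p udp -m udp --dport 33700:33800 -j ACCEPT
-A INPUT -s 131.225.0.0/16 -p tcp -m tcp --dport 33000:34000 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Reduce one `-A CHAIN ...` line to the fields the audit needs."""
    toks = shlex.split(line)
    rule = {"src": None, "dports": None, "target": None, "state": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-s", "--source"):
            rule["src"] = arg
        elif t in ("--dport", "--dports"):
            lo, _, hi = arg.partition(":")      # "88" or "33700:33800"
            rule["dports"] = (int(lo), int(hi or lo))
        elif t == "-j":
            rule["target"] = arg
        elif t in ("--state", "--ctstate"):
            rule["state"] = arg
        i += 2 if arg is not None and not arg.startswith("-") else 1  # skip option + value
    return rule

def audit(rules_text, peer=PEER_NET, allowed=ALLOWED_RANGE):
    """Return (line, reason) for each ACCEPT rule from `peer` that is too broad."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue                            # table/chain headers, COMMIT
        r = parse_rule(line)
        if r["target"] != "ACCEPT" or r["src"] != peer:
            continue
        if r["dports"] is None and r["state"] is None:
            findings.append((line, "accepts every port from the peer network"))
        elif r["dports"] and (r["dports"][0] < allowed[0] or r["dports"][1] > allowed[1]):
            findings.append((line, "port range wider than %d:%d" % allowed))
    return findings
```

Feed it the output of `iptables-save` on the workstation; an empty result means every ACCEPT rule for the peer network is scoped to the expected range or to established traffic.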