I have tried opening all the kerberos ports listed in /etc/services but
it did not help. Unless I open all the ports in the range 33000:34000,
kinit simply hangs and times out after a minute or so.
Another weird thing is happening: a difference in ssh'ing to different
servers. Once I have run "kinit -f [log in to unmask]" I ssh to cmsuaf and
cmswn055. I am logged in without cryptocard or password on both, but
while I can read/write to my home dir from cmswn055, not so from cmsuaf.
I am wondering if people from other Universities also experience the
same. Are you people doing something different?
Vinod
Vinod Gupta wrote:
> Hi Troy,
>
> Thanks for correct URL of the RPMs.
> I had followed instructions for Scientific Linux 4.x and RHEL 4
> I don't know how I reached SLF directory for krb5 and openssh rpms but
> now that I have downloaded SL rpms (including server), all installed
> normally and I can ssh to FNAL as well as into my workstation using
> other RHEL-distributed ssh clients.
>
> As far as firewall is concerned, our external firewall is fairly open
> but we have tighter local iptables. I played a little bit more with port
> range and found that if I open 100 ports in the range 33700:33800 to
> FNAL network then I can do kinit without problems.
>
> Thanks for your help.
> Vinod
>
> On 2007-01-03 09:17, Troy Dawson wrote:
>> Hi Vinod,
>> Since I maintain that page, why don't I see what needs to be changed
>> so that it works better. Your comments below help, but I need more
>> clarification on a few things.
>>
>> First off, which set of instructions did you use? And why?
>>
>> I ask that so I know which ones need to be fine-tuned, and if you
>> were using the wrong ones, I need to know how to better send you to
>> the right instructions.
>>
>> Vinod Gupta wrote:
>>> I tried to follow your instructions at:
>>> http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html,
>>> installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh
>>> to Fermilab unix systems did not work. I am sure other people must
>>> have experienced similar problems. I would like to share how I made it
>>> work and would welcome ideas to improve the steps:
>>>
>>> a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask]
>>> would not work until I opened all the ports from FNAL
>>> (131.225.0.0/16) network. I don't think we need to open all the
>>> ports, if you know precisely which ones please let me know.
>>>
>>
>> Are you talking about poking holes in an external firewall (such as a
>> router) or the local firewall on the machine?
>> We hadn't had any problems with RHEL4's local firewall, so I hadn't
>> thought of that.
>> But I believe our security team has written a page on what holes are
>> needed, I think a link to their web page would be in order.
>>
>>> b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I
>>> was no longer able to ssh into my workstation using other
>>> RHEL-distributed ssh clients. I tried installing only openssh-clients
>>> SLF package but it failed due to dependency problems. I used --nodeps
>>> switch:
>>> rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
>>> The package installed fine and seems to be working with existing
>>> RHEL-distributed dependent rpms. I had the impression that RHEL and
>>> FNAL ssh rpms install in their own sub-dirs and can co-exist, but
>>> apparently not.
>>>
>>
>> Here is where I think you were reading the wrong instructions, which
>> is why I need to know how to better direct people to the right
>> instructions.
>> the openssh*SLF* rpms are designed to be completely kerberized,
>> outgoing and incoming.
>> There are a set of openssh*SL* rpms, which have all the necessary
>> patches to work with old and new kerberos authentication, but the
>> configuration files are set to be the same as the default redhat
>> configuration files. These are the rpms that you really want, they
>> are found at
>> ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
>>
>>> Only after these variations from the doc in the above referred
>>> webpage, kinit worked and I could ssh to FNAL Unix systems without
>>> password/cryptocard.
>>>
>>> Vinod
>>> Princeton
>>
>> Thank you for your help.
>> Troy Dawson