SCIENTIFIC-LINUX-USERS Archives

January 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Vinod Gupta <[log in to unmask]>
Date: Mon, 8 Jan 2007 01:18:17 -0500
I have tried opening all the kerberos ports listed in /etc/services but 
it did not help. Unless I open all the ports in the range 33000:34000, 
kinit simply hangs and times out after a minute or so.

Another weird thing is happening: a difference in ssh'ing to different 
servers. Once I have run "kinit -f [log in to unmask]" I ssh to cmsuaf and 
cmswn055. I am logged in without cryptocard or password on both, but 
while I can read/write to my home dir from cmswn055, not so from cmsuaf.

I am wondering if people from other Universities also experience the 
same. Are you people doing something different?

Vinod

Vinod Gupta wrote:
> Hi Troy,
> 
> Thanks for the correct URL of the RPMs.
> I had followed instructions for Scientific Linux 4.x and RHEL 4
> I don't know how I reached SLF directory for krb5 and openssh rpms but 
> now that I have downloaded SL rpms (including server), all installed 
> normally and I can ssh to FNAL as well as into my workstation using 
> other RHEL-distributed ssh clients.
> 
> As far as firewall is concerned, our external firewall is fairly open 
> but we have tighter local iptables. I played a little bit more with port 
> range and found that if I open 100 ports in the range 33700:33800 to 
> FNAL network then I can do kinit without problems.
> 
> Thanks for your help.
> Vinod
> 
> On 2007-01-03 09:17, Troy Dawson wrote:
>> Hi Vinod,
>> Since I maintain that page, why don't I see what needs to be changed 
>> so that it works better.  Your comments below help, but I need more 
>> clarification on a few things.
>>
>> First off, which set of instructions did you use?  And why?
>>
>> I ask that so I know which ones need to be fine-tuned, and if you 
>> were using the wrong ones, I need to know how to better send you to 
>> the right instructions.
>>
>> Vinod Gupta wrote:
>>> I tried to follow your instructions at: 
>>> http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html, 
>>> installed all the 8 rpms on a RHEL4 workstation at Princeton but ssh 
>>> to Fermilab unix systems did not work. I am sure other people must 
>>> have experienced similar problems. I would like to share how I made it 
>>> work and would welcome ideas to improve the steps:
>>>
>>> a) All the three krb5 rpms installed fine but kinit -Af [log in to unmask] 
>>> would not work until I opened all the ports from FNAL 
>>> (131.225.0.0/16) network. I don't think we need to open all the 
>>> ports, if you know precisely which ones please let me know.
>>>
>>
>> Are you talking about poking holes in an external firewall (such as a 
>> router) or the local firewall on the machine?
>> We hadn't had any problems with RHEL4's local firewall, so I hadn't 
>> thought of that.
>> But I believe our security team has written a page on what holes are 
>> needed, I think a link to their web page would be in order.
>>
>>> b) When I installed all the openssh-*.SLF.*.rpm on my workstation, I 
>>> was no longer able to ssh into my workstation using other 
>>> RHEL-distributed ssh clients. I tried installing only openssh-clients 
>>> SLF package but it failed due to dependency problems. I used --nodeps 
>>> switch:
>>> rpm -U --nodeps openssh-clients-3.9p1-8.SLF.4.18.i386.rpm
>>> The package installed fine and seems to be working with existing 
>>> RHEL-distributed dependent rpms. I had the impression that RHEL and 
>>> FNAL ssh rpms install in their own sub-dirs and can co-exist, but 
>>> apparently not.
>>>
>>
>> Here is where I think you were reading the wrong instructions, which 
>> is why I need to know how to better direct people to the right 
>> instructions.
>> The openssh*SLF* rpms are designed to be completely kerberized, 
>> outgoing and incoming.
>> There are a set of openssh*SL* rpms, which have all the necessary 
>> patches to work with old and new kerberos authentication, but the 
>> configuration files are set to be the same as the default redhat 
>> configuration files.  These are the rpms that you really want, they 
>> are found at
>> ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
>>
>>> Only after these variations from the doc in the above referred 
>>> webpage, kinit worked and I could ssh to FNAL Unix systems without 
>>> password/cryptocard.
>>>
>>> Vinod
>>> Princeton
>>
>> Thank you for your help.
>> Troy Dawson
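The workaround in this thread was to open a block of ephemeral ports inbound from the FNAL network. As an added example (not part of the thread or of any Fermilab tooling), here is a small audit for that pattern in an iptables-save dump: kinit sends its request from an ephemeral port and the KDC answers back to that port, so with a DROP policy the reply is discarded unless a stateful ESTABLISHED/RELATED rule admits it, which is what makes opening the whole range unnecessary. The rule lines are constructed, and `STATEFUL_RULE` and the function names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed iptables-save excerpt (not from any real host), modelled on the
# thread's workaround: ephemeral ports opened towards 131.225.0.0/16 so that
# kinit stops hanging behind a host with a DROP policy on INPUT.
CONSTRUCTED_RULES = [
    "-P INPUT DROP",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 131.225.0.0/16 -p udp -m udp --dport 33700:33800 -j ACCEPT",
]

# Hypothetical replacement: let connection tracking admit the KDC's reply to
# the client's ephemeral port instead of opening the range inbound.
STATEFUL_RULE = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

_STATEFUL = re.compile(r"--(?:state|ctstate)\s+\S*ESTABLISHED")
_DPORT_RANGE = re.compile(r"--dport\s+(\d+):(\d+)")


def audit_input_chain(rules: List[str], max_width: int = 16) -> Dict[str, object]:
    """Report whether INPUT has a stateful accept and which accepted
    destination-port ranges are wider than max_width ports."""
    stateful = False
    wide: List[Tuple[int, int]] = []
    for rule in rules:
        if not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule:
            continue
        if _STATEFUL.search(rule):
            stateful = True
        m = _DPORT_RANGE.search(rule)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if hi - lo + 1 > max_width:
                wide.append((lo, hi))
    return {"stateful_accept": stateful, "wide_ranges": wide}


def hardened(rules: List[str], max_width: int = 16) -> List[str]:
    """Drop accepts for over-broad port ranges and add the stateful accept."""
    def too_wide(rule: str) -> bool:
        m = _DPORT_RANGE.search(rule)
        return bool(m) and int(m.group(2)) - int(m.group(1)) + 1 > max_width
    return [r for r in rules if not too_wide(r)] + [STATEFUL_RULE]
```

Feed it the output of `iptables-save` on the affected host; a result with `stateful_accept` False and a wide range listed is the configuration that forces workarounds like the one above.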
