LinuxQuestions.org


Amalfy Vargas 08-03-2012 11:36 AM

Configuring Kerberos - LDAP for use with SSH
 
Distributor ID: Debian
Description: Debian GNU/Linux 6.0.5 (squeeze)
Release: 6.0.5
Codename: squeeze

I'm a noob but catch up really quick.

I followed this guide to setting up the kerberos and ldap: http://www.rjsystems.nl/en/2100-d6-k...p-provider.php

and the ssh part is pretty straightforward, so I guess my first question is..., is the guide I'm following correct for the kerberos and ldap installation and configuration?

Here I will post some of my problems so you can get questions going and lead me to my mistake, please.

I'm not really interested in the gssapi, certificates or whatnot; all I'm trying to do is create a user in kerberos via kadmin and be able to access such server via ssh..., and eventually get tacacs running using kerberos for authentication.

root@zirconium:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: avargas@TEST.COM

Valid starting Expires Service principal
08/03/12 10:54:01 08/04/12 10:54:01 krbtgt/TEST.COM@TEST.COM
root@zirconium:/etc/pam.d# kadmin -p admin
Authenticating as principal admin with password.
Password for admin@TEST.COM:
kadmin: listprincs
K/M@TEST.COM
krbtgt/TEST.COM@TEST.COM
kadmin/admin@TEST.COM
kadmin/changepw@TEST.COM
kadmin/history@TEST.COM
kadmin/zirconium.test.com@TEST.COM
admin@TEST.COM
ldap/zirconium.test.com@TEST.COM
avargas@TEST.COM
kadmin: exit
root@zirconium:/etc/pam.d# users
root root
root@zirconium:/etc/pam.d# domainname -f
zirconium.test.com
root@zirconium:/etc/pam.d# domainname
test.com
root@zirconium:/etc/pam.d# dnsdomainname
test.com
root@zirconium:/etc/pam.d# hostname
zirconium
root@zirconium:/etc/pam.d#

avargas@10.10.10.10's password:
Permission denied, please try again.
avargas@10.10.10.10's password:


I am aware that ntp sync is important, and I have not added the user using useradd because that would defeat the purpose and I would be able to log in using locally created accounts.

root@zirconium:/home# ls /home

Please, I've been reading for like 2 weeks non-stop and apparently I'm messing up somewhere..., kindness and help..., no sarcasm please.

Thanks

Amalfy Vargas

acid_kewpie 08-03-2012 01:17 PM

At the risk of missing your motivations, do you really *want* to use kerberos in the first place? Is there a specific reason you wouldn't prefer to just bind using ldap? It's *so so so* much easier and less confounding than kerberos, and as you don't appear to be looking at domain access and SSO, it seems totally preferable.

Amalfy Vargas 08-03-2012 01:29 PM

If it works for what I want..., point me in the right direction and I'll follow through. So far my intentions are:

a user DB in linux that tacacs would be able to talk to for AAA, and access through SSH to the server where all this would be configured.


client ---> ssh---->tacacs ---> router


Lead the way! Links to specifics would be fine... If I get stuck, I'll start another thread with the new problem; hopefully none.


Thanks for your response

PS I do not want a user DB in tacacs.conf nor on the server like useradd; I guess that's why I was going for kerberos..., though we have a Windows AD that could be used as well if access to the server and the routers could be managed by Windows AD.

acid_kewpie 08-03-2012 03:56 PM

If you only want password verification, then LDAP (on AD if you wish) is *very* simple to use. I've not configured a tacacs server before, but it's easy for a service like freeradius.

I imagine you could generically use the linux nss calls to authenticate users on the server, but generally I wouldn't, as you're validating users onto a network, not logging into the box. So I say configure Tacacs+ access totally independently of SSH and other system level logins. For Tacacs+ you won't need POSIX details (i.e. uid, gid and other details for a proper unix login) but you will elsewhere, and IF you're using AD, you probably won't have those available by default. You can add unix extensions for AD; I forget what M$ are calling them this year though, it used to be MSSFU.
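The symptoms in the first post (a valid TGT and a principal in kadmin, but `users` shows only root and `/home` is empty, and ssh still says "Permission denied") and the point in the last reply about needing POSIX details fit together: sshd only completes a login for an account it can resolve through NSS, whatever Kerberos says about the password. The following pre-flight script is an added example for this thread, not code from either poster or from the guide linked above. It assumes a Debian-style PAM layout with pam_krb5 wired into /etc/pam.d/common-auth; the default user name avargas is taken from the thread, and the sample PAM lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberos-backed SSH login (added example for this
# thread, not code from the posts). Assumes Debian squeeze with pam_krb5 in
# /etc/pam.d/common-auth; the user name and sample PAM text are constructed.

# sshd only completes a login for an account it can resolve through NSS
# (getent passwd), even when the password itself is verified by Kerberos.
# A principal created in kadmin alone is not enough.
# Returns 0 if the name resolves, 1 otherwise.
check_posix_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Reads a PAM stack on stdin and returns 0 if an active (non-comment) line
# loads pam_krb5.so, 1 otherwise. Constructed example of a matching line:
#   auth sufficient pam_krb5.so minimum_uid=1000
pam_uses_krb5() {
    grep -v '^[[:space:]]*#' | grep -q 'pam_krb5\.so'
}

# Kerberos derives the host principal from the fully qualified host name,
# so `hostname -f` should report one. Returns 0 if the name has a domain part.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Runs the three checks against the live system and prints one line each.
main() {
    user="${1:-avargas}"   # user name taken from the thread; pass another as $1
    if check_posix_user "$user"; then
        echo "ok: '$user' resolves through NSS"
    else
        echo "FAIL: '$user' is unknown to getent passwd; sshd rejects the login regardless of what Kerberos says"
    fi

    # stderr is redirected first so a missing file falls through to the else branch quietly
    if pam_uses_krb5 2>/dev/null </etc/pam.d/common-auth; then
        echo "ok: /etc/pam.d/common-auth loads pam_krb5.so"
    else
        echo "FAIL: pam_krb5.so is not active in /etc/pam.d/common-auth (or the file is missing)"
    fi

    host="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)"
    if is_fqdn "$host"; then
        echo "ok: host name is fully qualified ($host)"
    else
        echo "WARN: host name '$host' has no domain part; check /etc/hosts and hostname -f"
    fi
}

main "$@"
```

Run it as root on the SSH server with the user name as the first argument. In the situation described in the first post the first check is the one expected to fail: the fix is to give the principal a POSIX identity (an LDAP posixAccount served through nss_ldap/libnss-ldap, as the linked guide does, or a local account created only for testing), after which pam_krb5 can verify the password against the KDC.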

