Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [besides the SSH keys on the login server] and local user accounts.
1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this:
ktadd host/client.example.com
Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?
3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server. I want it to only run on eth1; how can this be done?
Thanks in advance.
Last edited by kja_007700; 02-20-2010 at 05:13 PM.
Reason: Making the questions more clear
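For question 1 (avoiding duplicate UIDs), an added example that is not part of the thread: a small Python script that takes the LDIF text an `ldapsearch -x -LLL ... uidNumber` query returns, reports any uidNumber already assigned to more than one entry, allocates the next number, and renders a posixAccount entry for `ldapadd`. The base DN `ou=People,dc=example,dc=com`, the allocation range 10000-59999, the attribute set in the rendered entry and the sample directory contents are all assumptions constructed for the example.

```python
"""Allocate the next free uidNumber from an LDIF dump of posixAccount entries.

Feed it the output of something like (base DN is an assumption):
    ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" "(objectClass=posixAccount)" uidNumber
"""
import base64
import re

UID_MIN, UID_MAX = 10000, 60000  # assumed range; keep it clear of local /etc/passwd ids


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.
    Handles '#' comments, folded lines (continuation starts with one space)
    and base64 values ('attr:: ...')."""
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)          # join folded continuation lines
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def duplicate_uids(entries):
    """uidNumbers that more than one entry already carries, with the DNs involved.
    A non-empty result means the directory already has the collision the
    original poster wants to avoid, and it should be fixed before adding users."""
    seen = {}
    for entry in entries:
        for value in entry.get("uidNumber", []):
            seen.setdefault(int(value), []).append(entry["dn"][0])
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


def next_uid(entries, lo=UID_MIN, hi=UID_MAX):
    """Highest uidNumber in [lo, hi) plus one, or lo if the range is empty.
    Deliberately never reuses a freed number: files still owned by a deleted
    user's uid would otherwise silently belong to the new account."""
    in_range = [int(v) for e in entries for v in e.get("uidNumber", []) if lo <= int(v) < hi]
    candidate = max(in_range) + 1 if in_range else lo
    if candidate >= hi:
        raise RuntimeError("uidNumber range %d-%d is exhausted" % (lo, hi - 1))
    return candidate


def user_ldif(uid, uid_number, base_dn="ou=People,dc=example,dc=com", gid_number=10000):
    """Render a posixAccount entry for ldapadd (attribute set is an assumed template)."""
    return "\n".join([
        "dn: uid=%s,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "uid: %s" % uid,
        "cn: %s" % uid,
        "sn: %s" % uid,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % uid,
        "loginShell: /bin/bash",
        "",
    ])


# Constructed sample of ldapsearch -LLL output, including one collision (10002)
# and one entry outside the managed range (65534).
SAMPLE_LDIF = """\
# comment lines are ignored
dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 10000

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 10002

dn:: dWlkPWNhcm9sLG91PVBlb3BsZSxkYz1leGFtcGxlLGRjPWNvbQ==
uidNumber: 10002

dn: uid=svc,ou=People,dc=example,dc=com
uidNumber: 65534
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    dups = duplicate_uids(entries)
    if dups:
        print("WARNING: uidNumber already shared:", dups)
    print(user_ldif("dave", next_uid(entries)))
```

Run the script with real `ldapsearch` output on stdin in place of `SAMPLE_LDIF` and pipe the rendered entry into `ldapadd`. Note that "read the maximum, add one" is only safe when one person or one serialized script provisions accounts; if several admins run it concurrently they can both read the same maximum, so the next step up is to keep a counter entry in the directory and bump it with an LDAP modify that fails if the stored value changed.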
To obtain the ticket you just need to run kinit on the destination server. AFAIK, a standard krb5-configured PAM would cause a ticket to be requested upon login from an appropriate source, e.g. if sshd references pam_stack or system_auth then the generic system-wide config would apply.
I feel the urge to say that you called the thread "Integrating LDAP and Kerberos?" But there is no integration between the two. They have no common functionality at all, and it's only deliberately duplicated data between the two environments in terms of user names that links them at all.
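For questions 2 to 4 and the PAM point in the reply above, an added configuration example that is not from the thread or from any particular distribution. The interface address 10.0.1.1 for eth1, the realm's DNS domain example.com and the file paths are assumptions. Two caveats a practitioner would want before copying it: the `kdc_listen` / `kdc_tcp_listen` settings exist only in MIT Kerberos 1.13 and later (older releases have only `kdc_ports` and bind every interface, so the other interfaces have to be closed with a packet filter), and OpenSSH public-key logins do not run the PAM auth stack, only account and session, so pam_krb5 never sees a password and cannot obtain a TGT for a key-based login; the user either runs kinit after logging in or forwards a ticket they already hold from their workstation with GSSAPI delegation.

```text
# kdc.conf on the KDC (MIT krb5 1.13 or newer): bind only to the eth1 address
[kdcdefaults]
    kdc_listen = 10.0.1.1:88
    kdc_tcp_listen = 10.0.1.1:88

# /etc/pam.d/system-auth (Red Hat style, referenced by sshd's PAM stack):
# gets a TGT on password logins only; key-based SSH logins skip the auth phase
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
session     optional      pam_krb5.so

# /etc/ssh/sshd_config on every LAN host: accept Kerberos tickets over SSH
GSSAPIAuthentication yes
UsePAM yes

# /etc/ssh/ssh_config (or ~/.ssh/config) on the login server: use the ticket
# the user holds and, when needed, forward it to the next hop
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
```

On question 2: a host key is bound to the principal `host/<fqdn>@REALM`, and MIT Kerberos has no wildcard host principal, so each machine still needs its own `addprinc -randkey host/<fqdn>` followed by `ktadd` of that one principal into its local `/etc/krb5.keytab`; what you save is managing per-user SSH keys, not the one keytab per host.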
I will try to read up on pam_stack and system_auth.
By doing research on Kerberos and LDAP for the last couple of days, I see your point is valid; I need to create the same information in two places and keep track of this. I have changed the title of my thread and cleaned the question up a bit to make it more clear what my problem is.