LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-03-2012, 11:36 AM   #1
Amalfy Vargas
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Rep: Reputation: Disabled
Configuring Kerberos - LDAP for use with SSH


Distributor ID: Debian
Description: Debian GNU/Linux 6.0.5 (squeeze)
Release: 6.0.5
Codename: squeeze

I'm a noob but catch up really quick.

I followed this guide to setting up the kerberos and ldap: http://www.rjsystems.nl/en/2100-d6-k...p-provider.php

and the ssh part is pretty straight forward so I guess my first question is..., is the guide I'm following correct for the kerberos and ldap installation and configuration?

here I will post some of my problems so you can get questions going and lead me to my mistake please.

Im not really interested in the gssapi, certificates or what not, all I'm trying to do is create a user in kerberos via kadmin and be able to access such server via ssh..., and eventually get tacacs running using kerberos for authentication.

root@zirconium:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: avargas@TEST.COM

Valid starting Expires Service principal
08/03/12 10:54:01 08/04/12 10:54:01 krbtgt/TEST.COM@TEST.COM
root@zirconium:/etc/pam.d# kadmin -p admin
Authenticating as principal admin with password.
Password for admin@TEST.COM:
kadmin: listprincs
K/M@TEST.COM
krbtgt/TEST.COM@TEST.COM
kadmin/admin@TEST.COM
kadmin/changepw@TEST.COM
kadmin/history@TEST.COM
kadmin/zirconium.test.com@TEST.COM
admin@TEST.COM
ldap/zirconium.test.com@TEST.COM
avargas@TEST.COM
kadmin: exit
root@zirconium:/etc/pam.d# users
root root
root@zirconium:/etc/pam.d# domainname -f
zirconium.test.com
root@zirconium:/etc/pam.d# domainname
test.com
root@zirconium:/etc/pam.d# dnsdomainname
test.com
root@zirconium:/etc/pam.d# hostname
zirconium
root@zirconium:/etc/pam.d#

avargas@10.10.10.10's password:
Permission denied, please try again.
avargas@10.10.10.10's password:


I am aware of ntp sync is important and I have not added the user using useradd cuz that would defeat the purpose and I will be able to log in using local created accounts.

root@zirconium:/home# ls /home

Please, I've been reading for like 2 weeks non-stop and apparently I'm messing up somewhere.., kindness and help..., no sarcasm please.

Thanks

Amalfy Vargas
 
Old 08-03-2012, 01:17 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
At the risk of missing your motivations, do you really *want* to use kerberos in the first place? Is there a specific reason you wouldn't prefer to just bind using ldap? It's *so so so* much easier and less confounding that kerberos, and as you don't appear to be looking at domain access and SSO, seems totally preferable.
 
Old 08-03-2012, 01:29 PM   #3
Amalfy Vargas
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
If it works for what I want..., point me in the right direction and I'll follow through. So far my intentions are:

a user DB in linux that tacacs would be able to talk to for AAA, and access to the server where all this would be configured at through SSH.


client ---> ssh---->tacacs ---> router


Lead the way!, links to specifics would be fine..., If I get stuck, I'll start another thread with the new problem; hopefully none.


Thanks for your response

PS I do not want a user DB in tacacs.conf nor on the server like useradd, i guess thats why I was going for kerberos..., though we have a windows AD that could be used as well if access to the server and the routers could be managed by windows AD

Last edited by Amalfy Vargas; 08-03-2012 at 01:35 PM.
 
Old 08-03-2012, 03:56 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
If you only want password verification, then LDAP (on AD if you wish) is *very* simple to use. I've not configured a tacacs server before, but it's easy for a service like freeradius.

I imagine you could generically use the linux nss calls to authenticate users on the server, but generally I wouldn't as you're validating users onto a network, not logging into the box. So I say configure Tacacs+ access totally independently to SSH and other system level logins. For Tacacs+ you won't need POSIX details (i.e. uid, gid and other details for a proper unix login) but you will elsewhere, and IF you're using AD, you probably won't have those available by default. You can add unix extensions for AD, I forget what M$ are calling them this year though, used to be MSSFU
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh and kerberos error: Server not found in Kerberos database Felipe Linux - Server 1 01-17-2011 03:12 AM
Kerberos LDAP avatardeviva Linux - Server 0 05-29-2010 10:00 AM
LDAP and Kerberos? kja_007700 Linux - Security 2 02-20-2010 07:52 AM
combine LDAP and Kerberos? licht Linux - Server 0 07-12-2007 12:35 PM
LDAP and Kerberos the right tools? labratmatt Linux - Software 4 05-30-2006 09:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration