    ivaneeo's blog

    The power of freedom, a life of freedom.


    From a convenience perspective, I want to authenticate as infrequently as possible. However, security requirements suggest that I should be authenticated for all sorts of services. This means that Single Sign On and forwardable authentication credentials would be useful.

    Within an individual organisation at least, it is useful and fairly straightforward to have centralised control for authentication services. More and more authorisation and applications services are able to use centralised authentication services such as Kerberos.

    This document will demonstrate how to configure a machine running OpenSSH server to use GSSAPI so that users can log in if they hold valid Kerberos tickets. This is not the place for extensive explanations about tickets, about how to set up the Key Distribution Center (KDC) in the first place, or about how to build or install the necessary software on the various Unix-like systems. Most likely, your distribution's package management system can provide you with what you need.

    Kerberos

    All destination machines should have /etc/krb5.conf modified to allow forwardable tickets:

    [libdefaults]
        default_realm = ALLGOODBITS.ORG
        forwardable = TRUE

    [realms]
        ALLGOODBITS.ORG = {
            kdc = kerberos.allgoodbits.org
        }

    Using kadmin, create a principal for a user:

    kadmin> ank <username>@<REALM> 

    Here the process differs depending upon whether you're using MIT Kerberos (probably) or Heimdal.

    MIT

    Create a principal for the host:

    kadmin> ank -randkey host/<FQDN>@<REALM> 

    Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

    kadmin> ktadd -k /tmp/<FQDN>.keytab host/<FQDN> 

    Heimdal

    Create a principal for the host:

    kadmin> ank -r host/<FQDN>@<REALM> 

    Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

    kadmin> ext -k /tmp/<FQDN>.keytab host/<FQDN>@<REALM> 

    SSH

    Then we need to take the keytab file into which you extracted the key for the host principal and copy it to the location on the ssh server where sshd will look for it, probably /etc/krb5.keytab.

    We need to configure sshd_config(5). The important options start with GSSAPI, not to be confused with the Kerberos options, which are merely for KDC-validated password authentication; the GSSAPI method allows authentication and login based upon existing tickets. In other words, the "Kerberos" method requires you to enter your password (again), while GSSAPI allows login based upon the tickets you already have.

    sshd_config:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    PermitRootLogin without-password

    ssh_config:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
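    The Kerberos and SSH sections above each leave a small number of settings that must be right before ticket-based login works: a default realm and forwardable tickets in krb5.conf, GSSAPI authentication and credential cleanup on the server, GSSAPI authentication and delegation on the client, and a host keytab that nobody but root can read. The script below is an added example, not part of the original post, that checks those settings offline. It assumes the "key = value" spelling of krb5.conf used in the post, and it builds its own constructed sample files in a temporary directory so it can run without a KDC or a real keytab.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# krb5.conf, sshd_config/ssh_config and keytab settings the post describes.
# Every file path is a parameter, so the functions can be pointed at the real
# files or at the constructed samples written by write_samples below.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a keyword in an sshd_config/ssh_config-style file.
# As in OpenSSH, the first match wins and keywords are case-insensitive;
# comments and blank lines are skipped. Prints nothing if the keyword is absent.
ssh_opt() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Value of "key = value" inside a [section] of krb5.conf (first match wins).
# Assumption: the "key = value" spelling used in the post, not "key=value".
krb5_opt() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Server side: GSSAPI on, ticket cache removed at logout, no password logins
# as root. Prints "ok" or one problem per line; returns non-zero on a problem.
check_sshd() {
    f="$1"; rc=0
    [ "$(lc "$(ssh_opt "$f" GSSAPIAuthentication)")" = yes ] \
        || { echo "GSSAPIAuthentication is not yes"; rc=1; }
    [ "$(lc "$(ssh_opt "$f" GSSAPICleanupCredentials)")" = yes ] \
        || { echo "GSSAPICleanupCredentials is not yes"; rc=1; }
    [ "$(lc "$(ssh_opt "$f" PermitRootLogin)")" != yes ] \
        || { echo "PermitRootLogin yes permits password logins as root"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Client side: without delegation the forwarded-ticket use case silently fails.
check_ssh_client() {
    f="$1"; rc=0
    [ "$(lc "$(ssh_opt "$f" GSSAPIAuthentication)")" = yes ] \
        || { echo "GSSAPIAuthentication is not yes"; rc=1; }
    [ "$(lc "$(ssh_opt "$f" GSSAPIDelegateCredentials)")" = yes ] \
        || { echo "GSSAPIDelegateCredentials is not yes"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# krb5.conf: a default realm must exist and tickets must be forwardable.
check_krb5() {
    f="$1"; rc=0
    [ -n "$(krb5_opt "$f" libdefaults default_realm)" ] \
        || { echo "no default_realm in [libdefaults]"; rc=1; }
    [ "$(lc "$(krb5_opt "$f" libdefaults forwardable)")" = true ] \
        || { echo "forwardable is not true"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# The keytab holds the host's long-term key: it must exist and must not be
# readable by group or others (columns 5-10 of ls -l are the group/other bits).
check_keytab() {
    f="$1"
    [ -f "$f" ] || { echo "keytab $f missing"; return 1; }
    perms="$(ls -ld "$f" | cut -c5-10)"
    [ "$perms" = "------" ] || { echo "keytab $f is group/world accessible ($perms)"; return 1; }
    echo ok
}

# Constructed sample files (not real configs) so the checks can run offline.
write_samples() {
    d="$1"
    printf '%s\n' '[libdefaults]' '    default_realm = ALLGOODBITS.ORG' \
        '    forwardable = TRUE' '[realms]' '    ALLGOODBITS.ORG = {' \
        '        kdc = kerberos.allgoodbits.org' '    }' > "$d/krb5.conf"
    printf '%s\n' '# constructed sample' 'GSSAPIAuthentication yes' \
        'GSSAPICleanupCredentials yes' 'PermitRootLogin without-password' > "$d/sshd_config.good"
    printf '%s\n' 'GSSAPIAuthentication no' 'PermitRootLogin yes' > "$d/sshd_config.bad"
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIDelegateCredentials yes' > "$d/ssh_config"
    : > "$d/krb5.keytab"; chmod 600 "$d/krb5.keytab"
}

# Stand-alone run: build the samples in a temporary directory and check them.
tmp="$(mktemp -d)"
write_samples "$tmp"
check_krb5 "$tmp/krb5.conf"
check_sshd "$tmp/sshd_config.good"
check_sshd "$tmp/sshd_config.bad" || true   # reports the three problems
check_ssh_client "$tmp/ssh_config"
check_keytab "$tmp/krb5.keytab"
rm -rf "$tmp"
```

    Against a real host, run the same functions on the real files (check_krb5 /etc/krb5.conf, check_sshd /etc/ssh/sshd_config, check_keytab /etc/krb5.keytab). The script only looks at configuration text and file permissions; whether the host principal is actually present in the keytab is still answered by klist -k /etc/krb5.keytab on MIT or ktutil list on Heimdal.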

    PAM

    Linux Pluggable Authentication Modules (PAM) provide a common framework for authentication and authorisation for applications.

    /etc/pam.d/common-account:

    account sufficient      pam_krb5.so     use_first_pass 

    /etc/pam.d/common-auth:

    auth    sufficient      pam_krb5.so     use_first_pass 

    /etc/pam.d/common-password:

    password        sufficient      pam_krb5.so 

    /etc/pam.d/common-session:

    session optional      pam_krb5.so 

    This is sufficient to allow OpenAFS-based home directories, because although AFS uses Kerberos v4, MIT Kerberos does 5-to-4 ticket conversion on the fly.

    Troubleshooting

    • As with anything concerned with Kerberos, make sure you have NTP and DNS working properly before you even start.
    • ssh -v can give you a lot of valuable information.
    • Read your logs.
    posted on 2013-10-12 18:12 by ivaneeo, read (319), comments (0), category: GNU牛力