    ivaneeo's blog

    The power of freedom, a life of freedom.


    From a convenience perspective, I want to authenticate as infrequently as possible. However, security requirements suggest that I should be authenticated for all sorts of services. This means that Single Sign On and forwardable authentication credentials would be useful.

    Within an individual organisation at least, it is useful and fairly straightforward to have centralised control over authentication services. More and more authorisation and application services are able to use a centralised authentication service such as Kerberos.

    This document will demonstrate how to configure a machine running the OpenSSH server to use GSSAPI so that users can log in if they already hold Kerberos tickets. This is not the place for extensive explanations about tickets, about how to set up the Key Distribution Center (KDC) in the first place, or about how to build or install the necessary software on the various Unix-like systems. Most likely, your distribution's package management system can provide you with what you need.

    Kerberos

    All destination machines should have /etc/krb5.conf modified to allow forwardable tickets:

    [libdefaults]
        default_realm = ALLGOODBITS.ORG
        forwardable = TRUE
    [realms]
        ALLGOODBITS.ORG = {
            kdc = kerberos.allgoodbits.org
        }

    Using kadmin, create a principal for a user:

    kadmin> ank <username>@<REALM> 

    Here the process differs depending upon whether you're using MIT Kerberos (probably) or Heimdal.

    MIT

    Create a principal for the host:

    kadmin> ank -randkey host/<FQDN>@<REALM> 

    Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

    kadmin> ktadd -k /tmp/<FQDN>.keytab host/<FQDN> 

    Heimdal

    Create a principal for the host:

    kadmin> ank -r host/<FQDN>@<REALM> 

    Extract the key for the host principal to a keytab file and locate it correctly on the ssh server:

    kadmin> ext -k /tmp/<FQDN>.keytab host/<FQDN>@<REALM> 

    SSH

    Then we need to take the keytab file into which you extracted the key for the host principal and copy it to the location on the ssh server where sshd will look for it, probably /etc/krb5.keytab.

    We need to configure sshd_config(5). The important options start with GSSAPI; they are not to be confused with the Kerberos* options, which merely provide KDC-validated password authentication. The GSSAPI method allows authentication and login based upon existing tickets. In other words, the "Kerberos" method requires you to enter your password (again), while GSSAPI allows login based upon the tickets you already have.

    sshd_config:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    PermitRootLogin without-password

    ssh_config:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
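    The three fragments above (the krb5.conf forwardable setting and the sshd_config/ssh_config GSSAPI options) are easy to get subtly wrong, for instance by leaving an earlier conflicting line in place, since sshd honours the first occurrence of a keyword. The script below is an added example, not part of the original post: it parses those file formats offline and reports which of the settings described here are missing. The file paths and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks that config files
# carry the settings described above; functions take a path, so they also run on real files.

# Exit 0 if the [libdefaults] section of a krb5.conf sets forwardable = true.
krb5_forwardable() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec) }
        sec == "libdefaults" && index($0, "=") {
            split($0, kv, "="); k = kv[1]; v = kv[2]
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (tolower(k) == "forwardable" && (tolower(v) == "true" || tolower(v) == "yes")) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Print the effective value of a keyword in ssh_config/sshd_config syntax: the keyword is
# case-insensitive, "Keyword value" and "Keyword=value" both parse, and, as in sshd, the
# first occurrence wins. Match blocks are ignored (a simplification of this example).
ssh_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); n = match(line, /[ \t=]/)
          if (n == 0) next
          k = tolower(substr(line, 1, n - 1)); v = substr(line, n)
          sub(/^[ \t=]+/, "", v); sub(/[ \t]+$/, "", v)
          if (k == key) { print v; exit } }' "$1"
}

# Report every keyword whose effective value differs from the wanted one.
check_options() {   # usage: check_options FILE Keyword=want ...
    f=$1; shift; rc=0
    for pair in "$@"; do
        k=${pair%%=*}; want=${pair#*=}; got=$(ssh_option "$f" "$k")
        [ "$got" = "$want" ] || { echo "$f: $k is '$got', want '$want'"; rc=1; }
    done
    return $rc
}

# Constructed sample files using the page's example realm, written to a temp dir.
d=$(mktemp -d)
printf '[libdefaults]\n default_realm = ALLGOODBITS.ORG\n forwardable = TRUE\n[realms]\n ALLGOODBITS.ORG = {\n  kdc = kerberos.allgoodbits.org\n }\n' > "$d/krb5.conf"
printf '[libdefaults]\n default_realm = ALLGOODBITS.ORG\n' > "$d/krb5-weak.conf"   # forwardable not set
printf 'GSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\nPermitRootLogin without-password\n' > "$d/sshd_config"
printf 'GSSAPIAuthentication no\nGSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$d/ssh_config"
krb5_forwardable "$d/krb5.conf" && echo "krb5.conf: new tickets will be forwardable"
krb5_forwardable "$d/krb5-weak.conf" || echo "krb5-weak.conf: forwardable unset, delegation to the server will fail"
check_options "$d/sshd_config" GSSAPIAuthentication=yes GSSAPICleanupCredentials=yes && echo "sshd_config: ok"
check_options "$d/ssh_config" GSSAPIAuthentication=yes GSSAPIDelegateCredentials=yes || echo "ssh_config: the first 'no' wins"
```

Point the functions at /etc/krb5.conf, /etc/ssh/sshd_config and /etc/ssh/ssh_config to check a real host; a missing forwardable flag shows up in ssh -v as GSSAPI authentication succeeding while no credentials arrive on the server.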

    PAM

    Linux Pluggable Authentication Modules (PAM) provide applications with a common framework for authentication and authorisation.

    /etc/pam.d/common-account:

    account sufficient      pam_krb5.so     use_first_pass 

    /etc/pam.d/common-auth:

    auth    sufficient      pam_krb5.so     use_first_pass 

    /etc/pam.d/common-password:

    password        sufficient      pam_krb5.so 

    /etc/pam.d/common-session:

    session optional      pam_krb5.so 

    This is sufficient to allow OpenAFS-based home directories because, although AFS uses Kerberos v4, MIT Kerberos does 5-to-4 ticket conversion on the fly.

    Troubleshooting

    • As with anything concerned with Kerberos, make sure you have NTP and DNS working properly before you even start.
    • ssh -v can give you a lot of valuable information.
    • Read your logs.
    posted on 2013-10-12 18:12 by ivaneeo, 319 reads, 0 comments, category: GNU牛力