VM Kerberos

From MyWiki

auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so

Possible problem with authconfig

There appears to be a bug in older versions of authconfig. Upon running authconfig-tui, if the following error message appears:

Traceback (most recent call last): File "/usr/sbin/authconfig-tui", line 738, in ? module.run() File "/usr/sbin/authconfig-tui", line 323, in run self.readAuthInfo() File "/usr/sbin/authconfig-tui", line 228, in readAuthInfo self.info = authinfo.read(self.printError) File "/usr/share/authconfig/authinfo.py", line 594, in read info.read() File "/usr/share/authconfig/authinfo.py", line 1342, in read self.readKerberos() File "/usr/share/authconfig/authinfo.py", line 831, in readKerberos if section == "libdefaults": UnboundLocalError: local variable 'section' referenced before assignment

authconfig needs to be updated. This can be done simply by running:

yum update authconfig

Kerberos Authentication to sshd (Optional)

If you want sshd to accept your kerberos ticket as an authentication mechanism, then you must:

Install krb5 package if necessary, but it should already be there on these VMs. You also need to use the NCSA krb5.conf or edit it your self.
Have your host added to the kerberos database. Details can be found here.
Set the options in /etc/ssh/sshd_config.

Instead of:

 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no

Use:

 # Kerberos options
 KerberosAuthentication yes
 KerberosOrLocalPasswd yes
 KerberosTicketCleanup yes
 #KerberosGetAFSToken no

Fix the /etc/hosts file.

Instead of:

 # Do not remove the following line, or various programs                                                                            
 # that require network functionality will fail.                                                                                    
 127.0.0.1               localhost.localdomain localhost ncdir-dev1.ncsa.uiuc.edu ncdir-dev1
 ::1             localhost6.localdomain6 localhost6

Put something like this:

 # Do not remove the following line, or various programs                                                   
 # that require network functionality will fail.                                                           
 127.0.0.1               localhost.localdomain localhost
 141.142.234.124         ncdir-dev1.ncsa.uiuc.edu ncdir-dev1
 ::1                     localhost6.localdomain6 localhost6

Notes & Problems

On Centos 5 and Red Hat 5, if you have installed smart card components and the pcscd daemon is not running, you might receive this error when logging in or using sudo that requires a password:

 winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub

The solution is to add this stanza to /etc/krb5.conf under the [appdefaults] section:

 pkinit = {
   allow_pkinit = false
 }

VM Kerberos

From MyWiki

Contents

Install Software

Configure Kerberos

Configure PAM

Kerberos Authentication to sshd (Optional)

Notes & Problems

Views

Personal tools

Navigation

Search

Toolbox