Chinaunix首页 | 论坛 | 博客
  • 博客访问: 7740044
  • 博文数量: 637
  • 博客积分: 10265
  • 博客等级: 上将
  • 技术积分: 6165
  • 用 户 组: 普通用户
  • 注册时间: 2004-12-12 22:00
文章分类

全部博文(637)

文章存档

2011年(1)

2010年(1)

2009年(3)

2008年(12)

2007年(44)

2006年(156)

2005年(419)

2004年(1)

分类: BSD

2005-12-15 18:18:16

This is a rather quick manual and I foresee that you have basic UNIX skills.

First off is /etc/krb5.conf, modify it so it suits you:

------
[libdefaults]
# Set the realm of this host here
default_realm = MYREALM.NET
[realms]
MYREALM.NET = {
# Specify KDC here
kdc = host.myrealm.net
# Administration server, used for creating users etc.
admin_server = host.myrealm.net
}
[domain_realm]
.myrealm.net = MYREALM.NET

[logging]
kadmind = FILE:/var/heimdal/kadmind.log

------
Next we will issue some commands for setting up Heimdal, I will not explain these commands in particular instead you can read about them with the man command.
# kstash
# kadmin -l
kadmin> init MYREALM.NET
kadmin> add me
kadmin> add --random-key host/host.myrealm.net
# /usr/sbin/kdc &
# kinit me
# klist
# ktutil list

Thats it for Heimdal. Now make sure your OpenSSH server is up to date (3.9 or newer) and GSSAPIAuthentication and KerberosAuthentication is set to yes in your sshd_config and GSSAPIAuthentication is set to yes in the authenticating clients ssh_config. If you want to cleanup your cedentials on logout you can set GSSAPICleanupCredentials to yes in your sshd_config.

You should now try to authenticate to Heimdal via kauth or as in my case I use the built-in Kerberos client in Mac OS X. Now try to ssh to the host and use verbose mode (-vv) to check if GSSAPI works.

# ssh -vv me@host.myrealm.net

Check for these lines:

debug1: Authentications that can continue: gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).

If you found those lines then GSSAPI works and you will automatically login!

You can check how long your ticket is alive with:

# klist
Default Principal: me@MYREALM.NET
Valid Starting Expires Service Principal
05/28/05 01:12:58 05/28/05 11:12:59 krbtgt/MYREALM.NET@MYREALM.NET
renew until 06/04/05 01:12:59
05/28/05 01:13:10 05/28/05 11:12:59 host/host.myrealm.net@MYREALM.NET
renew until 06/04/05 01:13:00

You now have a working OpenSSH with support for Heimdal authentication. If you have any questions about this howto just lookup my contact information . For more information about Heimdal you can visit .

阅读(2163) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~