Category: BSD
2005-12-15 18:18:16
First off is /etc/krb5.conf, modify it so it suits you:
------
[libdefaults]
# Set the realm of this host here
default_realm = MYREALM.NET
[realms]
MYREALM.NET = {
# Specify KDC here
kdc = host.myrealm.net
# Administration server, used for creating users etc.
admin_server = host.myrealm.net
}
[domain_realm]
.myrealm.net = MYREALM.NET
[logging]
kadmind = FILE:/var/heimdal/kadmind.log
------
Next we will issue some commands to set up Heimdal. I will not explain these commands individually; you can read about them with the man command.
# kstash
# kadmin -l
kadmin> init MYREALM.NET
kadmin> add me
kadmin> add --random-key host/host.myrealm.net
# /usr/sbin/kdc &
# kinit me
# klist
# ktutil list
That's it for Heimdal. Now make sure your OpenSSH server is up to date (3.9 or newer), that GSSAPIAuthentication and KerberosAuthentication are set to yes in your sshd_config, and that GSSAPIAuthentication is set to yes in the authenticating client's ssh_config. If you want to clean up your credentials on logout you can set GSSAPICleanupCredentials to yes in your sshd_config. You should now try to authenticate to Heimdal via kauth or, as in my case, the built-in Kerberos client in Mac OS X. Now try to ssh to the host and use verbose mode (-vv) to check if GSSAPI works.
# ssh -vv me@host.myrealm.net
Check for these lines:
debug1: Authentications that can continue: gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
If you found those lines then GSSAPI works and you will automatically log in!
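As an added check (example code written for this page, not part of the original howto or of OpenSSH/Heimdal), the following Python audits an sshd_config for the directives named above, honouring OpenSSH's rule that the first occurrence of a keyword wins and stopping at any Match block, and confirms from an `ssh -vv` transcript that gssapi-with-mic was both offered and used. The sample config and transcript are constructed, not taken from a real server.

```python
import re
# Directives the howto asks for in sshd_config, with OpenSSH's defaults.
# GSSAPICleanupCredentials only controls whether delegated credentials
# are removed on logout, so it is reported but never fails the audit.
REQUIRED = ("gssapiauthentication", "kerberosauthentication")
DEFAULTS = {"gssapiauthentication": "no", "kerberosauthentication": "no",
            "gssapicleanupcredentials": "yes"}

def parse_sshd_config(text):
    """{keyword: value} for the global section. OpenSSH keeps the FIRST occurrence
    of a keyword, and everything after a Match line is conditional: stop there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if key.lower() == "match":
            break
        cfg.setdefault(key.lower(), rest[0].lower() if rest else "")
    return cfg

def audit_sshd_config(text):
    """(ok, findings): ok only when both required directives are effectively yes."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    missing = [f"{k} is {cfg[k]!r}, expected 'yes'" for k in REQUIRED if cfg[k] != "yes"]
    cleanup = [] if cfg["gssapicleanupcredentials"] == "yes" else \
        ["gssapicleanupcredentials is 'no' (credentials kept on logout)"]
    return not missing, missing + cleanup

def gssapi_succeeded(ssh_debug):
    """True when an `ssh -vv` transcript shows gssapi-with-mic offered and used."""
    offered = re.search(r"Authentications that can continue: (.*)", ssh_debug)
    methods = [m.strip() for m in offered.group(1).split(",")] if offered else []
    return "gssapi-with-mic" in methods and \
        "Authentication succeeded (gssapi-with-mic)" in ssh_debug

# Constructed sample input, not from a real server: the later
# "GSSAPIAuthentication no" must not override the first occurrence.
SAMPLE_SSHD_CONFIG = """\
GSSAPIAuthentication yes
KerberosAuthentication yes
GSSAPICleanupCredentials no
GSSAPIAuthentication no
Match User guest
    GSSAPIAuthentication no
"""
SAMPLE_SSH_VV = ("debug1: Authentications that can continue: gssapi-with-mic,password\n"
                 "debug1: Authentication succeeded (gssapi-with-mic).\n")
```

Run `audit_sshd_config` against your real /etc/ssh/sshd_config text and `gssapi_succeeded` against the saved output of `ssh -vv` to verify the same two conditions the howto checks by eye.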
You can check how long your ticket is alive with:
# klist
Default Principal: me@MYREALM.NET
Valid Starting Expires Service Principal
05/28/05 01:12:58 05/28/05 11:12:59 krbtgt/MYREALM.NET@MYREALM.NET
renew until 06/04/05 01:12:59
05/28/05 01:13:10 05/28/05 11:12:59 host/host.myrealm.net@MYREALM.NET
renew until 06/04/05 01:13:00
You now have a working OpenSSH with support for Heimdal authentication. If you have any questions about this howto just look up my contact information . For more information about Heimdal you can visit .