On Thursday, 7 August 2008 02:01:30, Norberto Bensa wrote:

> I'm doing my first steps into Kerberos V and I got it working but not
> the way I dreamed.
>
> My network:
>
> zeddmore (kdc)
> venkman (client)
> melnitz (client)
>
> Logging in to zeddmore, then ssh to venkman (or melnitz) doesn't show
> tickets either, _unless_ I copy /etc/krb5.keytab from zeddmore to
> venkman (and/or melnitz).
>
> After copying the mentioned file, I get delegation on every box and it
> works.
>
> Is that the way it should be or am I missing something?

Not quite. From the Kerberos V documentation:

"A keytab is a host's copy of its own keylist, which is analogous to a user's
password. An application server that needs to authenticate itself to the KDC
has to have a keytab that contains its own principal and key. Just as it is
important for users to protect their passwords, it is equally important for
hosts to protect their keytabs. You should always store keytab files on local
disk, and make them readable only by root, and you should never send a keytab
file over a network in the clear. Ideally, you should run the kadmin command
to extract a keytab on the host on which the keytab is to reside."

That means: on each of your machines, log in to kadmin, create a host principal
(addprinc -randkey host/yourhost.yourdomain) and extract its key to a keytab.

HTH...

Dirk
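The per-host procedure Dirk describes (create a randkey host principal, extract its key into a keytab on the host that will own it, keep it on local disk and root-only), as an added shell example that is not from the original thread. The realm, admin principal and keytab path are assumed placeholders; `kadmin -p ... -q`, `addprinc -randkey` and `ktadd -k` are the MIT kadmin commands.

```shell
#!/bin/sh
# Added example, not from the original thread. Run this ON the host that
# will own the keytab, so the host key never travels over the network.
set -eu

KADMIN="${KADMIN:-kadmin}"               # MIT kadmin client; overridable for dry runs
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin}" # assumed admin principal placeholder
REALM="${REALM:-YOURDOMAIN}"             # assumed realm placeholder
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Principal name for a host: host/<fqdn>@<REALM>
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Create the host principal with a random key and extract that key into
# the local keytab, then lock the file down (local disk, root only).
provision_host_keytab() {
    fqdn="$1"
    princ=$(host_principal "$fqdn" "$REALM")
    "$KADMIN" -p "$ADMIN_PRINC" -q "addprinc -randkey $princ"
    "$KADMIN" -p "$ADMIN_PRINC" -q "ktadd -k $KEYTAB $princ"
    chown root:root "$KEYTAB"
    chmod 600 "$KEYTAB"
}

# Check that a keytab exists and is mode 600 (GNU stat syntax assumed).
check_keytab_mode() {
    keytab="$1"
    [ -f "$keytab" ] || { echo "missing $keytab"; return 1; }
    mode=$(stat -c '%a' "$keytab")
    [ "$mode" = "600" ] || { echo "$keytab has mode $mode, want 600"; return 1; }
}

# Check that the keytab holds THIS host's principal, not a copied one.
check_keytab_principal() {
    fqdn="$1"; keytab="${2:-$KEYTAB}"
    princ=$(host_principal "$fqdn" "$REALM")
    klist -k "$keytab" | grep -qF "$princ" || { echo "$princ not in $keytab"; return 1; }
}
```

A keytab that passes `check_keytab_mode` but fails `check_keytab_principal` is the symptom in the original question: the file was copied from another host and carries that host's key rather than its own.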