| 1 |
Am Donnerstag, 7. August 2008 02:01:30 schrieb Norberto Bensa: |
| 2 |
|
| 3 |
> I'm doing my first steps into Kerberos V and I got it working but not |
| 4 |
> the way I dreamed. |
| 5 |
> |
| 6 |
> My network: |
| 7 |
> |
| 8 |
> zeddmore (kdc) |
| 9 |
> venkman (client) |
| 10 |
> melnitz (client) |
| 11 |
> |
| 12 |
> Login on into zeddmore, ssh to venkman (or melnitz) doesn't show |
| 13 |
> tickets neither _unless_ I copy /etc/krb5.keytab from zeddmore to |
| 14 |
> venkman (and/or melnitz) |
| 15 |
> |
| 16 |
> After copying the mentioned file, I get delegation in every box and it |
| 17 |
> works. |
| 18 |
> |
| 19 |
> Is that the way it should be or am I missing something? |
| 20 |
|
| 21 |
Not quite. From the Kerberos V documentation: |
| 22 |
|
| 23 |
"A keytab is a host's copy of its own keylist, which is analogous to a user's |
| 24 |
password. An application server that needs to authenticate itself to the KDC |
| 25 |
has to have a keytab that contains its own principal and key. Just as it is |
| 26 |
important for users to protect their passwords, it is equally important for |
| 27 |
hosts to protect their keytabs. You should always store keytab files on local |
| 28 |
disk, and make them readable only by root, and you should never send a keytab |
| 29 |
file over a network in the clear. Ideally, you should run the kadmin command |
| 30 |
to extract a keytab on the host on which the keytab is to reside." |
| 31 |
|
| 32 |
That means: On each of your machines, login to kadmin, create a host principal |
| 33 |
(addprinc -randkey host/yourhost.yourdomain) and extract its key to a keytab. |
| 34 |
|
| 35 |
HTH... |
| 36 |
|
| 37 |
Dirk |
Archives