Re: Secure clustering: kerberos issues
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 27 Aug 2004 09:41:22 -0700
Sensei <email@example.com> wrote in message news:<2p8dupFh1pifU1@uni-berlin.de>...
> P Gentry wrote:
> > It sounds like you want secure, remote access to the cluster.
> > Especially if you know where the remote access will be from, I think
> > you need to look at VPN -- it's not restricted to use across the
> > internet ;-)
> As said, the clients are on a VPN.
(Open)SSH and (Open)VPN are different beasts completely though with
some similarities (both use ssl).
> > Kerberizing a setup/app on your own is "challenging" and time
> > consuming. If ssh doesn't give you what you need then Kerberized
> > versions of the others won't either. They all work at the app level
> > -- the nice thing about VPN is that it connects _networks_ securely
> > and allows you to use whatever apps you need.
> Yes, but my question was: would you use telnet or rsh? Kerberos gives in
> the standard installation the kerberized replacement for telnet, rsh,
> Moreover, I have to gain AFS tokens, and I do it with
> pam_openafs_session. Would it work with rlogin/rsh?
Sorry ... I didn't fully appreciate your setup/needs in my first reply --
I would first suggest you check with :-)
This is where X-posting is OK -- much preferred to multi-posting ...
It's been quite a while since I played with this stuff, but
ssh/kerberos/afs _should_ work. In the past couple of years people
have sorted out the problems much better, and I _think_ you can find
the correct means to get you going.
But ... (as always)
If you need to get up quickly and feel the kerberized rlogin/rsh will
provide for your needs, it may be the way to go -- at least to start.
If only you or a small number of people require access it very well
could be sufficient. If the number of people and other authentication
requirements grow you _probably_ want to consider using an ssh remote
There are some incompatibilities and configs that must be worked out.
Since I'm so rusty as to get you into more trouble than not, I suggest
this Google web search:
"kerberos 5" + AFS ssh ticket token forward
"kerberos 5" + AFS krsh ticket token forward
"kerberos 5" + AFS krsh krlogin
Most all seem useful to some degree -- much will depend on your
specific software/net setup. It _is_ a pain to get these working, but
is worth the trouble.
Kerberized rlogin/rsh used to be used because getting the
ssh/kerberos/afs tickets and tokens authenticated and passed around
correctly (and "transparently") was _very_ problematic -- I think today
there are reasonable ways to get it working.
Your best bet is to get on one of the mailing lists -- OpenAFS ? --
with some specifics. You will need some concrete, hands-on experience
from someone who can diagnose your setup -- there are innumerable ways
of getting it wrong :-(
Ah, and I almost forgot -- we used to get bitten when first setting up
because of inadequate ntp/clock updating -- so many things to keep an
eye on ... ;-)
email above disabled
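[Editor's added example, not part of the original post and not code from OpenSSH, MIT Kerberos or OpenAFS.] Two things bite first when you try to get tickets forwarded over ssh and turned into AFS tokens on the far side: the TGT you hold is not forwardable, so there is nothing to delegate, and the clocks are off by more than the Kerberos 5 default clockskew of 300 seconds. The pre-flight script below checks both. It assumes MIT-style "klist -f" output (the two samples inside it are constructed, not captured from a real host) and takes the KDC's time as an epoch value you obtain yourself (for example with "ntpdate -q" against the KDC). The forwarding itself is done by OpenSSH, with GSSAPIAuthentication yes on both ends and either "ssh -K" or GSSAPIDelegateCredentials yes in ssh_config; the script only tells you whether those have a chance of working.

```sh
#!/bin/sh
# Pre-flight checks before chasing ssh/kerberos/afs forwarding problems.
# Added example (editor's code, not from the original post).  Assumes MIT
# Kerberos "klist -f" output format; sample outputs below are constructed.

# Kerberos 5's default tolerated clock skew, in seconds.
MAX_SKEW=300

# skew_ok LOCAL_EPOCH KDC_EPOCH [MAX]
# Returns 0 when |LOCAL - KDC| <= MAX seconds, 1 otherwise.
skew_ok() {
  local_t=$1; kdc_t=$2; max=${3:-$MAX_SKEW}
  diff=$((local_t - kdc_t))
  [ "$diff" -lt 0 ] && diff=$((0 - diff))
  [ "$diff" -le "$max" ]
}

# tgt_forwardable KLIST_OUTPUT
# Returns 0 when the krbtgt/ entry in "klist -f" output carries the F
# (forwardable) flag.  Without it, ssh -K / GSSAPIDelegateCredentials has
# nothing to delegate, and pam_openafs_session on the remote host never
# sees a ticket it can turn into an AFS token.
tgt_forwardable() {
  printf '%s\n' "$1" | awk '
    /krbtgt\//         { in_tgt = 1; next }
    in_tgt && /Flags:/ { if ($2 ~ /F/) ok = 1; in_tgt = 0 }
    END                { exit (ok ? 0 : 1) }'
}

# preflight KLIST_OUTPUT LOCAL_EPOCH KDC_EPOCH
# Runs both checks, prints a verdict for each, returns 0 only if both pass.
preflight() {
  status=0
  if tgt_forwardable "$1"; then
    echo "ok:   TGT is forwardable"
  else
    echo "FAIL: TGT not forwardable (use kinit -f, or forwardable = true" \
         "under [libdefaults] in krb5.conf)"
    status=1
  fi
  if skew_ok "$2" "$3"; then
    echo "ok:   clock skew within ${MAX_SKEW}s of the KDC"
  else
    echo "FAIL: clock skew exceeds ${MAX_SKEW}s; fix ntp before anything else"
    status=1
  fi
  return $status
}

# Constructed "klist -f" output: a forwardable TGT (flag F present) ...
SAMPLE_GOOD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2004 09:00:00  08/27/2004 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# ... and the same ticket obtained without -f (no F flag).
SAMPLE_BAD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2004 09:00:00  08/27/2004 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Stand-alone run against the constructed sample, with local and KDC time
# equal.  In real use: preflight "$(klist -f)" "$(date +%s)" "<kdc epoch>".
now=$(date +%s)
preflight "$SAMPLE_GOOD" "$now" "$now"
```

If the first check fails, no amount of sshd_config tuning will help; if the second fails you will typically see "Clock skew too great" from kinit or from the sshd side long before any AFS token question arises.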