Re: Secure clustering: kerberos issues

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/27/04


Date: 27 Aug 2004 09:41:22 -0700

Sensei <noone@nowhere.org> wrote in message news:<2p8dupFh1pifU1@uni-berlin.de>...
> P Gentry wrote:
> > It sounds like you want secure, remote access to the cluster.
> > Especially if you know where the remote access will be from, I think
> > you need to look at VPN -- it's not restricted to use across the
> > internet ;-)
>
> As said, the clients are on a VPN.

(Open)SSH and (Open)VPN are different beasts completely though with
some similarities (both use ssl).

> > Kerborizng a setup/app on your own is "challenging" and time
> > consuming. If ssh doesn't give you what you need then Kerborized
> > versions of the others won't either. They all work at the app level
> > -- the nice thing about VPN is that it connects _networks_ securely
> > and allows you to use whatever apps you need.
>
> Yes, but my question was: would you use telnet or rsh? Kerberos gives in
> the standard installation the kerberized replacement for telnet, rsh,
> rlogin...
>
> Moreover, I have to gain AFS tokens, and I do it with
> pam_openafs_session. Would it work with rlogin/rsh?

Sorry ... I didn't fully appreciate your setup/needs in first reply --
duh ;-)
I would first suggest you check with :-)
comp.protocols.kerberos
http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&group=comp.protocols.kerberos
This is where X-posting is OK -- much preferred to multi-posting ...

It's been quite a while since I played with this stuff, but
ssh/kerberos/afs _should_ work. In the past couple of years people
have sorted out the problems much better, and I _think_ you can find
the correct means to get you going.

But ... (as always)

If you need to get up quickly and feel the kerberized rlogin/rsh will
provide for your needs, it may be the way to go -- at least to start.
If you or only a small number of people require access it very well
could be sufficient. If the number of people and other authentication
requirements grow you _probably_ want to consider using an ssh remote
access.

There are some incompatibilities and configs that must be worked out.
Since I'm so rusty as to get you into more trouble than not, I suggest
this Google web search:
"kerberos 5" + AFS ssh ticket token forward
"kerberos 5" + AFS krsh ticket token forward
"kerberos 5" + AFS krsh krlogin

Also check out MIT Kerberos, eg,
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#v5vsafs
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbafs

Most all seem useful to some degree -- much will depend on your
specific software/net setup. It _is_ a pain to get these working, but
is worth the trouble.

Kerberized rlogin/rsh used to be used because getting the
ssh/kerberos/afs tickets and tokens authenticated and passed around
correctly (and "transparently") was _very_ problematic -- think today
there are reasonable ways to get it working.

Your best bet is to get on one of the mailing lists -- OpenAFS ? --
with some specifics. You will need some concrete, hands-on experience
from someone who can diagnose your setup -- there are innumerable ways
of getting it wrong :-(

Ah, and almost forgot -- we used to get bitten when first setting up
because of inadequate ntp/clock updating -- so many things to keep an
eye on ... ;-)

good luck,
prg
email above disabled
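As an added example that is not part of this thread (neither poster's material, and not a file shipped by OpenSSH or OpenAFS), the OpenSSH, PAM and krb5 settings that let an ssh login carry the Kerberos ticket across and pick up an AFS token, the "passed around transparently" setup the reply describes. The file paths, the host pattern and the PAM module filename are assumptions.

```conf
# --- /etc/ssh/sshd_config on the cluster node (assumed path) ---
# Accept Kerberos 5 via GSSAPI and destroy the forwarded ticket at logout.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Fetch an AFS token from the forwarded TGT before entering $HOME (which
# lives in AFS); only honoured when OpenSSH was built with AFS support.
KerberosGetAFSToken yes
# Run the PAM session stack so pam_openafs_session can obtain the token
# on builds without KerberosGetAFSToken.
UsePAM yes

# --- /etc/ssh/ssh_config on the VPN client (assumed path) ---
# Constructed host pattern for the cluster nodes.
Host cluster*.example.org
    # Use the TGT from kinit and delegate it to the node; the ticket must
    # be forwardable (kinit -f, or forwardable = true in krb5.conf) or
    # nothing is delegated and no AFS token can be obtained on the node.
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# --- /etc/pam.d/sshd on the cluster node (assumed path, assumed filename) ---
# Runs after the forwarded ticket is in the credential cache; 'optional'
# so a missing token is logged instead of refusing the login outright.
session    optional   pam_openafs_session.so

# --- /etc/krb5.conf, [libdefaults], on every host ---
# MIT's default: the KDC rejects requests when client and KDC clocks differ
# by more than 300 seconds, the symptom the reply attributes to bad ntp.
# Keep ntp healthy on clients, nodes and KDC before suspecting Kerberos.
clockskew = 300
forwardable = true
```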
