[KLUG Members] Kerberos Presentation Posted
Adam Williams
members@kalamazoolinux.org
11 Jul 2003 05:51:32 -0400
> > Tonight's Kerberos presentation has been posted to the KLUG FTP server
> > and past presentations page.
> Adam: one question. How does an LDAP/Kerberos Laptop boot away from
> home? Is it a PAM configuration?
The PAM /etc/pam.d/system-auth file explains it best -
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/pam_krb5.so realm=WHITEMICE.ORG
auth sufficient /lib/security/pam_krb5.so realm=MORRISON-IND.COM
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/$ISA/pam_deny.so
1. Try the default Kerberos realm (WHITEMICE.ORG). Here I specify it
just for clarity; if I didn't specify any realm=, that is what it would
use. If I get tickets - I'm done.
2. Try the Kerberos realm MORRISON-IND.COM. If I get tickets - I'm
done.
3. OK, neither one of those worked, try the LDAP server (in this case
running on localhost). If that accepts my password - I'm done.
4. Huh, all of those failed. Try /etc/passwd. This is where "root" is,
so I can still log in if LDAP & Kerberos are broken.
When I'm off a Kerbized net - 1 & 2 fail very quickly, so they don't
present any problem. They don't transmit any credential information
unless they can establish a connection with a KDC, so they don't pose a
problem that way either (I checked with ethereal).
Most people wouldn't have #3, just proceed directly to #4, but all my
scripts/tools assume an LDAP server so it is easier to have one on the
laptop than not.
.....
account sufficient /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password optional /lib/security/pam_krb5.so realm=WHITEMICE.ORG
password optional /lib/security/pam_krb5.so realm=MORRISON-IND.COM
password sufficient /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session optional /lib/security/pam_krb5.so realm=WHITEMICE.ORG
session optional /lib/security/pam_krb5.so realm=MORRISON-IND.COM
session sufficient /lib/security/$ISA/pam_ldap.so
session required /lib/security/$ISA/pam_unix.so
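Added example (not code from the post or from Linux-PAM): a small Python model of how libpam walks a stack, with the classic control words expanded to the [value=action] form that pam.conf(5) defines, run over constructed copies of the auth and account stanzas above. The module responders are stand-ins for pam_krb5, pam_ldap, pam_unix and pam_deny, driven by which KDCs are "reachable", who LDAP knows and who is in /etc/passwd; the default realm and the user names are assumptions. It walks steps 1-4 from the post: with a reachable KDC the stack stops at the first pam_krb5 line, off the network pam_krb5 returns an error that "sufficient" ignores so the stack falls through to pam_ldap and then pam_unix, and an unknown user reaches pam_deny. It also shows why the pam_unix auth line must be "sufficient" rather than "required": with "required", pam_deny's failure overrides pam_unix's success and the /etc/passwd fallback never lets anyone in. For the account stanza it shows the bracketed control letting root through when LDAP is down (service_err=ignore) or does not know the user (user_unknown=ignore).

```python
"""Model of how Linux-PAM walks a module stack.  Added example, not part of
the post; responders are constructed stand-ins for the real PAM modules."""
import re

# Return values named after the Linux-PAM codes they stand in for.
SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"
AUTHINFO_UNAVAIL, SERVICE_ERR, PERM_DENIED = "authinfo_unavail", "service_err", "perm_denied"

# Classic control words expanded to the [value=action] form from pam.conf(5).
CONTROL = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Constructed copies of the posted auth and account stanzas.
AUTH_STACK = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/pam_krb5.so realm=WHITEMICE.ORG
auth sufficient /lib/security/pam_krb5.so realm=MORRISON-IND.COM
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""
# Variant with pam_unix 'required': pam_deny then fails every fall-through login.
AUTH_STACK_REQUIRED_UNIX = AUTH_STACK.replace("auth sufficient /lib/security/$ISA/pam_unix.so",
                                              "auth required /lib/security/$ISA/pam_unix.so")
ACCOUNT_STACK = """
account sufficient /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""

def parse_stack(text, facility):
    """Return [(actions, module basename, args)] for one facility (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line.strip())
        if not m or m.group(1) != facility:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else CONTROL[control])
        stack.append((actions, module.rsplit("/", 1)[-1], args))
    return stack

def run_stack(stack, responders):
    """Walk the stack like libpam's dispatcher; return (final status, modules called)."""
    impression, status, called = None, PERM_DENIED, []
    for actions, module, args in stack:
        retval = responders[module](args)
        called.append(f"{module}({' '.join(args)})")
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                      # result does not affect the stack's outcome
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval   # success counts only if nothing required failed
            if action == "done" and impression == "positive" and status == SUCCESS:
                break                     # 'sufficient' succeeded: stop, return success
        else:                             # "bad" or "die"
            if impression != "negative":
                impression, status = "negative", retval   # first failure sticks
            if action == "die":
                break
    return status, called

def simulate_login(user, realms, ldap_users, passwd_users, ldap_up=True, stack=AUTH_STACK):
    """realms: {realm: principals} for KDCs that answer; others are unreachable (off-net)."""
    def krb5(args):
        realm = dict(a.split("=", 1) for a in args if "=" in a).get("realm", "WHITEMICE.ORG")
        if realm not in realms:
            return AUTHINFO_UNAVAIL       # no KDC: fails fast, no credentials sent
        return SUCCESS if user in realms[realm] else USER_UNKNOWN
    def ldap(args):
        if not ldap_up:
            return SERVICE_ERR
        return SUCCESS if user in ldap_users else USER_UNKNOWN
    responders = {
        "pam_env.so":  lambda args: SUCCESS,      # stand-in: environment setup never fails
        "pam_krb5.so": krb5,
        "pam_ldap.so": ldap,
        "pam_unix.so": lambda args: SUCCESS if user in passwd_users else USER_UNKNOWN,
        "pam_deny.so": lambda args: AUTH_ERR,
    }
    return run_stack(parse_stack(stack, stack.split()[0]), responders)

if __name__ == "__main__":
    for label, realms in (("on WHITEMICE.ORG net", {"WHITEMICE.ORG": {"adam"}}), ("off net", {})):
        print(label, simulate_login("adam", realms, {"adam"}, {"root"}))
    print("root, off net, required pam_unix:",
          simulate_login("root", {}, {"adam"}, {"root"}, stack=AUTH_STACK_REQUIRED_UNIX))
</test>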