[KLUG Members] Kerberos Presentation Posted

Adam Williams members@kalamazoolinux.org
11 Jul 2003 05:51:32 -0400


> > Tonight's Kerberos presentation has been posted to the KLUG FTP server
> > and past presentations page.
> Adam: one question. How does an LDAP/Kerberos Laptop boot away from
> home? Is it a PAM configuration?

The PAM /etc/pam.d/system-auth file explains it best -

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so realm=WHITEMICE.ORG
auth        sufficient    /lib/security/pam_krb5.so realm=MORRISON-IND.COM
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

1. Try the default Kerberos realm (WHITEMICE.ORG).  Here I specify it
just for clarity; if I didn't say anything with realm=, that is what it
would use.  If I get tickets - I'm done.

2. Try the Kerberos realm MORRISON-IND.COM.  If I get tickets - I'm
done.

3. Ok, neither one of those worked, try the LDAP server (in this case
running on localhost).  If that accepts my password - I'm done.

4. Huh, all of those failed.  Try /etc/passwd.  This is where "root" is,
so I can still log in if LDAP & Kerberos are broken.

When I'm off a Kerbized net - 1 & 2 fail very quickly, so they don't
present any problem.  They don't transmit any credential information
unless they can establish a connection with a KDC, so they don't pose a
problem that way either (I checked with ethereal).

Most people wouldn't have #3, just proceed directly to #4, but all my
scripts/tools assume an LDAP server so it is easier to have one on the
laptop than not.
.....
account     sufficient    /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    optional      /lib/security/pam_krb5.so realm=WHITEMICE.ORG
password    optional      /lib/security/pam_krb5.so realm=MORRISON-IND.COM
password    sufficient    /lib/security/$ISA/pam_ldap.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     optional      /lib/security/pam_krb5.so realm=WHITEMICE.ORG
session     optional      /lib/security/pam_krb5.so
realm=MORRISON-IND.COM
session     sufficient    /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_unix.so
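The four-step fallback described in the post comes entirely from how Linux-PAM turns each module's return code into a stack decision (`required` failure is remembered but the walk continues, `sufficient` success stops the walk, and an `authinfo_unavail` from a `sufficient` module is simply ignored). The script below is an added example, not code from the post or from any KLUG member: it parses the auth section quoted above (wrapped lines rejoined), applies the pam.conf(5) control rules, and walks the stack under three constructed situations: at home with the WHITEMICE.ORG KDC reachable, away from home with only the laptop's own LDAP server, and away with LDAP down logging in as root from /etc/passwd. The module outcomes are stand-ins for real backends, so nothing here talks to a KDC, an LDAP server or /etc/shadow. Worth noticing in the third trace: because `pam_unix.so` is `required` rather than `sufficient`, its success does not end the stack, and the trailing `required pam_deny.so` then records a failure, so under these exact flags step 4 yields a denial; the `with_control` what-if shows the same scenario with `pam_unix.so` marked `sufficient` (the layout the stock authconfig system-auth uses), where step 4 behaves as the post intends.

```python
"""Walk the post's auth stack through Linux-PAM's control-flag rules.

Added example, not code from the original message. AUTH_STACK is the post's
auth section with wrapped lines rejoined; scenario outcomes are constructed.
"""
import re

AUTH_STACK = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so realm=WHITEMICE.ORG
auth        sufficient    /lib/security/pam_krb5.so realm=MORRISON-IND.COM
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Keyword controls as pam.conf(5) defines them in [result=action ...] form.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d lines (keyword or [result=action ...] controls) into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam line: %r" % line)
        mtype, control, path, args = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = dict(KEYWORD_CONTROLS[control])
        argv = args.split()
        realm = next((a[6:] for a in argv if a.startswith("realm=")), None)
        entries.append({"type": mtype, "actions": actions, "args": argv,
                        "module": path.rsplit("/", 1)[-1], "realm": realm})
    return entries


def evaluate(entries, outcome):
    """Dispatch the stack the way Linux-PAM does (no substacks). outcome(entry)
    returns the module's result name. Returns (stack result, trace of
    (module, realm, result, action)); the trace stops where the stack stopped."""
    impression, status, skip, trace = None, "perm_denied", 0, []
    for e in entries:
        if skip:                      # numeric action: skip the next N modules
            skip -= 1
            continue
        result = outcome(e)
        action = e["actions"].get(result, e["actions"].get("default", "bad"))
        trace.append((e["module"], e["realm"], result, action))
        if action.isdigit():
            skip = int(action)
        elif action in ("ok", "done"):
            # ok/done never override a failure already recorded on the stack
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                break                 # sufficient success: stop here
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", result
        elif action == "die":
            impression, status = "negative", result
            break
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action != "ignore":
            raise ValueError("unknown action %r" % action)
    return (status if impression is not None else "perm_denied"), trace


def scenario(reachable_realms, ldap_up, accepts_password):
    """Constructed outcomes for one situation of the laptop; accepts_password is
    the set of backends ('krb5', 'ldap', 'unix') that would accept the password."""
    def outcome(e):
        mod = e["module"]
        if mod == "pam_krb5.so":
            if e["realm"] not in reachable_realms:
                return "authinfo_unavail"     # no KDC: fails fast, nothing sent
            return "success" if "krb5" in accepts_password else "auth_err"
        if mod == "pam_ldap.so":
            if not ldap_up:
                return "authinfo_unavail"
            return "success" if "ldap" in accepts_password else "auth_err"
        if mod == "pam_unix.so":
            return "success" if "unix" in accepts_password else "auth_err"
        if mod == "pam_deny.so":
            return "auth_err"                 # pam_deny always fails
        return "success"                      # pam_env and similar
    return outcome


AT_HOME = scenario({"WHITEMICE.ORG"}, True, {"krb5", "ldap"})   # step 1 succeeds
AWAY = scenario(set(), True, {"ldap"})                            # steps 1-2 skip, 3 succeeds
ALL_DOWN_ROOT = scenario(set(), False, {"unix"})                   # only /etc/passwd works


def with_control(entries, module, control):
    """Copy of a stack with one module's keyword control swapped, for what-if checks."""
    out = []
    for e in entries:
        e = dict(e)
        if e["module"] == module:
            e["actions"] = dict(KEYWORD_CONTROLS[control])
        out.append(e)
    return out


if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for name, sc in [("at home", AT_HOME), ("away, LDAP on laptop", AWAY),
                     ("away, LDAP down, root", ALL_DOWN_ROOT)]:
        result, trace = evaluate(stack, sc)
        print("%s -> %s" % (name, result))
        for mod, realm, res, act in trace:
            print("   %-12s %-18s %-17s %s" % (mod, realm or "", res, act))
    result, _ = evaluate(with_control(stack, "pam_unix.so", "sufficient"), ALL_DOWN_ROOT)
    print("same, with pam_unix sufficient -> %s" % result)
```

Running it prints one trace per scenario, which is the quickest way to review a fallback chain like this before relying on it for the "everything is broken" case: the trace for the third scenario ends at `pam_deny.so ... auth_err -> bad`, while the `sufficient` variant ends at `pam_unix.so ... success -> done`. The parser also understands the bracketed `[default=bad success=ok user_unknown=ignore ...]` form used in the post's account section, so the same walk can be applied there.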