Re: Solaris 10 ssh logins + w2k3 AD native mode



Barry Allard wrote:
Hi Wyllys,

Primary goal: Kerberize ssh keyboard-interactive logins in an
enterprise-administration-friendly way.


The ability to use Kerberos tickets to authenticate with
SSH is already documented and explained in several places.
Look at docs.sun.com under Security Administration (or search for
SEAM, Kerberos). Also do a 'man sshd_config' - you should
see that the GSSAPIAuthentication and GSSAPIKeyExchange
values are "yes" by default.


What is your definition of "enterprise-administration-friendly" ?



Secondary objective #A: manage user authorization (who can log in)
through Active Directory instead of locally (hacking a bunch of text
files for each new user), create home directories, etc.


This is a whole different problem. Today, you can manage your
users with AD, but you still need to have some way for the
Unix system (Solaris or Linux) to map from the AD user attributes
to something recognizable on the *nix platform - uid, gid, and home
directory being the most important attributes needed to establish
a Unix login session. Typically, Unix admins set up user databases
with NIS or LDAP containing all of the users that they want to allow to
access the Unix systems. Kerberos auth can still be done
against the AD server, but the AD principals must map to
Unix usernames that the local system can then lookup once
the authentication is completed to do authorization.

Basically - you cannot have an empty /etc/passwd and shadow
database (without NIS or LDAP) and expect that everything will
"just work". You have to provide some method for the Unix
system to get the user attributes it needs to establish a session.

Microsoft offers their "Services for Unix" feature that might
help if you are trying to get everything from AD, but I've not
used that myself.

There are also ways to configure the LDAP on the *nix side to get
the information from AD. Look for an LDAP expert to explain the details
of that process, I haven't done it myself.




Secondary objective #B: ssh (PuTTY) from Windows -> Sol 10 box ...
automagically log in by Active Directory's Kerberos ticket (not host keys).
I have seen it working using Centrify ($) PAM mod on the Linux, and
no mods to the Windows box.


Does PuTTY support GSSAPI authentication for SSH, and can it
get the user's credentials from Active Directory? If so, it should
"just work" with the stock Solaris 10 sshd or the OpenSSH server with
the GSSAPI patches applied.

If you have to have a special PAM module on the server side, then you
aren't really doing Kerberos single sign-on authentication, and you most
likely have to re-enter your name/password when you try to log in to the
other system. You could do that much with standard pam_krb5
on Solaris or Linux. I'm not familiar with the Centrify product.

-Wyllys

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
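Added example, not code from the thread above and not Solaris' or OpenSSH's own. It checks the two things Wyllys' reply says must both hold before an AD user can ssh in on a Kerberos ticket: sshd must have GSSAPIAuthentication enabled, and the AD principal must map to a Unix username that the host can resolve to a uid, gid and home directory. The sshd_config, passwd entries, realm and principals are constructed sample data; the mapping function imitates a plain auth_to_local-style rule (same realm, single-component principal) rather than reproducing sshd's internal logic.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Two pre-flight checks for
# GSSAPI ssh logins from Active Directory:
#   1. sshd actually permits GSSAPI authentication,
#   2. the AD principal maps to a Unix account with uid/gid/home.
# All file contents, the realm and the principals below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config. As in sshd, keywords are case-insensitive, a
# commented-out line does not count, and the FIRST uncommented occurrence
# of a keyword is the effective one. (Match blocks are not handled here.)
cat > "$WORK/sshd_config" <<'EOF'
# GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
PasswordAuthentication no
EOF

# Constructed passwd database: only jdoe has a usable Unix identity.
# In production this lookup is `getent passwd NAME` (NIS/LDAP/files).
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:1001:100:Jane Doe:/export/home/jdoe:/bin/bash
EOF

# sshd_option FILE KEYWORD: print the effective value, or "unset".
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !seen { val = $2; seen = 1 }
        END { print (seen ? val : "unset") }
    ' "$1"
}

# map_principal PRINCIPAL REALM: print the Unix username a principal maps
# to, or fail. Accepts only user@REALM in the expected realm; service
# principals (host/fqdn@REALM) and foreign realms are rejected. Note the
# match is case-sensitive: an AD logon name "JDoe" will not map to "jdoe"
# without an explicit rule.
map_principal() {
    case $1 in *@*) ;; *) return 1 ;; esac
    [ "${1#*@}" = "$2" ] || return 1
    case ${1%@*} in ''|*/*|*@*) return 1 ;; esac
    printf '%s\n' "${1%@*}"
}

# unix_account NAME PASSWDFILE: print "uid gid home" if the account has
# all three, otherwise fail. (No uid/gid/home -> no login session.)
unix_account() {
    awk -F: -v u="$1" '
        $1 == u && $3 != "" && $4 != "" && $6 != "" { found = 1; print $3, $4, $6 }
        END { exit !found }
    ' "$2"
}

# can_login PRINCIPAL REALM: run all three checks and print the username.
can_login() {
    [ "$(sshd_option "$WORK/sshd_config" GSSAPIAuthentication)" = yes ] \
        || { echo "sshd: GSSAPIAuthentication is not yes" >&2; return 1; }
    user=$(map_principal "$1" "$2") \
        || { echo "$1: does not map to a Unix username" >&2; return 1; }
    unix_account "$user" "$WORK/passwd" >/dev/null \
        || { echo "$user: no uid/gid/home on this host" >&2; return 1; }
    printf '%s\n' "$user"
}

# Demonstration with the constructed data: one success, three failures
# (service principal, mapped user with no Unix account, foreign realm).
can_login 'jdoe@EXAMPLE.COM' EXAMPLE.COM
can_login 'host/web01.example.com@EXAMPLE.COM' EXAMPLE.COM || true
can_login 'bob@EXAMPLE.COM' EXAMPLE.COM || true
can_login 'jdoe@OTHER.EXAMPLE' EXAMPLE.COM || true
```

The failure messages are the three places where "it should just work" usually stops working in practice: GSSAPI turned off in sshd_config, a principal that the krb5 mapping rules do not translate, or a translated name that the name service cannot resolve. On a real host replace the constructed passwd file with `getent passwd` and the constructed sshd_config with `/etc/ssh/sshd_config`.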
