Mac os x kerberos
Using Kerberos 5 for Single Sign-On Authentication

From /etc/authorization (emphasis shown for the line in question):

    loginwindow:success
  > builtin:krb5authnoverify,privileged

The above will work for Mac OS X 10.5 and 10.6. For 10.4, the string you want to change is "authinternal" instead of "builtin:authenticate"; however, the end result must look the same (in other words, on 10.4 the resulting line must still read "builtin:krb5authnoverify,privileged"). Once the above is done, reboot the system; when you log in, you will obtain a Kerberos ticket provided the local username/password match those in the Kerberos database.

In Mac OS X 10.6, there is a Launch Agent called .plist that is supposed to renew tickets automatically. This can be edited to use the documented kinit -R rather than the default kinit -B that it is using, by editing /System/Library/LaunchAgents/.plist as root (so sudo vim or something). In the file, change -B to -R, then save the file. You then need to unload and reload the file using launchctl:

    $ launchctl unload /System/Library/LaunchAgents/.plist
    $ launchctl load /System/Library/LaunchAgents/.plist

If you then look at the output of klist, you will see that the ticket is being renewed (if you have a renewable ticket; this will only work if you can obtain renewable tickets). Unfortunately, there doesn't seem to be a way that I have found to specify obtaining a renewable ticket at login, so you will need to open a terminal to kinit manually regardless of any changes to /etc/authorization. It seems that the ticket obtained by logging in is not renewable, so there is nothing to renew even with the above changes (but using kinit directly will obtain a renewable ticket). Without the "-R" change (from "-B") noted earlier, the LastExitStatus noted in the output above will likely be 256. Likewise, the output from below will show an exit status of "1" (error) rather than "0" (success):

Mac OS X changed from using MIT Kerberos to using Heimdal, and how Kerberos is configured has changed quite a bit as well. This section illustrates the differences in setting up an OS X computer as a Kerberos client using Mac OS X 10.7 (Lion).

Typically, the /Library/Preferences/ settings will be similar; however, you must make certain that none of the variables are enclosed in quotes. A working example will look like:

    admin_server = FILE:/var/log/krb5kdc/kadmin.log

The one thing to note is that you will almost definitely need to set "allow_weak_crypto = yes", unfortunately.

The next step is to edit /etc/pam.d/authorization. This is done instead of editing /etc/authorization as was done in the past. OS X now uses PAM to handle Kerberos authentication, and has the required pam_krb5 module already noted. You will, however, need to add the "default_principal" string to the pam_krb5.so line for auth. A working /etc/pam.d/authorization file follows:

    auth optional pam_krb5.so use_first_pass use_kcminit default_principal
    auth required pam_opendirectory.so use_first_pass nullok

Next, if you want to allow kerberized access to this system (i.e. for SSH logins), you will need to create the /etc/krb5.keytab file and edit /etc/sshd_config as noted elsewhere in this article. The final step is to reboot the computer. When you next log in, if you open Terminal and type klist, you should see that a ticket-granting ticket has been obtained.

OpenSSH 4.0 and higher provides support for GSSAPI (Generic Security Services Application Programming Interface), which allows for the use of Kerberos with the SSH2 protocol. On Red Hat Enterprise Linux 5, OpenSSH is configured by default with the appropriate GSSAPI options. On other distributions, you may need to edit sshd_config on the server, comment out all of the Kerberos* options, and enable some GSSAPI options. The appropriate sections of sshd_config would look like:

Essentially, you can leave the Kerberos options commented out, but enable the GSSAPIAuthentication and GSSAPICleanupCredentials options. On the client system (in this case, the same system) you can either modify ~/.ssh/options to specify the exact hosts to use Kerberos (GSSAPI) authentication with, or you can modify the system-wide /etc/ssh/ssh_config file. Either way, the options you want to enable are:
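As an added example that is not part of the original article, the following POSIX shell script audits an sshd_config-style file for the server-side state this page recommends: GSSAPIAuthentication and GSSAPICleanupCredentials enabled, and the Kerberos* options left commented out. The function names (ssh_option, audit_gssapi, write_samples) and the two sample config files are this example's own constructions, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config-style file
# for the GSSAPI settings the text recommends. Only the "Keyword value" form is
# handled (not "Keyword=value" or Match blocks); that is a simplification.

# Print the effective value of a keyword: sshd uses the first uncommented
# occurrence, and keywords are case-insensitive. Prints nothing if absent.
ssh_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when the file matches the recommended state, 1 otherwise; findings
# are printed so a reviewer can see what to change.
audit_gssapi() {
    file="$1"; rc=0
    auth=$(ssh_option "$file" GSSAPIAuthentication)
    cleanup=$(ssh_option "$file" GSSAPICleanupCredentials)
    [ "$auth" = "yes" ] || { echo "$file: GSSAPIAuthentication is '${auth:-unset}', expected yes"; rc=1; }
    [ "$cleanup" = "yes" ] || { echo "$file: GSSAPICleanupCredentials is '${cleanup:-unset}', expected yes"; rc=1; }
    # Any uncommented Kerberos* option is flagged; the text says to leave them commented out.
    active=$(awk '/^[[:space:]]*#/ { next } tolower($1) ~ /^kerberos/ { print $1 }' "$file")
    [ -z "$active" ] || { echo "$file: active Kerberos* options: $(echo $active)"; rc=1; }
    return $rc
}

# Constructed sample files (not from the page): one compliant, one not.
write_samples() {
    cat > "$1/good_sshd_config" <<'EOF'
#KerberosAuthentication no
#KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
    cat > "$1/bad_sshd_config" <<'EOF'
KerberosAuthentication yes
#GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
audit_gssapi "$samples/good_sshd_config" && echo "good_sshd_config: compliant"
audit_gssapi "$samples/bad_sshd_config" || echo "bad_sshd_config: needs changes"
rm -rf "$samples"
```

To check a real server, call audit_gssapi on its sshd_config path (/etc/sshd_config on the OS X versions discussed here, /etc/ssh/sshd_config on most Linux distributions).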