Gentoo Forums
ask to configure kerberos
Forum: Networking & Security
netzerospace (n00b, Joined: 08 May 2009, Posts: 5, Location: http://freesoftwarestipsnewshacking.blogspot.com)
Posted: Fri May 22, 2009 10:20 am    Post subject: ask to configure kerberos

I want to ask several things about the Kerberos system.

As far as I know, Kerberos is a ticketing authentication system,

so if you want to log in you have to ask for a ticket first, right?

-----

I've installed Kerberos on my system and want to integrate it with OpenSSH.

I want to ask why, if the ticket has expired, the user who logged in through ssh doesn't get logged off automatically.

Thanks
Hypnos (Advocate, Joined: 18 Jul 2002, Posts: 2889, Location: Omnipresent)
Posted: Fri May 22, 2009 11:56 am

http://www.cmf.nrl.navy.mil/ccs/people/kenh/kerberos-faq.html#ticketexp

You should read all the FAQs if you are kerberizing your network.
netzerospace
Posted: Fri May 22, 2009 3:33 pm

OK.

I know that when the ticket has expired

the user cannot log in anymore,

but if the user has already logged in (with ssh) the session is not closed even though the ticket has already expired.

Is there any way to make the session get killed when the ticket expires?

Like a patch or something?
Hypnos
Posted: Fri May 22, 2009 4:51 pm

I'm sure you could write a patch, but I doubt anyone else would want it.

Your users would get pissed off if they got logged out automatically just because their ticket expired, killing the processes in the shell they might be using for some important work.

Moreover, you gain little in security. A user needs a valid ticket to log in, so if the ticket expires they were still authenticated at some point. If you need to delete their account, they just won't be allowed to log in again; if you need them removed from your system immediately, you can just kill their sessions.
netzerospace
Posted: Sat May 23, 2009 5:07 am

Is it possible for OpenSSH to use only users that have been created on the Kerberos system and not read them from the shadow file?

Code:

May 23 09:21:27 sshserver sshd[18537]: Invalid user testusers from 192.168.112.1
May 23 09:21:27 sshserver sshd[18537]: error: Could not get shadow information for NOUSER
May 23 09:21:27 sshserver sshd[18537]: Failed none for invalid user testusers from 192.168.112.1 port 1208 ssh2
May 23 09:23:33 sshserver sshd[18513]: Received signal 15; terminating.
May 23 09:23:34 sshserver sshd[18628]: Server listening on 0.0.0.0 port 22.
Hypnos
Posted: Sat May 23, 2009 8:16 am

If you read the manpage for sshd_config, you'll see that the default is to try kerberos first, then default to shadow ("KerberosOrLocalPasswd"). So, I don't know why it doesn't work for you. Maybe you need to turn on "KerberosAuthentication" and/or "GSSAPIAuthentication".
netzerospace
Posted: Sun May 24, 2009 3:31 am

Does the new version of ssh (openssh-5.2p1.tar.gz) support this kind of method (use only kinit "username" and automatic login for ssh)?

Or is there something wrong with the patch?

Or should I use the old portage?

Because I can't use the GSSAPIKeyExchange option;

it always displays an error.

Code:

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   GSSAPIKeyExchange yes

/usr/local/ssh/etc/sshd_config: line 77: Bad configuration option: GSSAPIDelegateCredentials
/usr/local/ssh/etc/sshd_config: line 78: Bad configuration option: GSSAPIKeyExchange
/usr/local/ssh/etc/sshd_config: terminating, 2 bad configuration options

---
openssh-5.0p1-gsskex-20080404.patch <-- what is this patch for?
Hypnos
Posted: Sun May 24, 2009 3:35 am

I don't know; you might want to search https://bugs.gentoo.org

If you figure it out, you may want to open a bug.
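The sshd_config advice earlier in the thread and the "Bad configuration option" errors in the last question both come down to which directive does what, so here is an added shell example (written for this page; it is not code from the thread or from OpenSSH) that audits a constructed sshd_config the way you would before running `sshd -t`. The facts it encodes: `KerberosAuthentication` sends the password typed at the ssh prompt to the KDC, and `KerberosOrLocalPasswd` (default yes) lets sshd fall back to the local shadow file when the KDC rejects it; `GSSAPIAuthentication` is the ticket-based method (`kinit` first, then ssh without a password) that the last question is really asking about, and it also needs `GSSAPIAuthentication yes` in the client's ssh_config. The two rejected directives are expected with stock OpenSSH: `GSSAPIDelegateCredentials` is a client option that belongs in ssh_config, and `GSSAPIKeyExchange` only exists in an sshd built with the gsskex patch (which is what the openssh-*-gsskex-*.patch file adds). None of this changes the "Invalid user" log lines: sshd looks the login name up in the host's account database (passwd/NSS) before any authentication method runs, and Kerberos only authenticates principals, it does not supply accounts, so the user must also exist locally or through NSS (for example LDAP). The two sample configs are constructed, the defaults are those of sshd_config(5), and the parser assumes one "Keyword value" per line with no Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit the Kerberos /
# GSSAPI directives of an sshd_config before running `sshd -t`.
# Assumptions: directives are "Keyword value" on one line, no Match blocks.

# Constructed sample, modelled on the fragment posted in the thread.
POSTED_SSHD_CONFIG='# constructed sshd_config sample
Port 22
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
'

# Constructed sample that leaves no password path to the local shadow file.
KERBEROS_ONLY_SSHD_CONFIG='# constructed sshd_config sample
GSSAPIAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
PasswordAuthentication no
'

# Effective value of keyword $1 in the config on stdin, or default $2 if the
# keyword never appears. sshd keeps the first value it reads for a keyword
# (later duplicates are ignored), so this stops at the first match.
sshd_opt() {
    _val=$(awk -v kw="$1" '
        /^[ \t]*#/ { next }                         # comment lines
        NF == 0    { next }                         # blank lines
        tolower($1) == tolower(kw) { print $2; exit }
    ')
    printf '%s\n' "${_val:-$2}"
}

# Print every directive on stdin that stock sshd rejects with
# "Bad configuration option", together with the reason.
sshd_unsupported() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        tolower($1) == "gssapidelegatecredentials" {
            print $1 ": client option, belongs in ssh_config, not sshd_config"
        }
        tolower($1) == "gssapikeyexchange" {
            print $1 ": only exists in an sshd built with the gsskex patch"
        }
    '
}

# Exit 0 if a password typed at the ssh prompt can still be checked against
# the local shadow file with the config on stdin. Defaults from sshd_config(5):
# PasswordAuthentication yes, KerberosAuthentication no, KerberosOrLocalPasswd yes.
# With KerberosAuthentication yes and KerberosOrLocalPasswd no the password goes
# only to the KDC. (PAM/keyboard-interactive and public keys are separate
# methods and are not covered here.)
sshd_local_password_possible() {
    _cfg=$(cat)
    _pw=$(printf '%s\n' "$_cfg" | sshd_opt PasswordAuthentication yes)
    _krb=$(printf '%s\n' "$_cfg" | sshd_opt KerberosAuthentication no)
    _fallback=$(printf '%s\n' "$_cfg" | sshd_opt KerberosOrLocalPasswd yes)
    [ "$_pw" = yes ] || return 1
    [ "$_krb" = yes ] && [ "$_fallback" = no ] && return 1
    return 0
}

# Usage on a real host:  sshd_audit < /etc/ssh/sshd_config
sshd_audit() {
    _cfg=$(cat)
    printf 'GSSAPIAuthentication   = %s\n' "$(printf '%s\n' "$_cfg" | sshd_opt GSSAPIAuthentication no)"
    printf 'KerberosAuthentication = %s\n' "$(printf '%s\n' "$_cfg" | sshd_opt KerberosAuthentication no)"
    printf 'KerberosOrLocalPasswd  = %s\n' "$(printf '%s\n' "$_cfg" | sshd_opt KerberosOrLocalPasswd yes)"
    printf 'PasswordAuthentication = %s\n' "$(printf '%s\n' "$_cfg" | sshd_opt PasswordAuthentication yes)"
    printf '%s\n' "$_cfg" | sshd_unsupported | sed 's/^/unsupported: /'
    if printf '%s\n' "$_cfg" | sshd_local_password_possible; then
        echo 'local shadow password: still possible'
    else
        echo 'local shadow password: not possible'
    fi
}

printf '%s\n' "$POSTED_SSHD_CONFIG" | sshd_audit
echo ---
printf '%s\n' "$KERBEROS_ONLY_SSHD_CONFIG" | sshd_audit
```

On the posted sample the audit reports both rejected directives and that a local shadow password is still possible, because `KerberosOrLocalPasswd` is left at its default of yes; the second sample turns password authentication off entirely, so the only remaining route is a ticket obtained with `kinit`. Strip the two unsupported lines from sshd_config (or build against the gsskex patch if key exchange over Kerberos is actually wanted), then confirm with `sshd -t`.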
netzerospace
Posted: Sun May 24, 2009 3:58 am

Do you think I should move to the old portage?

But I'm currently using the latest snapshot.

Any idea?
Hypnos
Posted: Sun May 24, 2009 7:13 am

Create a local overlay with an ebuild with the correct behavior, then open a bug which explains the problem and post your solution.