Fedora Security :: Can't Forward My Kerberos Credentials To A Computing Resource
Aug 23, 2011
I can't forward my kerberos credentials to a computing resource before connecting to the resource for which I have kerberos credentials. In other words, from my machine at work I obtain my ticket with kinit -f to a computing facility off in some lab somewhere.
Then, I want to ssh to another machine in another department (I don't have control over the krb5.conf file or this would have been easy) where I work. It is on this machine I want to be able to ssh,scp, etc to this far off lab. I've tried several options around this barrier, but I'm a total failure thus far. I checked that GSSAPIAuthentication is set to yes.
I have configured 'passwordless' SSH between our machines using GSSAPI authentication which is all working beautifully (Active Directory KDC).I now want to make sure that the user's kerberos crednetials are forwarded as well using the 'GSSAPIDelegateCredentials yes' on the SSH client.However, it seems as though the openssh server on Red Hat 4.8 has not been compiled to support this, because if I run sshd in debug mode, I see the client 'delegating credentials' but nothing appears in the debug log on the server to suggest the the credentials have been received, and sure enough a quick 'klist' shows that the user does not have any tickets.So two questions:1. Am I right about openssh-server on Red Hat Enterprise 4.8 not supporting delegated credentials
I wish to setup a network that works like windows but for with lunix of course!. It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:
LDAP NIS Kerberos
I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.
1. How to setup fedora to act as server for my needs (or other Linux build)
2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
I have some important cgi files run on top of Apache inside cgi-bin directory.My requirement is to once user try to access the cgi file authenticate using Active Directory username/password. If user enter the correct domain credentials only user aloow access to the page in any time user trying to access otherwise not. I configured this using htaccess and htpasswd.But in this case I need to manually configure username/password for htpasswd file. Instead of this I want to authenticate with the Active Directory.
I am integrating my Unix box to the Windows AD using PAM_LDAP and Kerberos enabled. I was wondering, since Kerberos is enabled is there any point to enable SSL on my LDAP.conf? My understanding is that since Kerberos is enabled, therefore the username/password is sent securely there isn't any benefit of enabling SSL on the LDAP.conf? It's one of or another.
Is it possible to secure samba server with kerberos? I want to know whether we can use kerberos authentication to secure samba user name and password so that mo one can sniff that information. configuration or any URL link from I can get the exact configuration.
I have Ubuntu 10.04 configured to login with Kerberos (as in [url]). Everything works fine, except gnome-keyring-daemon:
-If I login with a local user, gnome-keyring-daemon works right. Besides, the keyring is automatically unlocked with the login password.
-If I login with a Kerberos user:
- The session startup is considerably slower.
- /var/log/auth.log says something like:
Code:
- If I execute a program that needs the gnome-keyring (like Evolution), is desperately slow, and it says:
Code:
Message: secret service operation failed: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
- If I kill all gnome-keyring-daemon (killall gnome-keyring-daemon), start a new one (gnome-keyring-daemon), and restart the application that uses the gnome-keyring, it works fine, but it ask me for the password to unlock the keyring (I think that this is the normal behaviour if gnome-keyring-daemon did not start before).
I have seen the configurations in /etc/pam.d and everything looks fine (with pam_gnome_keyring.so). Indeed, I think that if something was wrong here, the local user would not have the keyring unlocked automatically.
I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:
batrick@menzoberranzan:~$ dpkg -l | grep krb ii krb5-config 2.2 Configuration files for Kerberos Version 5
Is there a way to use kerberos (or baring that a trusted CA) to allow users to ssh across machines in an environment isntead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.
Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.
I have installed keberos on my suse machine, but after installation now I am not able to login in it even with the root password. I search over the internet but could not find the solution. What to do now and how to configure Kerberos on a local machine with only local users authentication. I mean client and server both are on the same machine.
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana <connection goes through seamlessly without prompting> peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.
I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).
If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.
So:
1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.
2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.
I am bit curious about Cluster Computing. I don't know much about it.Here is Some thing which I wanted to know.1) How can I configure fedora for Cluster computing .2) Is it possible to connect computer of different configuration(like AMD + Intel )? and also for different architecture ( like i386 + x86_64 ) for cluster computing.
Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.
I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.
When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
I'm tasked with creating a base image of ubuntu (one for server, one for workstation) that is locked down and has all the fluff taken out (naturally workstation will have more fluff left in it than server). Task list looks about like this:
1. Create list of deb packages "allowed", write script to list/uninstall everything else.
2. Hook the logins into either enterprise kerberos or Active Directory (yuck).
3. Write scripts to check things like setuid/setguid, disabling su, checking sudo permissions, configure iptables, etc.
4. Use a scanner to scan the system from outside the system (was thinking of using backtrace).
5. Custom-compile the kernel to strip out all the unneeded modules.
Before embarking on this awesome task I figured I'd check with you guys to see if you know of some resources that would make this task easier/quicker. I'm sure someone out there has already headed down this branch.
PS My boss *loves* ubuntu and isn't to keen on going with a deb (or other) distro that is already "security trimmed" without some serious convincing. I'm sure there are some out there, and if you want to pass along a couple for consideration, I'll check them out, but no guarantees he'll let me use it.
I want to set up a cluster for scientific computing (mainly statistical stuff with R). I have a few conceptual questions. First, is there a difference between a Beowulf cluster and a cluster that has single-system image ("SSI," e.g. using openSSI or LinuxPMI)? If so, what's the difference? Second, if there is a difference between Beowulf and SSI, which one is better for scientific computing? Third, does using Eucalyptus make sense for scientific computing or is this more suitable for IO-oriented operations such as web service or databases
ISC joined other key participants of the internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers.
I have just installed openldap on my Red Hat server and it is running:
[code]...
However when I try to add my first ldif file base.ldif, no matter how many time I enter in the correct password I get invalid credentials [root@server init.d]# ldapadd -D "cn=Manager,dc=mathcs.duq,dc=edu" -W -f /home/oberlanderm/base.ldif Enter LDAP Password: ldap_bind: Invalid credentials (49) I have to be forgetting someting simple,
I just took a job and the admin password for the AFS is missing. How do I find/reset this password? I have the root password for the machine it is installed on.
I recently upgraded my video card from a GeForce4 MX 440 AGP 8X to a GeForce FX 5500 AGP 8X. After that my 1360x768 monitor was stuck on a 1024x768 resolution. I ran system-config-display and under Hardware tab I changed the monitor setting from "Generic LCD Screen" to "1360x768 LCD Screen" with the acknowledgment that /etc/X11/xorg.conf file was been modified. After reboot the boot process stuck on:tarting kojid: Kerberos authentication failed. "Resource temporary unavailable" (11) [FAILED]I tried that with both 2.6.34.6-54 and 2.6.34.6-47 kernels available on my system.I use the latest KDE version available for Fedora.
I have set up a 389 DS server and a kdc. However there is not a howto or any document concerning setting up the DS as a Kerberos database back-end. Nor is there a 389 DS forum, so I am asking here and hopefully some of you could possibly help or throw in some light as to this kind of setup.I have read the 389 DS features page and the Redhat documents but there is no reference to this feature.
I'd like to know if network-manager applet could be run on gdm login menu. Cause i would like to get connected on my network to reach kerberos serveur to login. nm-applet on gdm
I am trying to configure windbind and kerberos on my Fedora 15 to connet to my Windows 2003 server environment. But I keep getting this message:
Code: libads/kerberos.c:333(ads_kinit_password) kerberos_kinit_password ECP01BCA$@MSA.MDSA.NET failed: Client not found in Kerberos database Heres my krb5.conf: Code: [logging] default = FILE10000:/var/log/krb5lib.log
After upgrading to fedora 15, I have problems mounting XFS filesystem.
The short tale: Code: 08:01:38 localhost root>mount -t xfs -vv /dev/sdb1 /data/disks/old mount: /dev/sdb1 already mounted or /data/disks/old busy 08:01:39 localhost root>fuser /data/disks/old 08:01:41 localhost root>lsof /data/disks/old 08:01:44 localhost root>xfs_repair -t 1 /dev/sdb1 xfs_repair: cannot open /dev/sdb1: Device or resource busy 08:01:48 localhost root>fuser -mu /dev/sdb1 08:02:08 localhost root>dmesg | tail -n 5 [1655779.759764] SGI XFS Quota Management subsystem [1659275.905756] SGI XFS with ACLs, security attributes, large block/inode numbers, no debug enabled [1659275.908745] SGI XFS Quota Management subsystem [1659389.154986] SGI XFS with ACLs, security attributes, large block/inode numbers, no debug enabled [1659389.156519] SGI XFS Quota Management subsystem
Device is not mounted, and directory is not in use, it has just been created. There is nothing in log files that could remotely point the cause. After removing device (echo 1 > /sys/block/sdb/device/delete) and reattaching it, disk started working.
Linux OS Version/Release: Red Hat Enterprise Linux Server release 5.5 (Tikanga) Linux <hostname> 2.6.18-194.8.1.el5 #1 SMP Wed Jun 23 10:52:51 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux I have a server that hosts 30+ Oracle databases. Each database has its own set of scripts that shuts down the database and start the database. Things has been working "smoothly" in the last couple of months until this week.
My log in most cases shows errors like the ones below:cannot fork [Resource temporarily unavailable] Connection reset by peer I am 100% sure that the scripts are not at fault since it has been working with no errors for months. I want to monitor the server for what resource or configurations I have to tweak to get around this problem if possible, am I exceeding my ulimit settings running out of process,out of memory/swap space etc?
I wish I could stay up 24x7 to monitor to monitor the server but I can't. Can anyone please advise if there is any monitoring script available somewhere that I can put in cron to temporarily monitor the server for resource issues, for example memory used/left, swap space used/left, ulimit-num-process used/left, nofiles used/left etc.
I am running the default Gnome 3 Fedora distribution with Exaile installed in the place of the default media player. When I restart Exaile gives error that the resource is not found. However I can open and play a file with VLC media player, and afterwards exaile works just fine. I have installed a program call Fedoraplus and used the option to install most codecs, when everything is working I can play just about anything.
