Security :: Permitting Users To Ssh With Out Typing Their Passwords Via Kerberos?

May 24, 2010

Is there a way to use kerberos (or baring that a trusted CA) to allow users to ssh across machines in an environment isntead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.

Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.

View 3 Replies


ADVERTISEMENT

Security :: Users Subverting Security On Purpose / Kerberos Only Answer?

May 12, 2010

I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.

We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.

View 12 Replies View Related

Security :: Preventing Users From Downloading Files From Sever By Typing URL

Sep 11, 2010

how the file is generated or what it contains is not important at this point.The important question is how to prevent the file from being downloaded and its contents from being displayed in the browser window?Since it is not recognized by the web browser so it is downloaded on the system. That way, what the script does is exposed to the outside world.Okay, I usually keep such scripts in../cgi-bin/. But for files (text files, in the example) which are being uploaded by a user should not be downloaded by another user.

View 10 Replies View Related

Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.

View 3 Replies View Related

Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection

Feb 19, 2010

I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.

1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?

3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?

View 2 Replies View Related

Security :: Console Users Logging In Without Passwords?

Jul 19, 2010

Sitting at the console, I log in with any user name and NO PASSWORD IS REQUESTED. I get logged in automatically without entering the user's password.

I did:
passwd joeuser

To change his password and still he goes right in without being asked for a password!

Possibly related- 10 days ago, my smtp server was breached as a spam relay. The username they cracked was deleted. I added fail2ban for postfix. The logs show no further intrusion.

View 14 Replies View Related

Security :: Make The Same Users And Passwords For Several Machines?

Aug 11, 2010

How to make users, groups, paswords and their IDs be the same on several computers (for example, on cluster)?

View 6 Replies View Related

Security :: Centralize Users And Passwords And Also Create Controls For User Access To Some Equipment?

May 12, 2011

I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.

At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both linuxs servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.

The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but am having difficulties configuring the server for this solution.

View 1 Replies View Related

Ubuntu Security :: Multiple Passwords \ Possible To Have Two Passwords For One User Account In 9.10?

Jan 7, 2010

I wonder if it is possible to have two passwords for one user account in 9.10. I have a long login password (5 words about 45 characters with spaces caps). I would like to set a shorter password for Authentication, sudo, etc. While retaining the original for logging in.In short:Have long password to login to computer.Have short password for everything after login.

View 6 Replies View Related

Ubuntu :: 3 Users Only Want Passwords For 2?

Mar 2, 2010

I am trying to set up Ubuntu like I had on my windows PC. I have my account, my wifes account and my kids account. I want passwords set for both myself and my wife but I don't want the kids to be required to have a password to log in. When setting up Ubuntu, it looks like it was all or none. I have dabbled with Linux off and on for years and am sure there is a way to set this up but I have no idea how.

View 8 Replies View Related

Ubuntu Security :: Security, Passwords & Encryption Keys?

Jun 7, 2011

I am not very security minded...I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side!When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mailnly user name & passwords) that will also accomodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with.So here goes:

1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?

2) I have seahorse (default intall with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillon passwords I use daily. The other tabs are for keys which I don't have any concept of.

3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?

4)I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?

5)give me links to fairly current documentation on this stuff?

6) Any program/app recommendations.Pros/cons uses, what they can & can't do or be used for, etc.

View 9 Replies View Related

Fedora :: Delete Restrictions For Users' Passwords

Dec 22, 2009

I have Fedora 10 installed. I want my users to be able to use any password they want. So I edited /etc/pam.d/system-auth, the password section.
Was:

Code:
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Become:

[Code].....

View 2 Replies View Related

Ubuntu Installation :: Restore Users & Passwords?

May 4, 2011

I upgraded from 10.10 to 11.04 (32 bit) with a clean install as the "upgrade" option in update manager failed. I'm setting up the system again and want to restore the backup I took prior to upgrading, however due to the upgrade I don't want to just re install everything. The following have been backed up

/etc
/home
/usr/local
/var

Now there are various things that are different such as firefox 3.x has become firefox 4 Open office is gone, long live LibreOffice, my proprietary Nvidia drivers don't seem to be trusted yet, all the repositories will be different etc. I will re install all the applications fresh from the software centre, but I would like to restore all the users and passwords and their home directories,

So I don't I want to restore /etc or /usr/local en masse. I guess /var is not worth restoring either /home gets me their files but how do I restore the users and passwords? (there are about 8 registered users some of whom have different privileges) and the user ID need to be the same as they all access a NAS through nfs)

View 1 Replies View Related

General :: Viewing Counts Of Old Passwords Associated With Users

Aug 19, 2010

I'm configuring a CentOS 5.4 workstation. I have been able to apply most of the security that is required. I have met all but one logging requirement. How do you get the count of old passwords associated with users? I don't need to see their passwords just how many times they have changed them. I have set remember to 24 in the /etc/pam.d/system-auth file. I don't know where the file is that contains this information.

View 1 Replies View Related

Security :: Kerberos Versus LDAP SSL

Apr 21, 2011

I am integrating my Unix box to the Windows AD using PAM_LDAP and Kerberos enabled. I was wondering, since Kerberos is enabled is there any point to enable SSL on my LDAP.conf? My understanding is that since Kerberos is enabled, therefore the username/password is sent securely there isn't any benefit of enabling SSL on the LDAP.conf? It's one of or another.

View 1 Replies View Related

Debian Configuration :: Migrate The Users Without Resetting Their Passwords?

Aug 13, 2010

I have an old server running CentOS 5. The encription method used was the default MD5 for the shadow file. I would like to migrate the server to Debian Squeeze which uses SHA512. I have already copied the passwd, group and shadow file with the user accounts information but the Debian machine doesn't let the users login. I have already looked in the pam files to make it accept the MD5 encryption without any luck. how can i migrate the users without resetting their passwords?

View 1 Replies View Related

Server :: Program For Squid To Allow Users Change Passwords

Jan 8, 2011

I am using squid + dansguardian for web and content filtering. And it is working fine. I am forcing users to use proxy through browser configuration. Now I am planning to add another layer to controlling access using ncsa_auth program. I know it is not the most secured but I am fine with it. Plain passwords are fine with me.

I will be giving users some default passwords but I want some program for allowing users to change the passwords for the respective users if they want. Is there any perl script or something web based for the purpose that anyone is using or know of?

View 3 Replies View Related

Security :: Secure Samba Server With Kerberos?

Jul 17, 2010

Is it possible to secure samba server with kerberos? I want to know whether we can use kerberos authentication to secure samba user name and password so that mo one can sniff that information. configuration or any URL link from I can get the exact configuration.

View 1 Replies View Related

Ubuntu Servers :: 10.10 - Cannot Save Multiple Users And Passwords With Htdigest

Dec 12, 2010

On other editions of ubuntu server I had no problem saving multiple users and passwords with htdigest but now it seems it is only possible to save one user and password.
Code:
sudo htdigest -c /etc/apache2/passwords directory user
When I add a second username and password for the same directory it overwrites the first.

View 1 Replies View Related

Ubuntu Security :: Gnome-keyring-daemon And Kerberos

Jul 12, 2010

I have Ubuntu 10.04 configured to login with Kerberos (as in [url]). Everything works fine, except gnome-keyring-daemon:

-If I login with a local user, gnome-keyring-daemon works right. Besides, the keyring is automatically unlocked with the login password.

-If I login with a Kerberos user:

- The session startup is considerably slower.

- /var/log/auth.log says something like:

Code:

- If I execute a program that needs the gnome-keyring (like Evolution), is desperately slow, and it says:

Code:

Message: secret service operation failed: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

- If I kill all gnome-keyring-daemon (killall gnome-keyring-daemon), start a new one (gnome-keyring-daemon), and restart the application that uses the gnome-keyring, it works fine, but it ask me for the password to unlock the keyring (I think that this is the normal behaviour if gnome-keyring-daemon did not start before).

I have seen the configurations in /etc/pam.d and everything looks fine (with pam_gnome_keyring.so). Indeed, I think that if something was wrong here, the local user would not have the keyring unlocked automatically.

View 1 Replies View Related

Ubuntu Security :: [SSH] Gssapi-with-mic Password-less Kerberos Login?

May 13, 2011

I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:

batrick@menzoberranzan:~$ dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5

[code]....

View 1 Replies View Related

Security :: SuSe Authentication Failed After Installation Of Kerberos

Jun 3, 2010

I have installed keberos on my suse machine, but after installation now I am not able to login in it even with the root password. I search over the internet but could not find the solution. What to do now and how to configure Kerberos on a local machine with only local users authentication. I mean client and server both are on the same machine.

View 2 Replies View Related

Server :: Web Based Simple Page To Change Passwords Of Squid Users?

Jun 3, 2010

just now i have installed squid, it works fine with authentication . I created this authentication in a simple text file by using htpasswd . my question is that is there any web based simple page to change passwords of squid users, because each and every time i cant give direct access to server for my squid users .

View 1 Replies View Related

Software :: Proxy Server That Will Support Having Authenticated Users / Passwords In MySQL?

Nov 29, 2010

Im trying to set up a Proxy server on my CentOS server and I have been looking at Squid, however I wondered if there is a proxy server that will support having authenticated users and passwords in a MySQL database?I wanted to do this so I have good control over who is connected through my proxy.

View 6 Replies View Related

Fedora Security :: Can't Forward My Kerberos Credentials To A Computing Resource

Aug 23, 2011

I can't forward my kerberos credentials to a computing resource before connecting to the resource for which I have kerberos credentials. In other words, from my machine at work I obtain my ticket with kinit -f to a computing facility off in some lab somewhere.

Then, I want to ssh to another machine in another department (I don't have control over the krb5.conf file or this would have been easy) where I work. It is on this machine I want to be able to ssh,scp, etc to this far off lab. I've tried several options around this barrier, but I'm a total failure thus far. I checked that GSSAPIAuthentication is set to yes.

[Code]...

View 2 Replies View Related

Software :: Import Windows Users / Passwords Into Openldap Server - Ldap Migrate Migration?

Nov 18, 2009

I am looking for ideas for getting windows users into an ldap server. I am currently running a Linux server for my department and need to create an LDAP server which mirrors the username/password information for all of us as they are stored in the windows server here. I have the openldap server up and running on Ubuntu 8.04 and it works great; I now need to find some way to import user info into this from windows. I've seen discussions of using ldifde.exe to export the AD users into an ldif file. Is this the simplest way to go about it?

Our Linux server is currently providing us with much needed services using apache, and apache is authenticating using LDAP to our windows server (Using our windows username / password is required functionality). This windows server has some problem which causes it to delay for inordinate amounts of time between authentication requests and responses. The situation is such that this problem will not be addressed by IT staff. However, I have control over the Linux server so I am looking to just mirror the windows server on an LDAP server of my own. I could get away with updating the passwords in the Linux server.

View 1 Replies View Related

Ubuntu Security :: SSH To Server Using GSSAPI/Kerberos Prompts For Password When Using DNS Alias?

Jan 15, 2010

I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.

My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.

The setup is working fine as long as I connect to the primary server using its hostname:

peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$

If I try to connect via a DNS alias (actually a second CNAME record), I get:

peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$

I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.

I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).

If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.

So:

1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.

2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.

View 1 Replies View Related

Ubuntu :: Click On A Text Box To Write And Star Typing Only To Find Out Typing Somewhere Other Than Where Clicked?

Jun 17, 2010

Half the time I click on a text box to write and star typing only to find out I'm typing somewhere other than where I clicked.It's not dwell click and the active text box seems to be related to mouseover.

View 2 Replies View Related

Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings

Dec 10, 2009

I wish to setup a network that works like windows but for with lunix of course!. It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:

LDAP
NIS
Kerberos

I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.

1. How to setup fedora to act as server for my needs (or other Linux build)

2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)

View 3 Replies View Related

General :: Disable Passwords And Security?

Dec 15, 2010

I use Ubuntu on my netbook, which I uses for browsing and email. It's way faster than the Windows which came on the machine. That's a nice feature, as is the price.

I like it except for the constant, perpetual, ever-present, super-annoying need to be entering passwords and "becoming root user" and so on. I am the only one using this appliance. I don't even care if someone steals it, really. There must be some way (I hope) of disabling this idea that I am a CIA agent with TopSecret materials.

I just want a simple, easy to use appliance. If not Ubuntu, is there any distro that is aimed at normal people?

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved