I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:
batrick@menzoberranzan:~$ dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5
[code]....
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$
I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.
I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).
If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.
So:
1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.
2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.
I am trying to get kerberos ticket forwarding via SSH to work between RHEL and Ubuntu. It is working, when connecting from Ubuntu to RHEL, but not the other way round. (It also works between RHEL machines.) I have enabled the GSSAPI features in both SSH client and server, checked keytabs and verified, that my ticket is forwardable.
Any idea, how to get more information? Could it have s. th. to do with using allow_weak_crypto=yes in our krb5.conf? I have to use that, because our kerberos server only supports DES encryption.
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
everytime i try to vnc to my box, it pops up the keyring authentication, which is obviously a huge problem when logging in remotely.how do i change my keyring password to match my login password?
View 4 Replies View RelatedI'm seeing really bad user login format under a standard installation and am wondering why ubuntu does this as default. I have noticed that the graphical login for gnome sizes itself to accommodate a user's exact password length. This indicates to me that somewhere on the unencrypted part of a standard installation with user encryption contains at least some indication of the content of the password length which seems a security flaw even if not a complete hole, it majorly reduces the number of attempts a cracker would have to cycle through.
And that's assuming that *only* the length is contained. Furthermore it seems that it would be MUCH better to simply display the number of characters entered into the pw field and allowing the gui to expand itself from an fixed size as the field is filled out so the the user still receives visual feedback for entering characters. Either a simple character count display should be entered into the field or a 10 dot to new line so that one can visually quickly count the number enter by multiplying from a 10base graphical observation.
I'm having a remote server running SSH, I use the scp from my local computer like this:scp filename.txt username@IP:Port:home/usernameit asks for the password, I supply it, he doesn't accept it for 3 times and then I get "Permission denied (publickey,gssapi-with-mic,password)"
View 1 Replies View RelatedI have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
We have an employee that left our place of business on bad terms and his computer has been locked out since. The comp runs Ubuntu 10.10.
We have followed the regular password reset methods online but the Kerberos password seems to be getting in the way. We have no idea was this password is and it seems impossible to work around. Does anybody know a way?
Were were about to gain access as the root user but cannot access other user accounts as the root user.
I installed linux system into a USB stick, but it never asks me to enter login password (i am the default user "root") when booting. I checked the settings in "User and Group" panel, and found everything there is OK. What additional settings should I make to this problem?
View 4 Replies View RelatedHow can I disable the password request when i login? Not the password for the user but the password to connect to the net?
View 5 Replies View RelatedSecond off, I'm trying to capture a user password on login (through gdm) such that I can re-use it for a service like Kerberos or AFS. The idea is that the user has to log in only once, and then I renew the tickets and tokens until they log out again. If there's a better way to do this
View 4 Replies View RelatedI'm the only user of my PC and as of upgrading to 10.04, I get a login screen, that requests only a password, when the PC goes idle.
View 8 Replies View RelatedI just installed Fedora 10 on my laptop 2 days ago. I dont seem to remember the password i userd for my username. Is there a way to reset or change the password? I cannot login to the system.
View 4 Replies View RelatedFound a major security hole in one of my more crucial linux servers today. (Only locally) I can use the user name "root" and any string for the password. So I can literally type "poop" as the password and the server lets me in. I know how to set root password settings for SSH and sudo, but where are settings located for local access that would allow something like this?
View 14 Replies View RelatedKernel 2.6.21.5, Slackware 12.0
GNU bash 3.11.17
Being in a text console (VT, that is, the screen with 25 x80 chars), say tty1, and just after booting linux, I logged in as usual,typing my password.What happened then astonished me. In Slackware distros, a small quotation from some book is written on screen just after typing the correct password. Well, after typing my password, I could see it split into two halves instead of the quotation.
There is this one server running CentOS5.4 Final which has certain application like Bugzilla. I have setup ssh on it and setup is for password less authentication. Have also setup PasswordAuthentication to no. So with password authentication should succeed. But it is. Though password less authentication is working fine, but I am also able to login using password.
Code:
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
I was just wondering about logging in to my remote server via SSHv2.
But I want to set a passphase key but not make the server ask for it when logging in, would this at all be possible?
I am well aware I may leave it blank but doesnt this pose a security threat possibly?
I have heard somewhere that you can get Linux Centos 4.8 to do this
When installing the latest Distro of Mint (I believe this is not much different, if at all, from Ubuntu as far as this goes) I chose to have my Home folder encrypted using the login password. This was a function of the installation. What I was wondering about was how secure this was and if I should maybe use something to do a better encryption or not.
View 1 Replies View RelatedI have a problem with my ubuntu account. I am running 4 virtual machines, based on jeos-8.04 and I am using a public key authentication to login to my account (via ssh). This is not the problem, I have the key and the passphrase. But when I am logged in, I can't sudo, because I forgot the password for the accout.
View 6 Replies View RelatedLucid Lynx clean install.I do not seem to get the login screen from powerdown now. I do after logging off and logging back in again.From switched off, I get taken to my desktop and it is only a little while later, usually when starting Thunderbird or FireFox that I get asked for my password with this massagePlease Unlock The Login KeyringThe Login Keyring Did Not Get Unlocked When You Logged On
View 2 Replies View RelatedI have installed servers(10.04 LTS Server) with Kerberos + LDAP, now I can ssh to all those servers and login with kerberos principle. But when I want to change password, I got such error:
Code:
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
passwd: Authentication token manipulation error
passwd: password unchanged
I have search this issue but cannot any useful information. Would someone give me a direction?
Can't seem to do it, wondering if anyone knows how? Normally there's something in sshd_config that can be switched to true or yes to allow root login but I can't see it in fedora 12.I can login via root at a terminal no problem, just not via ssh, I get access denied every time. Also, I need to login using password authentication.I've done: 227169 but that's just for GUI which I don't really need since I rarely ever log into the GUI.I have also searched through here and mostly only found info such as above, how to enable root login for GUI, or billions of posts about how logingin as root is bad but I cannotswer to my question.DISCLAIMER: Please do not reply to this thread if all you can contribute is the question of why I need root or to put some message telling me I can do everything using su, etc, etc. Please only contribute if you can answer my question. A: My machine and a valid quesiton. B: Spirit of Linux is open, not restrictive
View 3 Replies View RelatedI found a way some times ago to mount a truecrypt volume when opening the session by insertion of the login password in the mounting script instead of putting it in clear in the script. I don't remember to command to read/transfer the password.
View 2 Replies View RelatedI just took a job and the admin password for the AFS is missing. How do I find/reset this password? I have the root password for the machine it is installed on.
View 4 Replies View RelatedMy goal is this: Allow a user to connect to a server via SSH with any login name or password without checking to see if that account exists on that server. Their account would be captured by a universal account say, 'generic_user', and then they would be directed to one of my python scripts with the username and password they supplied for initial login. At this point my script would capture their SSHD process ID and allow/deny their existence based upon a MySQL/Subscription check.
The part I'm having trouble with is with PAM and allowing the user to login with any credentials and be successfully authenticated under the generic account. Beyond that, everything is great.
I have set up my KDC and telnet in the same server.
I am trying to telnet from a local PC . This is the output I am getting ..
[sudip@kdcclient root]$ telnet -a -F -x kdc
Trying 192.168.1.3...
Connected to kdc.example.local (192.168.1.3).
Escape character is '^]'.
[Code]....
So why it is asking for password ? What I am missing here ?
Following the instructions listed here:[URL].. I have a machine set up to use Kerberos authentication for logins. The problem is, logins are now incredibly slow and any user from the AD fails to log in.Here's the output from the server in debug mode:
[Code]...
What I want to do is use a Windows AD with the UNIX extensions to control user logins on CentOS 5.5 servers. Previously I've used OpenLDAP and AD, but that was still two separate auth methods and I just want one.
I have an NIS server that is working well, and I want to use Kerberos to improve the overall security.I have already installed Kerberos client and server on two machines respectively.Currently the NIS server, Kerberos server, and KDC are running on the same box, and every box is in the same private network.I am having trouble logging in using the user account defined in Kerberos database. Here's /etc/krb5.conf on the client side:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
[code].....
I have now been trying to find an answer for the following for a while and can't seem to get anything.On previous linux distros we had the option available "passwd -e" which allowed us to force the user to change their passwords upon the next login.s functionality however seems to be excluded from latest linux distros (currently using RHEL 5.4)...Does anybody know how the same effect can be achieved and perhaps any idea on why this option was removed as it was great for securing passwords
View 5 Replies View Related