Gentoo Forums
network logins
Forum: Networking & Security
melts
n00b
Joined: 21 Feb 2004
Posts: 52

PostPosted: Mon Mar 15, 2004 5:51 am    Post subject: network logins

Hey, I need some help :D

I've started a pilot program where I work to install Linux on desktops. I'm at an Australian high school as the sole IT lackey and I wanted to do something different, so I've done this.

Since this isn't the first time I've installed Gentoo, I've done all the initial stuff and got a working PC; everything is cool 8)

But now I have to choose a login system that will work for, ideally, the entire school, and I haven't covered a lot in Linux network logins :/

PAM + Kerberos seemed good, but I can't compile pam_krb5 (note: I had to compile mit-krb5 during stage two since heimdal-0.6 wouldn't compile, and still won't :?)

On top of that, I've seen one mention of using a program to interface a Windows domain with something Kerberised, but it was brief and lacked any info; I could even have misunderstood what he was interfacing.

The school has a Windows 2000 domain controller and some 600 users in the AD. While it doesn't bother me so much if I can't use the Windows controller to do the authentication, it'd certainly help things along.
I also have a Gentoo box doing firewall stuff that can happily run any auth daemons as required.

I'm intending to write the whole project up for other schools to use (I'm hoping I can get a bit of a job change, being an in-house Linux implementer :wink:) as well as convince the department that it can be done. I'll happily post the howto here once I have a working one; no doubt handy, as it seems pretty hard to find a full guide to Kerberos authentication systems.

Anyway, I'm after some help to figure out why the PAM component won't compile, and any info people have on what they might have done so I can start building a login system. (Oh, and if anyone thinks I should be using something like RADIUS instead, post that up too; I don't know if Kerberos is the way to go yet.)
_________________
=== === === === === ===
doh
=== === === === === ===
Grathol
n00b
Joined: 08 Nov 2003
Posts: 33

PostPosted: Mon Mar 15, 2004 5:58 am    Post subject:

I had trouble compiling Heimdal as well. I ended up with mit-krb5, not that I really care. Here's how to compile pam_krb5:

https://bugs.gentoo.org/show_bug.cgi?id=35059

I'm also in the middle of working on a project like this to enable a common set of logins in both web applications and for ssh logins to a set of machines. A good explanation of all the underlying technologies can be found here:

http://www.linuxgeek.net/index.pl/authentication

I haven't had much luck getting the PAM modules to properly allow users in the Kerberos database to connect, so if you make any progress with that, please post :) I'll do the same.
melts
n00b
Joined: 21 Feb 2004
Posts: 52

PostPosted: Thu Mar 18, 2004 12:38 am    Post subject:

Well, going along I've snagged another problem, but I got pam_krb5 compiled and working at least.

emerge mod_auth_kerb-4.11 just seems to fall over for me, and the bug isn't listed yet. Rather, a new version is talked about, but they seem to have copyright problems :/

Code:
emerge -v mod_auth_kerb
Calculating dependencies ...done!
>>> emerge (1 of 1) net-www/mod_auth_kerb-4.11 to /
>>> md5 src_uri ;-) mod_auth_kerb-4.11.tar.gz
>>> Unpacking source...
>>> Unpacking mod_auth_kerb-4.11.tar.gz to /var/tmp/portage/mod_auth_kerb-4.11/work
 * Applying mod_auth_kerb_register.patch...                                                                            [ ok ]
>>> Source unpacked.
/usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O3 -march=pentium4 -funroll-loops -pipe -fomit-frame-pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2  -DAPXS2 -DKRB5 -DKRB5_SAVE_CREDENTIALS -DKRB_DEF_REALM=\"MANDURAHHS.WA.EDU.AU\"  -c -o mod_auth_kerb.lo mod_auth_kerb.c && touch mod_auth_kerb.slo
mod_auth_kerb.c:379:23: missing terminating " character
mod_auth_kerb.c:380:60: missing terminating " character
apxs:Error: Command failed with rc=65536
.

!!! ERROR: net-www/mod_auth_kerb-4.11 failed.
!!! Function src_compile, Line 27, Exitcode 1
!!! (no error message)


I thought it had to do with the \"MANDURAHHS.WA.EDU.AU\" section, but taking out the \" (yeah, I know why the \ is there, to stop problems like this :P) does nothing.

I have been looking at Samba PDC work too, and I might have a test to see if it'd work like that; that would surely be good (but then I have to find out if Samba can authenticate users from a realm; last time I used it, it needed a separate passwd file :/)
_________________
=== === === === === ===
doh
=== === === === === ===
Grathol
n00b
Joined: 08 Nov 2003
Posts: 33

PostPosted: Thu Mar 18, 2004 4:11 pm    Post subject:

Samba I think still uses a separate password file (hence the 'smbpasswd' utility).

As far as emerging mod_auth_kerb goes, this is what I had to do (as root, with my working directory as /root/):

Code:
1.  emerge -f mod_auth_kerb
2.  cp /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz /root/
3.  tar -xvzf mod_auth_kerb-4.11.tar.gz
4.  cd src/modules/kerberos
5.  vi mod_auth_kerb.c
6.  Remove the extra newline at/around line 380
7.  :wq
8.  cd
9.  tar cvzf mod_auth_kerb-4.11.tar.gz src/*
10. cp mod_auth_kerb-4.11.tar.gz /usr/portage/distfiles/
11. md5sum -b /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz > /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
12. ls -lta /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz
13. Record the file size (in bytes)
14. vi /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
15. Format the line in the following manner:
    MD5 96be90c0e037571a57298d23c73f3ddf mod_auth_kerb-4.11.tar.gz 14025
    "MD5" is static, "mod_auth_kerb-4.11.tar.gz" is the name of the file,
    and "14025" is the file size (in bytes)
16. emerge --resume mod_auth_kerb


Hope this helps. I still haven't made any progress on figuring out how to use PAM to authenticate Kerberos SSH logins without necessarily having a local account on the machine; any experience with something like this?
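Grathol's sixteen-step procedure above, automated as an added example (written for this edit; it is not code from the thread or from Portage). It unpacks a distfile, runs an arbitrary edit command inside the unpacked tree, repacks the tree under the same name, and prints the digest line in the old `MD5 <hash> <file> <size>` format that step 15 shows; `check_digest` verifies a distfile against such a line, which is the check that makes a hand-edited tarball fail to emerge in the first place. All function names and paths are hypothetical, and the archive is assumed to unpack to a top-level directory such as `src/`, as in step 9.

```shell
#!/bin/sh
# Added example, not code from the thread or from Portage: automate the
# "edit the distfile, repack it, regenerate the digest" procedure.
# Assumptions: POSIX sh with md5sum, tar, wc and mktemp; every path used here
# is hypothetical; the tarball unpacks to a top-level directory (e.g. src/).

# Print the line an old-style Portage digest file expects for one distfile:
#   MD5 <md5 hex> <file name> <size in bytes>
portage_digest_line() {
    file="$1"
    name=$(basename "$file")
    hash=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf 'MD5 %s %s %s\n' "$hash" "$name" "$size"
}

# Check a distfile against a digest file; succeeds only if both the MD5 and the
# size recorded for that file name match the file on disk.
check_digest() {
    file="$1"; digest="$2"
    expected=$(grep " $(basename "$file") " "$digest")
    [ -n "$expected" ] && [ "$(portage_digest_line "$file")" = "$expected" ]
}

# Unpack <tarball>, run <edit_cmd> with the unpacked tree as the working
# directory, repack under the same name and print the new digest line.
repack_distfile() {
    tarball="$1"; edit_cmd="$2"
    abs="$(cd "$(dirname "$tarball")" && pwd)/$(basename "$tarball")"
    work=$(mktemp -d) || return 1
    tar -xzf "$abs" -C "$work" || return 1
    ( cd "$work" && sh -c "$edit_cmd" ) || return 1
    # Repack the top-level entries (src/...), the same layout as step 9.
    # Entry names must not start with "-", or tar would read them as options.
    ( cd "$work" && tar -czf "$abs" * ) || return 1
    rm -rf "$work"
    portage_digest_line "$abs"
}

# Usage (hypothetical paths; the edit is whatever fixes the source):
#   repack_distfile /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz \
#       'vi src/modules/kerberos/mod_auth_kerb.c' \
#       > /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
```

Regenerating the digest after editing the tarball only tells Portage to accept the modified file; it says nothing about whether the file still matches upstream, so the integrity check is effectively switched off for that distfile. That is fine for a one-off test box, but the durable fix is a patch carried with the ebuild and applied at build time, which is what the ebuild already does with mod_auth_kerb_register.patch in the emerge output earlier in the thread.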
melts
n00b
Joined: 21 Feb 2004
Posts: 52

PostPosted: Fri Mar 19, 2004 3:03 am    Post subject:

Thanks for that; up till now I didn't know quite how you could go about editing an ebuild. It would be handy if there were an option to prevent deletion of the compilation work on errors, so you could just edit it and then resume (but then maybe that exists and I just don't know it).

I'm looking at Kerberos auth systems now, but treading slowly as I don't want to break the current domain I have. It looks like I'm going to run all the Linux systems on a separate VLAN just to avoid these problems.

As a bit of advice from what I gleaned from setting up One Time Passwords, sshd seems to act reasonably weirdly with authentication: I could enter my username, leave the first password field blank and send that, and -then- get the OTP (S/Key) password prompt. If you have a user in your Kerberos realm but not on your test box, try logging in, leave the password blank at first, and see what it prompts you for.
I haven't figured out how to shuffle which PAM module it uses first, but /etc/ssh/sshd_config has all the config options in order:

Code:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes


Could it be that the order of the file dictates what it asks for first?
I'll probably hack up a Kerberos auth system today since these machines are now on their VLAN; hopefully I'll have results.

This is the link to the OTP thread too, in case you want to look at what's being done there: https://forums.gentoo.org/viewtopic.php?p=968053#968053
_________________
=== === === === === ===
doh
=== === === === === ===
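On the question of whether the order of sshd_config decides which prompt comes first: it does not. sshd takes the first uncommented occurrence of each keyword and ignores later ones, a `#Keyword value` line is only a comment showing the compiled-in default, and the order in which PAM modules run (and therefore which password prompt a PAM-backed login meets first) comes from the `auth` lines of the service file under /etc/pam.d, not from sshd_config. The example below, added for this edit and not code from the thread, makes both rules concrete: it reads the effective value of an sshd_config keyword the way sshd does, lists a pam.d file's auth stack in execution order, and flags modules carrying `nullok` (the PAM-side counterpart of PermitEmptyPasswords). The sample sshd_config and pam.d file are constructed here; they are not melts' real configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: read the effective value of an
# sshd_config keyword and list a PAM service's "auth" stack in execution order.
# Assumptions: POSIX sh with awk; the sample files below are constructed for the
# demo and are not anyone's real configuration.

# sshd takes the FIRST uncommented occurrence of a keyword and ignores later
# ones; a "#Keyword value" line is a comment documenting the built-in default.
# Keyword matching is case-insensitive.  Usage: sshd_option <file> <Keyword> <default>
sshd_option() {
    conf="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$conf")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Print the "auth" lines of a pam.d service file as "control module args", in
# file order.  This order, not anything in sshd_config, decides which module
# (and which prompt) a PAM-backed login hits first.
pam_auth_stack() {
    awk '$1 == "auth" { line = $2; for (i = 3; i <= NF; i++) line = line " " $i; print line }' "$1"
}

# Report auth modules that accept an empty password via the "nullok" option,
# the PAM-side counterpart of sshd's PermitEmptyPasswords.
pam_nullok_modules() {
    pam_auth_stack "$1" | awk '/nullok/ { print $2 }'
}

# Constructed sample files: a stock-style sshd_config fragment and a pam.d
# service file that tries Kerberos first and the local passwd file second.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample; commented lines show defaults, as in the stock file
#PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$1/pam_sshd" <<'EOF'
# constructed sample /etc/pam.d/sshd: Kerberos first, local passwd second
auth    sufficient  pam_krb5.so  try_first_pass
auth    required    pam_unix.so  try_first_pass nullok
account required    pam_unix.so
EOF
}

# Demo: effective sshd settings (first match wins, comments fall back to the
# given default), then the PAM auth order and any nullok modules.
d=$(mktemp -d)
write_samples "$d"
for k in PasswordAuthentication ChallengeResponseAuthentication PermitEmptyPasswords UsePAM; do
    printf '%-32s %s\n' "$k" "$(sshd_option "$d/sshd_config" "$k" unset)"
done
pam_auth_stack "$d/pam_sshd"
pam_nullok_modules "$d/pam_sshd"
rm -rf "$d"
```

With the sample above, `PasswordAuthentication` reports `no` even though a later line says `yes`, and `PermitEmptyPasswords` falls through to the default because its only occurrence is commented. Which of the enabled methods (password, keyboard-interactive via PAM, GSSAPI) a client tries first is then the client's choice among what sshd offers, so a server that wants a single predictable prompt should leave only the method it actually uses enabled.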
gsurbey
Apprentice
Joined: 24 Mar 2003
Posts: 212
Location: Nashua, NH

PostPosted: Tue May 03, 2005 3:19 pm    Post subject:

Thank you, Grathol!
The ebuild for mod_auth_kerb needs fixing, so I posted the bug at https://bugs.gentoo.org/show_bug.cgi?id=91313

Also, because of the new extra security in Portage you'll have to run
Code:
ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-4.11.ebuild digest

BTW, here's a nice HowTo: https://forums.gentoo.org/viewtopic-t-205972.html
_________________
-Greg Surbey