Kerberos + SSH question - Kerberos


Thread: Kerberos + SSH question

  1. Kerberos + SSH question

    I've currently got a Heimdal KDC setup for testing. From the testing network, I
    can successfully get tickets via kinit, and ssh with the ticket between servers.
    Now, I'm trying to get the Windows desktop side working. Right now, I can
    authenticate (using SecureCRT with Kerberos support) but only when I use kinit
    from the Windows XP desktop.
    What I'm trying to do is get the ssh server on the machine I'm accessing to
    carry out the kerberos authentication, so I don't have to install kerberos
    software on all our support staff's desktops, and put everyone's desktop in the
    realm. Basically, ssh to the server with my kerberos password, and have the
    server carry out the kerberos work for me.
    Any suggestions on how I could go about doing this? I've found some vague
    references suggesting this should be possible, but I'm unsure where to start.

  2. Re: Kerberos + SSH question

    >>>>> "Nod" == Nod writes:

    Nod> I've currently got a Heimdal KDC setup for testing. From the
    Nod> testing network, I can successfully get tickets via kinit, and ssh
    Nod> with the ticket between servers. Now, I'm trying to get the
    Nod> Windows desktop side working. Right now, I can authenticate
    Nod> (using SecureCRT with Kerberos support) but only when I use kinit
    Nod> from the Windows XP desktop. What I'm trying to do is get the
    Nod> ssh server on the machine I'm accessing to carry out the kerberos
    Nod> authentication, so I don't have to install kerberos software on
    Nod> all our support staff's desktops, and put everyone's desktop in
    Nod> the realm. Basically, ssh to the server with my kerberos
    Nod> password, and have the server carry out the kerberos work for me.

    So, you want to do two entirely different things. When you kinit on
    Windows, you are using ticket-based authentication and you have
    single-signon. Now, you do not want to use Kerberos on the clients; you
    want to use password authentication (no single-signon), and have the SSH
    server validate the password against Kerberos.

    You have not said what SSH server you're using, or what server OS, or
    indeed anything about the server at all. Assuming it's OpenSSH on Unix,
    you can use this:

    PasswordAuthentication yes
    KerberosAuthentication yes

    or, use keyboard-interactive authentication and configure PAM to use
    Kerberos.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Kerberos + SSH question

    On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" wrote:

    >>>>>> "Nod" == Nod writes:

    >
    > Nod> I've currently got a Heimdal KDC setup for testing. From the
    > Nod> testing network, I can successfully get tickets via kinit, and ssh
    > Nod> with the ticket between servers. Now, I'm trying to get the
    > Nod> Windows desktop side working. Right now, I can authenticate
    > Nod> (using SecureCRT with Kerberos support) but only when I use kinit
    > Nod> from the Windows XP desktop. What I'm trying to do is get the
    > Nod> ssh server on the machine I'm accessing to carry out the kerberos
    > Nod> authentication, so I don't have to install kerberos software on
    > Nod> all our support staff's desktops, and put everyone's desktop in
    > Nod> the realm. Basically, ssh to the server with my kerberos
    > Nod> password, and have the server carry out the kerberos work for me.
    >
    >So, you want to do two entirely different things. When you kinit on
    >Windows, you are using ticket-based authentication and you have
    >single-signon. Now, you do not want to use Kerberos on the clients; you
    >want to use password authentication (no single-signon), and have the SSH
    >server validate the password against Kerberos.
    >
    >You have not said what SSH server you're using, or what server OS, or
    >indeed anything about the server at all. Assuming it's OpenSSH on Unix,
    >you can use this:
    >
    >PasswordAuthentication yes
    >KerberosAuthentication yes
    >
    >or, use keyboard-interactive authentication and configure PAM to use
    >Kerberos.


    OpenSSH_4.3p2, FreeBSD 6.0, in this case.

    PAM config for ssh
    u2:~# cat /etc/pam.d/sshd | grep krb
    auth sufficient pam_krb5.so no_warn try_first_pass
    account required pam_krb5.so
    password sufficient pam_krb5.so no_warn try_first_pass

    SSHD config
    PermitRootLogin yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM yes
    Subsystem sftp /usr/libexec/sftp-server



    SSH debug of connection attempt, in keyboard interactive mode.

    Invalid user nod@test.myrealm.com from ip
    input_userauth_request: invalid user nod@test.myrealm.com
    debug1: PAM: initializing for "nod@test.myrealm.com"
    debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
    Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    debug1: userauth-request for user nod@test.myrealm.com service ssh-connection
    method keyboard-interactive
    debug1: attempt 1 failures 1
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=nod@test.myrealm.com devs=
    debug1: kbdint_alloc: devices 'pam'
    debug1: auth2_challenge_start: trying authentication method 'pam'
    Postponed keyboard-interactive for invalid user nod@test.myrealm.com from ip
    port 3727 ssh2
    PAM: authentication error for illegal user nod@test.myrealm.com from
    nt1.myrealm.com
    Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    port 3727 ssh2
    Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    port 3727 ssh2
    Received disconnect from ip: 13: The user canceled authentication.

    This doesn't appear to have worked, perhaps I'm missing something?

  4. Re: Kerberos + SSH question

    >
    > On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" wrote:
    > >>>>>> "Nod" == Nod writes:

    > >
    > > Nod> I've currently got a Heimdal KDC setup for testing. From the
    > > Nod> testing network, I can successfully get tickets via kinit, and ssh
    > > Nod> with the ticket between servers. Now, I'm trying to get the
    > > Nod> Windows desktop side working. Right now, I can authenticate
    > > Nod> (using SecureCRT with Kerberos support) but only when I use kinit
    > > Nod> from the Windows XP desktop. What I'm trying to do is get the
    > > Nod> ssh server on the machine I'm accessing to carry out the kerberos
    > > Nod> authentication, so I don't have to install kerberos software on
    > > Nod> all our support staff's desktops, and put everyone's desktop in
    > > Nod> the realm. Basically, ssh to the server with my kerberos
    > > Nod> password, and have the server carry out the kerberos work for me.
    > >
    > >So, you want to do two entirely different things. When you kinit on
    > >Windows, you are using ticket-based authentication and you have
    > >single-signon. Now, you do not want to use Kerberos on the clients; you
    > >want to use password authentication (no single-signon), and have the SSH
    > >server validate the password against Kerberos.
    > >
    > >You have not said what SSH server you're using, or what server OS, or
    > >indeed anything about the server at all. Assuming it's OpenSSH on Unix,
    > >you can use this:
    > >
    > >PasswordAuthentication yes
    > >KerberosAuthentication yes
    > >
    > >or, use keyboard-interactive authentication and configure PAM to use
    > >Kerberos.

    >
    > OpenSSH_4.3p2, FreeBSD 6.0, in this case.
    >
    > PAM config for ssh
    > u2:~# cat /etc/pam.d/sshd | grep krb
    > auth sufficient pam_krb5.so no_warn try_first_pass
    > account required pam_krb5.so
    > password sufficient pam_krb5.so no_warn try_first_pass


    Since the PAM config is order-dependent, grepping out certain lines does
    not show whether it would work, or even if these lines would be consulted
    at all.

    > SSHD config
    > PermitRootLogin yes
    > PasswordAuthentication yes
    > ChallengeResponseAuthentication yes
    > KerberosAuthentication yes
    > KerberosOrLocalPasswd yes
    > KerberosTicketCleanup yes
    > GSSAPIAuthentication yes
    > GSSAPICleanupCredentials yes
    > UsePAM yes
    > Subsystem sftp /usr/libexec/sftp-server
    >
    >
    >
    > SSH debug of connection attempt, in keyboard interactive mode.
    >
    > Invalid user nod@test.myrealm.com from ip
    > input_userauth_request: invalid user nod@test.myrealm.com
    > debug1: PAM: initializing for "nod@test.myrealm.com"
    > debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
    > Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    > Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    > debug1: userauth-request for user nod@test.myrealm.com service ssh-connection
    > method keyboard-interactive
    > debug1: attempt 1 failures 1
    > debug1: keyboard-interactive devs
    > debug1: auth2_challenge: user=nod@test.myrealm.com devs=
    > debug1: kbdint_alloc: devices 'pam'
    > debug1: auth2_challenge_start: trying authentication method 'pam'
    > Postponed keyboard-interactive for invalid user nod@test.myrealm.com from ip
    > port 3727 ssh2
    > PAM: authentication error for illegal user nod@test.myrealm.com from
    > nt1.myrealm.com
    > Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    > port 3727 ssh2
    > Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    > port 3727 ssh2
    > Received disconnect from ip: 13: The user canceled authentication.


    > This doesn't appear to have worked, perhaps I'm missing something?


    The various references to "illegal user" and "invalid user" suggest an
    independent reason why sshd or PAM don't like this account. You'd get
    this if, for example, you had set AllowUsers and this account were not
    listed. Perhaps there's something else wrong with this account that PAM
    checks, e.g. it has a shell not in /etc/shells?

    This seems familiar to me...

    --
    Richard Silverman
    res@qoxp.net


  5. Re: Kerberos + SSH question

    On 19 Jun 2006 23:09:01 -0400, "Richard E. Silverman" wrote:

    >>
    >> On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" wrote:
    >> >>>>>> "Nod" == Nod writes:
    >> >
    >> > Nod> I've currently got a Heimdal KDC setup for testing. From the
    >> > Nod> testing network, I can successfully get tickets via kinit, and ssh
    >> > Nod> with the ticket between servers. Now, I'm trying to get the
    >> > Nod> Windows desktop side working. Right now, I can authenticate
    >> > Nod> (using SecureCRT with Kerberos support) but only when I use kinit
    >> > Nod> from the Windows XP desktop. What I'm trying to do is get the
    >> > Nod> ssh server on the machine I'm accessing to carry out the kerberos
    >> > Nod> authentication, so I don't have to install kerberos software on
    >> > Nod> all our support staff's desktops, and put everyone's desktop in
    >> > Nod> the realm. Basically, ssh to the server with my kerberos
    >> > Nod> password, and have the server carry out the kerberos work for me.
    >> >
    >> >So, you want to do two entirely different things. When you kinit on
    >> >Windows, you are using ticket-based authentication and you have
    >> >single-signon. Now, you do not want to use Kerberos on the clients; you
    >> >want to use password authentication (no single-signon), and have the SSH
    >> >server validate the password against Kerberos.
    >> >
    >> >You have not said what SSH server you're using, or what server OS, or
    >> >indeed anything about the server at all. Assuming it's OpenSSH on Unix,
    >> >you can use this:
    >> >
    >> >PasswordAuthentication yes
    >> >KerberosAuthentication yes
    >> >
    >> >or, use keyboard-interactive authentication and configure PAM to use
    >> >Kerberos.

    >>
    >> OpenSSH_4.3p2, FreeBSD 6.0, in this case.
    >>
    >> PAM config for ssh
    >> u2:~# cat /etc/pam.d/sshd | grep krb
    >> auth sufficient pam_krb5.so no_warn try_first_pass
    >> account required pam_krb5.so
    >> password sufficient pam_krb5.so no_warn try_first_pass

    >
    >Since the PAM config is order-dependent, grepping out certain lines does
    >not show whether it would work, or even if these lines would be consulted
    >at all.
    >
    >> SSHD config
    >> PermitRootLogin yes
    >> PasswordAuthentication yes
    >> ChallengeResponseAuthentication yes
    >> KerberosAuthentication yes
    >> KerberosOrLocalPasswd yes
    >> KerberosTicketCleanup yes
    >> GSSAPIAuthentication yes
    >> GSSAPICleanupCredentials yes
    >> UsePAM yes
    >> Subsystem sftp /usr/libexec/sftp-server
    >>
    >>
    >>
    >> SSH debug of connection attempt, in keyboard interactive mode.
    >>
    >> Invalid user nod@test.myrealm.com from ip
    >> input_userauth_request: invalid user nod@test.myrealm.com
    >> debug1: PAM: initializing for "nod@test.myrealm.com"
    >> debug1: PAM: setting PAM_RHOST to "nt1.myrealm.com"
    >> Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    >> Failed none for invalid user nod@test.myrealm.com from ip port 3727 ssh2
    >> debug1: userauth-request for user nod@test.myrealm.com service ssh-connection
    >> method keyboard-interactive
    >> debug1: attempt 1 failures 1
    >> debug1: keyboard-interactive devs
    >> debug1: auth2_challenge: user=nod@test.myrealm.com devs=
    >> debug1: kbdint_alloc: devices 'pam'
    >> debug1: auth2_challenge_start: trying authentication method 'pam'
    >> Postponed keyboard-interactive for invalid user nod@test.myrealm.com from ip
    >> port 3727 ssh2
    >> PAM: authentication error for illegal user nod@test.myrealm.com from
    >> nt1.myrealm.com
    >> Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    >> port 3727 ssh2
    >> Failed keyboard-interactive/pam for invalid user nod@test.myrealm.com from ip
    >> port 3727 ssh2
    >> Received disconnect from ip: 13: The user canceled authentication.

    >
    >> This doesn't appear to have worked, perhaps I'm missing something?

    >
    >The various references to "illegal user" and "invalid user" suggest an
    >independent reason why sshd or PAM don't like this account. You'd get
    >this if, for example, you had set AllowUsers and this account were not
    >listed. Perhaps there's something else wrong with this account that PAM
    >checks, e.g. it has a shell not in /etc/shells?
    >
    >This seems familiar to me...



    Here's the whole pam config for ssh:

    # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth required pam_nologin.so no_warn
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    auth required pam_unix.so no_warn try_first_pass

    # account
    account required pam_krb5.so
    account required pam_login_access.so
    account required pam_unix.so

    # session
    #session optional pam_ssh.so
    session required pam_permit.so

    # password
    password sufficient pam_krb5.so no_warn try_first_pass
    password required pam_unix.so no_warn try_first_pass

    As for the user, no, it doesn't exist on the box. This might be where I'm
    running into a problem. Right now, this box only has its root user and various
    system accounts on it. Here's what I'm trying to do:
    - Set up kerberos users for my various support techs. This is done, and I can
    kinit from the servers as those users.
    - Allow the kerberos users login access to the servers, and eventually, sudo
    access. Right now, I've not added any local users to the servers themselves, as
    I was under the impression that having them in Kerberos would make them a
    'virtual' user of sorts.

    Am I missing something here, or do I have a fundamental misunderstanding on
    something? Your input is greatly appreciated.
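
An added example (not part of the original posts) of why the order of the lines matters: it walks the auth chain posted above under a simplified control-flag model (required, requisite and sufficient only). The module outcomes are constructed assumptions, and `parse_stack`, `evaluate` and `compare_orders` are names made up for this sketch.

```python
# Added example: simplified model of how a PAM "auth" chain is walked in file order.

# The auth lines as posted in the thread (/etc/pam.d/sshd).
SSHD_PAM = """\
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments and blanks."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, outcomes):
    """Walk the chain in order. outcomes maps module -> True (success) / False.

    Returns (granted, modules_consulted)."""
    failed = False   # a required module has failed earlier in the chain
    passed = False   # a required or requisite module has succeeded
    consulted = []
    for control, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                passed = True
            elif control == "requisite":
                return False, consulted      # requisite failure ends the chain
            else:
                failed = True                # required failure: keep going, deny at the end
        elif control == "sufficient" and ok and not failed:
            return True, consulted           # sufficient success ends the chain
    return passed and not failed, consulted


# Constructed outcomes (assumption): the Kerberos password is correct, the user
# has no OPIE setup and no local Unix password.
OUTCOMES = {
    "pam_nologin.so": True,
    "pam_opie.so": False,
    "pam_opieaccess.so": True,
    "pam_krb5.so": True,
    "pam_unix.so": False,
}


def compare_orders():
    """Evaluate the posted order, then the same lines with the last two swapped."""
    posted = parse_stack(SSHD_PAM)
    swapped = posted[:3] + [posted[4], posted[3]]
    return evaluate(posted, OUTCOMES), evaluate(swapped, OUTCOMES)


if __name__ == "__main__":
    for label, (granted, consulted) in zip(("posted", "swapped"), compare_orders()):
        print(label, "granted" if granted else "denied", consulted)
```

With identical module results, the posted order grants access without ever consulting pam_unix, while the swapped order denies it, which is why a grep for the krb5 lines alone cannot show what the chain does.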

  6. Re: Kerberos + SSH question

    Nod writes:

    > As for the user, no, it doesn't exist on the box. This might be where
    > I'm running into a problem. Right now, this box only has its root user
    > and various system accounts on it. Here's what I'm trying to do:


    > - Set up kerberos users for my various support techs. This is done, and
    > I can kinit from the servers as those users.


    > - Allow the kerberos users login access to the servers, and eventually,
    > sudo access. Right now, I've not added any local users to the servers
    > themselves, as I was under the impression that having them in Kerberos
    > would make them a 'virtual' user of sorts.


    > Am I missing something here, or do I have a fundamental misunderstanding
    > on something? Your input is greatly appreciated.


    Fundamental misunderstanding of sorts. All Kerberos does for you is
    handle the authentication. In order to allow a user to log on to the
    system, they still have to have a local account with a shell, home
    directory, etc. That information is generally supplied by the nsswitch
    service, which means that it normally comes from /etc/passwd but can also
    be provided by LDAP, NIS, etc.

    Kerberos doesn't store that sort of additional information about a user,
    only their authentication credentials. You have to set up both PAM *and*
    the appropriate nsswitch modules on a system.

    Many sites use Kerberos for authentication but store other user
    information in LDAP and use the LDAP nsswitch module. You can, of course,
    also just add users directly to /etc/passwd.

    --
    Russ Allbery (rra@stanford.edu)

  7. Re: Kerberos + SSH question

    >>>>> "RA" == Russ Allbery writes:

    RA> Nod writes:
    >> As for the user, no, it doesn't exist on the box. This might be
    >> where I'm running into a problem. Right now, this box only has its
    >> root user and various system accounts on it. Here's what I'm trying
    >> to do:


    >> - Set up kerberos users for my various support techs. This is done,
    >> and I can kinit from the servers as those users.


    >> - Allow the kerberos users login access to the servers, and
    >> eventually, sudo access. Right now, I've not added any local users
    >> to the servers themselves, as I was under the impression that
    >> having them in Kerberos would make them a 'virtual' user of sorts.


    >> Am I missing something here, or do I have a fundamental
    >> misunderstanding on something? Your input is greatly appreciated.


    RA> Fundamental misunderstanding of sorts. All Kerberos does for you
    RA> is handle the authentication. In order to allow a user to log on
    RA> to the system, they still have to have a local account with a
    RA> shell, home directory, etc.

    To elaborate just a bit: Kerberos allows the server to believe that it is
    talking to a particular Kerberos principal, which is a point in a
    namespace entirely separate from the account space of the host itself. The
    decision of what, if any, local resources to allow this principal access
    to is a separate matter. With SSH, you are asking for access to a
    resource (account) that doesn't exist. It doesn't matter who you're
    authenticated as; there's nothing to give you.

    --
    Richard Silverman
    res@qoxp.net
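
An added example (not from any poster) of the account-side checks raised in this thread: a passwd entry for the login name, a shell listed in /etc/shells, and AllowUsers. All file contents are constructed samples, the function names are this sketch's own, and AllowUsers matching is simplified to the user part of each pattern.

```python
# Added example: does a login name map to a usable local account?
import fnmatch

# Constructed sample data: a host with only root and system accounts, as described above.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
"""
SHELLS = "# constructed sample\n/bin/sh\n/bin/csh\n/bin/tcsh\n"
SSHD_CONFIG = "PermitRootLogin yes\nUsePAM yes\n"


def find_account(user, passwd_text):
    """Return the passwd fields for user, or None if there is no entry."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return {"uid": int(fields[2]), "home": fields[5], "shell": fields[6]}
    return None


def resolve_live(user):
    """Same question on a real host: pwd.getpwnam goes through the system's
    name service configuration (files, LDAP, NIS, ...)."""
    import pwd
    try:
        return pwd.getpwnam(user)
    except KeyError:
        return None


def allow_users(sshd_config_text):
    """Collect AllowUsers patterns; an empty list means the directive is unset."""
    patterns = []
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() == "allowusers":
            patterns.extend(fields[1:])
    return patterns


def login_blockers(user, passwd_text, shells_text, sshd_config_text):
    """List the account-side reasons a login would be refused, independent of
    whether the Kerberos password is correct."""
    account = find_account(user, passwd_text)
    if account is None:
        return ["no-account"]            # what sshd reports as "Invalid user"
    blockers = []
    shells = {s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.startswith("#")}
    if account["shell"] not in shells:
        blockers.append("shell-not-listed")
    patterns = allow_users(sshd_config_text)
    # Simplification: only the user part of USER@HOST patterns is compared.
    if patterns and not any(fnmatch.fnmatchcase(user, p.split("@", 1)[0])
                            for p in patterns):
        blockers.append("not-in-allowusers")
    return blockers


if __name__ == "__main__":
    # Both the bare name and the name as typed in the debug log lack an entry.
    for name in ("nod", "nod@test.myrealm.com", "root"):
        print(name, login_blockers(name, PASSWD, SHELLS, SSHD_CONFIG))
```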


  8. Re: Kerberos + SSH question

    On 20 Jun 2006 22:27:38 -0400, "Richard E. Silverman" wrote:

    >>>>>> "RA" == Russ Allbery writes:

    >
    > RA> Nod writes:
    > >> As for the user, no, it doesn't exist on the box. This might be
    > >> where I'm running into a problem. Right now, this box only has its
    > >> root user and various system accounts on it. Here's what I'm trying
    > >> to do:

    >
    > >> - Set up kerberos users for my various support techs. This is done,
    > >> and I can kinit from the servers as those users.

    >
    > >> - Allow the kerberos users login access to the servers, and
    > >> eventually, sudo access. Right now, I've not added any local users
    > >> to the servers themselves, as I was under the impression that
    > >> having them in Kerberos would make them a 'virtual' user of sorts.

    >
    > >> Am I missing something here, or do I have a fundamental
    > >> misunderstanding on something? Your input is greatly appreciated.

    >
    > RA> Fundamental misunderstanding of sorts. All Kerberos does for you
    > RA> is handle the authentication. In order to allow a user to log on
    > RA> to the system, they still have to have a local account with a
    > RA> shell, home directory, etc.
    >
    >To elaborate just a bit: Kerberos allows the server to believe that it is
    >talking to a particular Kerberos principal, which is a point in a
    >namespace entirely separate from the account space of the host itself. The
    >decision of what, if any, local resources to allow this principal access
    >to is a separate matter. With SSH, you are asking for access to a
    >resource (account) that doesn't exist. It doesn't matter who you're
    >authenticated as; there's nothing to give you.


    Well, this makes a lot more sense now. Would you happen to know where I could
    find a good guide for integrating LDAP with ssh? I've been over a bunch of them,
    and just keep getting more confused by LDAP the more I read.

  9. Re: Kerberos + SSH question

    none@nospam.none (Nod) writes:

    Hello,

    >>To elaborate just a bit: Kerberos allows the server to believe that it is
    >>talking to a particular Kerberos principal, which is a point in a
    >>namespace entirely separate from the account space of the host itself. The
    >>decision of what, if any, local resources to allow this principal access
    >>to is a separate matter. With SSH, you are asking for access to a
    >>resource (account) that doesn't exist. It doesn't matter who you're
    >>authenticated as; there's nothing to give you.

    >
    > Well, this makes a lot more sense now. Would you happen to know where
    > I could find a good guide for integrating LDAP with ssh? I've been
    > over a bunch of them, and just keep getting more confused by LDAP the
    > more I read.


    You don't have to use LDAP for the accounts service; you can
    authenticate via Kerberos and then use the /etc/passwd.

    Regards,

    Sebastian

  10. Re: Kerberos + SSH question

    On 2006-06-22 19:41:31 +0200, none@nospam.none (Nod) said:

    > Well, this makes a lot more sense now. Would you happen to know where I could
    > find a good guide for integrating LDAP with ssh? I've been over a bunch
    > of them, and just keep getting more confused by LDAP the more I read.


    As a replacement of NIS, and as a good practice against rsync'ing
    /etc/{passwd, shadow} (yes, I've seen that...), you might take a look
    at the PADL documentation (name server switch ldap module). It has
    nothing to do with ssh though.

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  11. Re: Kerberos + SSH question

    On Thu, 22 Jun 2006 21:22:53 +0200, Sebastian Hanigk wrote:

    >none@nospam.none (Nod) writes:
    >
    >Hello,
    >
    >>>To elaborate just a bit: Kerberos allows the server to believe that it is
    >>>talking to a particular Kerberos principal, which is a point in a
    >>>namespace entirely separate from the account space of the host itself. The
    >>>decision of what, if any, local resources to allow this principal access
    >>>to is a separate matter. With SSH, you are asking for access to a
    >>>resource (account) that doesn't exist. It doesn't matter who you're
    >>>authenticated as; there's nothing to give you.

    >>
    >> Well, this makes a lot more sense now. Would you happen to know where
    >> I could find a good guide for integrating LDAP with ssh? I've been
    >> over a bunch of them, and just keep getting more confused by LDAP the
    >> more I read.

    >
    >You don't have to use LDAP for the accounts service; you can
    >authenticate via Kerberos and then use the /etc/passwd.
    >
    >Regards,
    >
    >Sebastian


    Indeed, but I'm trying to avoid deploying updated passwd files to 100+ servers.

  12. Re: Kerberos + SSH question

    none@nospam.none (Nod) writes:

    Hello,

    >>You don't have to use LDAP for the accounts service; you can
    >>authenticate via Kerberos and then use the /etc/passwd.
    >>
    >>Regards,
    >>
    >>Sebastian

    >
    > Indeed, but I'm trying to avoid deploying updated passwd files to 100+
    > servers.


    Sure, I haven't read the (grand-)parent posts until now ...

    At my workplace we're currently switching to LDAP for distribution of
    user data and Kerberos for authentication; I would recommend the PADL
    homepage as one other poster already has.

    If one runs NIS on the network, I believe there is the possibility of
    switching to Kerberos for authentication while still using NIS for the
    name services.

    Regards,

    Sebastian

  13. Re: Kerberos + SSH question

    Sebastian Hanigk writes:

    > If one runs NIS on the network, I believe there is the possibility of
    > switching to Kerberos for authentication while still using NIS for the
    > name services.


    Yup, we did this for years before switching to LDAP.

    --
    Russ Allbery (rra@stanford.edu)

  14. Re: Kerberos + SSH question


    >At my workplace we're currently switching to LDAP for distribution of
    >user data and Kerberos for authentication; I would recommend the PADL
    >homepage as one other poster already has.


    Thanks, you can do this and even use Kerberos to authenticate the
    name service lookups themselves.

    But there are other options, too: many Unix vendors ship their own
    LDAP name service client, some of which might support Kerberos.

    -- Luke

    --
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

