Datasheet

“main” (Installation and Administration) 2004/6/25 13:29 page 672 #698
Adjusting the Clock Skew
The clock skew is the tolerance for accepting tickets with time stamps that
do not exactly match the host’s system clock. Usually, the clock skew is set
to 300 seconds (five minutes). This means a ticket can have a time stamp
somewhere between five minutes ago and five minutes in the future from
the server’s point of view.
When using NTP to synchronize all hosts, you can reduce this value to
about one minute. The clock skew value can be set in /etc/krb5.conf
like this:
[libdefaults]
clockskew = 120
Configuring a Kerberos Client with YaST
As an alternative to the manual configuration described above, you can
also use YaST to configure a Kerberos client. To do so, in the YaST Control
Center select ‘Network Services’ ➝ ‘Kerberos Client’. When the dialog has
opened, select ‘Use Kerberos’. To set up a DNS-based client, it is sufficient
to confirm the ‘Basic Kerberos Settings’ as displayed. If your domain does
not support this kind of configuration, provide the correct values for the
‘Default Domain’, the ‘Default Realm’, and the ‘KDC Server Address’ yourself.
Selecting ‘Advanced Settings’ opens another YaST dialog in which to
modify options related to tickets, OpenSSH support, and time synchronization.
The dialog opened with ‘Advanced Settings’ includes all the settings related
to ticket attributes. To forward your complete identity to use your
tickets on other hosts, select ‘Tickets Are Forwardable’. To enable the transfer
of certain tickets only, select ‘Tickets Are Proxiable’. Tickets can be kept
available by a PAM module even after a session has ended by enabling ‘Retain
Tickets’. The ‘Default Ticket Lifetime’ can be specified in days, hours,
or minutes (using the units of measurement d, h, and m, with no blank
space between the value and the unit). To enable Kerberos authentication
support for your OpenSSH client, select the corresponding check box. The
client then uses Kerberos tickets to authenticate with the SSH server.
Exclude a range of user accounts from using Kerberos authentication by
providing a value for the ‘Minimum UID’ that a user of this feature must
have. For instance, you may want to exclude the system administrator
(root). Lastly, use ‘Clock Skew’ to set a value for the allowable difference
between the time stamps and your host’s system time.
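The following is an added example, not code from the SUSE manual, that illustrates two points made above: how the clockskew value in the [libdefaults] section of /etc/krb5.conf bounds the timestamps a host will accept (with 300 seconds as the usual default and 120 seconds as the tightened value), and how a ‘Default Ticket Lifetime’ written as a number plus d, h or m with no blank in between is turned into seconds. The krb5.conf text in the block is constructed; the parser only understands the handful of [libdefaults] keys it needs and is not a replacement for the real Kerberos library's configuration handling.

```python
"""Added example (not from the SUSE manual): read clockskew and ticket
lifetime from a minimal krb5.conf and apply the clock-skew check.

Assumptions: the config text is constructed for the example; only the
[libdefaults] keys default_realm, clockskew, ticket_lifetime, forwardable
and proxiable are interpreted, and a bare number is taken as seconds.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample krb5.conf, using the 120-second skew from the manual.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 120
    ticket_lifetime = 10h
    forwardable = true
    proxiable = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

DEFAULT_CLOCKSKEW = 300  # seconds; the usual default mentioned in the manual


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section as a dict.
    Other sections (for example [realms]) are skipped."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'libdefaults' and '=' in line:
            key, _, val = line.partition('=')
            values[key.strip()] = val.strip()
    return values


def parse_lifetime(spec):
    """Convert a lifetime such as '1d', '10h' or '30m' into seconds.
    The unit must follow the number directly, as the manual requires."""
    m = re.fullmatch(r'(\d+)([dhms]?)', spec.strip())
    if not m:
        raise ValueError(f"bad lifetime: {spec!r}")
    number, unit = int(m.group(1)), m.group(2)
    return number * {'d': 86400, 'h': 3600, 'm': 60, 's': 1, '': 1}[unit]


def clockskew_seconds(libdefaults):
    """The configured clockskew, or the 300-second default when unset."""
    return int(libdefaults.get('clockskew', DEFAULT_CLOCKSKEW))


def within_skew(ticket_time, server_time, skew):
    """True when ticket_time lies within +/- skew seconds of server_time
    (the boundary itself is accepted)."""
    delta = abs((ticket_time - server_time).total_seconds())
    return delta <= skew


def evaluate(conf_text, offset_seconds, now=None):
    """Decide whether a ticket whose time stamp is offset_seconds away from
    the server clock would be accepted under the given configuration."""
    now = now or datetime.now(timezone.utc)
    skew = clockskew_seconds(parse_libdefaults(conf_text))
    ticket_time = now + timedelta(seconds=offset_seconds)
    return within_skew(ticket_time, now, skew)


if __name__ == '__main__':
    ld = parse_libdefaults(SAMPLE_KRB5_CONF)
    print('libdefaults:', ld)
    print('clockskew:', clockskew_seconds(ld), 'seconds')
    print('ticket_lifetime:', parse_lifetime(ld['ticket_lifetime']), 'seconds')
    for offset in (-60, 120, 121, 240):
        print(f'ticket offset {offset:+d}s accepted:', evaluate(SAMPLE_KRB5_CONF, offset))
```

With the sample configuration, a ticket whose time stamp is 120 seconds off is still accepted while one 121 seconds off is rejected; with no clockskew line at all the same check falls back to the 300-second window, which is why the manual's advice to tighten the value only makes sense once NTP keeps the hosts' clocks aligned.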
26.6. Installing and Administering Kerberos