“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 676 — #702
26.6.9 Enabling PAM Support for Kerberos
SUSE LINUX comes with a PAM module named pam_krb5, which supports
Kerberos login and password update. This module can be used by
applications, such as console login, su, and graphical login applications like
KDM, where the user presents a password and would like the authenticating
application to obtain an initial Kerberos ticket on his behalf.
The pam_unix module, too, supports Kerberos authentication and password
update. To enable Kerberos support in pam_unix, edit the file
/etc/security/pam_unix2.conf so it contains the following lines:
auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none
After that, all programs evaluating the entries in this file use Kerberos for
user authentication. For a user that does not have a Kerberos principal,
pam_unix falls back on the normal password authentication mechanism.
For those users who have a principal, it should now be possible to change
their Kerberos passwords transparently using the passwd command.
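
An added example, not part of the original manual: a small Python check that parses a pam_unix2.conf and reports where it departs from the lines shown above. The function names, the treatment of # as a comment marker, and the advisory about nullok are assumptions of this example.

```python
import sys

# Module types that the section above says must carry use_krb5.
REQUIRED = {"auth": {"use_krb5"}, "account": {"use_krb5"},
            "password": {"use_krb5"}}

# Constructed sample: the four lines from the section above.
SAMPLE = """\
auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none
"""

def parse_pam_unix2(text):
    """Map each module type to its option set ('type: opt opt ...')."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if ":" not in line:
            continue
        mtype, _, opts = line.partition(":")
        settings[mtype.strip().lower()] = set(opts.split())
    return settings

def audit(text):
    """Return findings; only 'nullok' notes remain for the page's config."""
    settings = parse_pam_unix2(text)
    findings = []
    for mtype, required in REQUIRED.items():
        opts = settings.get(mtype)
        if opts is None:
            findings.append(f"{mtype}: line missing")
            continue
        for opt in sorted(required - opts):
            findings.append(f"{mtype}: {opt} not set")
        if "nullok" in opts:
            # Advisory only: nullok lets accounts with an empty password in.
            findings.append(f"{mtype}: nullok set, review empty passwords")
    return findings

if __name__ == "__main__":
    # With no argument, audit the constructed SAMPLE instead of a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(text):
        print(finding)
```

Pass /etc/security/pam_unix2.conf as the only argument to audit the live file.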
To make fine adjustments to the way in which pam_krb5 is used, edit the
file /etc/krb5.conf and add default applications to pam. For details,
refer to the manual page with man 5 pam_krb5.
The pam_krb5 module was specifically not designed for network services
that accept Kerberos tickets as part of user authentication. This is an
entirely different matter, which is discussed below.
26.6.10 Configuring SSH for Kerberos Authentication
OpenSSH supports Kerberos authentication in both protocol versions 1 and
2. In version 1, there are special protocol messages to transmit Kerberos
tickets. Version 2 does not use Kerberos directly anymore, but relies on
GSSAPI, the Generic Security Services API. This is a programming
interface that is not specific to Kerberos — it was designed to hide the
peculiarities of the underlying authentication system, be it Kerberos, a
public-key authentication system like SPKM, or others. The GSSAPI library
included in SUSE LINUX supports only Kerberos, however.
26.6. Installing and Administering Kerberos










