[Gllug] LDAP and Kerberos

Daniel P. Berrange dan at berrange.com
Tue Jan 31 18:01:23 UTC 2006


On Tue, Jan 31, 2006 at 05:04:29PM +0000, John Hearns wrote:
> On Tue, 2006-01-31 at 16:23 +0000, John Edwards wrote:
> 
> > 
> > > I mean, I have the impression that has always been here, and now it's 
> > > not as easy as adding pam-kerberos to /etc/pam.d/* and "Voila! Single 
> > > sign on and cental authentication!". 
> > 
> > Not all systems are able to run PAM, and some you would not want to run 
> > PAM (eg Apache). Then you either need to compile with Kerberos support 
> > (eg SSH) or use a module (Apache).

With SSH the situation is 'complicated'. For the simple stuff adding kerberos
to the sshd PAM config file will do the trick, resulting in users being
password authenticated against the kerberos domain. But if you actually compile
OpenSSH with GSSAPI, then the ssh daemon/client will co-operate to automatically
forward kerberos tickets, giving you password-less login.

Yes, you can get similar password-less login with a public key pair & an
ssh agent, however, some organizations may prefer the kerberos tickets since
they can be set to expire after a certain time. The ticket passing is also
useful if you're crazy enough to run AFS.

Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
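The two OpenSSH settings the reply above is describing (GSSAPI authentication on the server, credential delegation on the client), together with a small audit helper for them. This is an added example written for this page, not code from the post or from the OpenSSH project; the configuration texts are constructed samples and the helper names (ssh_option, gssapi_audit) and their output labels are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
#
# Server side (sshd_config): "GSSAPIAuthentication yes" lets sshd accept a
# Kerberos ticket instead of a password. With only pam_krb5 in /etc/pam.d/sshd
# the user still types a password, which is checked against the KDC.
# Client side (ssh_config): "GSSAPIDelegateCredentials yes" forwards the TGT so
# the remote session already holds a ticket (needed for AFS or further hops).
#
# OpenSSH uses the FIRST value it reads for a keyword (see sshd_config(5) and
# ssh_config(5)), so appending "GSSAPIAuthentication yes" to a file that already
# says "no" changes nothing. The helper below takes the first match for the
# same reason. It ignores Host/Match scoping and the "Keyword=value" form;
# both are simplifications of this example.

# Constructed sample configs (assumptions, not files taken from the post).
SAMPLE_SSHD_CONFIG='# sshd_config: the later "yes" never takes effect
GSSAPIAuthentication no
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'

FIXED_SSHD_CONFIG='# sshd_config: GSSAPI login enabled
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
'

SAMPLE_SSH_CONFIG='# ssh_config: authenticate with a ticket and forward the TGT
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

NO_DELEGATE_SSH_CONFIG='# ssh_config: ticket login, but nothing forwarded
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
'

# ssh_option CONFIG_TEXT KEYWORD
# Prints the first value set for KEYWORD (keyword match is case-insensitive,
# value is lower-cased), or "unset" when the keyword does not appear.
# Comment and blank lines are skipped.
ssh_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# gssapi_audit SSHD_CONFIG_TEXT SSH_CONFIG_TEXT
# Prints one of:
#   ticket-login   server accepts GSSAPI and the client forwards its TGT
#   no-delegation  GSSAPI login works, but no ticket lands on the server
#   password-only  GSSAPI is off on one side; login falls back to the
#                  password path (PAM / pam_krb5 on the server)
gssapi_audit() {
    server=$(ssh_option "$1" GSSAPIAuthentication)
    client_auth=$(ssh_option "$2" GSSAPIAuthentication)
    delegate=$(ssh_option "$2" GSSAPIDelegateCredentials)
    if [ "$server" = yes ] && [ "$client_auth" = yes ]; then
        if [ "$delegate" = yes ]; then
            echo ticket-login
        else
            echo no-delegation
        fi
    else
        echo password-only
    fi
}

# Usage: the first pair shows the first-value-wins trap, the second the fix.
echo "broken sshd_config:  $(gssapi_audit "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSH_CONFIG")"
echo "fixed sshd_config:   $(gssapi_audit "$FIXED_SSHD_CONFIG" "$SAMPLE_SSH_CONFIG")"
echo "no delegation:       $(gssapi_audit "$FIXED_SSHD_CONFIG" "$NO_DELEGATE_SSH_CONFIG")"
```

The helper only reads configuration text; it cannot tell whether the ssh/sshd binaries were actually built with GSSAPI support, which is the other condition the reply mentions. On OpenSSH releases that support it, `sshd -T` prints the effective server settings and is the authoritative check for what a running daemon will do.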