announcement The content of this page is collected from Linux Forum, All copyrights and other associated rights are reserved by the original authors of the articles.
Secure clustering: kerberos issues
Subject: Secure clustering: kerberos issues
Author: Sensei    Posted: 2004-08-25 10:28:28    Length: 911 byte(s)
Hi. I've set up a secure cluster, but now I'm facing some issues about
kerberos 5 / AFS and ssh: simply, ticket/token forwarding with
passwordless login doesn't work... so I'm looking for a different solution.

I have a central server A and 8 clients A1 .. A8. A is on a public ip
and A? are on a private network, unreachable from outside the network.
I'd like to use ssh for parallel calculus but since it doesn't work,
would you enable kerberized versions of rlogin, rsh, telnet and rcp?
Anyway, are those applications secure? Or, in other words, is the
password sent in some encrypted way, or better, do they use kerberos
authentication directly?


--
Sensei [mailto:senseiwa@tin.it]

The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow is monday". (Gustave Flaubert)

Subject: Secure clustering: kerberos issues
Author: P Gentry    Posted: 2004-08-25 16:51:35    Length: 2,327 byte(s)
Sensei [noone@nowhere.org] wrote in message news:[2p3t1dFg7v8hU1@uni-berlin.de]...
QUOTE
Hi. I've set up a secure cluster, but now I'm facing some issues about
kerberos 5 / AFS and ssh: simply, ticket/token forwarding with
passwordless login doesn't work... so I'm looking for a different solution.

I have a central server A and 8 clients A1 .. A8. A is on a public ip
and A? are on a private network, unreachable from outside the network.
I'd like to use ssh for parallel calculus but since it doesn't work,
would you enable kerberized versions of rlogin, rsh, telnet and rcp?
Anyway, are those applications secure? Or, in other words, is the
password sent in some encrypted way, or better, do they use kerberos
authentication directly?

Your present setup and your needs are somewhat vague at my end -- I'm
cluster challenged ...

It sounds like you want secure, remote access to the cluster.
Especially if you know where the remote access will be from, I think
you need to look at VPN -- it's not restricted to use across the
internet ;-)

You might look at this (dated) article where VPN is used to
connect/combine two clusters.
http://www.linuxjournal.com/article.php?sid=6142

Googling showed a number of setups using VPN for remotely
combining/accessing clusters -- all very specific, so you should look
for yourself.

Kerberizing a setup/app on your own is "challenging" and time
consuming.  If ssh doesn't give you what you need then Kerberized
versions of the others won't either.  They all work at the app level
-- the nice thing about VPN is that it connects _networks_ securely
and allows you to use whatever apps you need.

Google provides:
52,100 English pages for
linux vpn cluster

7,240 English pages for
linux vpn parallel cluster

Refine as needed ...

hth,
prg
email above disabled

Subject: Secure clustering: kerberos issues
Author: Sensei    Posted: 2004-08-27 03:41:45    Length: 1,519 byte(s)
P Gentry wrote:
QUOTE
It sounds like you want secure, remote access to the cluster.
Especially if you know where the remote access will be from, I think
you need to look at VPN -- it's not restricted to use across the
internet ;-)

As said, the clients are on a VPN.

QUOTE
Kerberizing a setup/app on your own is "challenging" and time
consuming.  If ssh doesn't give you what you need then Kerberized
versions of the others won't either.  They all work at the app level
-- the nice thing about VPN is that it connects _networks_ securely
and allows you to use whatever apps you need.

Yes, but my question was: would you use telnet or rsh? Kerberos gives in
the standard installation the kerberized replacement for telnet, rsh,
rlogin...

Moreover, I have to gain AFS tokens, and I do it with
pam_openafs_session. Would it work with rlogin/rsh?

--
Sensei [mailto:senseiwa@tin.it]

The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow is monday". (Gustave Flaubert)

Subject: Secure clustering: kerberos issues
Author: P Gentry    Posted: 2004-08-27 10:41:22    Length: 4,349 byte(s)
Sensei [noone@nowhere.org] wrote in message news:[2p8dupFh1pifU1@uni-berlin.de]...
QUOTE
P Gentry wrote:
It sounds like you want secure, remote access to the cluster.
Especially if you know where the remote access will be from, I think
you need to look at VPN -- it's not restricted to use across the
internet ;-)

As said, the clients are on a VPN.

(Open)SSH and (Open)VPN are different beasts completely though with
some similarities (both use ssl).

QUOTE
Kerberizing a setup/app on your own is "challenging" and time
consuming.  If ssh doesn't give you what you need then Kerberized
versions of the others won't either.  They all work at the app level
-- the nice thing about VPN is that it connects _networks_ securely
and allows you to use whatever apps you need.

Yes, but my question was: would you use telnet or rsh? Kerberos gives in
the standard installation the kerberized replacement for telnet, rsh,
rlogin...

Moreover, I have to gain AFS tokens, and I do it with
pam_openafs_session. Would it work with rlogin/rsh?

Sorry ... I didn't fully appreciate your setup/needs in first reply --
duh ;-)
I would first suggest you check with :-)
comp.protocols.kerberos
http://groups.google.com/groups?hl=en&lr=l...tocols.kerberos
This is where X-posting is OK -- much preferred to multi-posting ...

It's been quite a while since I played with this stuff, but
ssh/kerberos/afs _should_ work.  In the past couple of years people
have sorted out the problems much better, and I _think_ you can find
the correct means to get you going.

But ... (as always)

If you need to get up quickly and feel the kerberized rlogin/rsh will
provide for your needs, it may be the way to go -- at least to start.
If you or only a small number of people require access it very well
could be sufficient.  If the number of people and other authentication
requirements grow you _probably_ want to consider using a ssh remote
access.

There are some incompatibilities and configs that must be worked out.
Since I'm so rusty as to get you into more trouble than not, I suggest
this Google web search:
"kerberos 5" + AFS ssh ticket token forward   
"kerberos 5" + AFS krsh ticket token forward
"kerberos 5" + AFS krsh krlogin

Also check out MIT Kerberos, eg,
http://www.cmf.nrl.navy.mil/CCS/people/ken...aq.html#v5vsafs
http://www.cmf.nrl.navy.mil/CCS/people/ken...aq.html#kerbafs

Most all seem useful to some degree -- much will depend on your
specific software/net setup.  It _is_ a pain to get these working, but
is worth the trouble.

Using kerberized rlogin/rsh used to be used because getting the
ssh/kerberos/afs tickets and tokens authenticated and passed around
correctly (and "transparently") was _very_ problematic -- think today
there are reasonable ways to get it working.

Your best bet is to get on one of the mailing lists -- OpenAFS ? --
with some specifics.  You will need some concrete, hands-on experience
from someone who can diagnose your setup -- there are innumerable ways
of getting it wrong :-(

Ah, and almost forgot -- we used to get bitten when first setting up
because of inadequate ntp/clock updating -- so many things to keep an
eye on ... ;-)

good luck,
prg
email above disabled
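
Added example (not part of the original posts): two checks that bear on the forwarding and clock problems discussed above, run here against constructed data. It assumes `klist -f` output in the MIT Kerberos layout and a clock-skew tolerance of 300 seconds; the principal, realm, host names and function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: checks to run before blaming ssh/rsh for failed forwarding.

# Constructed `klist -f` output in MIT Kerberos layout; the principal, realm
# and host names are placeholders.
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/27/04 10:00:00  08/27/04 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 09/03/04 10:00:00, Flags: FRIA
08/27/04 10:05:00  08/27/04 20:00:00  host/a1.example.org@EXAMPLE.ORG
        Flags: FA
EOF
}

# Read `klist -f` output on stdin; print the flag letters of the TGT
# (the krbtgt/... entry), or nothing when no TGT is cached.
tgt_flags() {
    awk '
        /^[^ \t]/ { in_tgt = ($NF ~ /^krbtgt\//); next }   # new cache entry
        in_tgt && match($0, /Flags: [A-Za-z]+/) {          # continuation line
            print substr($0, RSTART + 7, RLENGTH - 7); exit
        }'
}

# Succeed only if the TGT carries "F" (forwardable); without it the client
# has nothing it is allowed to forward to the next node.
tgt_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH [MAX_SECONDS]
# Succeed if two clocks differ by no more than MAX_SECONDS (assumed 300,
# the usual Kerberos clock-skew tolerance).
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "${3:-300}" ]
}

sample_klist | tgt_forwardable && echo "TGT is forwardable"
skew_ok 1093603282 1093603700 || echo "clock skew exceeds tolerance"
```
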

Subject: Secure clustering: kerberos issues
Author: Sensei    Posted: 2004-08-30 10:01:27    Length: 3,901 byte(s)
P Gentry wrote:
QUOTE
Sorry ... I didn't fully appreciate your setup/needs in first reply --
duh ;-)
I would first suggest you check with :-)
comp.protocols.kerberos
http://groups.google.com/groups?hl=en&lr=l...tocols.kerberos
This is where X-posting is OK -- much preferred to multi-posting ...

Already did. Seems that ssh is a pretty ugly beast...

QUOTE
It's been quite a while since I played with this stuff, but
ssh/kerberos/afs _should_ work.  In the past couple of years people
have sorted out the problems much better, and I _think_ you can find
the correct means to get you going.

It used to work... now it's a pain :(

QUOTE
If you need to get up quickly and feel the kerberized rlogin/rsh will
provide for your needs, it may be the way to go -- at least to start.
If you or only a small number of people require access it very well
could be sufficient.  If the number of people and other authentication
requirements grow you _probably_ want to consider using a ssh remote
access.


I have few people using the cluster. Should rlogin/rsh fit my needs?
And, will it gain tickets and tokens?

QUOTE
Using kerberized rlogin/rsh used to be used because getting the
ssh/kerberos/afs tickets and tokens authenticated and passed around
correctly (and "transparently") was _very_ problematic -- think today
there are reasonable ways to get it working.

I will also try the rsh way!

QUOTE
Your best bet is to get on one of the mailing lists -- OpenAFS ? --
with some specifics.  You will need some concrete, hands-on experience
from someone who can diagnose your setup -- there are innumerable ways
of getting it wrong :-(

I can set up kerberos + kerberized openafs + openldap in a few hours. The
problem still is to make many clients go from one to another via ssh
without any problem. With debian stable is really straightforward, the
only thing you need is ssh-krb5 --- but with other clients, or better
with something newer than a 2-years-old-distro... well... I wouldn't
post here if it were simple :)

QUOTE
Ah, and almost forgot -- we used to get bitten when first setting up
because of inadequate ntp/clock updating -- so many things to keep an
eye on ... ;-)

We have our time servers for these issues :)
--
Sensei [mailto:senseiwa@tin.it]

The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow is monday". (Gustave Flaubert)
