First i draftet these features, looking for a all-in-one authentication/directory solution to allow users to use singlesignon and some other features:

1. sensitive network-traffic is encrypted
2. mutual authentication of the involved servers and clients
3. use OpenSource software (reusable, auditable, extandable.. no other options than that)

1. verify users on linux/solaris10/hpux/aix/windows to a dir/auth-server
2. resolve uids/gids with the help of a dir/auth-server (nsswitch)
3. restrict in the directory what users can use what services/log on which servers
4. manage sudo-lists in central directory
5. make the dir/auth-server usable to authenticate users on apache (for trac, subversion etc.)
6. provide single sign on (user has to autheticate only one time and can use all services after that)
7. user can change his password on commandline

After some tries the path became clear: OpenLDAP/bind/MIT-kerberos on a server. The common setup in corporations is windows-workplaced hooked into a AD-domain. The setup described here establishes a trust between the AD-server and the OpenLDAP/bind/MIT-kerberos-server, allowing the AD-domain users to use services from the MIT-kerberosrealm like logging in via ssh. Should set this up later using FreeIPA for hosting the LDAP/kerberos services.

With this solution all linux/unix servers are serviced by open software, to ease debugging and operation. Using those components from i.e. RedHat one can get support if needed. Handling of windows-workplaces is done by AD-servers, a crossrealm-setup run by the MIT is apparently supported by Microsoft.

• Setup of the linux-server with MIT-Kerberos (old: handcompiling kerberos)
• Setup and configuration of OpenLDAP (old: handcompiling OpenLdap / pgsql backend / pki)
• Setup and configuration of bind - optional (old: handcompiling bind)
• Configure a rhel5-client to use our ldap/kerberos services
• configure solaris10 to use kerberos
• Configure a WindowsXP-client to use kerberos services (join the realm)
• Setup crossrealm trust MIT-realm <-> AD-domain - users in a AD-domain and can use services from the kerberized applications in the MIT-realm
• Configuring netgroups - restrict what users can log onto which clients
• Setup sudo so it pulls informations from the ldap
• setting up Kerberized apache and linux/windows browser

• slave kdc
• ldap-backend for the kdc

• http://web.mit.edu/kerberos/www/krb5-1.6 - general kerberos docs
• http://www.ofb.net/~jheiss/krbldap/howto.html – Replacing NIS with Kerberos and LDAP HOWTO
• http://directory.fedora.redhat.com/wiki/Howto:Netgroups – netgroups explained
• http://bugzilla.mindrot.org/attachment.cgi?id=1182 – adds GSSAPIStrictAcceptorCheck: allow more than one hostname with ssh
• http://www.cromwell-intl.com/unix/kerberos.html – joining unix/linux-boxes into a AD-domain (principal generation)
• http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html – the kerberos faq
• http://www.ietf.org/rfc/rfc4120.txt – the kerberos protocoll explained, current rfc
• http://www.ibm.com/developerworks/db2/library/techarticle/dm-0809govindarajan/ – setting up a kdc and app-interaction

• http://freeipa.org/ – nice replacementproject offering ldap/kerberos/radius in one place, pushed by red hat - great stuff!
• http://www.likewisesoftware.com/products/likewise_open/ - likewise open joins linux into AD-domains, konfigures kerberos etc. and caches userpasswords for logins withou AD-servers reachable
• http://www.pgina.org/ – pGina - free authentication-framework for windows - enables pure ldap-auth, nis etc.
• http://rc.quest.com/topics/putty – quest putty - another windows-kerberos ssh-client
• http://www.alphaworks.ibm.com/tech/nasgui – a gui from ibm for managing kerberos-principals

• http://www.usenix.org/events/lisa-nt2000/hill/hill_html/ – presentation in MITs crossrealm setup
• http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx – procedures for interaction MIT-kdc ↔ AD-domain
• http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx?mfr=true – ms explains trusts
• http://www-128.ibm.com/developerworks/aix/library/au-kerbauthent - winclients on ibm-kdc
• http://freshmeat.net/projects/pam_krb5_migrate – change passwords i.e. both in ldap and kerberos, slowly filling the kerberos-db
• http://sweb.cz/v_t_m/ – putty + gssapi-patches
• http://sourceforge.net/projects/sc-ap – windows can auth directly at a kerberos-KDC, with this it can also get the other userinfo from an ldap-server
• http://calnetad.berkeley.edu/documentation/test_environment/kerb_interop_trip-ups.html – notes on MIT-kdc ↔ AD-domain interop
• http://www.windowsdevcenter.com/pub/a/windows/excerpt/swarrior_ch14/index1.html – explanation of crossrealm ticketflow

• http://wiki.samba.org/index.php/Samba4 – samba4 roadmap, will directly emulate an AD-server. Now part of samba 3.x

One can use ”{SASL}<user>@<REALM>” in the “userPassword” attribute of the users so OpenLDAP uses the saslauthd which is configured with Kerberos as backend. Passwordchanging can be done with the pam_krb5 module.

Host with name1.asd.net and name2.def.org dns-named. Create principals host/name1.asd.net and host/name2.def.org, store them in the keytab. Try setting 'GSSAPIStrictAcceptorCheck no' in sshd_config (this enables sshd to use the principal with name different from the hostname). Also this patch can be used with OpenSSH: http://scripts.mit.edu/trac/browser/trunk/server/common/patches/openssh-5.0p1-multihomed.patch?format=txt . Link from freeipa-mailinglist. Quest is also distributing an OpenSSH-version with such a patch.