There are also system-config tools that simplify this procedure.
# hostname must be the fqdn because it is the name used in the host/ principal further down
vi /etc/sysconfig/network # set HOSTNAME to fqdn, here rhel5.fluxcoil.net
# resolver: search domain plus the nameserver that resolves fed10 / sid64
cat >/etc/resolv.conf <<EOT
domain fluxcoil.net
nameserver 10.0.22.19
EOT
# openldap client defaults: directory URI, search base, and the CA the server cert is checked against
cat >/etc/openldap/ldap.conf <<EOT
URI ldap://fed10.fluxcoil.net
BASE dc=fluxcoil,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
EOT
# this file is the TLS trust anchor for every ldap connection from this host
# NOTE(review): the copy is only as trustworthy as fed10's ssh host key; confirm that key
# (or the cert fingerprint) out of band before relying on it
scp fed10:/etc/pki/tls/cacert.pem /etc/openldap/cacerts/ # copy the cacert over from the directory-server
# nss_ldap / pam_ldap settings
# NOTE(review): the ldap host here is sid64, while ldap.conf above points at fed10 — confirm both are intended
vi /etc/ldap.conf
----------------------------------
host sid64.fluxcoil.net
base dc=fluxcoil,dc=net
# pam_ldap group check: logins are limited to the memberUid entries of this group
pam_groupdn cn=server0,ou=logins,dc=fluxcoil,dc=net
pam_member_attribute memberUid
# hash scheme used when pam_ldap changes a password in the directory
# NOTE(review): md5 is a legacy scheme; check which stronger schemes the directory server accepts
pam_password md5
# STARTTLS on the plain ldap port; tls_checkpeer yes means an unverifiable server cert aborts the connection
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
----------------------------------
# name service order: local files first, then ldap (hosts also try dns before ldap)
vi /etc/nsswitch.conf
----------------------------------
passwd: files ldap
group: files ldap
hosts: files dns ldap
----------------------------------
# check it: ldap users and groups should now appear alongside the local ones
getent passwd
getent group
yum install krb5-workstation
# kerberos client config: realm FLUXCOIL.NET, KDC and admin server both on fed10
vi /etc/krb5.conf
------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FLUXCOIL.NET
# NOTE(review): des3-hmac-sha1 (and the des-cbc-crc in the commented line below) are legacy
# enctypes that current krb5 releases disable by default; confirm the KDC still offers them
# before copying this, and prefer an AES enctype where it does
default_etypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
default_tgs_enctypes = des3-hmac-sha1
# realm and KDC come from the [domain_realm] / [realms] sections below, not from DNS records
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# permitted_enctypes = des3-hmac-sha1 rc4-hmac des-cbc-crc
[realms]
FLUXCOIL.NET = {
admin_server = fed10.fluxcoil.net:749
default_domain = fluxcoil.net
kdc = fed10.fluxcoil.net:88
}
[domain_realm]
.fluxcoil.net = FLUXCOIL.NET
fluxcoil.net = FLUXCOIL.NET
[appdefaults]
pam = {
# validate = true: pam_krb5 verifies the TGT against the host keytab, so a spoofed KDC
# cannot grant a login (the mutual authentication the original note refers to)
# NOTE(review): krb5.conf treats '#' as a comment only at the start of a line; confirm the
# trailing text on the next line is not read as part of the value
validate = true # yes, we want mutual authentication
debug = false
# lifetimes presumably in seconds (36000 = 10h) — confirm against the pam_krb5 docs
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
forwardable = true
}
------------------
# on the ssh-server: generate the host/ principal and store its key in a keytab
kinit chorn/admin
kadmin
> addprinc -randkey host/rhel5.fluxcoil.net
> ktadd -k /etc/krb5.tab host/rhel5.fluxcoil.net
# NOTE(review): the keytab holds the host's long-term key — keep it root-only (mode 0600);
# sshd and pam_krb5 read the default keytab (/etc/krb5.keytab) unless KRB5_KTNAME points at /etc/krb5.tab
# configure pam, i.e. call system-config-authentication
# configure sshd with 'GSSAPIAuthentication yes' and 'GSSAPICleanupCredentials yes' and restart it
# now start on a client sshd with 'GSSAPIAuthentication yes' and 'GSSAPICleanupCredentials yes'
# now from some other host 'kinit user0' and you can
# ssh -o'GSSAPIAuthentication yes' -o'GSSAPIDelegateCredentials yes' user0@rhel5
# NOTE(review): GSSAPIDelegateCredentials forwards the user's TGT to rhel5; only delegate to hosts
# trusted with those credentials
# or kerberized telnet...
# debugging:
# ktutil - show principals in keytabs
# kvno - get tickets
# set the hostname to the one mentioned in the principal