Network, Kerberos and openssh on F12

Firstly we need to deactivate the nastiness that is NetworkManager and switch to configuring the network interface so that it comes up at boot time and uses DHCP to get an address and DNS configuration. This is done by using the system-config-network tool as root and doing an “Edit” on the eth0 device. After finishing the alterations the networking needs restarting with /etc/init.d/network restart

To make sure this continues to work after a reboot, as root, do:

chkconfig --levels 2345 NetworkManager off
chkconfig --levels 2345 network on

As well as this, to get the machine to have the correct hostname and domain name, I had to edit /etc/hosts to look like:

127.0.0.1   localhost
::1         localhost
129.215.24.207 bowmore.inf.ed.ac.uk bowmore

and set the domainname like:

domainname inf.ed.ac.uk

The next step is to start using kerberos for authentication and LDAP for user info. That is done using the system-config-authentication tool, again as root. The LDAP base DN is dc=inf,dc=ed,dc=ac,dc=uk and I used ldap://infdir.inf.ed.ac.uk for the server.

For kerberos authentication the realm is INF.ED.AC.UK, I didn’t list any KDCs but rather ticked both options to use DNS. The admin server is kdc.inf.ed.ac.uk:749.

If you don’t have AFS available then on the “Options” tab you probably want to select “Create home directories on first login”.

I can never be bothered with typing in my password all the time so the next step is to get kerberos up and running and then configure openssh appropriately. Nicely Fedora finally includes all the patches provided by Simon which we have been applying locally for years so no rebuilding is necessary.

The next step is to grab the hostclient and host principals for the specific machine. If it is a new machine you will need to create it first, if it already exists then (as root) you can do something like:

kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab host/foo.inf.ed.ac.uk'
kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab hostclient/foo.inf.ed.ac.uk'

You can now configure openssh to work like a normal DICE machine. You will need to copy over /etc/ssh/ssh_config and /etc/ssh/sshd_config to your f12 machine. Note that the daemon config file is only visible by root. After reconfiguration restart the sshd.

It should now be possible to ssh in without a password!

Comments are closed.