# network logins

## melts

Hey, I need some help :Very Happy:

I've started a pilot program where I work to install Linux on desktops. I'm at an Australian high school as the sole IT lackey and I wanted to do something different, so I've done this.

Since this isn't the first time I've installed Gentoo, I've done all the initial stuff and got a working PC; everything is cool :Cool:

But now I have to choose a login system that will work for, ideally, the entire school, and I haven't covered a lot in Linux network logins :/

PAM + Kerberos seemed good, but I can't compile pam_krb5 (note: I had to compile mit-krb5 during stage two since heimdal-0.6 wouldn't compile, and still won't :Confused: )

On top of that, I've seen one mention of using a program to interface a Windows domain with something Kerberised, but it was brief and lacked any info; I could have even misunderstood what he was interfacing.

The school has a Windows 2000 domain controller and some 600 users in the AD. While it doesn't bother me so much if I can't use the Windows controller to do the authentication, it'd certainly help things along.

I also have a Gentoo box doing firewall stuff that can happily run any auth daemons as required.

I'm intending to write the whole project up for other schools to use (I'm hoping I can get a bit of a job change, being an in-house Linux implementer :Wink: ) as well as convince the department that it can be done. I'll happily post the howto here once I have a working one; no doubt handy, as it seems pretty hard to find a full guide to Kerberos authentication systems.

Anyway, I'm after some help to figure out why the PAM component won't compile, and any info people have on what they might have done so I can start building a login system. (Oh, and if anyone thinks I should be using something like RADIUS instead, post that up too; I don't know if Kerberos is the way to go yet.)

----------

## Grathol

I had trouble compiling Heimdal as well. Ended up with mit-krb5, not that I really care. Here's how to compile pam_krb5:

https://bugs.gentoo.org/show_bug.cgi?id=35059

I'm also in the middle of working on a project like this to enable a common set of logins in both web applications and for SSH logins to a set of machines. A good explanation of all the underlying technologies can be found here:

http://www.linuxgeek.net/index.pl/authentication

I haven't had much luck getting the PAM modules to properly allow users in the Kerberos database to connect, so if you make any progress with that, please post :Smile: I'll do the same.

----------

## melts

Well, going along I've snagged another problem, but I got pam_krb5 compiled and working at least.

`emerge mod_auth_kerb-4.11` just seems to fall over for me, and the bug isn't listed yet. Rather, a new version is talked about, but they seem to have copyright problems :/

```
emerge -v mod_auth_kerb

Calculating dependencies ...done!
>>> emerge (1 of 1) net-www/mod_auth_kerb-4.11 to /
>>> md5 src_uri ;-) mod_auth_kerb-4.11.tar.gz
>>> Unpacking source...
>>> Unpacking mod_auth_kerb-4.11.tar.gz to /var/tmp/portage/mod_auth_kerb-4.11/work
 * Applying mod_auth_kerb_register.patch...    [ ok ]
>>> Source unpacked.
/usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O3 -march=pentium4 -funroll-loops -pipe -fomit-frame-pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2  -DAPXS2 -DKRB5 -DKRB5_SAVE_CREDENTIALS -DKRB_DEF_REALM=\"MANDURAHHS.WA.EDU.AU\"  -c -o mod_auth_kerb.lo mod_auth_kerb.c && touch mod_auth_kerb.slo
mod_auth_kerb.c:379:23: missing terminating " character
mod_auth_kerb.c:380:60: missing terminating " character
apxs:Error: Command failed with rc=65536
.
!!! ERROR: net-www/mod_auth_kerb-4.11 failed.
!!! Function src_compile, Line 27, Exitcode 1
!!! (no error message)
```

I thought it had to do with the `\"MANDURAHHS.WA.EDU.AU\"` section, but taking out the `\"` (yeah, I know why the `\` is there, to stop problems like this :Razz: ) does nothing.

I have been looking at Samba PDC work too, and I might have a test to see if it'd work like that; that would surely be good (but then I have to find out if Samba can authenticate users from a realm; last time I used it, it needed a separate passwd file :/).

----------

## Grathol

Samba I think still uses a separate password file (hence the 'smbpasswd' utility).

As far as emerging mod_auth_kerb goes, this is what I had to do (as root, with my working directory as /root/):

```
1.  emerge -f mod_auth_kerb
2.  cp /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz /root/
3.  tar -xvzf mod_auth_kerb-4.11.tar.gz
4.  cd src/modules/kerberos
5.  vi mod_auth_kerb.c
6.  Remove the extra newline at/around line 380
7.  :wq
8.  cd
9.  tar cvzf mod_auth_kerb-4.11.tar.gz src/*
10. cp mod_auth_kerb-4.11.tar.gz /usr/portage/distfiles/
11. md5sum -b /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz > /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
12. ls -lta /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz
13. Record the file size (in bytes)
14. vi /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
15. Format the line in the following manner:
    MD5 96be90c0e037571a57298d23c73f3ddf mod_auth_kerb-4.11.tar.gz 14025
    "MD5" is static, "mod_auth_kerb-4.11.tar.gz" is the name of the file,
    and "14025" is the file size (in bytes)
16. emerge --resume mod_auth_kerb
```

Hope this helps. I still haven't made any progress on figuring out how to use PAM to authenticate Kerberos SSH logins without necessarily having a local account on the machine; any experience with something like this?

----------
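
Steps 11 to 15 above are the point where a hand-patched distfile gets re-admitted by Portage: the digest file has to match the new tarball or the emerge is refused. As an added example, not from Grathol's post and not Portage's own code, the shell script below does that bookkeeping with functions: it emits a digest line in the `MD5 <hash> <file> <size>` format the post describes, checks a file against a recorded line, and repacks a constructed stand-in tarball (the directory layout copies the post, the C file contents are made up, and dropping blank lines stands in for the manual vi edit) so you can see the old line stop verifying and the new one pass. Two caveats a practitioner should keep in mind: gzip records a timestamp, so repacking identical contents already changes the MD5, which is why the digest is regenerated rather than reused; and a matching MD5 is a corruption check, not authentication of the upstream source, so keep the pristine tarball and diff your edit against it. Current Portage keeps these records in `Manifest` files with SHA512 and BLAKE2B instead of MD5, but the workflow of "change the distfile, regenerate the record" is the same.

```sh
#!/bin/sh
# Added example (not from the thread): regenerate and check a Portage-1 style
# "digest-<pkg>" line after hand-patching a distfile, as in the steps above.
# The tarball and the C file inside it are constructed for the demo.
set -eu

# digest_line FILE -> "MD5 <md5hex> <basename> <size-in-bytes>"
# This is the line format described in step 15.
digest_line() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf 'MD5 %s %s %s\n' "$sum" "$(basename "$1")" "$size"
}

# verify_digest FILE EXPECTED_LINE -> exit 0 if FILE still matches the
# recorded line (hash, name and size must all agree), 1 otherwise.
verify_digest() {
    [ "$(digest_line "$1")" = "$2" ]
}

# repack_patched TARBALL FILE_IN_TARBALL
# Unpack into a scratch directory, drop blank lines from the named file
# (stand-in for the manual edit), repack under the same name and print the
# new digest line. The original is replaced only once the new archive exists.
repack_patched() {
    case $1 in /*) tarball=$1 ;; *) tarball=$PWD/$1 ;; esac
    inner=$2
    scratch=$(mktemp -d)
    tar -xzf "$tarball" -C "$scratch"
    grep -v '^$' "$scratch/$inner" > "$scratch/$inner.fixed"
    mv "$scratch/$inner.fixed" "$scratch/$inner"
    ( cd "$scratch" && tar -czf "$tarball.new" src )
    mv "$tarball.new" "$tarball"
    rm -rf "$scratch"
    digest_line "$tarball"
}

# demo: build the constructed tarball, record its digest, patch and repack it,
# then show that the old line no longer verifies while the new one does.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/modules/kerberos"
    # constructed file: a stray blank line inside a declaration
    printf 'static const char *realm =\n\n    "EXAMPLE.REALM";\n' \
        > "$work/src/modules/kerberos/mod_auth_kerb.c"
    ( cd "$work" && tar -czf mod_auth_kerb-4.11.tar.gz src )
    old=$(digest_line "$work/mod_auth_kerb-4.11.tar.gz")
    new=$(repack_patched "$work/mod_auth_kerb-4.11.tar.gz" src/modules/kerberos/mod_auth_kerb.c)
    echo "old: $old"
    echo "new: $new"
    if verify_digest "$work/mod_auth_kerb-4.11.tar.gz" "$old"; then
        echo "old digest still verifies (unexpected)"
        rm -rf "$work"
        return 1
    fi
    if verify_digest "$work/mod_auth_kerb-4.11.tar.gz" "$new"; then
        echo "new digest verifies"
    else
        echo "new digest does not verify (unexpected)"
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
}

demo
```

To apply it to a real distfile, point `repack_patched` at the copy in `/usr/portage/distfiles/` and write the printed line into the package's `digest-` file (steps 10 to 15); with current Portage, `ebuild <pkg>.ebuild manifest` does the same regeneration for you.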

## melts

Thanks for that; up till now I didn't know quite how you could go about editing an ebuild. Would be handy if there were an option to prevent compilation work deletion on errors so you could just edit it and then resume (but then maybe that exists and I just don't know it).

I'm looking at Kerberos auth systems now, but treading slowly as I don't want to break the current domain I have; it looks like I'm going to run all the Linux systems on a separate VLAN just to avoid these problems.

As a bit of advice from what I gleaned from setting up One Time Passwords, sshd seems to act reasonably weird with authentications, and I could enter my username, leave the first password field blank and send that, and -then- get the OTP (S/Key) password prompt. If you have a user in your Kerberos realm but not on your test box, try logging in and leave the password blank at first, and see what it prompts you for.

I haven't figured out how to shuffle what PAM it uses first, but /etc/ssh/sshd_config has all the config options in order:

```
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes
```

Could it be the order of the file dictates what it asks for first?

I'll probably hack up a Kerberos auth system today since these machines are now on their VLAN; hopefully I'll have results.

This is the link to the OTP too, in case you want to look at what's being done there: https://forums.gentoo.org/viewtopic.php?p=968053#968053

----------
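
On the ordering question: sshd does not try methods in the order keywords appear in `sshd_config`. For each keyword it takes the first uncommented occurrence and otherwise its compiled-in default (a commented line only documents that default), and which prompt the user sees first is negotiated from the client's `PreferredAuthentications` list against the methods the server has enabled. What file order does decide is which of two conflicting lines wins. As an added example, not from the post and not OpenSSH's own code, the script below resolves the effective value of each login-related keyword in the excerpt above (the config text is a constructed copy of that excerpt) and reports whether a typed password can still reach sshd, either through `PasswordAuthentication` or, as the comment in the file warns, through PAM keyboard-interactive when `UsePAM` and `ChallengeResponseAuthentication` are both on. A second constructed config shows the same check with both password paths off and GSSAPI (ticket-based Kerberos, no password typed at the SSH prompt) on. It reads only the global section, stopping at any `Match` block, and does not handle the `Keyword=value` spelling.

```sh
#!/bin/sh
# Added example (not from the thread): resolve the effective sshd_config
# values for the login-related keywords and say whether a typed password can
# still reach sshd. Both config files are constructed inside this script.
set -eu

# effective_option CONFIG KEYWORD DEFAULT
# sshd uses the first uncommented occurrence of a keyword; a commented line
# only documents the compiled-in default, so DEFAULT is returned when no live
# line exists. Keywords are case-insensitive. Stops at the first Match block.
effective_option() {
    val=$(awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# password_login_reachable CONFIG -> "yes (...)" or "no"
# A password can be typed at login either directly (PasswordAuthentication)
# or via PAM keyboard-interactive (UsePAM + ChallengeResponseAuthentication).
password_login_reachable() {
    pw=$(effective_option "$1" PasswordAuthentication yes)
    cr=$(effective_option "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_option "$1" UsePAM no)
    if [ "$pw" = yes ]; then
        echo "yes (PasswordAuthentication)"
    elif [ "$pam" = yes ] && [ "$cr" = yes ]; then
        echo "yes (PAM keyboard-interactive)"
    else
        echo "no"
    fi
}

# report CONFIG: one line per keyword that matters here, with OpenSSH defaults
report() {
    for kw in PasswordAuthentication:yes PermitEmptyPasswords:no \
              ChallengeResponseAuthentication:yes KerberosAuthentication:no \
              GSSAPIAuthentication:no UsePAM:no; do
        printf '%-32s %s\n' "${kw%%:*}" "$(effective_option "$1" "${kw%%:*}" "${kw##*:}")"
    done
    printf '%-32s %s\n' "password login reachable" "$(password_login_reachable "$1")"
}

# Constructed config 1: the live and commented lines from the post's excerpt.
write_posted_config() {
    cat > "$1" <<'EOF'
#PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication yes
#KerberosAuthentication no
#GSSAPIAuthentication no
UsePAM yes
EOF
}

# Constructed config 2: both password paths off, Kerberos tickets via GSSAPI.
write_hardened_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
EOF
}

demo() {
    tmp=$(mktemp)
    write_posted_config "$tmp";   echo "== as posted";    report "$tmp"
    write_hardened_config "$tmp"; echo "== passwords off"; report "$tmp"
    rm -f "$tmp"
}

demo
```

Run it against the real file with `report /etc/ssh/sshd_config` to see the values sshd actually uses; in the posted excerpt the commented `#PasswordAuthentication yes` still means yes, so a blank password followed by a second prompt is the PAM keyboard-interactive path taking over after plain password auth fails.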

## gsurbey

Thank you, Grathol!

The ebuild for mod_auth_kerb needs fixing, so I posted the bug at https://bugs.gentoo.org/show_bug.cgi?id=91313

Also, because of new extra security in Portage, you'll have to

```
ebuild /usr/portage/net-www/mod_auth_kerb/mod_auth_kerb-4.11.ebuild digest
```

BTW, here's a nice HowTo: https://forums.gentoo.org/viewtopic-t-205972.html

----------

