No extra configuration is needed if you are only using the openssh-client.
openssh-server
If you are planning on using the above openssh-server in kerberized mode then
you will need to
1) edit your /etc/ssh/sshd_config,
2) create a /etc/krb5.keytab,
3) run authconfig and select kerberos
4) edit /etc/pam.d/system-auth after running authconfig
---
1) The following settings in /etc/ssh/sshd_config will allow only kerberized
incomming sessions
----------------
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
KerberosTgtPassing yes
X11Forwarding yes
UsePrivilegeSeparation no
Subsystem sftp /usr/local/libexec/sftp-server
GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredcache yes
GssapiCleanupCreds yes
------------------
---
2) Follow your sites instructions for creating a krb5.keytab
---
3) Pretty self explanitory. run /usr/sbin/authconfig and on the second screen you
select kerberos.
---
4) After you run authconfig and setup things for kerberos, you are going to find a
line in /etc/pam.d/system-auth that looks like
You need to delete the whole line. This is an extra line of security beyond the
authentication. This extra authentication can cause false negatives and lock people
out of accounts when they have valid credentials. It has been analyzed at Fermilab
and ruled that this extra authentication is not needed.
-----------
These rpm's were provided by Fermilab.
