[OpenAFS] dynamic hostnames...
Douglas E. Engert
deengert@anl.gov
Thu, 29 Aug 2002 09:03:59 -0500
With a Kerberos login using your password, you need to not only get
the TGT, you need to use the TGT to get a service ticket for the host.
This avoids an attack where the user attacks the machine using a fake
network with a fake KDC.
The pam-login is most likely using the hostname to determine what
is the principal name for the service. Since it most likely does not
have a matching key in the srvtab or keytab file for this principal,
the login will fail.
The pam-login could be changed to request a service ticket for one of
the principals it does have in the srvtab or keytab file. In effect you
would create a service principal for the host not based on its current
DNS name, but on some long term name.
Daniel Swärd wrote:
>
> I've set up a Debian workstation image and I want the workstations to
> get names from dns. I'm using this for setting the ip:
>
> ------
> #!/bin/bash
>
> # IPv4 address of eth0: the "inet addr:10.0.0.5" line, second field, after the ":"
> # (-w keeps the "inet6" line out; the pipe must end the line inside $( ) to continue)
> ipaddress=$(/sbin/ifconfig eth0 | /bin/grep -w inet | /usr/bin/awk '{print $2}' |
> /usr/bin/cut -d : -f 2)
>
> # Reverse-resolve it; +short prints only the PTR target, e.g. "ws17.example.org."
> wsname=$(dig +short -x "$ipaddress" | /usr/bin/cut -d . -f 1)
>
> /bin/hostname "$wsname"
> ------
>
> The hostname is correct but I can't login with the pam-modules for
> kerberos and openafs anymore. I have no problems with local login to the
> workstation and getting tickets/tokens for any principal but the
> pam-login fails...
>
> Any ideas of what may be wrong?
>
> /Daniel
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
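A sketch of the principal-selection step Engert describes (prefer host/<hostname>, otherwise fall back to a long-term host/ principal that is actually in the keytab), added here as an example; it is not code from the thread or from any PAM module, assumes the plain `klist -k` listing format, and the keytab listing below is constructed:

```python
"""Choose the service principal a Kerberos PAM module should verify against.

A PAM module proves the KDC is genuine by using the fresh TGT to obtain a
service ticket for a principal whose key it holds in the keytab. If the
host name is assigned dynamically, the conventional host/<fqdn>@REALM may
not be in the keytab and login fails despite a correct password.
"""
import re

# Constructed sample of `klist -k` output for a workstation keyed under a
# long-term image name rather than its current DNS name.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ws-lab-image.example.org@EXAMPLE.ORG
   3 host/ws-lab-image.example.org@EXAMPLE.ORG
   2 afs@EXAMPLE.ORG
"""


def keytab_principals(klist_output):
    """Return the distinct principals in `klist -k` output, in listing order."""
    seen = []
    for line in klist_output.splitlines():
        # Entry lines are "<kvno> <principal@REALM>"; headers have no leading number.
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def choose_verify_principal(hostname, realm, principals):
    """Return the principal to request a service ticket for, or None.

    Prefer host/<hostname>@REALM; otherwise fall back to any host/ principal
    of the same realm present in the keytab, which gives the same protection
    against a fake KDC under a stable name. None means no usable key exists,
    so the module must fail closed rather than skip verification.
    """
    preferred = "host/%s@%s" % (hostname.lower(), realm)
    if preferred in principals:
        return preferred
    for p in principals:
        if p.startswith("host/") and p.endswith("@" + realm):
            return p
    return None


if __name__ == "__main__":
    ps = keytab_principals(SAMPLE_KLIST_OUTPUT)
    print(choose_verify_principal("ws17.example.org", "EXAMPLE.ORG", ps))
```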