If you kerberize your host - that is to say, you have stuff like your
ssh client using kerberos-compatible versions, and your authentication
happening against kerberos, then it works something like this:
I sit down at my favorite Linux workstation and open a shell so I can
ssh to some other host on my network. Assuming I have not done so
recently, the host I'm trying to reach won't be able to verify me.
Instead, both my local host and the target host will rely on an
authentication server to generate a new encryption key and distribute it
to both parties. This is the session key. A Kerberos ticket is used to
distribute the session key which includes info about me / my host that
will be used by the target host to verify my connection. When the
server passes this back to me, I forward it on to the target host as
part of my authentication request. So, the ticket will be encrypted in
a server key, which is known only by the server and the target host.
nifty huh?
The ticket-granting-ticket just extends this to make life a little
easier. We assume that some period of time is an acceptable amount for
ticket granting without requiring the user to type in a password every
time a ticket is needed. In short, I authenticate myself once to the
server, and it allows me to perform any number of permitted
authentications during the allowed time period. The ports used are
likely going to be 88 for the kdc and possibly 749 for the admin server.
This is all a very brief description of what is going on, but it covers
the basic ideas.
On Thu, 2006-03-02 at 06:07 -0800, Joseph Mack NA3T wrote:
> On Wed, 1 Mar 2006, Ryan Leathers wrote:
>
> > If you are asking if it is possible to have a system be kerberized and
> > also tackle some lvs chores, then yes, you can do that. It's a bit like
> > asking if one can comb their hair and eat an ice-cream. The two don't
> > have much to do with one another, but there is certainly nothing
> > preventing it.
>
> Someone set up kerberos under LVS a while ago. From what I
> remember they were doing all their kerberos inside an ssh
> tunnel so only port 22 was involved in the LVS part of it. I
> had wondered how they managed to LVS all the ports involved,
> since (I think) some of them are callbacks from clients to the
> realserver, which LVS won't know about, but it seems they
> didn't tackle this problem.
>
> > Now if you are asking if lvs can be used for your kerberos
> > servers, the answer is still yes, but it doesn't make
> > sense to do so. You can only have one kerberos server
> > active at any one time for a realm. You would never
> > balance the load, so you may as well just let them fail
> > over normally without trying to tie lvs into the mix.
>
> (I've never used kerberos). If say my workplace was
> kerberosized and I logged into various machines, are the
> machines I'm logging into all calling the same single
> kerberos server for tickets and then contacting my machine
> in a connection that requires about 4 ports?
>
> Thanks
> Joe
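The exchange Ryan sketches above (KDC mints a session key, seals it in a ticket under a key only the KDC and the target host know, and the client just forwards that ticket on), as an added toy model in Python that is not from this thread or from any Kerberos implementation. The cipher is a SHA-256 keystream plus HMAC stand-in, and the principal names, password and keys are constructed for the example.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode (stand-in for a real cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys (constructed): the KDC holds every principal's key; a host holds only its own.
KDC_DB = {"alice": hashlib.sha256(b"alice-password").digest(),
          "host/bob": os.urandom(32)}

def kdc_as_request(client, service, lifetime=300):
    """KDC: mint a session key; ticket is sealed under the service key, reply under the client key."""
    session = os.urandom(32).hex()
    ticket = encrypt(KDC_DB[service], {"client": client, "key": session,
                                        "expires": time.time() + lifetime})
    return encrypt(KDC_DB[client], {"key": session, "ticket": ticket.hex()})

def client_login(name, password, reply):
    """Client: open the reply with its password-derived key; the ticket stays opaque to it."""
    creds = decrypt(hashlib.sha256(password).digest(), reply)
    authenticator = encrypt(bytes.fromhex(creds["key"]), {"client": name, "time": time.time()})
    return bytes.fromhex(creds["ticket"]), authenticator

def service_accept(service, ticket, authenticator):
    """Target host: open the ticket with its own key, then verify the forwarded authenticator."""
    t = decrypt(KDC_DB[service], ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]
```

Run `service_accept("host/bob", *client_login("alice", b"alice-password", kdc_as_request("alice", "host/bob")))` to see the full round trip; the client never holds host/bob's key, so it can forward the ticket but neither read nor alter it.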