Date:      Sun, 24 Nov 2002 23:46:03 +0200
From:      Dancho Penev <dpenev@mail.bg>
To:        Peter Much <pmc@citylink.dinoex.sub.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Kerberos is set up - now what?
Message-ID:  <20021124214603.GA249@earth.dpsca.bg>
In-Reply-To: <200211240448.gAO4mOk10009@disp.oper.dinoex.org>
References:  <200211240448.gAO4mOk10009@disp.oper.dinoex.org>

On Sun, Nov 24, 2002 at 05:48:22AM +0100, Peter Much wrote:
>From: Peter Much <pmc@citylink.dinoex.sub.org>
>Subject: Re: Kerberos is set up - now what?
>To: freebsd-questions@freebsd.org
>Date: Sun, 24 Nov 2002 05:48:22 +0100 (CET)
>
>
>Hi all, 
>
> as it seems to me, Kerberos5 is mostly unsupported in FreeBSD.

It's not very correct (it's totally incorrect).
If Kerberos is installed (the port or the one in the base system) you have
all the services that you want to use. They are not enabled by default,
but that doesn't mean that FreeBSD has no support for Kerberos. Scroll
down in inetd.conf and look for the Kerberos services. I have used pam_krb5
and MIT Kerberos for a year without any problems, with a single
login to the workstation and access to other computers via telnet,
rlogin etc. If you can't configure the Kerberos services to work then
ask for help and don't draw conclusions about whether or not FreeBSD
has support for something.


BTW the Kerberos5 access control file is .k5login(5), not .klogin.

>
>Yes, this is going to be a rant.
>
>If you have appropriate Kerberos support, no rsh, rlogin,
>ftp, telnet or whatever else will ever ask you for a password, if
>you log in to an account where you are allowed to do so via its
>.klogin file.
>This means, that support for Kerberos5 needs to be built into
>the servers and clients for ftp, telnet, rsh, rlogin, etc. It
>is not enough to just run a kerberos5 server (aka kdc) and
>make logins kerberos-aware via PAM.
>
>This was already implemented with FreeBSD 2.2 and kerberos4
>at least for rsh and rlogin, but now(*) with Kerberos5, if I 
>connect to the kshell port, I just get:
>rshd[8654]: usage: rshd [-alnDL]
>
>Furthermore, it is possible to do session encryption based
>on the principal, so essentially we could throw ssh etc. and all
>that crap completely into the wastebasket, and instead have
>a third-party based authentication scheme with single-sign-on
>over the whole network and a central (and replicatable) server
>that can optionally be administered remotely. (Supposing the
>crypt stuff inside kerberos5 is hardened enough for today's
>purposes.)
>
>Ok, I do not know of any unix distribution that actually engages
>these possibilities, but they are there. Well, AIX got fairly
>far with 4.3.3; telnet and ftp and all the rsh stuff actually
>work without passwords there, and K4 and K5 and standard
>logins all do work simultaneously. But when I asked the support
>how to run telnet with session encryption based on my DCE/K5
>principal (aka "packet-level privacy" as documented for DCE
>and practically used in DFS), they shrugged and suggested that I
>install ssh!
>
>
>(*) "now" means FreeBSD 4.4, I didnt get the time to upgrade 
>    further yet. No doubt the PAM integration has evolved since 
>    then, but it doesnt look like a really substantial progress to 
>    what I described above.
>
>PMc
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

-- 
Regards,
D. Penev
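Penev's correction about .k5login(5) is the security-relevant point of the reply: every principal listed in that file can log in to the account without a password. The following script is an added example, not code from the thread or from FreeBSD; it audits a .k5login file for malformed entries and loose permissions. The principal syntax pattern and the permission policy are the example's own assumed rules, not a reproduction of the MIT kuserok() logic.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Kerberos 5 .k5login file.
# Every principal in it may log in to the account without a password, so a
# defender wants to know exactly who is listed and that nobody else could
# have edited the file. The syntax check and the permission policy below
# are this example's own assumed rules, not the MIT kuserok() logic.

# check_k5login FILE: print one "ok:"/"bad:" line per entry; return 1 if
# any entry is not of the form name[/instance]@REALM, 2 if FILE is missing.
check_k5login() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue        # tolerate a trailing blank line
        if printf '%s\n' "$line" | grep -Eq '^[^@[:space:]]+@[A-Za-z0-9.-]+$'; then
            echo "ok:  $line"
        else
            echo "bad: $line"; rc=1
        fi
    done < "$f"
    return $rc
}

# check_perms FILE: return 1 if FILE is group- or world-writable, else 0.
check_perms() {
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "bad: $1 is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# write_sample FILE: constructed test data (two valid principals, one bogus).
write_sample() {
    printf 'alice@EXAMPLE.COM\nbob/admin@EXAMPLE.COM\nnot a principal\n' > "$1"
}

# demo: run both checks on the constructed sample in a temporary file.
demo() {
    t=$(mktemp) || return 2
    write_sample "$t"
    chmod 644 "$t"
    check_k5login "$t"; echo "syntax check exit status: $?"
    check_perms "$t" && echo "permissions ok"
    rm -f "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit_k5login.sh --demo` to see the sample flagged, or call `check_k5login ~user/.k5login` on a real account to list who can log in to it without a password.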

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021124214603.GA249>