Date: Sun, 07 Apr 2002 11:53:59 +0200
From: Rob Frohwein <rob@frohwein.xs4all.nl>
To: freebsd-security@freebsd.org
Subject: heimdal kerberos problems
Message-ID: <3CB01737.6050001@frohwein.xs4all.nl>
Hi,

I am trying to get heimdal kerberos5 running on freeBSD 4.5. The KDC seems to function, I can obtain a ticket from the kdc. But the application clients and services like login/logind and telnet/telnetd and pam don't seem to function after the heimdal install. Has anyone had any success with using heimdal on freeBSD? I can't get the 'official' MIT version because of US export limitations. I am using freeBSD STABLE 4.5.

There are 3 machines: K(dc), S(erver) and C(lient). In fact K and S are the same machine.

To install kerberos I did:

1 make -DMAKE_KERBEROS5 buildworld (is this necessary ??)

2 make & install heimdal (/usr/ports/security/heimdal)

3 On all machines added /etc/krb5.conf
-----------------------------------
[libdefaults]
        default_realm = RFKERB
        clockskew = 300
[realms]
        RFKERB = {
                kdc = vhfbsd45-3.frohwein.xs4all.nl.
        }
[domain_realm]
        frohwein.xs4all.nl = RFKERB
-----------------------------------
(vhfbsd45-3 is the name of Kdc/Server)

4 On K:
k5admin -l
kadmin> init RFKERB
kadmin> add myself
...
kadmin> add --random-key host/vhfbsd45-3.frohwein.xs4all.nl.
kadmin> ext host/vhfbsd45-3.frohwein.xs4all.nl.
So I added some users + a keytab file for Server role.

6 On S (==K): /etc/pam.conf
klogin auth required pam_krb5.so try_first_pass
And commented out the other login lines.

7 On S (==K): /etc/inetd.conf
klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k

8 From C:
rlogin -k RFKERB -l user1 vhfbsd45-3
rlogin: illegal option -- k
This rlogin does not comply with the man page. So what has heimdal installed?
When I just do:
rlogin -l user1 vhfbsd45-3
I see (with ethereal) that a standard (port 513) rlogin request attempt is made.

9 Telnet
In the manpage about telnetd I see no options for kerberos. I tried:
pam.conf: telnetd auth required pam_krb5.so try_first_pass
inetd.conf normal
Result:
telnet -l user1 vhfbsd45-3
A normal SRA login is the result, no kerberos involved.

So I think something is wrong with the heimdal install for the applications like telnet and login.

10 I go to /usr/ports/security/heimdal/work/heimdal-0.4e/appl/telnet and use the telnet client there. When I do a login attempt I see on K in the logging:
Apr 7 02:43:59 vhfbsd45-3 login: no modules loaded for `login' service
Apr 7 02:43:59 vhfbsd45-3 login: pam_open_session: Permission denied

Because I can acquire a tgt on C and indeed with k5list I can see the ticket, I think only the installation of the kdc is ok, the rest fails.

Thanks for some advice.

Rob Frohwein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
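When a TGT can be obtained but host services fail, two things a defender checks first are which realm and KDC the client's krb5.conf maps the service host to, and whether the service principal the client will ask for is literally present in the keytab. The following is an added example, not code from the post or from Heimdal: it parses the krb5.conf syntax (sections, key = value, brace-nested realm blocks), applies the domain_realm convention used in krb5.conf documentation (a leading dot matches hosts under the domain, a bare name matches that exact host, otherwise default_realm applies), and compares the host/<fqdn>@REALM name a client would construct with a keytab listing. SAMPLE_KRB5_CONF and SAMPLE_KEYTAB_PRINCIPALS are constructed for the example, modelled on the config and kadmin commands quoted above (including the trailing dot on the hostname); the function names are the example's own.

```python
"""Check a krb5.conf's realm mapping and the service principal a client expects.

Added example (not from the post or Heimdal). Principal names are compared
literally, so a keytab entry that differs from the expected name only by a
trailing dot or letter case is reported as a near miss.
"""
import re

# Constructed sample, modelled on the krb5.conf quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = RFKERB
    clockskew = 300
[realms]
    RFKERB = {
        kdc = vhfbsd45-3.frohwein.xs4all.nl.
    }
[domain_realm]
    frohwein.xs4all.nl = RFKERB
"""

# Constructed: principal as it would be named after 'add --random-key host/...'
# with the trailing dot from the post kept.
SAMPLE_KEYTAB_PRINCIPALS = ["host/vhfbsd45-3.frohwein.xs4all.nl.@RFKERB"]


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and 'NAME = { ... }' blocks.
    A key repeated in one block (e.g. several kdc lines) collects into a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == '}':
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            stack[-1][key] = child = {}
            stack.append(child)
            continue
        cur = stack[-1]
        if key in cur:
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        else:
            cur[key] = value
    return conf


def realm_for_host(conf, host):
    """Exact host entry, then each parent domain written with a leading dot,
    then libdefaults default_realm (None if nothing matches)."""
    host = host.rstrip('.').lower()
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get('libdefaults', {}).get('default_realm')


def kdcs_for_realm(conf, realm):
    """KDC hostnames listed for the realm (empty list if none configured)."""
    kdc = conf.get('realms', {}).get(realm, {}).get('kdc')
    return [] if kdc is None else (kdc if isinstance(kdc, list) else [kdc])


def expected_service_principal(host, realm, service='host'):
    """Name a client constructs for a service: lower-case FQDN, no trailing dot."""
    return f"{service}/{host.rstrip('.').lower()}@{realm}"


def keytab_mismatches(keytab_principals, expected):
    """Return (exact_present, near_misses) against a list of keytab principal names."""
    def norm(p):
        name, _, realm = p.partition('@')
        return name.rstrip('.').lower() + '@' + realm
    exact = expected in keytab_principals
    near = [p for p in keytab_principals if p != expected and norm(p) == norm(expected)]
    return exact, near


def check_host(conf, host, keytab_principals):
    """Summarise realm, KDCs and keytab status for one service host."""
    realm = realm_for_host(conf, host)
    expected = expected_service_principal(host, realm)
    exact, near = keytab_mismatches(keytab_principals, expected)
    return {'realm': realm, 'kdcs': kdcs_for_realm(conf, realm),
            'expected_principal': expected, 'keytab_has_exact': exact,
            'near_misses': near}


if __name__ == '__main__':
    report = check_host(parse_krb5_conf(SAMPLE_KRB5_CONF),
                        'vhfbsd45-3.frohwein.xs4all.nl', SAMPLE_KEYTAB_PRINCIPALS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the host maps to RFKERB through default_realm rather than the bare domain_realm entry, and the keytab has no exact match for host/vhfbsd45-3.frohwein.xs4all.nl@RFKERB, only the trailing-dot near miss. In practice feed the script the output of a keytab listing (for Heimdal, ktutil list) in place of SAMPLE_KEYTAB_PRINCIPALS.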