From: Rob Frohwein
To: freebsd-security@freebsd.org
Subject: heimdal kerberos problems
Date: Sun, 07 Apr 2002 11:53:59 +0200
Organization: XS4ALL Internet BV
Message-ID: <3CB01737.6050001@frohwein.xs4all.nl>

Hi,

I am trying to get heimdal kerberos5 running on FreeBSD 4.5. The KDC seems to function; I can obtain a ticket from the kdc. But the application clients and services like login/logind and telnet/telnetd and pam don't seem to function after the heimdal install.

Has anyone had any success with using heimdal on FreeBSD? I can't get the 'official' MIT version because of US export limitations.

I am using FreeBSD STABLE 4.5. There are 3 machines: K(dc), S(erver) and C(lient). In fact K and S are the same machine.

To install kerberos I did:

1 make -DMAKE_KERBEROS5 buildworld (is this necessary ??)

2 make & install heimdal (/usr/ports/security/heimdal)

3 On all machines added /etc/krb5.conf
-----------------------------------
[libdefaults]
        default_realm = RFKERB
        clockskew = 300
[realms]
        RFKERB = {
                kdc = vhfbsd45-3.frohwein.xs4all.nl.
        }
[domain_realm]
        frohwein.xs4all.nl = RFKERB
-----------------------------------
(vhfbsd45-3 is the name of Kdc/Server)

4 On K:
    k5admin -l
    kadmin> init RFKERB
    kadmin> add myself
    ...
    kadmin> add --random-key host/vhfbsd45-3.frohwein.xs4all.nl.
    kadmin> ext host/vhfbsd45-3.frohwein.xs4all.nl.
So I added some users + a keytab file for the Server role.

6 On S (==K): /etc/pam.conf
    klogin  auth  required  pam_krb5.so  try_first_pass
And commented out the other login lines.

7 On S (==K): /etc/inetd.conf
    klogin  stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind -k

8 From C:
    rlogin -k RFKERB -l user1 vhfbsd45-3
    rlogin: illegal option -- k
This rlogin does not comply with the man page. So what has heimdal installed? When I just do:
    rlogin -l user1 vhfbsd45-3
I see (with ethereal) that a standard (port 513) rlogin request attempt is made.

9 Telnet
In the manpage about telnetd I see no options for kerberos. I tried:
pam.conf:
    telnetd  auth  required  pam_krb5.so  try_first_pass
inetd.conf: normal
Result:
    telnet -l user1 vhfbsd45-3
A normal SRA login is the result, no kerberos involved. So I think something is wrong with the heimdal install for the applications like telnet and login.

10 I go to /usr/ports/security/heimdal/work/heimdal-0.4e/appl/telnet and use the telnet client there. When I do a login attempt I see on K in the logging:
    Apr 7 02:43:59 vhfbsd45-3 login: no modules loaded for `login' service
    Apr 7 02:43:59 vhfbsd45-3 login: pam_open_session: Permission denied

Because I can acquire a tgt on C, and indeed with k5list I can see the ticket, I think only the installation of the kdc is ok; the rest fails.

Thanks for some advice.

Rob Frohwein
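A small audit of the single-file /etc/pam.conf layout used in the post (service, type, control, module, args), added here as an example and not part of Rob's message: it parses a constructed sample that mirrors his configuration (klogin and telnetd carry a pam_krb5 auth line, the stock login lines are commented out) and reports, per service, which PAM types actually have modules stacked, so a service with nothing to load stands out before the "no modules loaded" line shows up in syslog. Fallback to an "other" stanza is not modelled.

```python
"""Audit a FreeBSD 4.x style /etc/pam.conf: 'service type control module [args]' per line."""
from collections import defaultdict

PAM_TYPES = ("auth", "account", "session", "password")

# Constructed sample mirroring the post: pam_krb5 auth lines for klogin and telnetd,
# the original login lines commented out.
SAMPLE_PAM_CONF = """\
# $FreeBSD$
#login   auth     required  pam_unix.so   try_first_pass
#login   account  required  pam_unix.so
#login   session  required  pam_unix.so
klogin   auth     required  pam_krb5.so   try_first_pass
telnetd  auth     required  pam_krb5.so   try_first_pass
"""


def parse_pam_conf(text):
    """Return {service: [(type, control, module, args), ...]}; comments and blanks skipped."""
    entries = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected at least 4 fields: {raw!r}")
        service, mtype, control, module = fields[:4]
        if mtype not in PAM_TYPES:
            raise ValueError(f"pam.conf line {lineno}: unknown module type {mtype!r}")
        args = fields[4] if len(fields) == 5 else ""
        entries[service].append((mtype, control, module, args))
    return dict(entries)


def coverage(entries, services):
    """{service: {type: [modules]}}; an empty list means PAM has nothing to run there."""
    return {
        svc: {t: [mod for (mt, _ctl, mod, _args) in entries.get(svc, []) if mt == t]
              for t in PAM_TYPES}
        for svc in services
    }


def unconfigured(entries, services, mtype="auth"):
    """Services from `services` that have no entry of type `mtype` at all."""
    return [s for s in services if not coverage(entries, [s])[s][mtype]]


if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc, types in coverage(conf, ["login", "klogin", "telnetd"]).items():
        print(svc, {t: m for t, m in types.items() if m} or "NO MODULES")
```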