From owner-freebsd-questions Sun Nov 24 10:07:20 2002
From: Peter Much
Message-Id: <200211240448.gAO4mOk10009@disp.oper.dinoex.org>
Subject: Re: Kerberos is set up - now what?
To: freebsd-questions@freebsd.org
Date: Sun, 24 Nov 2002 05:48:22 +0100 (CET)

Hi all,

as it seems to me, Kerberos5 is mostly unsupported in FreeBSD. Yes, this is going to be a rant.

If you have appropriate Kerberos support, no rsh, rlogin, ftp, telnet or elsewhat will ever ask you for a password if you log in to an account where you are allowed to do so via its .klogin file. This means that support for Kerberos5 needs to be built into the servers and clients for ftp, telnet, rsh, rlogin, etc. It is not enough to just run a Kerberos5 server (aka KDC) and make logins Kerberos-aware via PAM.

This was already implemented with FreeBSD 2.2 and Kerberos4, at least for rsh and rlogin, but now(*) with Kerberos5, if I connect to the kshell port, I just get:

    rshd[8654]: usage: rshd [-alnDL]

Furthermore, it is possible to do session encryption based on the principal, so essentially we could throw ssh etc. and all that crap completely into the wastebasket, and instead have a third-party based authentication scheme with single sign-on over the whole network and a central (and replicable) server that can optionally be administered remotely. (Supposing the crypt stuff inside Kerberos5 is hardened enough for today's purposes.)

Ok, I do not know of any Unix distribution that actually engages these possibilities, but they are there. Well, AIX got fairly far with 4.3.3: telnet and ftp and all the rsh stuff actually works without passwords there, and K4 and K5 and standard logins all work simultaneously. But when I asked the support how to run telnet with session encryption based on my DCE/K5 principal (aka "packet-level privacy" as documented for DCE and practically used in DFS), they shrugged and suggested that I install ssh!

(*) "now" means FreeBSD 4.4; I didn't get the time to upgrade further yet. No doubt the PAM integration has evolved since then, but it doesn't look like really substantial progress compared to what I described above.

PMc
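As an added illustration of the .klogin authorization the message relies on (example code written here, not from the original post or from FreeBSD's rshd/rlogind), the following checks whether a principal is listed for an account and whether the file itself is trustworthy. It assumes the one-principal-per-line format; skipping blank lines and "#" comments, and refusing files not owned by the account or root or writable by others, are this example's own sanity rules.

```python
"""Decide whether a Kerberos principal may log in to an account via its
.klogin file, the way Kerberized rlogin/rsh grant access without a
password.  Assumes one principal per line ("name/instance@REALM")."""
import os
import stat
from typing import Iterable, List, Optional, Tuple

Principal = Tuple[str, str, str]  # (name, instance, realm)


def parse_principal(text: str) -> Optional[Principal]:
    """Parse "name/instance@REALM"; the instance may be empty.
    Blank lines, "#" comments and malformed entries yield None."""
    text = text.strip()
    if text.startswith("#") or text.count("@") != 1:
        return None
    name_part, realm = text.split("@")
    name, _, instance = name_part.partition("/")
    if not name or not realm:
        return None
    return (name, instance, realm)


def klogin_permits(klogin_lines: Iterable[str], principal: str) -> bool:
    """True only on an exact match: name, instance and realm (case-sensitive)."""
    wanted = parse_principal(principal)
    if wanted is None:
        return False
    return any(parse_principal(line) == wanted for line in klogin_lines)


def klogin_file_problems(path: str, account_uid: int) -> List[str]:
    """Reasons not to trust a .klogin file (example's own rules): missing,
    not a regular file (e.g. a symlink), wrong owner, or writable by others.
    An empty list means the file looks safe to honour."""
    problems: List[str] = []
    try:
        st = os.lstat(path)          # lstat: a symlink is itself rejected
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid not in (account_uid, 0):
        problems.append("not owned by account or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


# Constructed sample .klogin contents for an account "ops" (not real data)
SAMPLE_KLOGIN = ["# admins allowed to log in as ops",
                 "pmc@EXAMPLE.ORG", "pmc/admin@EXAMPLE.ORG", ""]
```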