From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 14:34:47 2008
Message-Id: <200809161434.m8GEYi0Y037839@lava.sentex.ca>
Date: Tue, 16 Sep 2008 10:34:51 -0400
To: Gunnar Flygt
From: Mike Tancsa
In-Reply-To: <20080910063408.GA99970@sr.se>
References: <200809071155.m87BtS2H082832@lava.sentex.ca> <20080910063408.GA99970@sr.se>
Cc: freebsd-security@freebsd.org
Subject: Re: Heimdal or MIT for kerberos?

At 02:34 AM 9/10/2008, Gunnar Flygt wrote:
>I'm very pleased with heimdal 1.1. I compile it from sources. No big
>problem. Compile on one machine and copy the file structure to the other
>at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1
>with the KRB5_HOME flag set to the directory of heimdal. Same thing
>there, compile and make a package on one machine. The KDCs run FreeBSD
>7 and the same release of heimdal as the others.

Hi,
Thanks for the response! When you installed heimdal 1.1 from the source, did you overwrite the local libs, or did you keep everything in /usr/local? Also, do you use hx509 at all and certs for pre-auth?

         ---Mike

>On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> > We are looking at deploying Kerberos for better user management (SSO)
> > and 2 factor authentication via pkcs#11 etokens. The servers are all
> > FreeBSD and the machines principals will login from a mix of FreeBSD,
> > Windows and Mac OS X using ssh and openvpn. As part of our compliance
> > project, access must be 2 factor. The Heimdal in RELENG_7 is a
> > rather old version and doesn't seem to have all the bits needed for
> > x509 pre-auth so I would probably need to install from the ports
> > anyways. Does anyone have any suggestions as to which
> > implementation to use? We are in Canada so it doesn't matter
> > regulation wise. Is one better maintained than the other? There are
> > no legacy v4 apps
> > Thanks,
> >
> > ---Mike
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike@sentex.net
> > Providing Internet since 1994 www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike