From owner-freebsd-security Thu Oct 21 7:44:25 1999
Date: Thu, 21 Oct 1999 10:44:21 -0400 (EDT)
From: Robert Watson
To: security@freebsd.org
Subject: Kerberos integration into ports--in particular, SSH

It looks like many ports still don't use PAM for authentication. This is not something I have time to address; it's just a comment that it would be nice if now that we have PAM, things used PAM :-). Also, it's a little funky to have an /etc/auth.conf and a /etc/pam.conf -- auth.conf seems only to affect su?

The real gist of my email is that I'd like to see the K4 patches incorporated into the SSH port when the user has K4 enabled in /etc/make.conf, or if they give a particular command line argument. The SSH K4 patches (with AFS, etc) are found at:

http://www.monkey.org/~dugsong/ssh-afs/

The 1.2.27 patch applies cleanly and easily over 1.2.27, although it seems not to be compatible with our local patches in the ports tree--I assume just includes and weird things with the patches covering the same area, but I haven't checked. To enable K4 support, you just do --with-krb4 on configure, and it works. This adds support for authenticating logins using passed authenticators, ticket-passing with AFS, autologin using .klogin as with rsh, etc. Very convenient. :-)

I suppose the ideal solution is we go to K5 sometime soon and then the support is built-in?

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services