Date: Tue, 22 May 2001 20:27:22 -0500
From: "Jacques A. Vidrine" <n@nectar.com>
To: Peter Losher <Peter.Losher@nominum.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: OpenSSH and Krb5, FreeBSD style...
Message-ID: <20010522202722.B449@shade.nectar.com>
In-Reply-To: <20010522201628.A449@shade.nectar.com>; from n@nectar.com on Tue, May 22, 2001 at 08:16:28PM -0500
References: <Pine.NEB.4.33.0105221438430.6439-100000@shell1.nominum.com> <20010522201628.A449@shade.nectar.com>

[Sorry, I fat-fingered my previous message. Here I try again.]

On Tue, May 22, 2001 at 08:16:28PM -0500, Jacques A. Vidrine wrote:
> On Tue, May 22, 2001 at 03:47:49PM -0700, Peter Losher wrote:
> > O.k., after banging my head against the wall with Heimdal and MIT
> > libs fighting over each other, I came across this closed PR:
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=20504
> >
> > Which seems to indicate that the branch of OpenSSH that FreeBSD uses now
> > (as of March 6th) has support for Krb5 Authentication on both the server
> > and client ends working with the integrated Heimdal libs. Is this true?
>
> Yes, though I am not certain of the date.

FreeBSD 4.3-RELEASE and later definitely have the right bits, though.

> > If so, is there a web site (or man pages) describing what config variables
> > etc. are needed to set this up? I can't find it in the example ssh_config
> > and sshd_config.

You didn't look hard enough :-) Look around line 49 of sshd_config.
You want to set `KerberosAuthentication yes' in both the client and
the server.

> > Also, is there a man page (or web site) which describes how to get up Krb5
> > using the integrated Heimdal package? (I have previously used only MIT Krb5
> > from ports), All the Kerberos stuff I have seen on the 4.3-STABLE system so
> > far is all Krb4 (Project Athena, etc) and no Krb5 binaries (kinit, kadmin,
> > ksu, etc.) although the libkrb5* libraries are in /usr/lib/
> >
> > And ideas, suggestions where to look?

Unfortunately, the `integrated Heimdal' package is still far from
complete. You can find some of what you are looking for as
/usr/bin/k5init, k5admin, k5su, and so on. However, notably missing
is a KDC and integration with any of the standard clients/daemons such
as TELNET and FTP. For these additional pieces, install Heimdal from
the ports system (/usr/ports/security/heimdal).

If you've never set up Kerberos before, you have some reading to do.
Start with http://www.isi.edu/gost/brian/security/kerberos.html, and
peruse the info files included in the Heimdal port and possibly the MIT
Kerberos 5 port. Documentation on implementation and system
administration details is sparse for MIT Kerberos and sparser still for
Heimdal.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
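
Added example, not part of the original message or of FreeBSD/OpenSSH: a small check that the `KerberosAuthentication yes' setting mentioned in the reply is actually the effective value on both the server and the client side. It assumes OpenSSH takes the first value it obtains for a keyword, matches keywords case-insensitively and accepts "keyword=value", and it ignores Host sections in ssh_config; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message.
# Assumptions: sshd/ssh use the first value obtained for a keyword,
# keywords are case-insensitive, "keyword=value" is accepted, and
# Host sections in ssh_config are ignored (file treated as flat).

# effective_kerberos_auth FILE -> prints yes, no, or unset
effective_kerberos_auth() {
    awk '
        /^[ \t]*#/ { next }              # comment line
        {
            line = $0
            gsub(/=/, " ", line)         # allow "keyword = value"
            n = split(line, f, " ")
            if (n >= 2 && tolower(f[1]) == "kerberosauthentication") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_pair SSHD_CONFIG SSH_CONFIG -> status 0 only if both say yes
check_pair() {
    server=$(effective_kerberos_auth "$1")
    client=$(effective_kerberos_auth "$2")
    echo "server=$server client=$client"
    [ "$server" = yes ] && [ "$client" = yes ]
}

# Constructed sample files; on a real system pass the paths of your
# own sshd_config and ssh_config to check_pair instead.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#KerberosAuthentication no' 'Port 22' \
        'kerberosauthentication yes' 'KerberosAuthentication no' \
        > "$dir/sshd_config"
    printf '%s\n' '# client side' 'KerberosAuthentication=no' \
        > "$dir/ssh_config"
    check_pair "$dir/sshd_config" "$dir/ssh_config" ||
        echo "KerberosAuthentication is not enabled on both sides"
    rm -rf "$dir"
}
demo
```

A commented-out line counts as unset, and a later `KerberosAuthentication no' does not override an earlier `yes', which is why the check reads the first uncommented occurrence rather than grepping for the string.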