Date: Tue, 20 Jun 2006 10:21:33 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-hackers@freebsd.org
Cc: keramida@ceid.upatras.gr
Subject: Re: MIT kerberos and ssh
Message-ID: <20060620162132.GW96797@seekingfire.com>
In-Reply-To: <4497647A.8080909@centurytel.net>
References: <4497647A.8080909@centurytel.net>
On Mon, Jun 19, 2006 at 09:59:06PM -0500, Michael D. Norwick wrote:
> I didn't get any replies on freebsd-questions for this one, maybe
> someone here could help?

(Your line-wrap appears to be broken, I've reformatted it below)

I recommend checking with the kerberos at mit dot edu list, this topic comes up often there.

> -------------------------------------------------------------------
> I have been trying to get a working MIT Kerberos KDC on a server
> running 6.1-Release. I have been able to keep the heimdal version
> from being built during several past 'make worlds' and I have compiled
> and installed MIT krb5 from /usr/ports (current per portmanager).

I leave the standard Heimdal stuff in place. In /etc/make.conf, I define KRB5_HOME=/usr/local/krb5, and MIT Kerberos installs into that location. I then use $PATH. This results in me being able to use Heimdal and MIT clients more or less interchangeably.

> I have been getting an error trying to start sshd (also built from
> /usr/ports), it complains about not finding 'libkrb5.so.8' then exits.
> I have been able to start the KDC but have not gotten much further as
> I would like to fix the ssh problem first.

Do the standard Kerberos clients work? Can you kinit and telnet -x? Does remote kadmin work?

> 3. Why are there two different directories, i.e., /usr/src and
> /usr/ports for the same source?

The Heimdal included in base isn't complete, and may lag a dot release or behind the "official" version.

> 4. How do I get 'kerberized' ssh and give configure directives to the
> krb5 make to include GSSAPI support?

I don't use ssh with Kerberos (telnet -x and rcp -x work for me) so unfortunately I can't help you much with this. I know that OpenSSH 3.7.x and 3.8+ use incompatible methods and won't work together, so keep the OpenSSH version the same on both ends. Another item I seem to vaguely recall is that the older Kerberos config items (instead of the newer GSSAPI config items) only work with 'ssh -1'.

> I have read both the Handbook and the 'Complete' book on this subject
> and have not been able to glean enough information to get me going,
> Google didn't help much either. I have 6 Debian clients, 2 WinXP
> clients, and 1 Debian KDC slave and wanted this machine to be an
> MIT-KDC master and yet avoid the apparent 'kadmin' server
> incompatibility between Heimdal and MIT Kerberos (which all the Debian
> clients run). I am also very comfortable with the MIT version. Any
> words of wisdom would be greatly appreciated.

A long time ago I started working on an update to the Kerberos5 chapter, which unfortunately I never completed, and the "official" chapter in the Handbook may have moved on (creating a doc fork of sorts, I suppose). Anyway, my mostly-finished-but-not-polished revised version is at http://www.seekingfire.com/freebsd-doc/kerberos5.html if you want to take a peek at it to see if it's helpful. (My apologies to Giorgos Keramidas, I totally dropped the ball on this)

The type of KDC won't matter -- I do cross-realm authentication between MIT and Heimdal and all my Kerberos client apps handle it fine. The only incompatibility is in the kadmin tool to manage the KDC. Since I perform management at the secured console it's never really affected me.

I keep some Kerberos info online at http://www.seekingfire.com/projects/kerberos/ that you might find useful. I haven't added to it in a while, but Kerberos isn't exactly a fast-moving target anyway ;-) The link http://shankerbalan.net/tech/freebsd_kerberos.txt in particular includes what looks like useful SSH info.

-T

--
"Statistics are the triumph of the quantitative method, and the quantitative method is the victory of sterility and death."
-- Hillaire Belloc, _The Silence of the Sea_
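The 'libkrb5.so.8 not found' failure discussed in this thread is a runtime-linker problem: sshd was built against the MIT krb5 libraries under KRB5_HOME, but that library directory is not on the dynamic linker's search path when sshd starts. The following POSIX sh script is an added example, not part of the thread or any FreeBSD port; it parses ldd output for unresolved libraries and checks whether each one exists under an alternate prefix such as the /usr/local/krb5 mentioned above (the sample ldd output and the prefix are constructed assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): find shared libraries that the dynamic
# linker cannot resolve for a binary such as sshd, then check whether a copy
# lives under an alternate install prefix (e.g. KRB5_HOME=/usr/local/krb5).

# Print the names of libraries marked "not found" in ldd output read on stdin.
# FreeBSD's ldd prints lines like "    libkrb5.so.8 => not found (0x0)".
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# For each library name read on stdin, report whether $1/lib contains it.
# Output is one line per library: "<lib> present-in <dir>" or "<lib> absent".
locate_in_prefix() {
    prefix=$1
    while read -r lib; do
        [ -n "$lib" ] || continue
        if [ -e "$prefix/lib/$lib" ]; then
            printf '%s present-in %s/lib\n' "$lib" "$prefix"
        else
            printf '%s absent\n' "$lib"
        fi
    done
}

# Constructed sample: what ldd might print for an sshd linked against MIT
# krb5 whose library directory is not on the runtime search path.
SAMPLE_LDD='/usr/local/sbin/sshd:
	libcrypto.so.4 => /lib/libcrypto.so.4 (0x2807a000)
	libkrb5.so.8 => not found (0x0)
	libgssapi_krb5.so.2 => not found (0x0)
	libc.so.6 => /lib/libc.so.6 (0x2812c000)'

# Run the check over the constructed sample; $1 overrides the assumed prefix.
# Against a live system you would pipe real output instead:
#   ldd /usr/local/sbin/sshd | missing_libs | locate_in_prefix /usr/local/krb5
check_sample() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs | locate_in_prefix "${1:-/usr/local/krb5}"
}

check_sample "$@"
```

If a missing library turns up as "present-in", the fix is a search-path problem (ldconfig hints or the build's rpath), not a missing package; "absent" means the MIT krb5 libraries were never installed where sshd expects them.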