From owner-freebsd-hackers@FreeBSD.ORG Tue Jun 20 16:21:36 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EFFB516A474 for ; Tue, 20 Jun 2006 16:21:35 +0000 (UTC) (envelope-from tillman@seekingfire.com)
Received: from mail.seekingfire.com (caliban.seekingfire.com [24.89.83.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BEC143D48 for ; Tue, 20 Jun 2006 16:21:34 +0000 (GMT) (envelope-from tillman@seekingfire.com)
Received: by mail.seekingfire.com (Postfix, from userid 500) id 2D700104; Tue, 20 Jun 2006 10:21:34 -0600 (CST)
Date: Tue, 20 Jun 2006 10:21:33 -0600
From: Tillman Hodgson
To: freebsd-hackers@freebsd.org
Cc: keramida@ceid.upatras.gr
Subject: Re: MIT kerberos and ssh
Message-ID: <20060620162132.GW96797@seekingfire.com>
In-Reply-To: <4497647A.8080909@centurytel.net>
References: <4497647A.8080909@centurytel.net>
X-GPG-Key-ID: 828AFC7B
X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68 F543 0F0A 7FBC 828A FC7B
X-GPG-Key: http://www.seekingfire.com/personal/gpg_key.asc
X-Urban-Legend: There is lots of hidden information in headers
X-Tillman-rules: yes he does
User-Agent: Mutt/1.5.11
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Tue, 20 Jun 2006 16:21:36 -0000

On Mon, Jun 19, 2006 at 09:59:06PM -0500, Michael D. Norwick wrote:
> I didn't get any replies on freebsd-questions for this one maybe
> someone here could help?

(Your line-wrap appears to be broken, I've reformatted it below)

I recommend checking with the kerberos at mit dot edu list, this topic
comes up often there.

> -------------------------------------------------------------------
> I have been trying to get a working MIT Kerberos KDC on a server
> running 6.1-Release. I have been able to keep the heimdal version
> from being built during several past 'make worlds' and I have compiled
> and installed MIT krb5 from /usr/ports (current per portmanager).

I leave the standard Heimdal stuff in place. In /etc/make.conf, I define
KRB5_HOME=/usr/local/krb5, and MIT Kerberos installs into that location.
I then use $PATH. This results in me being able to use Heimdal and MIT
clients more or less interchangeably.

> I have been getting an error trying to start sshd (also built from
> /usr/ports), it complains about not finding 'libkrb5.so.8' then exits.
> I have been able to start the KDC but have not gotten much further as
> I would like to fix the ssh problem first.

Do the standard Kerberos clients work? Can you kinit and telnet -x? Does
remote kadmin work?

> 3. Why are there two different directories i.e; /usr/src and
> /usr/ports for the same source?

The Heimdal included in base isn't complete, and may lag a dot release
or so behind the "official" version.

> 4. How do I get 'kerberized' ssh and give configure directives to the
> krb5 make to include GSSAPI support?

I don't use ssh with Kerberos (telnet -x and rcp -x work for me) so
unfortunately I can't help you much with this. I know that OpenSSH 3.7.x
and 3.8+ use incompatible methods and won't work together, so keep the
OpenSSH version the same on both ends. Another item I seem to vaguely
recall is that the older Kerberos config items (instead of the newer
GSSAPI config items) only work with 'ssh -1'.

> I have read both the Handbook and the 'Complete' book on this subject
> and have not been able to glean enough information to get me going,
> Google didn't help much either. I have 6 Debian clients, 2 WinXP
> clients, and 1 Debian KDC slave and wanted this machine to be an
> MIT-KDC master and yet avoid the apparent 'kadmin' server
> incompatibility between Heimdal and MIT Kerberos (which all the Debian
> clients run). I am also very comfortable with the MIT version. Any
> words of wisdom would be greatly appreciated.

A long time ago I started working on an update to the Kerberos5 chapter,
which unfortunately I never completed and the "official" chapter in the
Handbook may have moved on (creating a doc fork of sorts, I suppose).
Anyway, my mostly-finished-but-not-polished revised version is at
http://www.seekingfire.com/freebsd-doc/kerberos5.html if you want to take
a peek at it to see if it's helpful. (My apologies to Giorgos Keramidas,
I totally dropped the ball on this)

The type of KDC won't matter -- I do cross-realm authentication between
MIT and Heimdal and all my Kerberos client apps handle it fine. The only
incompatibility is in the kadmin tool to manage the KDC. Since I perform
management at the secured console it's never really affected me.

I keep some Kerberos info online at
http://www.seekingfire.com/projects/kerberos/ that you might find useful.
I haven't added to it in a while, but Kerberos isn't exactly a fast-moving
target anyway ;-) The link http://shankerbalan.net/tech/freebsd_kerberos.txt
in particular includes what looks like useful SSH info.

-T

-- 
"Statistics are the triumph of the quantitative method, and the
quantitative method is the victory of sterility and death."
    -- Hillaire Belloc, _The Silence of the Sea_
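The script below is an added example and is not part of Tillman's mail or of any FreeBSD project code. It wires up the KRB5_HOME plus $PATH arrangement he describes (base Heimdal left alone, MIT krb5 from ports under /usr/local/krb5 placed first in PATH) and runs the sanity checks he suggests before touching ssh: which implementation kinit, klist, kadmin and telnet actually resolve to, and whether the ports sshd can find every shared library it was linked against (the "libkrb5.so.8 not found" symptom). KRB5_HOME=/usr/local/krb5 comes from the mail; the sshd location /usr/local/sbin/sshd, the `report` entry point and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the list posting): sanity checks for a FreeBSD host
# that keeps the base Heimdal and adds MIT krb5 from ports under KRB5_HOME.
# Assumptions: KRB5_HOME=/usr/local/krb5 as in the posting; the ports sshd is
# /usr/local/sbin/sshd (override with SSHD_BIN in the environment).
KRB5_HOME="${KRB5_HOME:-/usr/local/krb5}"
SSHD_BIN="${SSHD_BIN:-/usr/local/sbin/sshd}"

# Build a PATH that puts the MIT bin/sbin ahead of the Heimdal copies in
# /usr/bin and /usr/sbin. Idempotent, so sourcing a profile twice does not
# keep growing PATH. Prints the new value; callers do PATH=$(krb5_path "$PATH").
krb5_path() {
    _p="$1"
    for _d in "$KRB5_HOME/sbin" "$KRB5_HOME/bin"; do
        case ":$_p:" in
            *":$_d:"*) ;;              # already present, leave order alone
            *) _p="$_d:$_p" ;;
        esac
    done
    printf '%s\n' "$_p"
}

# Say which implementation a client name resolves to on the current PATH.
# Returns 1 (and says so) when the name is not on PATH at all.
which_krb5() {
    _b=$(command -v "$1" 2>/dev/null) || { printf '%s: not found\n' "$1"; return 1; }
    case "$_b" in
        "$KRB5_HOME"/*)         printf '%s -> %s (MIT, from ports)\n' "$1" "$_b" ;;
        /usr/bin/*|/usr/sbin/*) printf '%s -> %s (Heimdal, from base)\n' "$1" "$_b" ;;
        *)                      printf '%s -> %s (other)\n' "$1" "$_b" ;;
    esac
}

# Shared objects the run-time linker cannot resolve for a binary, one per line.
# Empty output means every dependency was found; a missing libkrb5.so.8 shows
# up here before sshd gets a chance to complain. Prints nothing when ldd is
# unavailable or the file does not exist.
missing_libs() {
    ldd "$1" 2>/dev/null | awk '/not found/ { print $1 }'
}

# Human-readable summary of all three checks.
report() {
    echo "PATH with MIT krb5 first: $(krb5_path "$PATH")"
    for _c in kinit klist kadmin telnet; do
        which_krb5 "$_c" || :
    done
    _m=$(missing_libs "$SSHD_BIN")
    if [ -n "$_m" ]; then
        echo "$SSHD_BIN has unresolved shared libraries:"
        echo "$_m"
        echo "check that their directory appears in 'ldconfig -r' output"
    else
        echo "$SSHD_BIN: all shared libraries resolve (or ldd/sshd not present)"
    fi
}

# Only produce the report when asked, so the file can also be sourced for
# krb5_path alone:  sh krb5-check.sh report
if [ "${1-}" = report ]; then
    report
fi
```

Run it as `sh krb5-check.sh report` on the host that fails to start sshd; if `missing_libs` names libkrb5.so.8, the library either is not installed where sshd was linked to find it or its directory is not in the run-time linker's search set, which `ldconfig -r` prints on FreeBSD. A binary that resolves cleanly but still fails to authenticate is a Kerberos configuration problem rather than a linking one, which is the distinction the kinit/telnet -x/kadmin checks in the mail are meant to draw.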