Date: Wed, 10 Sep 2008 08:34:08 +0200
From: Gunnar Flygt
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Heimdal or MIT for kerberos?

I'm very pleased with heimdal 1.1. I compile it from sources. No big problem. Compile on one machine and copy the file structure to the other at the same OS level.

Then using openssh-gssapi-overwrite-base-5.0.p1,1 with the KRB5_HOME flag set to the directory of heimdal. Same thing there, compile and make a package on one machine.

The KDCs run FreeBSD 7 and the same release of heimdal as the others.

On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> We are looking at deploying Kerberos for better user management (SSO)
> and 2 factor authentication via pkcs#11 etokens. The servers are all
> FreeBSD and the machines principals will login from a mix of FreeBSD,
> Windows and MAC OSX using ssh and openvpn. As part of our compliance
> project, access must be 2 factor. The Heimdal in RELENG_7 is a
> rather old version and doesn't seem to have all the bits needed for
> x509 pre-auth so I would probably need to install from the ports
> anyways. Does anyone have any suggestions as to which
> implementation to use ? We are in Canada so it doesn't matter
> regulation wise. Is one better maintained than the other ? There are
> no legacy v4 apps
> Thanks,
>
> ---Mike
>
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike