MIT kerberos and ssh

Tillman Hodgson tillman at seekingfire.com
Tue Jun 20 16:21:36 UTC 2006


On Mon, Jun 19, 2006 at 09:59:06PM -0500, Michael D. Norwick wrote:
> I didn't get any replies on freebsd-questions for this one maybe
> someone here could help?

(Your line-wrap appears to be broken, I've reformatted it below)

I recommend checking with the kerberos at mit dot edu list, this topic
comes up often there.

> -------------------------------------------------------------------
> I have been trying to get a working MIT Kerberos KDC on a server
> running 6.1-Release.  I have been able to keep the heimdal version
> from being built during several past 'make worlds' and I have compiled
> and installed MIT krb5 from /usr/ports (current per portmanager).

I leave the standard Heimdal stuff in place. In /etc/make.conf, I define
KRB5_HOME=/usr/local/krb5, and MIT Kerberos installs into that location.
I then use $PATH. This results in me being able to use Heimdal and MIT
clients more or less interchangeably.

> I have been getting an error trying to start sshd (also built from
> /usr/ports), it complains about not finding 'libkrb5.so.8' then exits.
> I have been able to start the KDC but have not gotten much further as
> I would like to fix the ssh problem first.

Do the standard Kerberos clients work? Can you kinit and telnet -x? Does
remote kadmin work?

> 3.  Why are there two different directories i.e; /usr/src and
> /usr/ports for the same source?

The Heimdal included in base isn't complete, and may lag a dot release
or behind the "official" version.

> 4.  How do I get 'kerberized' ssh and give configure directives to the
> krb5 make to include GSSAPI support?

I don't use ssh with Kerberos (telnet -x and rcp -x work for me) so
unfortunately I can't help you much with this. I know that OpenSSH 3.7.x
and 3.8+ use incompatible methods and won't work together, so keep the
OpenSSH version the same on both ends. Another item I seem to vaguely
recall is that the older Kerberos config items (instead of the newer
GSSAPI config items) only work with 'ssh -1'.

> I have read both the Handbook and the 'Complete' book on this subject
> and have not been able to glean enough information to get me going,
> Google didn't help much either.  I have 6 Debian clients, 2 WinXP
> clients, and 1 Debian KDC slave and wanted this machine to be an
> MIT-KDC master and yet avoid the apparent 'kadmin' server
> incompatibility between Heimdal and MIT Kerberos (which all the Debian
> clients run).  I am also very comfortable with the MIT version.  Any
> words of wisdom would be greatly appreciated.

A long time ago I started working on an update to the Kerberos5 chapter,
which unfortunately I never completed and the "official" chapter in the
Handbook may have moved on (creating a doc fork of sorts, I suppose).
Anyway, my mostly-finished-but-not-polished revised version is at
http://www.seekingfire.com/freebsd-doc/kerberos5.html if you want to
take a peek at it to see if it's helpful.

(My apologies to Giorgos Keramidas, I totally dropped the ball on this)

The type of KDC won't matter -- I do cross-realm authentication between
MIT and Heimdal and all my Kerberos client apps handle it fine. The only
incompatibility is in the kadmin tool to manage the KDC. Since I
perform management at the secured console it's never really affected
me.

I keep some Kerberos info online at
http://www.seekingfire.com/projects/kerberos/ that you might find
useful. I haven't added to it in a while, but Kerberos isn't exactly a
fast-moving target anyway ;-)

The link http://shankerbalan.net/tech/freebsd_kerberos.txt in particular
includes what looks like useful SSH info.

-T


-- 
"Statistics are the triumph of the quantitative method, and the
 quantitative method is the victory of sterility and death."
    -- Hillaire Belloc, _The Silence of the Sea_
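The thread turns on two things: sshd failing because the dynamic linker cannot find libkrb5.so.8, and Tillman's arrangement of installing MIT Kerberos under KRB5_HOME=/usr/local/krb5 and selecting it through $PATH. The following POSIX sh script is an added example and is not code from either poster. It shows a defender-side diagnostic: parse ldd-style output for unresolved libraries (the sample output below is constructed, not captured from a real system), report them with a hint to merge the KRB5_HOME library directory into the linker hints, and build a PATH that puts the MIT binaries ahead of the base Heimdal ones. The function names and the /usr/local/krb5 default are assumptions taken from the thread's description, not from any FreeBSD tooling.

```shell
#!/bin/sh
# Added example, not from the original thread. Diagnoses the
# "cannot find libkrb5.so.8" failure and builds an MIT-first PATH.

# Constructed sample of ldd output for an sshd built against MIT krb5
# that lives under /usr/local/krb5 (the KRB5_HOME from the thread).
# Two Kerberos libraries are deliberately unresolved.
SAMPLE_LDD='/usr/local/sbin/sshd:
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x2808a000)
    libkrb5.so.8 => not found
    libgssapi_krb5.so.2 => not found
    libc.so.6 => /lib/libc.so.6 (0x28100000)'

# Constructed sample of a healthy sshd, every dependency resolved.
OK_LDD='/usr/local/sbin/sshd:
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x2808a000)
    libkrb5.so.8 => /usr/local/krb5/lib/libkrb5.so.8 (0x280f0000)
    libc.so.6 => /lib/libc.so.6 (0x28100000)'

# missing_libs LDD_OUTPUT
# Print, one per line, every library the dynamic linker could not resolve.
missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# check_krb5_deps LDD_OUTPUT
# Return 0 when all dependencies resolve; otherwise list the missing
# libraries, print a hint, and return 1 so callers can act on it.
check_krb5_deps() {
    missing=$(missing_libs "$1")
    if [ -n "$missing" ]; then
        printf 'unresolved shared libraries:\n%s\n' "$missing"
        # On FreeBSD, ldconfig -m merges a directory into the existing
        # hints; the KRB5_HOME lib dir is the usual culprit when MIT krb5
        # is installed outside the base system's library paths.
        printf 'hint: ldconfig -m /usr/local/krb5/lib\n'
        return 1
    fi
    return 0
}

# mit_first_path [KRB5_HOME] [BASE_PATH]
# Build a PATH that puts the MIT Kerberos binaries ahead of the base
# Heimdal ones, so kinit/kadmin/telnet resolve to the MIT versions.
mit_first_path() {
    krb5_home="${1:-/usr/local/krb5}"
    base_path="${2:-/usr/bin:/bin}"
    printf '%s/bin:%s/sbin:%s\n' "$krb5_home" "$krb5_home" "$base_path"
}

# Stand-alone usage: run the diagnostic against a real binary when one is
# given, otherwise against the constructed sample.
if [ -n "$1" ] && [ -x "$1" ]; then
    check_krb5_deps "$(ldd "$1" 2>/dev/null)" || exit 1
else
    check_krb5_deps "$SAMPLE_LDD" || true
fi
echo "PATH=$(mit_first_path)"
```

To use it on a live system, run `sh check_krb5.sh /usr/local/sbin/sshd`; a non-zero exit means at least one library did not resolve, and the printed hint names the directory to merge into the linker hints. The same `missing_libs` parser works for any dynamically linked binary, not just sshd, so it is a general check for ports built against a library installed in a non-standard prefix.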

