Heimdal or MIT for Kerberos?

Mike Tancsa mike at sentex.net
Tue Sep 16 14:34:47 UTC 2008


At 02:34 AM 9/10/2008, Gunnar Flygt wrote:
>I'm very pleased with heimdal 1.1. I compile it from sources. No big
>problem. Compile on one machine and copy the file structure to the other
>at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1
>with the KRB5_HOME flag set to the directory of heimdal. Same thing
>there, compile and make a package on one machine. The KDCs run FreeBSD
>7 and the same release of heimdal as the others.

Hi,

Thanks for the response! When you installed heimdal 1.1
from the source, did you overwrite the local libs, or did you keep
everything in /usr/local? Also, do you use hx509 at all and certs
for pre-auth?

        ---Mike


>On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> > We are looking at deploying Kerberos for better user management (SSO)
> > and 2 factor authentication via PKCS#11 etokens.  The servers are all
> > FreeBSD and the machines principals will log in from a mix of FreeBSD,
> > Windows and Mac OS X using ssh and openvpn.  As part of our compliance
> > project, access must be 2 factor.  The Heimdal in RELENG_7 is a
> > rather old version and doesn't seem to have all the bits needed for
> > x509 pre-auth so I would probably need to install from the ports
> > anyways.  Does anyone have any suggestions as to which
> > implementation to use? We are in Canada so it doesn't matter
> > regulation wise. Is one better maintained than the other?  There are
> > no legacy v4 apps.
> > Thanks,
> >
> >         ---Mike
> >
> > --------------------------------------------------------------------
> > Mike Tancsa,                                      tel +1 519 651 3400
> > Sentex Communications,                            mike at sentex.net
> > Providing Internet since 1994                    www.sentex.net
> > Cambridge, Ontario Canada                         www.sentex.net/mike
> >
> > _______________________________________________
> > freebsd-security at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"


