[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal and r* client programs

On Thu, Aug 15, 2002 at 01:34:15PM -0500, Douglas E. Engert wrote:
> Tillman Hodgson wrote:
> > I'm more interested in the built-in supports for kerberos v5 in the ssh
> > version 1 protocol. I'm trying to move away from hand-rolled ssh
> > packages to ease maintainence issues :-)
> Yes and so am I!
> Simon's excellent mods to OpenSSH implement the IETF ssh working groups GSSAPI
> authentication 
> protocols. See:  http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-04.txt
> The draft is close to being adopted. Hopefully the OPenSSH people will then
> add Simon's mods to their distribution, addressing your comment about maintenance issues.
> Since they are using the GSS-API, so you don't deal with MIT or Hiemdal API issues either. 
> So using the GSSAPI is about as standard as you can get. 

Sounds great! Avoiding the API mess would be great. I suppose that until
the patches become mainstream, I only need to roll a custom package for
a single perimeter machine - and that's reasonably maintainable.

Speaking of different interfaces, the kadmin differences between Heimdal
and MIT is biting me. I have a RedHat Linux 7.3 box with the MIT krb5
RPM's installed and I'd like to kerberize it's services. To do this, I'm
going to need a keytab. Unfortunately, it appears to me that kadmin
stuff isn't interoperable. Is there another way to get a working keytab?

I had thought that if I created the host principal with a known password
that I might be able to use the MIT ktutil's add_entry command to create
the appropriate keytab, but all I get from add_entry is a usage
statement regardless of what arguements I pass it.

- Tillman

Waking a person unnecessarily should not be considered a capital crime.
For a first offense, that is.
	- Robert Heinlein