
Re: Heimdal and r* client programs



On Thu, Aug 15, 2002 at 01:34:15PM -0500, Douglas E. Engert wrote:
> Tillman Hodgson wrote:
> > I'm more interested in the built-in support for Kerberos v5 in the ssh
> > version 1 protocol. I'm trying to move away from hand-rolled ssh
> > packages to ease maintenance issues :-)
> 
> Yes and so am I!
> 
> Simon's excellent mods to OpenSSH implement the IETF ssh working group's GSSAPI
> authentication protocols. See: http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-04.txt
> The draft is close to being adopted. Hopefully the OpenSSH people will then
> add Simon's mods to their distribution, addressing your comment about maintenance issues.
> Since they are using the GSS-API, you don't deal with MIT or Heimdal API issues either.
> So using the GSSAPI is about as standard as you can get.

Sounds great! Avoiding the API mess would be great. I suppose that until
the patches become mainstream, I only need to roll a custom package for
a single perimeter machine - and that's reasonably maintainable.

Speaking of different interfaces, the kadmin differences between Heimdal
and MIT are biting me. I have a RedHat Linux 7.3 box with the MIT krb5
RPMs installed and I'd like to kerberize its services. To do this, I'm
going to need a keytab. Unfortunately, it appears to me that kadmin
stuff isn't interoperable. Is there another way to get a working keytab?

I had thought that if I created the host principal with a known password
that I might be able to use the MIT ktutil's add_entry command to create
the appropriate keytab, but all I get from add_entry is a usage
statement regardless of what arguments I pass it.

- Tillman

-- 
Waking a person unnecessarily should not be considered a capital crime.
For a first offense, that is.
	- Robert Heinlein