
Re: Heimdal and r* client programs

Tillman Hodgson wrote:
> 
> On Thu, Aug 15, 2002 at 01:34:15PM -0500, Douglas E. Engert wrote:
> > Tillman Hodgson wrote:
> > > I'm more interested in the built-in supports for kerberos v5 in the ssh
> > > version 1 protocol. I'm trying to move away from hand-rolled ssh
> > > packages to ease maintenance issues :-)
> >
> > Yes and so am I!
> >
> > Simon's excellent mods to OpenSSH implement the IETF ssh working group's GSSAPI
> > authentication protocols. See:  http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-04.txt
> > The draft is close to being adopted. Hopefully the OpenSSH people will then
> > add Simon's mods to their distribution, addressing your comment about maintenance issues.
> > Since they are using the GSS-API, you don't deal with MIT or Heimdal API issues either.
> > So using the GSSAPI is about as standard as you can get.
> 
> Sounds great! Avoiding the API mess would be great. I suppose that until
> the patches become mainstream, I only need to roll a custom package for
> a single perimeter machine - and that's reasonably maintainable.
> 
> Speaking of different interfaces, the kadmin differences between Heimdal
> and MIT are biting me. I have a RedHat Linux 7.3 box with the MIT krb5
> RPMs installed and I'd like to kerberize its services. To do this, I'm
> going to need a keytab. Unfortunately, it appears to me that kadmin
> stuff isn't interoperable. Is there another way to get a working keytab?

Generate it on a different machine and copy it over securely.

> 
> I had thought that if I created the host principal with a known password
> that I might be able to use the MIT ktutil's add_entry command to create
> the appropriate keytab, but all I get from add_entry is a usage
> statement regardless of what arguments I pass it.

I use the MIT code, so cannot speak for what Heimdal has, but this should 
have worked. You have to use the same key, kvno and enctype. This is in effect 
what you have to do with a W2K domain as a KDC too.

If you have a question about the MIT code, send a note to kerberos@mit.edu.
What version?

> 
> - Tillman
> 
> --
> Waking a person unnecessarily should not be considered a capital crime.
> For a first offense, that is.
>         - Robert Heinlein

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
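The "same key, kvno and enctype" requirement above applies to any keytab, whichever kadmin or ktutil produced it. As an added example, not part of this thread or of either Kerberos distribution, the following Python reads an MIT-format (0x0502) keytab and compares each entry's kvno and enctype against what the KDC reports for that principal, so a mismatch can be spotted before the keytab is put into service; the principal name, key bytes and KDC view are constructed sample values.

```python
import struct

# Both helpers follow the MIT keytab file format, version 0x0502; the sample entry below is constructed.
def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                      # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return (principal, kvno, enctype, key) for each live entry; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + n].decode()); pos += n
        pos += 8                                             # skip name_type and timestamp
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                                   # optional 32-bit vno; 0 means "use vno8"
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries

def find_mismatches(entries, kdc_view):
    """kdc_view maps principal -> (kvno, enctype) as the KDC reports it; any entry listed here will not work."""
    return [(p, kvno, et, kdc_view.get(p)) for p, kvno, et, _ in entries if kdc_view.get(p) != (kvno, et)]

SAMPLE = build_keytab([("host/web.example.com@EXAMPLE.COM", 3, 16, bytes(range(24)))])
```

On a real host the bytes would come from `open("/etc/krb5.keytab", "rb").read()` and the KDC view from the kvno and enctype shown by the kadmin tool on the KDC.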