
Heimdal versus Krb4 versus AFS



On Thu, 4 Sep 2003, Johan Danielsson wrote:

Hi,
  I'm sorry for the cross-posting, but I'm getting lost without
documentation. Reading krb5.conf's through google and reading debian
heimdal-* packages containing krb5.conf where it is explicitly written that
those options are there only for MIT krb5 and do not work with heimdal makes
me curious who will actually update the docs for heimdal and make things clear.

> OpenSSL 0.9.7 changed the DES API, which unfortunately was also part
> of the Kerberos 4 API. The solution would be to use old libdes with
> Kerberos 4; this is what NetBSD has done. We might be convinced to
> release a 1.3, that would at least somewhat remedy the situation.

Please release it. Neither OpenSSH-3.7.1p1 nor 3.6.1p2 works with either
heimdal or krb4. Actually, OpenSSH-3.7.1p1 does not have the krb4 code at
all, but the krb5 code does not work for me. Unfortunately, 3.6.1p2 also
does not run with heimdal/krb4 for me.

I'm curious how openssh-3.7.1p1 is supposed to work with AFS when there's
no krb4 support. Can you explain that to me?

> You could also argue that YOU SHOULD NOT USE KERBEROS 4 SINCE IT'S
> INSECURE, but you knew that.

So how does heimdal support AFS? What are the necessary configure flags
and krb5.conf entries?

OpenSSH-3.7.1p1 does not work on Irix and Tru64 Unix; one has to edit
config.h to get it running at least in password auth mode.
To make ssh try GSSAPI mode, one has to uncomment two GSS* lines in
sshd_config and run "ssh -o PreferredAuthentications=gssapi host" (note the
trailing "s"). Unfortunately, sshd says the gssapi method is unknown and
refuses to work.

See

http://bugzilla.mindrot.org/show_bug.cgi?id=635
http://bugzilla.mindrot.org/show_bug.cgi?id=659
http://bugzilla.mindrot.org/show_bug.cgi?id=653

I don't believe anyone tried OpenSSH-3.7.1p1 on Irix/Tru64 even with
password authentication, but that's another story. Definitely no kerberos
support.
-- 
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585