
Re: Heimdal versus Krb4 versus AFS

Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:

> On Thu, 18 Sep 2003, Love wrote:
>> Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:
>> > Please release it. Neither OpenSSH-3.7.1p1 nor 3.6.1p2 works with
>> > heimdal or krb4. Actually, OpenSSH-3.7.1p1 does not have the krb4 code at
>> > all, but the krb5 code does not work for me. Unfortunately, 3.6.1p2 also
>> > does not run with heimdal/krb4 for me.
>> >
>> > I'm curious how openssh-3.7.1p1 is supposed to work with AFS when there's
>> > no krb4 support. Can you explain that to me?
>> what afs support are you talking about, ssh token forwarding or something
> Sorry, I'm not much of an expert in this, but yes, I think I meant token
> forwarding, but mainly I should say krb4 support, as I thought it is
> *required* in AFS authentication.

gssapi and krb4 are the same in the sense that they have the same problem:
both fail to verify the session identifier and so become a one-time-password-
like system. The proposed "gssapi-mic" userauth (on ietf-secsh-wg) fixes
this problem.

>> else? heimdal has a libkafs that supports AFS without krb4, ie there
>> is a working afslog.
> OK, so if I turn off all the kerberos4 related variables in krb5.conf and
> compile heimdal with kaserver emulation, will user authentication to AFS
> still work?

Now I understand what you are trying to do.

Openssh as of 3.7 got all the krb4 and krb5 kerberos authentication pulled
out of it; it was replaced by the gssapi userauth. gssapi userauth has the
problem I wrote about above. But still, krb5 and krb4 also have this

Note that there is a difference between the krb5/krb4/afs userauth and the
password userauth; openssh 3.7.1 still supports verifying a user's kerberos

Heimdal includes support for AFS, afs in the sense that it will fetch you
the afs@REALM ticket and convert it into an afs token and store it in the

There is no support for making AFS or krb4 userauth working in openssh.

> How should I proceed with:
> [kadmin]
> kdc =
> dns_lookup_realm = false
> dns_lookup_kdc = false
> #default_keys = v4 v5 afs3
> #default_keys = v4 afs3
> default_keys = des:pw-salt v4
> #supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
> default_etypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:

The two last ones are MIT syntax.

If you want to have kerberos 4 and kerberos 5 support you should use

default_keys = v5 v4 

> default_etypes_des = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> des-cbc-crc:
> afs-cell = gsf.de
> v4-realm = GSF.DE
> How should I set `default_keys', `default_etypes' and `default_etypes_des'?
> Should I regenerate /etc/krb5.keytab on machines?
> I imagine in that scenario users will have only krb5 tickets,
> there won't be /etc/srvtab etc. However, /usr/vice/etc/UserList will still
> contain principal names in krb4 format with dot ...

yes, (open)afs contains enough compatibility code that converts that for you.

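As an added illustration of the session identifier point made above (not part of this thread, and a simplified model rather than the real SSH or GSS-API message format): HMAC stands in for the GSS MIC, the shared key and the exchange hashes are constructed, and the only thing modelled is whether the authenticator the client sends is tied to the session it is sent on.

```python
import hashlib
import hmac

# Constructed stand-in for the SSH exchange hash H, the session identifier
# both peers derive from the key exchange; two sessions never share one.
def session_identifier(client_kex: bytes, server_kex: bytes) -> bytes:
    return hashlib.sha256(client_kex + server_kex).digest()

def unbound_authenticator(key: bytes, user: bytes) -> bytes:
    """krb4 / pre-mic gssapi style: proves possession of the key, says nothing about the session."""
    return hmac.new(key, b"ssh-userauth:" + user, hashlib.sha256).digest()

def session_bound_mic(key: bytes, session_id: bytes, user: bytes) -> bytes:
    """gssapi-mic style: the MIC covers the session identifier, so it only verifies in that session."""
    return hmac.new(key, session_id + b"ssh-userauth:" + user, hashlib.sha256).digest()

def server_accepts_unbound(key: bytes, session_id: bytes, user: bytes, authenticator: bytes) -> bool:
    # session_id is deliberately unused: the authenticator carries nothing the server
    # could check it against, which is exactly the problem described in the thread.
    return hmac.compare_digest(unbound_authenticator(key, user), authenticator)

def server_accepts_mic(key: bytes, session_id: bytes, user: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(session_bound_mic(key, session_id, user), mic)

def replay_comparison(user: bytes = b"mmokrejs") -> dict:
    """Check one authenticator against the session it was made for and against a second session."""
    key = hashlib.sha256(b"constructed shared key").digest()  # stands in for the Kerberos session key
    session_a = session_identifier(b"client-kex-A", b"server-kex-A")
    session_b = session_identifier(b"client-kex-B", b"server-kex-B")
    unbound = unbound_authenticator(key, user)
    mic_a = session_bound_mic(key, session_a, user)
    return {
        "unbound_same_session": server_accepts_unbound(key, session_a, user, unbound),
        "unbound_other_session": server_accepts_unbound(key, session_b, user, unbound),
        "mic_same_session": server_accepts_mic(key, session_a, user, mic_a),
        "mic_other_session": server_accepts_mic(key, session_b, user, mic_a),
    }

if __name__ == "__main__":
    for name, accepted in replay_comparison().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The unbound authenticator verifies on any session, so it is worth exactly one use to whoever relays it; the session-bound MIC only verifies on the session whose identifier it covers.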