Re: 0.6.4 krb4 / kaserver redux



On Sat, 2005-06-04 at 14:49 +0200, Love Hörnquist Åstrand wrote:
> "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu> writes:
> 
> > - add automatic reauthentication to kinit
> >   * unlike John Bucy's original patch for 0.6.3, this one saves the
> >     password in a pipe so it's only in process memory while it's being
> >     used
> >   * probably a future version should get a max-renewable-life ticket
> >     and renew it periodically, instead of this hack
> 
> This functionality is already in 0.7 snapshot, please test it and see that
> it does what you want.

First I need to find a way to upgrade openssl without breaking the
world :) since the 0.7 snapshots I tried didn't like openssl 0.9.6.
It'll happen eventually but not right now.

> > - su now gets (well, 524s) a krb4 ticket as well as the krb5 ticket and
> >   token
> >   * ideally this patch will become obsolete here when I put this stuff
> >     into wide distribution, but during testing I prefer not to need to
> >     kinit after su in order to connect to older systems
> 
> I'm considering including this. But can't those site admins that really
> have to deal with Kerberos 4 just type "kinit -9" ?

In our case, it's a matter of having things work as much as possible the
way they did with the krb4 world.  It's bad enough that I need to keep a
krb4-based OpenSSH around on the newer systems so we can authenticate to
the old machines that aren't being upgraded to krb5....

-- 
brandon s. allbery   [linux,solaris,freebsd,perl]      allbery@kf8nh.com
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH
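
The "password in a pipe" approach from the quoted kinit item, as an added example in C that is not code from the patch discussed in this thread: the secret is parked in the kernel's pipe buffer and copied into a user-space buffer only for the duration of each use. The names `secret_pipe`, `secret_stash`, `secret_use` and `demo_match` are hypothetical, and the password is constructed sample input.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define SECRET_MAX 512  /* _POSIX_PIPE_BUF: a write this small never blocks on an empty pipe */

struct secret_pipe { int fd[2]; size_t len; };  /* hypothetical type, not from the patch */

/* Zero through a volatile pointer so the stores are not optimized away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Park the secret in the kernel pipe buffer, then wipe the caller's copy. */
int secret_stash(struct secret_pipe *sp, char *pw, size_t len) {
    if (len == 0 || len > SECRET_MAX || pipe(sp->fd) != 0) return -1;
    fcntl(sp->fd[0], F_SETFD, FD_CLOEXEC);  /* keep both ends out of exec'd children */
    fcntl(sp->fd[1], F_SETFD, FD_CLOEXEC);
    sp->len = len;
    ssize_t w = write(sp->fd[1], pw, len);
    wipe(pw, len);
    return w == (ssize_t)len ? 0 : -1;
}

/* Pull the secret out for one call to use(), put it back, wipe the local copy. */
int secret_use(struct secret_pipe *sp, int (*use)(const char *, size_t, void *), void *ctx) {
    char buf[SECRET_MAX];
    int rc = -1;
    if (read(sp->fd[0], buf, sp->len) == (ssize_t)sp->len) {
        rc = use(buf, sp->len, ctx);
        if (write(sp->fd[1], buf, sp->len) != (ssize_t)sp->len) rc = -1;
    }
    wipe(buf, sizeof buf);
    return rc;
}

/* Constructed stand-in for the reauthentication step: compares against ctx. */
static int demo_match(const char *pw, size_t len, void *ctx) {
    return strlen(ctx) == len && memcmp(pw, ctx, len) == 0;
}

int main(void) {
    char pw[] = "constructed-password";  /* constructed sample input */
    struct secret_pipe sp;
    if (secret_stash(&sp, pw, sizeof pw - 1) != 0) return 1;
    int ok = secret_use(&sp, demo_match, "constructed-password") == 1
          && secret_use(&sp, demo_match, "constructed-password") == 1;
    close(sp.fd[0]); close(sp.fd[1]);
    return ok ? 0 : 1;
}
```

The secret still exists in kernel memory for the life of the pipe, and anything that can read the descriptor can read the password, which is why both ends are marked close-on-exec.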