Date: Sun, 24 Nov 2002 05:48:22 +0100 (CET)
From: Peter Much <pmc@citylink.dinoex.sub.org>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos is set up - now what?
Message-ID: <200211240448.gAO4mOk10009@disp.oper.dinoex.org>
Hi all,

as it seems to me, Kerberos5 is mostly unsupported in FreeBSD. Yes, this is going to be a rant.

If you have appropriate Kerberos support, no rsh, rlogin, ftp, telnet or elsewhat will ever ask you for a password, if you log in to an account where you are allowed to do so via its .klogin file. This means that support for Kerberos5 needs to be built into the servers and clients for ftp, telnet, rsh, rlogin, etc. It is not enough to just run a kerberos5 server (aka kdc) and make logins kerberos-aware via PAM.

This was already implemented with FreeBSD 2.2 and kerberos4, at least for rsh and rlogin, but now(*) with Kerberos5, if I connect to the kshell port, I just get:

    rshd[8654]: usage: rshd [-alnDL]

Furthermore, it is possible to do session encryption based on the principal, so essentially we could throw ssh etc. and all that crap completely into the wastebasket, and instead have a third-party based authentication scheme with single-sign-on over the whole network and a central (and replicable) server that can optionally be administered remotely. (Supposing the crypt stuff inside kerberos5 is hardened enough for today's purposes.)

Ok, I do not know of any unix distribution that actually engages these possibilities, but they are there. Well, AIX got fairly far with 4.3.3: telnet and ftp and all the rsh stuff actually work without passwords there, and K4 and K5 and standard logins all work simultaneously. But when I asked the support how to run telnet with session encryption based on my DCE/K5 principal (aka "packet-level privacy", as documented for DCE and practically used in DFS), they shrugged and suggested that I install ssh!

(*) "now" means FreeBSD 4.4; I didn't get the time to upgrade further yet. No doubt the PAM integration has evolved since then, but it doesn't look like really substantial progress over what I described above.

PMc