Date:      Tue, 16 Sep 2008 10:34:51 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        Gunnar Flygt <flygt@sr.se>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Heimdal or MIT for kerberos?
Message-ID:  <200809161434.m8GEYi0Y037839@lava.sentex.ca>
In-Reply-To: <20080910063408.GA99970@sr.se>
References:  <200809071155.m87BtS2H082832@lava.sentex.ca> <20080910063408.GA99970@sr.se>

At 02:34 AM 9/10/2008, Gunnar Flygt wrote:
>I'm very pleased with heimdal 1.1. I compile it from sources. No big
>problem. Compile on one machine and copy the file structure to the other
>at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1
>with the KRB5_HOME flag set to the directory of heimdal. Same thing
>there, compile and make a package on one machine. The KDCs run FreeBSD
>7 and the same release of heimdal as the others.

Hi,
         Thanks for the response!  When you installed heimdal 1.1
from the source, did you overwrite the local libs, or did you keep
everything in /usr/local?  Also, do you use hx509 at all and certs
for pre-auth?

         ---Mike


>On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> > We are looking at deploying Kerberos for better user management (SSO)
> > and 2 factor authentication via pkcs#11 etokens.  The servers are all
> > FreeBSD and the machines principals will log in from a mix of FreeBSD,
> > Windows and Mac OS X using ssh and openvpn.  As part of our compliance
> > project, access must be 2 factor.  The Heimdal in RELENG_7 is a
> > rather old version and doesn't seem to have all the bits needed for
> > x509 pre-auth so I would probably need to install from the ports
> > anyways.   Does anyone have any suggestions as to which
> > implementation to use? We are in Canada so it doesn't matter
> > regulation wise. Is one better maintained than the other?  There are
> > no legacy v4 apps
> > Thanks,
> >
> >         ---Mike
> >
> > --------------------------------------------------------------------
> > Mike Tancsa,                                      tel +1 519 651 3400
> > Sentex Communications,                            mike@sentex.net
> > Providing Internet since 1994                    www.sentex.net
> > Cambridge, Ontario Canada                         www.sentex.net/mike



