
Re: ITP Heimdal (Kerberos 5)



> 
> Date:    23 Dec 1999 19:17:57 +1100
> To:      debian-devel@lists.debian.org
> From:    Brian May <bam@debian.org>
> Subject: ITP Heimdal (Kerberos 5)
> 
> Hello All,
> 
> Heimdal is a free implementation of Kerberos that is not affected by
> US export restrictions. While it is still under active development, it
> seems to be mostly usable.
> 
> I have packaged a preliminary version of it.

Where?? Can I get and try it?

> It still has a number
> of faults (the first one is the most urgent, the second one
> is one I would rather ignore ;-), the rest are minor and
> should be easy to fix):
> 
> this list will act as a list

Sounds good to me... :)

> to remind me what still needs
> to be done.
> 
> - not sure about splitting of packages. Currently I have:
> heimdal-clients - contains all clients, including ftp, telnet.

About clients... Please consider the pam kerberos module by Mr. Itoi;

http://www-personal.engin.umich.edu/~itoi/ is his site.

pam_krb5 could make clients unnecessary; libpamc might help with 
using tickets as authentication.

He is in the US, so I don't know about restrictions. I have emailed
him asking about export restrictions and licenses; I will post to
this thread (or try to :) when he replies.

Further, Mr. Itoi has been working on a form of PAM for Win NT, and
a module for it that is said to work with Kerberos. Information about
it is at the same place as above. Perhaps this could mean that a Debian
machine could completely act as password server for an NT server which
clients log onto. If not by Kerberos, perhaps by another method: Itoi
indicated the difficulty in debugging the "GINA" shared lib which NT
uses to authenticate is made larger by the fact that any changes to
that .dll require a reboot of the machine. His effort at PAMifying
NT could mean that creating other ways to authenticate could be easier
and faster, since no reboot is needed to remove and re-insert a module.

You may have heard that Microsoft has announced that Windows 2000 will
use Kerberos 5 as its authentication protocol. However, closer examination
revealed that Microsoft intends to "embrace and extend" the protocol, 
which as most of you know is MicroSpeek for "we're gonna break it so
we can make money and make sure the free stuff we derived it from doesn't
work". Indeed, you cannot compile a kerberos main server (or KDC) and
use it with windows 2000. Microsoft has prevented that, and licensed
the microsoftized KDC to a few unix vendors.

I haven't looked close enough yet, but it seems possible that Mr. Itoi's
"NI-Pam" (described above) might be able to allow what Microsoft has
tried to prevent: maybe it allows a KDC sitting on a linux box to act
as a password server for an NT server serving NT workstation clients.

Mr. Itoi has asked about pamized login, and where can he get it. I think
I replied correctly; I may have been mistaken on the source for it. Point
here is, it might be possible to establish a relationship or at least a
conversation with Mr. Itoi to mutual benefit.

> heimdal-servers - contains all servers except KDC.
>                eg telnetd, ftpd, popper (supports Maildir).
>                servers are in /usr/libexec.
>                also contains /usr/bin/login - not sure yet what
>                to do with the two different versions of login...
>                telnetd uses /usr/bin/login, debian uses /bin/login.
>                There is no real conflict between the two versions.

As stated above, Mr. Itoi's pam_krb5 module allows password-style 
authentication (and maybe even ticket-based auth) hooked up to anything
pam can do.

> heimdal-kdc - server for KDC

Can a different KDC be used also? Just fill in the config files and go?

> Where/how should I distribute the result? master is out of the
> question, as it is non-US software. I am not sure it is stable enough
> yet for slink (maybe when I get the packages split up in the optimal
> way). Comments anyone?

You can probably set up an http package mirror somewhere outside the 
US. dpkg-scanpackages and dpkg-scansources are usable here to create
Packages.gz and Sources.gz files.

-Jim

---
Jim Lynch       Finger for pgp key
as Laney College CIS admin:  jim@laney.edu   http://www.laney.edu/~jim/
as Debian developer:         jwl@debian.org  http://www.debian.org/~jwl/
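What dpkg-scanpackages actually produces for such a mirror is a Packages file: one stanza per .deb, made of the package's control fields plus Filename, Size and a checksum of the archive. The following is an added example, not code from this thread, from Heimdal or from dpkg: a small Python re-implementation of that scan, with a parser for the .deb container (an "ar" archive holding debian-binary and control.tar.*) so the index can be generated and inspected offline. The package name, version and control text in build_deb() are constructed fixtures; the SHA256 line is our addition (the dpkg-scanpackages of that era wrote only MD5sum). One caveat worth keeping in mind with an http mirror: the checksums let apt verify each .deb against the index, but nothing here authenticates the index itself, so the mirror and the transport still have to be trusted.

```python
"""Build and parse a Debian Packages index from a directory of .deb files.

Added example, not from the e-mail thread, Heimdal or dpkg itself.  It
mirrors what dpkg-scanpackages does; SHA256 is an addition of ours.
"""
import hashlib
import io
import os
import tarfile
import tempfile

AR_MAGIC = b"!<arch>\n"


def ar_members(data: bytes):
    """Yield (name, body) for each member of a classic 'ar' archive (.deb outer container)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(data):
        hdr = data[off:off + 60]  # 60-byte fixed header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        body = data[off + 60:off + 60 + size]
        if len(body) != size:
            raise ValueError("truncated ar member %r" % name)
        yield name, body
        off += 60 + size + (size & 1)  # members start on even offsets


def deb_control(data: bytes) -> str:
    """Return the text of the 'control' file inside a format-2.0 .deb."""
    members = dict(ar_members(data))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a format-2.0 .deb")
    for name, body in members.items():
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:  # auto-detects gz/xz
                for m in tar.getmembers():
                    if m.name in ("control", "./control"):
                        return tar.extractfile(m).read().decode("utf-8")
    raise ValueError("no control file in .deb")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_packages(directory: str, path_prefix: str = ".") -> str:
    """Emit a Packages file for every *.deb in directory (what dpkg-scanpackages does)."""
    stanzas = []
    for deb in sorted(os.listdir(directory)):
        if not deb.endswith(".deb"):
            continue
        with open(os.path.join(directory, deb), "rb") as fh:
            data = fh.read()
        stanzas.append(
            deb_control(data).rstrip("\n")
            + "\nFilename: %s/%s\nSize: %d\nMD5sum: %s\nSHA256: %s\n"
            % (path_prefix, deb, len(data), md5_hex(data), sha256_hex(data))
        )
    return "\n".join(stanzas)  # stanzas are blank-line separated


def parse_packages(text: str) -> list:
    """Parse Packages text into a list of dicts; continuation lines start with whitespace."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last is not None:
            cur[last] += "\n" + line
        else:
            key, _, val = line.partition(":")
            cur[key] = val.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def _ar_member(name: str, body: bytes) -> bytes:
    hdr = ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(body))).encode("ascii")
    return hdr + body + (b"\n" if len(body) % 2 else b"")


def build_deb(control_text: str) -> bytes:
    """Constructed fixture: a minimal .deb with the given control text and an empty data member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = control_text.encode("utf-8")
        info = tarfile.TarInfo("./control")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", buf.getvalue()) + _ar_member("data.tar.gz", b""))


def demo():
    """Build one constructed .deb (name/version invented), index it, and return (stanzas, deb_bytes)."""
    deb = build_deb("Package: heimdal-kdc\nVersion: 0.2-1\nArchitecture: i386\n"
                    "Maintainer: Brian May <bam@debian.org>\nDescription: Heimdal Kerberos KDC\n"
                    " Constructed sample stanza, not a real package.\n")
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "heimdal-kdc_0.2-1_i386.deb"), "wb") as fh:
            fh.write(deb)
        return parse_packages(scan_packages(tmp, "pool")), deb


if __name__ == "__main__":
    print(scan_packages(os.curdir))
```

Run it in a directory of .deb files and gzip the output to get the Packages.gz an apt client expects; demo() shows the same flow on a constructed package without touching the filesystem beyond a temporary directory.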
