
Heimdal and openssh


I am in the process of implementing Heimdal and OpenAFS into our
laboratory network (already using LDAP for NSS). The network contains a
mixed environment of sarge and sid (even one etch, but I plan to upgrade
that to sid soon). Now, the version of Heimdal will be 0.7.1, which has
been in experimental for a while and just made its way to unstable. This
seems to produce a couple of problems (points, rather).

1) Ssh-krb5 (sarge) and openssh 4.2 (sid) will not talk GSSAPI to each
other. I gather from openssh mailing lists that no versions of openssh <4
and >4 will ever talk GSSAPI together due to some security patches made.
Thus this is not a Debian-related problem, but it leads to one.

2) I can either build openssh 3.8 on the sids or 4.2 on the sarges. It's
wiser to build 4.2 on sarges (security and upgrade path), especially since
backports.org has already done that.

3) LDAP needs GSSAPI libraries compiled against Heimdal, not MIT Kerberos
(I assume this has something to do with the service in use being Heimdal,
not MIT). So, install Heimdal GSSAPI libraries on sids, compile and
install them on sarges.

4) Now that I have Heimdal GSSAPI libraries, openssh GSSAPI will not work.
Recompiling openssh against heimdal-dev instead of its declared build-dep
libkrb5-dev solves the problem. Now LDAP SASL works, Heimdal works and
GSSAPI-ssh works and AFS tokens are passed automatically.

5) As a side note: I learned afterwards that AFS token passing with ssh
*needs* openssh compiled against heimdal-dev. Thus compiling everything
against Heimdal is somewhat compulsory here to make AFS work without extra
afslog/aklog commands.

Now my real question: what's the smartest way to keep all these
self-compiled packages up to date? And is it worth filing a bug report
against the various packages involved, asking for versions compiled
against both heimdal-dev and libkrb5-dev? Since there are two reasons
pro-Heimdal and con-MIT [1], should Debian start using Heimdal as its
primary KerberosV implementation? I know Ubuntu people have been
discussing the same question but I don't know what they decided if indeed
there has yet been any decision. One more question: did I make a mistake
somewhere along the road? ;) I would like nothing better than a solution
which does *not* involve packages being compiled by hand. Heimdal 0.7.1
cannot be helped, but how about the others? (Luckily Heimdal is quite
stable and does not need updating very often.)


[1] MIT kerberos is not thread safe (unless my info is outdated) and only
Heimdal is capable of seamlessly integrating with AFS. The first can be
worked around, but the second is probably very important to anyone running
AFS and kerberos.

                | Juha Jäykkä, juolja@utu.fi                    |
                | Laboratory of Theoretical Physics             |
                | Department of Physics, University of Turku    |
                | home: http://www.utu.fi/~juolja/              |
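
A check for the linkage mismatch described in points 3 and 4, as an added example that is not part of the original post: it reads `ldd` output and reports whether each binary pulls in Heimdal's or MIT's GSSAPI library. The soname patterns (`libgssapi.so` for Heimdal, `libgssapi_krb5.so` for MIT), the `LDD` override variable and the sample `ldd` output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit which Kerberos GSSAPI implementation binaries link to.
# Assumption: Heimdal ships libgssapi.so.N and MIT ships libgssapi_krb5.so.N.

# Constructed sample `ldd` output, for trying the classifier offline.
SAMPLE_HEIMDAL='	libgssapi.so.4 => /usr/lib/libgssapi.so.4 (0xb7e00000)
	libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0xb7d00000)'
SAMPLE_MIT='	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7e00000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7d00000)'

# classify_gssapi: read `ldd` output on stdin and print one of
# heimdal, mit, mixed (both libraries present) or none.
classify_gssapi() {
    awk '
        /libgssapi_krb5\.so/ { mit = 1 }
        /libgssapi\.so/      { heimdal = 1 }
        END {
            if (mit && heimdal) print "mixed"
            else if (mit)       print "mit"
            else if (heimdal)   print "heimdal"
            else                print "none"
        }'
}

# audit_gssapi EXPECTED FILE...: print "file: implementation" for each file
# and return 1 if any file is not linked against EXPECTED.
# LDD can be set to a replacement command (hypothetical hook for testing).
audit_gssapi() {
    expected=$1
    shift
    rc=0
    for f in "$@"; do
        impl=$(${LDD:-ldd} "$f" 2>/dev/null | classify_gssapi)
        echo "$f: $impl"
        [ "$impl" = "$expected" ] || rc=1
    done
    return $rc
}

# Stand-alone use: ./audit.sh heimdal /path/to/sshd /path/to/other-binary
[ $# -eq 0 ] || audit_gssapi "$@"
```

SASL mechanism plugins are loaded at run time, so they do not appear in the `ldd` output of the LDAP client itself; pass the plugin file as one of the arguments instead.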
