
Re: Heimdal and openssh



Juha Jäykkä <juhaj@iki.fi> writes:

> 1) Ssh-krb5 (sarge) and openssh 4.2 (sid) will not talk GSSAPI to each
> other. I gather from openssh mailing lists that no versions of openssh
> <4 and >4 will ever talk GSSAPI together due to some security patches
> made.  Thus this is not a Debian-related problem, but it leads to one.

Er, huh?

wanderer:~> dpkg -l ssh-krb5
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  ssh-krb5       3.8.1p1-10     Secure rlogin/rsh/rcp replacement (OpenSSH w
wanderer:~> ssh windlord
Last login: Thu Dec 22 21:07:28 2005 from 113.110-113-64.ftth.swbr.surewest.net
 23:10:07 up 12 days,  7:22, 28 users,  load average: 0.00, 0.01, 0.00

windlord:~> dpkg -l openssh-server
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  openssh-server 4.2p1-5        Secure shell server, an rshd replacement

Works fine for me.

> 3) LDAP needs gssapi libraries compiled against Heimdal, not MIT
> kerberos (I assume this has something to do with the service being used
> is Heimdal, not MIT.)

No, it has to do with thread safety and is partly obsolete now that MIT
Kerberos 1.4 is in sid.  MIT 1.4 should be fine for OpenLDAP for most
purposes (although as I recall Quanah says that it has a lot of trouble
compared to Heimdal under load).

Anyway, LDAP just uses SASL; it doesn't link with Kerberos directly.  So
you should be fine installing whatever SASL modules you prefer, whether
the Heimdal ones or the MIT ones.

> 4) Now that I have Heimdal GSSAPI libraries, openssh GSSAPI will not
> work.

Um, this doesn't make any sense to me.  Two different GSSAPI libraries,
two different library names or SONAMEs, should co-exist on the same system
just fine.  The *development* packages don't co-exist, but the libraries
do.  I have them both installed at the same time on my system right now.

> 5) As a side note: I learned afterwards that AFS token passing with ssh
> *needs* openssh compiled against heimdal-dev.

Don't ever do AFS token passing.  Pass your Kerberos tickets with GSSAPI
and then use a PAM module to get AFS tokens from your forwarded tickets.
AFS token passing is obsolete, insecure, and requires that you use
protocol version one.

> Now my real question: what's the smartest way to keep all these
> self-compiled packages up to date?

I'm pretty sure you shouldn't need to do any of this.  :)

> [1] MIT kerberos is not thread safe (unless my info is outdated)

MIT Kerberos is thread-safe as of 1.4.

> and only Heimdal is capable of seamlessly integrating to AFS.

MIT Kerberos works fine with AFS, but I admit that you have to go to
marginally more effort.  Not enough to deter me from using MIT, but if you
prefer Heimdal, I won't stand in your way.  :)

> The first can be worked around, but the second is probably very
> important to anyone running AFS and kerberos.

Not really.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
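The setup Russ recommends above (forward Kerberos tickets with GSSAPI over protocol 2, then let a PAM session module turn the delegated ticket into an AFS token) as an added configuration example; it is not part of the original message. The file paths follow a Debian-style layout and the pam_afs_session module name is an assumption; adjust both to your packaging.

```conf
# Added example, not from the original post. Replaces protocol-1 AFS token
# passing with GSSAPI credential delegation plus a PAM session module.
# Paths and the pam_afs_session module name are assumptions for a
# Debian-style layout.

# --- client side: ~/.ssh/config or /etc/ssh/ssh_config ---
Host *.example.org
    GSSAPIAuthentication yes
    # Forward the TGT so the server can obtain AFS tokens on your behalf.
    # Only delegate to hosts you trust with a copy of your credentials.
    GSSAPIDelegateCredentials yes

# --- server side: /etc/ssh/sshd_config ---
# AFS token passing only exists for protocol 1; protocol 2 only here.
Protocol 2
GSSAPIAuthentication yes
# Delete the delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
# Needed so the session stack below runs with KRB5CCNAME set by sshd.
UsePAM yes
# If your build still knows the old protocol-1 option, leave it off:
# AFSTokenPassing no

# --- server side: /etc/pam.d/sshd ---
# sshd exports the delegated cache as KRB5CCNAME into the PAM environment;
# pam_afs_session uses it to obtain an AFS token for the login session and
# releases the token at logout. "optional" keeps non-Kerberos logins working.
session optional pam_afs_session.so
```

Check the result on the server with `klist` (delegated ticket present) and `tokens` (AFS token present) in a freshly opened session; if only the first succeeds, the PAM session stack is where to look.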