MIT kerberos and ssh

---

• From: "Michael D. Norwick" <mnorwick@xxxxxxxxxxxxxx>
• Date: Mon, 19 Jun 2006 21:59:06 -0500

---

I didn't get any replies on freebsd-questions for this one maybe someone here could help?

-------------------------------------------------------------------

I have been trying to get a working MIT Kerberos KDC on a server running 6.1-Release. I have been able to keep the heimdal version from being built during several past 'make worlds' and I have compiled and installed MIT krb5 from /usr/ports (current per portmanager). I have
been getting an error tryiing to start sshd (also built from /usr/ports), it complains about not finding 'libkrb5.so.8' then exits.
I have been able to start the KDC but have not gotten much further as I would like to fix the ssh problem first. My questions are as follows:
1. Is libkrb5.so.8 a heimdal library?
2. Which source directories are the correct ones to use, /usr/src/kerberos - /usr/src/secure, or /usr/ports/security/krb5 -
/usr/ports/security/openssh?
3. Why are there two different directories i.e; /usr/src and /usr/ports for the same source?
4. How do I get 'kerberized' ssh and give configure directives to the krb5 make to include GSSAPI support?
5. Is there a certain build order for MIT kerberos and openssh?

I have read both the Handbook and the 'Complete' book on this subject and have not been able to glean enough information to get me going,
Google didn't help much either. I have 6 Debian clients, 2 WinXP clients, and 1 Debian KDC slave and wanted this machine to be an MIT-KDC
master and yet avoid the apparent 'kadmin' server incompatibility between Heimdal and MIT Kerberos (which all the Debian clients run). I
am also very comfortable with the MIT version. Any words of wisdom would be greatly appreciated.

Michael

_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: MIT kerberos and ssh
    • From: Tillman Hodgson

• Prev by Date: Re: [RFC][patch] dhclient Classless Static Routes support
• Next by Date: TLS - implementing linux one in fbsd
• Previous by thread: openospfd doesn't "See" gre/gif
• Next by thread: Re: MIT kerberos and ssh
• Index(es):
  • Date
  • Thread

---

Relevant Pages Correct build order for MIT krb5 and ssh ... I have been able to start the KDC but have not gotten much further as I ... Which source directories are the correct ones to use, ... Is there a certain build order for MIT kerberos and openssh? ... between Heimdal and MIT Kerberos (which all the Debian clients run). ... (freebsd-questions) [UNIX] Multiple Vulnerabilities in Old Releases of MIT Kerberos ... Beyond Security would like to welcome Tiscali World Online ... Multiple vulnerabilities have been found in MIT Kerberos 5 releases prior ... MIT recommends updating to 1.2.7 if possible. ... * A remote user can crash the KDC. ... (Securiteam) MITKRB5-SA-2003-001: Multiple vulnerabilities in old releases of MIT Kerberos ... Multiple vulnerabilities in old releases of MIT Kerberos ... Severity: CRITICAL: Remote user can crash KDC, ... other KDCs in the same realm; it will iterate through this list a few ... (Bugtraq) Encryption Type wrong ... For both the KDC and the Kerberos-Clients I have configured them to use only the dec-crc-cbc:default encryption type. ... Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with the des-cbc-crc:normal encryption type in store. ... # The following encryption type specification will be used by MIT Kerberos ... (comp.protocols.kerberos)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > hackers  > 2006-06