Hi Carl,
Actually, this patch is incorporated in 2.3. If anyone has any additional
patches or instructions or even feature requests for the Kerberos (or any
other feature in 2.3), please drop me an email.
Thanks,
-Anne
On Fri, Sep 15, 2000 at 04:53:42PM -0400, Carl J. Nobile wrote:
> Okay, configuration is simple.
>
> This is from the patch info I got from Anne:
>
> Note that you may need to edit /etc/ssh2/sshd2_config to add
> "kerberos-tgt" and "kerberos" to AllowedAuthentications. You may also
> need to edit the AllowedAuthentications line in the client's
> configuration file (/etc/ssh2/ssh2_config and/or ~/.ssh2/ssh2_config)
> to add these methods on the AllowedAuthentications line. (Note that
> they are all allowed by default, but the default
> /etc/ssh2/sshd2_config file contains an AllowedAuthentications line
> that disables them. In my opinion we should comment out the
> AllowedAuthentications line from the default config file that installs
> with the distribution.)
>
> This patch set should implement the same level of Kerberos support
> that SSH1 has, i.e.:
> - Authenticating to remote host using Kerberos credentials
> - Authenticating to remote host using forwardable TGT (ticket
> granting ticket) and passing TGT to remote host for single sign-on
> - Kerberos password authentication, plus implicit "kinit -f" (i.e.,
> when logging in using Kerberos password, the ticket granting
> ticket is added to user's credentials for single sign-on)
> - supports local name being different from kerberos name and
> cross-realm authentication (i.e., the <user>@<realm> syntax for -l).
>
> Only Kerberos5 is supported (as is the case also with SSH1; MIT
> considers Kerberos4 "dead" anyway).
>
> Good luck, Carl
>
>
> On 15-Sep-00 Mike Friedman wrote:
> > On Fri Sep 15 11:43:21 2000, Carl J. Nobile said:
> >
> >> Make real sure that kerberos was made with shared libs. It doesn't
> >> really matter to ssh, either way will work fine, but an ldd sshd2 won't
> >> find the static libs. I had to tell ./configure to make the shared
> >> libs for kerberos. Below was my command line.
> >>
> >> ./configure --enable-shared --prefix=/usr/local/krb5-1.1.1
> >> --without-krb4
> >
> > Carl,
> >
> > You're right; my mistake. I did build Kerberos with static libs.
> >
> > (I'm still wondering, though, why libcom_err was missing, since that
> > library has existed in all the releases of Kerberos5).
> >
> > Anyway, assuming I now have Kerberos support in my ssh2/sshd2, where is
> > the Kerberos-related documentation? I'm particularly interested in a
> > couple of things right now:
> >
> > o the appropriate configuration options for using Kerberos
> >
> > o whether sshd does 'proxy' Kerberos authentication (ie, accepting a
> >   Kerberos password over the ssh connection and authenticating on
> >   behalf of the user principal), as well as validating Kerberos
> >   service tickets from a (kerberized) ssh client.
> >
> > Thanks.
> >
> > Mike
> >
> > ----------------------------------------------------------------------------
> > Mike Friedman                                          [EMAIL PROTECTED]
> > Communication & Network Services                       +1-510-642-1410
> > University of California at Berkeley
> > http://ack.Berkeley.EDU/~mikef
> > ----------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> E-Mail: Carl J. Nobile <[EMAIL PROTECTED]>
> Date: 15-Sep-00 Phone: 315-453-2912 Ex. 5336
> Time: 16:51:21 Fax: 315-479-0859
>
> Software Engineering Group -- AppliedTheory Corp.
> 224 Harrison Street, 6th Floor, Syracuse, NY 13202
> ------------------------------------------------------------------------
>
-------------------------------------------------------------------------
Anne Carasik | PEBKAC - Problem exists between
Principal Consultant | keyboard and chair.
SSH Communications Security, Inc. |
Email: [EMAIL PROTECTED] | DhP - Doctor of Reverse Psychology
-------------------------------------------------------------------------
PGP Key fingerprint = DA01 3999 6A1C 8124 7EA1 345F 4313 736C 1849 1F98
-------------------------------------------------------------------------
Unless stated otherwise above, the opinions expressed herein are my own,
not of my employer.
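The AllowedAuthentications edit described in Carl's note, as an added example that is not part of the thread and not code from the ssh2 distribution: a small POSIX shell check run over constructed sshd2_config fragments, showing the default-style line that leaves the Kerberos methods out beside the corrected one and the commented-out variant. The method names "kerberos-tgt" and "kerberos" and the behaviour of the built-in default are taken from the note above; the comma-separated list syntax of the AllowedAuthentications line and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from the ssh2 distribution.
# Checks whether an sshd2_config enables the Kerberos methods the patch
# adds. The three config texts below are constructed samples standing in
# for /etc/ssh2/sshd2_config; the comma-separated list syntax is assumed.

# Default-style line: lists other methods only, so Kerberos is disabled.
DEFAULT_CFG='# sshd2_config (constructed sample)
Port 22
AllowedAuthentications  publickey,password'

# Corrected line: adds kerberos-tgt and kerberos to the list.
FIXED_CFG='# sshd2_config (constructed sample)
Port 22
AllowedAuthentications  kerberos-tgt,kerberos,publickey,password'

# Commented-out line: the daemon's built-in default then applies, which
# the note above says allows all methods.
COMMENTED_CFG='# sshd2_config (constructed sample)
Port 22
#AllowedAuthentications  publickey,password'

# kerberos_enabled CONFIG_TEXT
# Prints "yes", "yes (built-in default)" or "no: <methods listed>" and
# returns 0 when both Kerberos methods are usable, 1 otherwise.
kerberos_enabled() {
    # Last uncommented AllowedAuthentications line wins.
    line=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -i '^[[:space:]]*AllowedAuthentications[[:space:]]' \
        | tail -n 1)
    if [ -z "$line" ]; then
        echo "yes (built-in default)"
        return 0
    fi
    # Second field is the comma-separated method list; wrap it in commas
    # so "kerberos" cannot match inside "kerberos-tgt".
    methods=$(printf '%s\n' "$line" | awk '{print $2}')
    wrapped=",$methods,"
    case "$wrapped" in *,kerberos-tgt,*) have_tgt=1 ;; *) have_tgt=0 ;; esac
    case "$wrapped" in *,kerberos,*)     have_krb=1 ;; *) have_krb=0 ;; esac
    if [ "$have_tgt" -eq 1 ] && [ "$have_krb" -eq 1 ]; then
        echo "yes"
        return 0
    fi
    echo "no: $methods"
    return 1
}

# Stand-alone run over the three samples.
for cfg in "$DEFAULT_CFG" "$FIXED_CFG" "$COMMENTED_CFG"; do
    kerberos_enabled "$cfg" || true
done
```

Run it against the real file with `kerberos_enabled "$(cat /etc/ssh2/sshd2_config)"`; the client side (/etc/ssh2/ssh2_config or ~/.ssh2/ssh2_config) can be checked the same way. The check only understands a single comma-separated list on the line; it does not cover the build half of the thread, for which `ldd sshd2` should show libkrb5 and libcom_err as shared objects, since a statically linked Kerberos will not appear there.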