1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
Warning
=======
This is experimental stuff, don't expect things to work correctly at this
point. Please contact <hin@openbsd.org> if you have questions about the
kerberosV stuff.
Status of the code
==================
The current status is that the libraries, KDC, kadmind, some basic
administrators and users utilities, and the telnet client and server works.
Building
========
To build this stuff, do the following:
# echo "KERBEROS5=Yes" >> /etc/mk.conf
# cd /usr/src/kerberosV
# make build
To get a telnet client and server with kerberos5 support, do the following:
# cd /usr/src/lib/libtelnet
# make ; make install
# cd /usr/src/usr.bin/telnet
# make ; make install
# cd /usr/src/libexec/telnetd
# make ; make install
The krb5.conf and krb5.keytab files have recently been moved to
/etc/kerberosV directory. If you've previously used this code you should
move those files.
Documentation
=============
Some documentation is available in the `heimdal' info-page, but it is currently
quite incomplete. A number of manpages for library functions are also
available.
BSD Auth
========
There's also a BSD Authentication login script in src/libexec/login_krb5,
which you can enable by typing
# cd /usr/src/libexec/login_krb5
# make ; make install
Then change the line with "auth-defaults" in /etc/login.conf to include the
string "krb5" at the end of the authentication methods. You should now be
able to login with Kerberos 5 passwords by typing your login name followed
by ":krb5" on the login prompt.
If you put krb5 first in the list of configuration styles, you will be
able to login without type ":krb5" at the end, but we do not recommend it
at this time.
Su does not work at this time, but we expect it to do so in the near future.
TODO
====
Things todo, in no particular order:
- Make sure to not try krb5 auth when no ticket exists. (same goes for krb4)
(i think this is actually ok, but it needs to be verified.)
- hack krb5 support in our passwd - we should probably change to using
BSD authentication for password changing aswell.
- Password quality checks in kpasswdd
- krb5-config script
- kx, kxd
- krb5 support in login, xdm, xlock, su and sudo
- rxtelnet, rxterm
- pop-server and push
- rsh, rshd
- ssh and sshd
- Test what happens for a user not using kerberos
- Test all combinations of compat stuff between client, kdc and server
- Slave propagation k5->k5 and k4->k5
- Test and document how to upgrade a realm from k4 to k5
- Test compatibility with other k5 implementations, for example MIT and
Windows 2000, and document any caveats or tricks
- Logging
- Manpages are missing for many library functions, as well as a few
programs. So we should document them and give back to the Heimdal project.
- Fix /etc/rc and companions
- Example configuration installed when system is installed
- GSS-API support in our ftp client and server
|