summaryrefslogtreecommitdiff
path: root/kerberosV/README
blob: 7c36ae120c3e45b7d209f28036f0ed7f1392dca5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
Warning
=======

This is experimental stuff, don't expect things to work correctly at this
point. Please contact <hin@openbsd.org> if you have questions about the
kerberosV stuff.


Status of the code
==================

The current status is that the libraries, KDC, kadmind, some basic
administrators and users utilities, and the telnet client and server works.


Building
========

To build this stuff, do the following:

# echo "KERBEROS5=Yes" >> /etc/mk.conf
# cd /usr/src/kerberosV
# make build

To get a telnet client and server with kerberos5 support, do the following:

# cd /usr/src/lib/libtelnet
# make ; make install
# cd /usr/src/usr.bin/telnet
# make ; make install
# cd /usr/src/libexec/telnetd
# make ; make install 

The krb5.conf and krb5.keytab files have recently been moved to
/etc/kerberosV directory. If you've previously used this code you should
move those files.


Documentation
=============

Some documentation is available in the `heimdal' info-page, but it is currently
quite incomplete. A number of manpages for library functions are also
available.


BSD Auth
========

There's also a BSD Authentication login script in src/libexec/login_krb5,
which you can enable by typing 

# cd /usr/src/libexec/login_krb5
# make ; make install

Then change the line with "auth-defaults" in /etc/login.conf to include the
string "krb5" at the end of the authentication methods. You should now be
able to login with Kerberos 5 passwords by typing your login name followed
by ":krb5" on the login prompt.

If you put krb5 first in the list of configuration styles, you will be
able to login without type ":krb5" at the end, but we do not recommend it
at this time.

Su does not work at this time, but we expect it to do so in the near future.


TODO
====

Things todo, in no particular order:

 - Make sure to not try krb5 auth when no ticket exists. (same goes for krb4)
   (i think this is actually ok, but it needs to be verified.)
 - hack krb5 support in our passwd - we should probably change to using
   BSD authentication for password changing aswell.
 - Password quality checks in kpasswdd
 - krb5-config script
 - kx, kxd
 - krb5 support in login, xdm, xlock, su and sudo
 - rxtelnet, rxterm
 - pop-server and push
 - rsh, rshd
 - ssh and sshd
 - Test what happens for a user not using kerberos
 - Test all combinations of compat stuff between client, kdc and server
 - Slave propagation k5->k5 and k4->k5
 - Test and document how to upgrade a realm from k4 to k5
 - Test compatibility with other k5 implementations, for example MIT and
   Windows 2000, and document any caveats or tricks
 - Logging
 - Manpages are missing for many library functions, as well as a few
   programs. So we should document them and give back to the Heimdal project.
 - Fix /etc/rc and companions
 - Example configuration installed when system is installed
 - GSS-API support in our ftp client and server