suggestion: move krb5 daemons to krb5-daemons subpackage

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Nov 24 01:44:11 UTC 2004


abo at kth.se (Alexander Boström) writes:

>> > kshd/klogind are fully encrypted if set up correctly...
>> 
>> Setting up krb5 correctly without virtualization technology (e.g. vserver)
>> or much money for extra hardware and powersupply is nearly impossible...
>> Else, you will have only trouble with hostname vs. DNS name conflicts
>> and/or multi-homed hosts.
>
> Arguing that Kerberos is useless/unusable/broken/whatever is futile.
> It's not.

It is impossible in the typical FC environment (2-3 hosts in a
network, where one machine has 'www', 'ldap', 'imap', 'kerberos',
'db' alias-names). You will never get GSSAPI authentication with
MIT kerberos running there.


> It also cannot be replaced with SSH.

I never said this... Just, that the FC kerberos can not be set up
correctly within a vanilla FC environment.


>> The shipped KRB5 implementation misses features like replication or support
>> for renaming of principals; and the rest of the system misses krb5 support
>> completely (cups, w3m, svn), nobody cares about it (e.g. no SPNEGO support
>> in firefox because missing buildrequires) or its implementation is not
>> well-thought (e.g. login for local accounts fails when network is down).
>
> Yes, this should be fixable. I'm mostly interested in Firefox and CUPS.
> Are there bug reports already or should they be filed?

afair, I filed the missing BR for firefox years ago already, it was
fixed then but seems to be broken again.

cups is an upstream issue; there are from time to time requests on the
cups-devel list, but no results yet. For now, I replace KRB with SSH,
and print with 'ssh trusted-host lpr'.



>> ssh is much easier to use and provides neat features like encryption
>> of X11 connections.
>
> Heimdal has secure X11 forwarding.

Yes, Heimdal seems to be far superior to MIT Kerberos. It supports
replication and has better AFS support (although I do not know if this
is still an issue with recent, krb5-based OpenAFS). It is a puzzle why
FC ships MIT Kerberos only...


But I saw the man-page of BSD's implementation of kerberos... Support
for TCP transport and tunneling over HTTP proxies... wow... I want to
have this also...




Enrico




More information about the devel mailing list