Juha Jäykkä <[EMAIL PROTECTED]> writes: > 1) Ssh-krb5 (sarge) and openssh 4.2 (sid) will not talk GSSAPI to each > other. I gather from openssh mailing lists that no versions of openssh > <4 and >4 will ever talk GSSAPI together due to some security patches > made. Thus this is not a Debian -related problem, but it leads to one.
Er, huh? wanderer:~> dpkg -l ssh-krb5 Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ ii ssh-krb5 3.8.1p1-10 Secure rlogin/rsh/rcp replacement (OpenSSH w wanderer:~> ssh windlord Last login: Thu Dec 22 21:07:28 2005 from 113.110-113-64.ftth.swbr.surewest.net 23:10:07 up 12 days, 7:22, 28 users, load average: 0.00, 0.01, 0.00 windlord:~> dpkg -l openssh-server Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ ii openssh-server 4.2p1-5 Secure shell server, an rshd replacement Works fine for me. > 3) LDAP needs gssapi libraries compiled against Heimdal, not MIT > kerberos (I assume this has something to do with the service being used > is Heimdal, not MIT.) No, it has to do with thread safety and is partly obsolete now that MIT Kerberos 1.4 is in sid. MIT 1.4 should be fine for OpenLDAP for most purposes (although as I recall Quanah says that it has a lot of trouble compared to Heimdal under load). Anyway, LDAP just uses SASL; it doesn't link with Kerberos directly. So you should be fine installing whatever SASL modules you prefer, whether the Heimdal ones or the MIT ones. > 4) Now that I have Heimdal GSSAPI libraries, openssh GSSAPI will not > work. Um, this doesn't make any sense to me. Two different GSSAPI libraries, two different library names or SONAMEs, should co-exist on the same system just fine. The *development* packages don't co-exist, but the libraries do. I have them both installed at the same time on my system right now. > 5) As a side note: I learned afterwards that AFS token passing with ssh > *needs* openssh compiled againsta heimdal-dev. Don't ever do AFS token passing. Pass your Kerberos tickets with GSSAPI and then use a PAM module to get AFS tokens from your forwarded tickets. AFS token passing is obsolete, insecure, and requires that you use protocol version one. > Now my real question: what's the smartest way to keep all these > self-compiled packages up to date? I'm pretty sure you shouldn't need to do any of this. :) > [1] MIT kerberos is not thread safe (unless my info is outdated) MIT Kerberos is thread-safe as of 1.4. > and only Heimdal is capable of seamlessly integrating to AFS. MIT Kerberos works fine with AFS, but I admit that you have to go to marginally more effort. Not enough to deter me from using MIT, but if you prefer Heimdal, I won't stand in your way. :) > The first can be worked around, but the second is probably very > important to anyone running AFS and kerberos. Not really. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
