Native Mac OSX Kerberos clients and SecurID

Derek Bastille bastille at arsc.edu
Fri Oct 11 03:41:11 EDT 2002


  While researching getting Fetch to work with the HPCMP-flavor of
Kerberos5, I found that the Kerberos5 tools included with OS X 10.2 appear
to work just fine for getting tickets and doing kerberized telnet and ftp
connections to ARSC systems.  However, the bundled bsd-style r-services
failed to connect (rlogin gave an 'Error 0.').  In fact, once I had gotten
the tickets using the bundled kinit, Fetch was able to use that ticket to
make kerberized-ftp connections.
  The main problem that I ran into (other than the r-services) was that the
MIT Kerberos GUI (included with the krb-extras kit for 10.2) got very
confused by the extra SecurID Passcode step/prompt and locked up.  Also, I
could not seem to find where the bundled kinit stores its ticket cache.
  So, the questions:

-- Given that the bundled OS X kerberos tools create tickets using the
SecurID card (including setting the hardware pre-auth flag in the ticket),
is it acceptable to use the already bundled tools in OS X?  Or are there
other issues that would require us to stick with just the tools distributed
on kirby?

-- (for the MIT folks): Would y'all be willing to update the krb5-extras
GUI so that it can support the extra SecurID 'Passcode' prompt?

-- Where does the OS X version store its krb5 cache?

-- Is there a setting/option/etc that can be fed to the r-services to get
them to use the ticket generated by the bundled kinit?

Finally,

-- The HPCMO ticket cache appears to be in a different format than the MIT
ticket cache.  Is this true?  Will the formats be synchronized at some
point in the future?

  Thanks to all of you who've put so much work into these tools!

Regards,
  Derek
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                        Derek Bastille | Phone: (907)474-5793
    PO Box 756020, Fairbanks AK, 99775 | Fax:   (907)474-5494
   Arctic Region Supercomputing Center | email: bastille at arsc.edu
User Services Consultant/ISSO-Accounts | http://www.arsc.edu/~bastille
                              Visit WWW page for my PGP public key
----------------------------------------------------------------------
    ARSC Help Desk:  email: consult at arsc.edu  voice: (907)474-5102
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


