MIT + Heimdal + openssh == cross realm difficulties

Henry B. Hotz hotz at
Wed Feb 9 13:29:19 EST 2005

On Feb 9, 2005, at 12:53 AM, Priit Randla wrote:

> Henry B. Hotz wrote:
>> It's not clear to me why the MIT and Heimdal realms need to be
>> different.
>    The reason is quite embarrassing, actually - total re-branding.
> Total renamification :-) from AAA to BBB.
> Lotsa host/* principals to recreate and change. And 24/7/365 as usual.
> So I have to simply accept that those two realms have to exist and work
> together for some unspecified time.
>> You can import an MIT database into Heimdal with hprop.  Google for
>> the details, but you export a MIT dump file with some specific
>> options and then use hprop to read it into Heimdal.
>    Did it. Unfortunately, all password policies will get lost in the
> process. Which reminds me that I didn't see a way to create and use
> policies under Heimdal...
> Major PIA if these aren't implemented.
> Priit

There is no generic policy framework.  There's just a plug-in interface  
to let you do your own code, which is what I did.  There's an example  
plug-in that includes cracklib in the (current) distribution.  While  
the policies are nice to have for simple set-ups I find them messy and  
they can't match the requirements I have from on high.

Likewise password history won't import because Heimdal doesn't do that.  
  (The example has an inefficient implementation that I didn't use.)

Before you take on the work of changing realms you might make sure that
the rest of the things that won't import are things that actually exist on
the Heimdal side.  Also, since both MIT and Heimdal will compile/run on
pretty much any Unix you might consider if it's better/easier to just
stick with what you've got.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
