MIT + Heimdal + openssh == cross realm difficulties
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Feb 9 13:29:19 EST 2005
On Feb 9, 2005, at 12:53 AM, Priit Randla wrote:
> Henry B. Hotz wrote:
>
>> It's not clear to me why the MIT and Heimdal realms need to be
>> different.
>
> The reason is quite embarrassing, actually - total re-branding.
> Total renamification :-) from AAA to BBB.
> Lotsa host/* principals to recreate and change. And 24/7/365 as usual.
> So I have to simply
> accept that those two realms have to exist and work together for some
> unspecified time.
>
>> You can import an MIT database into Heimdal with hprop. Google for
>> the details, but you export a MIT dump file with some specific
>> options and then use hprop to read it into Heimdal.
>
> Did it. Unfortunately, all password policies will get lost in the
> process. Which reminds me that I didn't see a way to create and use
> policies under Heimdal...
> Major PIA if these aren't implemented.
>
> Priit
There is no generic policy framework. There's just a plug-in interface
to let you do your own code, which is what I did. There's an example
plug-in that includes cracklib in the (current) distribution. While
the policies are nice to have for simple set-ups I find them messy and
they can't match the requirements I have from on high.
Likewise password history won't import because Heimdal doesn't do that.
(The example has an inefficient implementation that I didn't use.)
Before you take on the work of changing realms you might make sure that
the rest of the things that won't import are things that actually exist on
the Heimdal side. Also since both MIT and Heimdal will compile/run on
pretty much any Unix you might consider if it's better/easier to just
stick with what you've got.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
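The two practical points in this exchange are the hprop import itself (MIT dump in, Heimdal database out) and the advice to check, before committing to the realm change, what the dump contains that Heimdal will not take. The script below is an added example, not code from this thread or from the Heimdal project: it runs a pre-flight check over an MIT `kdb5_util dump` file, reporting the dump-format version and listing the password-policy records (which hprop does not carry over, since Heimdal has no equivalent object), and then pipes the dump through `hprop --source=mit-dump` into `hpropd --stdin` on the Heimdal KDC. Assumptions: `hprop`/`hpropd` are Heimdal's and on the PATH, the Heimdal KDC is stopped while loading, and the dump-format versions your `hprop` accepts match what your `kdb5_util` writes (check hprop(8) for your release). Handling of the master key used to encrypt the keys in the dump is not covered here; consult hprop(8) and the Heimdal documentation for your version before relying on the imported keys.

```shell
#!/bin/sh
# Added example (not from the original thread or the Heimdal project):
# pre-flight check plus the hprop/hpropd pipeline for loading an MIT KDC
# dump into a Heimdal KDC.
# Assumptions: the dump was written with "kdb5_util dump" on the MIT side,
# hprop/hpropd are Heimdal's (in PATH), and the Heimdal KDC is stopped.
# Which dump-format versions hprop accepts varies by Heimdal release; the
# header check below only reports the version so you can compare it with
# your hprop(8) man page.

# Print the dump-format version from the first line, or fail if the file
# does not start with the "kdb5_util load_dump version N" header that
# kdb5_util writes.
dump_version() {
    head -n 1 "$1" | awk '
        $1 == "kdb5_util" && $2 == "load_dump" && $3 == "version" {
            print $4; found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Count the password-policy records in the dump.  hprop does not carry
# these over, so each one is a policy you must re-implement on the Heimdal
# side (for example in a password-quality plug-in) or consciously drop.
count_policies() {
    awk -F '\t' '$1 == "policy" { n++ } END { print n + 0 }' "$1"
}

# Names of the policies, for the migration notes.
list_policies() {
    awk -F '\t' '$1 == "policy" { print $2 }' "$1"
}

migrate() {
    dump=$1
    ver=$(dump_version "$dump") || {
        echo "$dump: not a kdb5_util dump (missing load_dump header)" >&2
        return 1
    }
    echo "dump format version: $ver"
    n=$(count_policies "$dump")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n MIT password policy record(s) will NOT be imported:" >&2
        list_policies "$dump" | sed 's/^/  /' >&2
    fi
    # Convert and load in one step: hprop reads the MIT dump and emits
    # Heimdal's propagation stream on stdout; hpropd --stdin writes it
    # into the local Heimdal database instead of listening on the network.
    hprop --source=mit-dump --database="$dump" --stdout | hpropd --stdin
}

# Usage: sh mit2heimdal.sh /path/to/mit.dump   (run on the Heimdal KDC)
if [ $# -gt 0 ]; then
    migrate "$1"
fi
```

Run the pre-flight part first on a copy of the dump and keep the policy list with the migration notes; the policies themselves, and any password history, have to be rebuilt by hand on the Heimdal side, which is exactly the kind of gap the reply above suggests weighing before changing realms.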