I think I’ve got Kerberos pretty well set up. Followed the
instructions in the RH reference guide pretty much exactly. Even have
a RH 7.2 box that’s able to kinit. I can’t think of any real
snags I hit during the process of setting up the client or the server.
One apparent disappointment is that if I kinit, ssh doesn’t
magically use this token to authenticate me, apparently. I still have
to enter a password. I used authconfig on the Kerberos server
(which is also the server I’m trying to SSH to — is this a problem?)
to turn off LDAP and turn on Kerberos. (I have a diff like I did
against /etc for LDAP, but I have to clean it up. Maybe I’ll post
it tomorrow.) It seems, though, that pam_krb5 just bounces your
password against the Kerberos server to see if it sticks, somehow. I
guess this makes sense in the end: the client has to have the support
to pass along a ticket to the service. Another interesting note: the
SSH client that ships in RH 7.2, at least, has no mention of the word
“Kerberos” in it, or so strings `which ssh` | grep -i kerberos
reports at least. Additionally, ssh -o 'KerberosAuthentication
yes' doesn’t work. I need to check the OpenSSH sources and see what
kind of Kerberos support it has. I guess if it passes some sort of
AFS tickets I’ll be happy enough. I found a few things on Google that
kind of indicate that, at the very least, I’ll have to apply some
patches to OpenSSH to get some Kerberos authentication support — and
then I lose PAM authentication support, supposedly. This is entirely
unconfirmed. Look, fuck you! I need to sleep some time. I’ll check
it out tomorrow perhaps. Though I should really get RT working,
probably.
In other news, I installed YAPS on my Palm to keep some passwords in. With these Kerberos passwords that I just made up, I decided I needed somewhere to keep them. YAPS supposedly uses Blowfish, the author supposedly built it for his own needs, and it seems to work well enough. Maybe I should strings the files that Backup Buddy transfers and see if I have any passwords lying about.