Wed, 28 Dec 2005
Vodka Gravy
This can lead to nothing but good.
Posted at: 17:59 | category: /food | Link
Mon, 19 Dec 2005
OpenSSH + gssapi + kerberos + afs happy dance, on NetBSD 3.0 RC6
Server:
- Put appropriate krb5.conf and krb5.keytab in place.
- Make your account directory information appear on this machine (I use hesiod).
- Make some sort of home directory (I use afs and amd to do this)
- Set these options in /etc/ssh/sshd_config:
    KerberosAuthentication yes
    KerberosGetAFSToken yes
    GSSAPIAuthentication yes
    UsePam no
- Install heimdal from pkgsrc
- Add the following to /etc/ssh/sshrc:
    /usr/pkg/bin/afslog -c nameofyourlocalcell
Log in with an appropriately smart ssh client where you have forwardable kerberos credentials. "Appropriately smart" means "understands gssapi-with-mic and actually tries to do it" --- see the previous entry for details on that. See the client configurations listed here. The afslog in sshrc allows you to get afs tokens when you log in via gssapi-with-mic --- the forwarded kerberos credentials are just plopped down, and aren't used to automatically get afs tokens.
Neatly, I noticed that console logins Just Work. Spiffy.
Posted at: 23:59 | category: /pn/ssh | Link
Thu, 15 Dec 2005
Getting pine to do gssapi imap
- Set PKG_OPTIONS.imap-uw+= ssl kerberos in /etc/mk.conf
- Build uw-imap
- Build pine
Pine uses the c-client library from uw-imap, so if you build uw-imap with gssapi support, pine gets it too.
Posted at: 20:10 | category: /pn/mail | Link
OpenSSH + gssapi + kerberos + afs happy dance
Server:
- Install recent openssh from pkgsrc, make sure kerberos option is set when building.
- Make sure your machine has the appropriate krb5.conf in /usr/pkg/etc (I symlink to /etc/krb5.conf)
- Make sure your machine has a host/machine.name@KERB.REALM keytab in /usr/pkg/etc/krb5.keytab (once again with the symlinking)
- Set these options in /usr/pkg/etc/ssh/sshd_config:
    KerberosAuthentication yes
    KerberosGetAFSToken yes
    GSSAPIAuthentication yes
- Install heimdal from pkgsrc
- Add the following to /usr/pkg/etc/ssh/sshrc:
    /usr/pkg/bin/afslog
Client:
- Install recent openssh from pkgsrc, make sure kerberos option is set when building.
- Make sure your machine has the appropriate krb5.conf in /usr/pkg/etc (I symlink to /etc/krb5.conf)
- Set these options in /usr/pkg/etc/ssh/ssh_config:
    Host *
        PreferredAuthentications hostbased,publickey,gssapi-with-mic,keyboard-interactive,password
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
- Get addressless, forwardable tickets
- Run the pkgsrc ssh
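A quick check that an sshd_config really carries the server settings listed above, added here as an example and not part of the original post. The function names `sshd_value` and `check_gss_server` are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the Kerberos/GSSAPI/AFS options.

# Print the effective global value of keyword $2 in file $1.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and lines after a Match line are conditional, so stop there.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Check the three server options from the list; return 0 only if all are "yes".
# An absent keyword is a failure: sshd defaults each of these to "no".
check_gss_server() {
    rc=0
    for kw in KerberosAuthentication KerberosGetAFSToken GSSAPIAuthentication; do
        val=$(sshd_value "$1" "$kw")
        if [ "$val" = "yes" ]; then
            echo "ok    $kw yes"
        else
            echo "FAIL  $kw $val"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the commented-out line does not count, and the
# GSSAPIAuthentication line inside the Match block is not a global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KerberosAuthentication no
kerberosauthentication yes
KerberosGetAFSToken yes
Match User guest
    GSSAPIAuthentication yes
EOF
check_gss_server "$sample" || echo "sshd_config does not match the settings listed"
rm -f "$sample"
```

Point `check_gss_server` at /usr/pkg/etc/ssh/sshd_config (or /etc/ssh/sshd_config on NetBSD 3.0) before restarting sshd.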
Posted at: 01:15 | category: /pn/ssh | Link
Tue, 13 Dec 2005
Generating a SITE_SPECIFIC_PKGS list
This link seems to be the best documentation on using the SPECIFIC_PKGS flag in NetBSD pkgsrc. To use it, you have to generate something that looks like SITE_SPECIFIC_PKGS= mail/mutt-devel security/openssh, i.e., a list with PKGPATH for each package you wish to build.
The next obvious question is "given a particular machine that has all the packages I want (from me adding packages one-by-one) how do I get a list of PKGPATH for each package?" The following seems to work for me:
    /usr/sbin/pkg_info | cut -d " " -f 1 | \
        xargs /usr/sbin/pkg_info -Q PKGPATH | \
        sed 's/^/SITE_SPECIFIC_PKGS+= /' > pkglist
Which generates a list that looks like:
    SITE_SPECIFIC_PKGS+= misc/screen
    SITE_SPECIFIC_PKGS+= pkgtools/pkg_install
    SITE_SPECIFIC_PKGS+= pkgtools/digest
    SITE_SPECIFIC_PKGS+= shells/tcsh
    SITE_SPECIFIC_PKGS+= mail/mutt-devel
    ...
Posted at: 15:52 | category: /computers/netbsd/pkgsrc | Link