Re: Shishi 0.0.26

[Simon Josefsson]

Elrond <address@hidden> writes:

> On Mon, May 15, 2006 at 04:24:19PM +0200, Simon Josefsson wrote:
> [...]
>> ** Requests for service tickets (TGS) are now sent without a sub-session key.
>> This solves interop problems with Windows 2003 and Heimdal, thanks to
>> Elrond for debugging.
> [...]
>
> Good to hear. :-)
>
> That opens a "stable" door to my next exploration: Sending
> an AP (inside hackish spnego) to w2k3. ;)

Great.

Uhm, btw, do you have any pending outstanding bugs right now?  I may
have missed some older e-mail.

> Maybe sometime, we should add an option to turn the subkey
> on again, for testing, etc.

Yes, ideally it should be enabled by default, but possibly to disable
per realm, or even per server.  But to make that workable, better
error messages are needed.

> I'm still curious, if w2k3 will accept the TGS, if the
> checksum is keyed using the subkey. (shishi still wont be
> able to decrypt the answer, but that's another story.)

Yup, there is some debugging to do there, if anyone is interested...

>> ** The Shishi PAM module in extra/pam-shishi/ is now built by default.
>> The installation path has also been changed to $prefix/lib/security,
>> but you can change it with `configure --with-pam-dir=/somewhere/else'
>> or `make install PAMDIR=/somewhere/else'.
>
> If I have waaayy to much time, I'll add it to my system and
> try it for xlock auth or something useless ;)

The hard part is getting a host keytab in Shishi format out of a
MIT/Heimdal setup.  If you run shishid, this is simple (just copy the
keytab on the KDC to the host).  Implementing a tool that extract a
Shishi keytab from a MIT/Heimdal keytab would be useful, and probably
not that difficult.

/Simon