Coda File System

Re: MIT krb5 or Heimdal-0.6.2 for Kerberos 5 implementation?

From: Ivan Popov <pin_at_medic.chalmers.se>
Date: Wed, 22 Dec 2004 15:45:14 +0100
On Wed, Dec 22, 2004 at 02:13:21PM +0100, Jiri Navratil wrote:
> I'm installing a new machine based on BLFS instructions. I would like to
> test the coda with Kerberos 5 authentication. As BLFS makes no

I would rather strongly suggest that you try the modular clog;
it has better support for kerberos than the mainstream one.

A binary Linux client is available at

http://www.konvalo.org/?pagename=Main.Software
http://www.konvalo.org/pub/coda-client-setup

You would want to install an inetd service on the Coda server machine(s)
like that:

inetd.conf:
-----------
codaauth2 stream tcp nowait nobody /bin/cat cat /etc/codaauth.conf
-----------

with /etc/codaauth.conf being like the following,
words containing "substitute" to be replaced by your actual values:
-----------------------------------
version = 3
authorities {
###################### traditional Coda password support section,
###################### may be omitted in pure Kerberos installation
## the authority label you chose:
  adm {
    methods {
## the method label you chose:
      pass {
## the method name, a predefined string, "codapassword" for Coda password auth
        authmethod = codapassword
        methodopts {
          tokensrvs {
            substitute.your.coda.auth.server.fqdn 370
#           substitute.your.another.server.fqdn 370
#           and so on for each host where you run auth2 services
          }
        }
      }
    }
  }
###################### example kerberos5 authority description
## the authority label you choose freely:
  myrlm {
    methods {
## the method label you choose freely:
      my_krb5 {
## the method name, it has to be spelled "kerberos5"
        authmethod = kerberos5
        methodopts {
          krb5realm = substitute-YOUR-KERBEROS-REALM.HERE
          krb5kdcs {
            substitute.by.fqdn.of.a.corresponding.krb.kdc
#           another.one
#           and.so.on
          }
          krb5options {
## for plain mit kerberos possibly:
            withaddrs = no
            proxiable = yes
          }
          krb5service {
## choose it arbitrarily, together with your kerberos realm administrator
## (which can happen to be yourself)
            codaauth/coda.realm.org
          }
          tokensrvs {
            substitute.your.auth2.server.fqdn 370
#           substitute.your.another.server.fqdn 370
#           and so on for each host where you run auth2 services
          }
        }
      }
    }
  }
}
-----------------------------------

Note that this part makes unnecessary any kerberos-related client
configuration, and you will be able to authenticate against Coda realms
using services of different kerberos realms, at the same time.

You do not need to install any libraries on a client either.
The client contains the necessary (MIT) libraries, though it does not
reveal them in the traditional places like /lib.

If you do not do this "authentication advertisement" part,
you will still be able to use the kerberized clog, by putting all
the information about kerberos servers, auth2 servers,
kerberos principal and kerberos options on the command line.

clog --help   may help

You may use a mainstream Coda server, I think; just configure it
to use the krb5 principal in accordance with krb5service above,
or the other way around, and let it possess a copy of the corresponding keytab
and have corresponding contents in /etc/krb5.conf on the server hosts.

You may of course compile both the server and the client for modularized
clog. The source, the compile "NOTES" as well as the binaries are at

/coda/konvalo.org/sw/pm/1/TOP/c/coda/V/cvs20040923/L/1/

It is not the newest Coda, but the modular part is present as a patch
which should work with the most recent code as well.

Caution: the binaries there will not work for you directly; they are assumed
to be run via an explicit
  ld-linux.so.2 --library-path <where-the-libraries-are> <binary> [<args>]

(in the http://www.konvalo.org/pub/coda-client-setup
binaries are wrapped properly and you do not have to worry)

> preference between MIT krb5 and Heimdal-0.6.2, can somebody tell me,
> which one is better for coda or otherwise, that I do not need to care
> about the choice?

I'd suggest picking MIT as I am running MIT libraries myself (those from
/coda/konvalo.org/sw/pm/1/TOP/k/krb5/V/1.3.5/L/1, not from any OS distribution)

> Which document/page I shall read to be able to secure  my coda server
> placed in Internet?

I am not aware of one yet...

--
Ivan
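The codaauth.conf block syntax shown in the message, parsed by a small Python script. This is an added example, not code from the Coda or modular clog sources: the grammar is inferred from the sample above, and the realm and hostnames are constructed. It also lists non-comment lines that still carry the template's "substitute" markers, a check worth running before the file is published, since the inetd service above hands the file verbatim to any client that connects.

```python
# Added example: parser for the codaauth.conf syntax from the message.
# Grammar inferred from the sample; realm and hostnames are constructed.
SAMPLE = """\
version = 3
authorities {
  myrlm {
    methods {
      my_krb5 {
        authmethod = kerberos5
        methodopts {
          krb5realm = EXAMPLE.ORG
          krb5kdcs {
            kdc1.example.org
#           kdc2.example.org
          }
          tokensrvs {
            auth.example.org 370
          }
        }
      }
    }
  }
}
"""

def parse(text):
    """'name {' opens a block, 'key = value' sets a string, other bare lines land in '_items'."""
    root = {}
    stack = [root]                                 # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line == '}':
            stack.pop()
        elif line.endswith('{'):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            stack[-1][key] = value
        else:                                      # list entry, e.g. "host port"
            stack[-1].setdefault('_items', []).append(line.split())
    if len(stack) != 1:
        raise ValueError('unbalanced braces in codaauth.conf')
    return root

def unreplaced_placeholders(text):
    """Non-comment lines that still contain the template's 'substitute' marker."""
    return [l.strip() for l in text.splitlines() if 'substitute' in l.split('#', 1)[0]]
```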
Received on 2004-12-22 09:47:35