Re: revocation feature in Kerberos

2014-07-31 Thread Chris Hecker
Unless things have changed, the KDC doesn't check for account lock if the tgt is valid. There's a thread from a couple years back where I asked about this and then patched it, but I haven't submitted patches for the current revision. I need to do this at some point. Or maybe it got fixed? Chris

Re: Announcing mod_auth_gssapi

2014-08-14 Thread Chris Hecker
By being gss-only, do you mean the module, or clients must use gss as well? Chris On Aug 14, 2014 3:24 PM, "Russ Allbery" wrote: > Simo Sorce writes: > > > I have recently released a new module for Apache called mod_auth_gssapi > > to modernize a little bit on the ancient and substantially unm

Re: upgrading kerberos 1.9.4 to 1.13 with LDAP backend

2014-12-03 Thread Chris Hecker
I am going to need to make the exact same update at some point, so a report back on how it went would be great! Thanks, Chris On Dec 3, 2014 2:28 PM, "Paul B. Henson" wrote: > We currently have three Kerberos servers running 1.9.4 using the LDAP > backend and are planning to upgrade to 1.13. Hi

RE: LDAP searches for Kerberos entries

2015-02-04 Thread Chris Hecker
I use LDAP to store additional stuff about users, so the krb stuff is a subtype (can't remember what the real term is) of my main record type. I rarely search on the krb fields. Chris On Feb 4, 2015 12:09 PM, "Paul B. Henson" wrote: > > From: Michael Ströder > > Sent: Wednesday, February 04, 2

Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

2015-02-12 Thread Chris Hecker
Yes, this piqued my interest as well... Chris On Feb 12, 2015 12:30 AM, "Gergely Czuczy" wrote: > > On 2015-02-11 15:25, Simo Sorce wrote: > > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote: > >> HI! > >> > >> Maybe some of you are using MIT Kerberos with LDAP backend. > >> > >> For c

Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
Okay, I have a client communicating with a server, and they've gone through the AS_REQ/AS_REP dance and that's all working fine. Now, I want the server to send the client info about another connection it needs to make back to the server on another thread. Does this connection need to do anoth

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
ly need to worry about them for a single session? Thanks! Chris On 2015-05-07 08:17, Greg Hudson wrote: > On 05/07/2015 05:54 AM, Chris Hecker wrote: >> Okay, I have a client communicating with a server, and they've gone >> through the AS_REQ/AS_REP dance and that's all

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
> Hm, you might be able to speed this up by supplying the service key > to the auth context with krb5_auth_con_setuseruserkey() Cool, I'll check that out next time I'm optimizing, thanks! Chris On 2015-05-07 12:15, Greg Hudson wrote: > On 05/07/2015 02:44 PM, Chris Hecke

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-08 Thread Chris Hecker
2015 2:22 PM, "Chris Hecker" wrote: > > Hm, you might be able to speed this up by supplying the service key >> to the auth context with krb5_auth_con_setuseruserkey() >> > > Cool, I'll check that out next time I'm optimizing, thanks! > > Chris

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-08 Thread Chris Hecker
On May 8, 2015 8:41 AM, "Greg Hudson" wrote: > On 05/08/2015 04:57 AM, Chris Hecker wrote: > > Hmm, thinking about this a bit more: if I turn off DO_SEQUENCE so I can > > share the auth_context, is there a way to dupe it so it can be used in > > both threads sim

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-13 Thread Chris Hecker
ked statically in my app... Chris On 2015-05-08 08:41, Greg Hudson wrote: > On 05/08/2015 04:57 AM, Chris Hecker wrote: >> Hmm, thinking about this a bit more: if I turn off DO_SEQUENCE so I can >> share the auth_context, is there a way to dupe it so it can be used in >> both t

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-13 Thread Chris Hecker
got it sitting right there. I'm already using this API for u2u authn, it turns out (which is what it's for, I'm assuming :). Chris On 2015-05-07 12:15, Greg Hudson wrote: > On 05/07/2015 02:44 PM, Chris Hecker wrote: >> I found it slow under a loadtest, wh

returning krb5_rd_req error code to clients

2015-06-13 Thread Chris Hecker
Is it a problem to return the krb5_rd_req error code on failed authn to clients? Is that revealing information it shouldn't and I should just return success or failure? Or filter it down to a few safe ones, like clock skew, etc? Chris Kerbero

krb5_keyusage

2015-06-14 Thread Chris Hecker
I'm calling krb5_k_encrypt with a random key that I'm going to use for miscellaneous stuff. I assume I want to use KRB5_KEYUSAGE_APP_DATA_ENCRYPT? I don't see much documentation on this, but it looks like the most obviously named one. Most of the enctypes don't seem to use the usage at all.

first rd_priv/mk_priv and KRB5_AUTH_CONTEXT_DO_SEQUENCE

2015-06-14 Thread Chris Hecker
So, I successfully converted one of my connections to not use DO_SEQUENCE so I can have a dupe of the auth_con in two threads as mentioned in the other (email) thread. One thing I noticed while doing the conversion was that an auth_con created with DO_SEQUENCE will communicate with one create

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-20 Thread Chris Hecker
ree the one from get because it's not used. There should be a version of set that takes ownership of the memory, I think. Make sense? Chris On Sat, Jun 20, 2015 at 12:52 PM, Benjamin Kaduk wrote: > On Sat, 13 Jun 2015, Chris Hecker wrote: > > > > > Finally getting to this..

Re: "revoking" a TGT?

2016-08-07 Thread Chris Hecker
I keep meaning to contribute my patch for this (not the kvno part, just the allow_tix check and ability for services to check for bans). It is completely rotted relative to the latest rev though. I need to update. Chris On Aug 7, 2016 10:40 PM, "Greg Hudson" wrote: > On 08/05/2016 09:51 AM, Je

temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-16 Thread Chris Hecker
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-17 Thread Chris Hecker
(Once more, with feeling...and also hopefully acceptable-to-mailman formatting.) This is all kind of half-baked, so bear with me while I think out-loud: - I am using kerberos for my game's authn with clients and a server. Clients have connections to the server, and then also p2p connections to ea

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-25 Thread Chris Hecker
Okay, I think I have a handle on this...a few responses and then a few questions: simo and greg: > but a TGT would allow this client to access any kerberized service. > Yeah, I realized this, and then I realized that for my use case even a full key instead of a ticket would be okay to send, bec

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-25 Thread Chris Hecker
Oh, and to actually send the key back, I assume I can just pack up the keyblock and send that encrypted with mk_priv, there's no mk_1cred equivalent for sending a key it seems? Thanks, Chris On Sat, Nov 25, 2017 at 4:23 PM, Chris Hecker wrote: > > Okay, I think I have a handle on t

Re: upgrading kdc from 1.9 to 1.16, things to worry about?

2017-12-11 Thread Chris Hecker
penLDAP (or whatever > LDAP server you're using; 389ds also works with krb5, and likely > others). So if there are potential issues with updating the schema, I > wouldn't know about them. The new schema is indeed a superset of the > old one, with optional attributes added.

Re: upgrading kdc from 1.9 to 1.16, things to worry about?

2017-12-11 Thread Chris Hecker
ckaging for openLDAP (that I > can find). > > On Mon, Dec 11, 2017 at 12:50 PM, Chris Hecker wrote: > >> Ok, moving this over to the main list... >> >> Anybody else have any thoughts on the update below? >> >> Thanks, >> Chris >> >> >

-allow_tgs_req

2018-01-08 Thread Chris Hecker
If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I shouldn't be able to kinit with it, right? I'm able to get TGTs though with kinit and the keytab for this service, and then get service tickets with kvno; I need to update my KDC and see if this is still true, or maybe I'

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah. Is there any way to prevent a service princ from being able to get tickets? As in, if one of my service keytabs is compromised, can I prevent those princs from being used like a normal user princ? Chris On Mon, Jan 8, 2018 at 19:58 Russ Allbery wrote: > Chris Hecker writes: >

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah, I assumed that was symmetric for some reason. I obviously need to be able to get tickets for these services. Not sure why I thought that. I'll check it out, thanks! Chris On Mon, Jan 8, 2018 at 20:15 Russ Allbery wrote: > Chris Hecker writes: > > > Ah. Is there any

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Hmm, yeah, I can't get tickets to a service with -allow_tix on it. I'll have to look into why if that's supposed to work, I made a couple modifications to my KDC in this area a while back. Chris On Mon, Jan 8, 2018 at 20:24 Chris Hecker wrote: > > Ah, I assumed that w

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Right, I will disable the princ when I find out obviously, I just want the person to not be able to use it as a user princ to get tickets to other services in the meantime. Does that make sense or am I missing something? Chris On Mon, Jan 8, 2018 at 20:28 Russ Allbery wrote: > Ch

Re: How does the user principal know the service

2018-06-23 Thread Chris Hecker
You ask for a ticket for a specific service in the request. Chris On Sat, Jun 23, 2018 at 14:02 ZongtianHou wrote: > Hi, everyone: > I am a bit confused of the auth process of kerberos. The user principal > request the AS for a tgt, then use send the tgt to the TGS to get a ticket. > The ticket

Any set of flags on a princ to allow an AS but no TGS request?

2018-08-01 Thread Chris Hecker
I'd like to make a princ that can be used to test whether the kdc is working for login, but I don't want this princ to be able to get tickets to any services (except the initial TGT).  I can turn off u2u with dup skey, and I tried setting the -maxlife to 0 but that defaulted to 24 hours, and even

Re: Error - Oracle database authentication with Kerberos

2018-08-08 Thread Chris Hecker
Not sure if this helps, but since it's late in the US, the last time I got a "generic error" is when my LDAP db went down underneath Kerberos and it couldn't connect. Probably not remotely related to your generic error, but maybe see if you can talk to the KDC at all. Chris On Wed, Aug 8, 2018

long running kadm5 program running into errors

2018-08-16 Thread Chris Hecker
I have a long-running daemon that reads a kadm5 admin key from a file keytab into a memory keytab before dropping privs, and then when the kadm5 connection drops (using checks for KADM5_RPC_ERROR), it loops and tries to reconnect with kadm5_init_with_skey.  This works fine, with 1.9 it would stay

Re: long running kadm5 program running into errors

2018-08-17 Thread Chris Hecker
es...I can see the client having a problem due to timeouts or paging or whatever, but why would the kadmind print that stuff in this case? Chris On 2018-08-16 17:47, Chris Hecker wrote: > > I have a long-running daemon that reads a kadm5 admin key from a file > keytab into a memory keytab be

Re: long running kadm5 program running into errors

2018-08-22 Thread Chris Hecker
Greg Hudson wrote: > On 08/18/2018 01:53 AM, Chris Hecker wrote: > > I just got this again today, this time instead of EBUSY, the libkadm5 > > client got "Cannot resolve network address for admin server in requested > > realm (43787576)". Same "The refe

Re: Query: Need help for storing the krb5_creds(ticket) as blob format.

2018-08-25 Thread Chris Hecker
If you've got a krb5_creds* tkt then tkt->ticket is a krb5_data, which means tkt->ticket.data and tkt->ticket.length are available...you can just use them directly to store the ticket somewhere (or send it for u2u or whatever). Chris On 2018-08-25 01:43, Santosh Kumar wrote: > All, > > Could y

Re[2]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
Maybe dump the core of the running process so you don't accidentally crash it while trying to debug it live? But that would make finding it in memory even harder... Chris -- Original Message -- From: "Nico Williams" To: "Harshawardhan Kulkarni" Cc: "kerberos@mit.edu" Sent: 2020-0

Re[2]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
a struct the one he wants? Chris -- Original Message -- From: "Nico Williams" To: "Chris Hecker" Cc: "Harshawardhan Kulkarni" ; "kerberos@mit.edu" Sent: 2020-06-11 15:31:28 Subject: Re: MIT Kerberos Master principal deletion >On Thu, Jun 11,

Re[3]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
Looks like it might also be in the global master_keyblock in the server_kdb.c file. Chris -- Original Message -- From: "Chris Hecker" To: "Nico Williams" Cc: "Harshawardhan Kulkarni" ; "kerberos@mit.edu" Sent: 2020-06-11 15:54:32 Subje

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-01 Thread Chris Hecker
There are actually a bunch of places that leak information about valid princs, I wonder if there’s a todo item to clean those up at some point? I can’t remember the one or two I found since it was a while ago but I posted it to the list as well. Chris On Tue, Jun 30, 2020 at 23:01 Eric Hattemer

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-01 Thread Chris Hecker
> For example, if we treated single-component principals as users, anyone with a user/admin principal (or user/root, which has no status in the code but is a common convention for elevated access) would probably still be detectable by an attacker. Not sure I follow this, why wouldn’t they be treat

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-02 Thread Chris Hecker
Wow, thanks for taking the time for the detailed response! I will digest this and see if I still have questions. Chris On Thu, Jul 2, 2020 at 10:45 Greg Hudson wrote: > On 7/1/20 3:55 PM, Chris Hecker wrote: > >> For example, if we treated single-component principals as users

weak regex/glob in listprincs in kadmin (on ldap)?

2021-07-11 Thread Chris Hecker
From looking at the code in src/lib/kadm5/srv/svr_iters.c it seems like the listprincs command should support [] patterns like che[ca]* but it doesn't in my version (1.15.1 on cent

Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?

2021-07-11 Thread Chris Hecker
It's not clear how you'd iterate them all with the current API in a remotely efficient manner. Maybe people don't want to do that very often though. Chris -- Original Message -- From: "Greg Hudson" To: "Chris Hecker" ; kerberos@mit.edu Sent: 2021-

Re: Kerberos Server Implementation

2022-01-11 Thread Chris Hecker
There are two samples in the Kerberos source that have both clients and servers, I’m not at my computer but they’re called something like sim_client and sample_client and server. Chris On Tue, Jan 11, 2022 at 14:44 Gupta, Divyansh via Kerberos wrote: > Hi Kerberos@MIT, > > I am attempting to cr

Re: Creating a principal using the kadmin C API

2022-04-07 Thread Chris Hecker
I use the kadm5 api to create princs and change keys. I do this with a memory keytab (well, I load a disk keytab while root, copy it to a memory keytab, and then drop privs), but I assume it's using the default system /etc/krb5.conf. I do have my krb5 client stuff build an in-memory conf a

Re: Creating a principal using the kadmin C API

2022-04-08 Thread Chris Hecker
> Perhaps it would be nicer if one could create an empty in-memory profile object and populate it with profile_add_relation(), but that is not currently implemented. I think I did it this way when I hacked my API in back in days of yore and it was nice and clean. I’ll look when I’m at my computer

Re: how to stash KDC password in perl

2022-10-20 Thread Chris Hecker
I don’t see anything in the existing perl modules but it would probably be pretty easy to add to the KDB one: https://metacpan.org/pod/Authen::Krb5::KDB Chris On Thu, Oct 20, 2022 at 11:29 Jim Shi via Kerberos wrote: > Hi, is there way to stash password in perl or Java? I know it is in KDC >

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
I have versions of both perl packages (krb5 and admin) that I work on locally and have assumed I’d contribute back at some point. It would be a shame to delete them from cpan, they work well after some fixes. I use my versions in production. I have said this before on the list and it’s not a ver

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
Yeah, by portable I meant I just compile the parts of krb5 client code I need when necessary. The krb5 client is very portable and fairly small. I strip out some stuff I don’t use, but not too much. Chris On Fri, Feb 24, 2023 at 11:51 Ken Hornstein wrote: > >I have said this before on the l

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
, they could just use a little love and organization and documentation. If they’re calling internal stuff that should be fixed too obvs, but they don’t need to be gutted. Chris On Fri, Feb 24, 2023 at 11:59 Chris Hecker wrote: > > Yeah, by portable I meant I just compile the parts of krb5

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
Sure, I agree with that rough breakdown, I just think the samples should show a hierarchy of techniques and show the flexibility, and be named appropriately. I mean, if a developer is thoughtless when using a crypto api then having messages be encrypted is not going to save them, so we need to ass

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
It has been a long time since I made this evaluation so I don’t remember the details, but I definitely do all sorts of stuff with ccaches and keytabs and profiles and threads and static linking and controlling memory allocations and controlling sockets and file usage and whatnot, it seemed like GSS

Re: Slightly confused by user-to-user authentication...

2011-07-06 Thread Chris Hecker
> Sorry for the slow response time. krb5 user-to-user auth is a little > off the beaten track of Kerberos usage, but this is the intended use > case. Awesome, thanks. And yes, the entire reason I'm using Kerberos is to avoid rolling my own security protocol, so I'm glad I happened across the u

Re: Slightly confused by user-to-user authentication...

2011-07-07 Thread Chris Hecker
t kind of cc to use. Chris On 2011/07/07 05:44, Greg Hudson wrote: > On Thu, 2011-07-07 at 01:59 -0400, Chris Hecker wrote: >> One more question about user-to-user: the FAQ says that the "Clocks >> Adrift" paper's solution for not forcing clients to have synced clo

Re: Slightly confused by user-to-user authentication...

2011-07-07 Thread Chris Hecker
s AP_REQs handles that correctly (has that ever been > tested?), but it will be interesting to find out. I will definitely be testing this thoroughly, because I'm assuming my customers will have clocks set to rand(). Chris On 2011/07/07 17:39, Greg Hudson wrote: > On Thu, 2011-07-07 a

what is magical about kadmin.local?

2011-07-09 Thread Chris Hecker
I am trying to reproduce the "don't need to enter a password" behavior of kadmin.local and I can't seem to get it to work. If I just run kadmin.local with no parameters, it eventually calls kadm5_init_with_password with a default root/ad...@foo.com principal, null password and service name, a

Re: what is magical about kadmin.local?

2011-07-09 Thread Chris Hecker
Ah, I think I found it...I missed the fact that kadmin.local links KADMSRV_LIBS instead of KADMCLNT_LIBS. Chris On 2011/07/09 03:47, Chris Hecker wrote: > > I am trying to reproduce the "don't need to enter a password" behavior > of kadmin.local and I can't seem

misc q's: not loading profile from memory, not alloc memory on mk_priv/mk_safe, no replay cache?

2011-07-14 Thread Chris Hecker
Hi, I'm planning on using Kerberos for my video game, and so I am probably using it slightly differently than most installations, and I want to make sure I'm doing the right thing security-wise, and making any changes in the right places. Here are some random questions I have related to this:

Re: misc q's: not loading profile from memory, not alloc memory on mk_priv/mk_safe, no replay cache?

2011-07-14 Thread Chris Hecker
I'm just wondering what exactly "contribute fresh elements" means concretely... Chris On 2011/07/14 18:57, Chris Hecker wrote: > > Hi, I'm planning on using Kerberos for my video game, and so I am > probably using it slightly differently than most installations, and I

Re: misc q's: not loading profile from memory, not alloc memory on mk_priv/mk_safe, no replay cache?

2011-07-15 Thread Chris Hecker
s, and don't do anything on the initial client->server authentication, then I don't need to worry about cookies or nonces or anything in my packets, and I can disable the replay cache (assuming I mk_safe/mk_priv packets in both directions)? Thanks! Chris On 2011/07/14 20:59, G

when would you not want +requires_preauth?

2011-07-19 Thread Chris Hecker
Is there any reason I wouldn't want +requires_preauth on any user accounts? It looks like it doubles the number of connections to the KDC to get the tgt, but besides that additional load, is there any downside to doing it? Thanks, Chris Kerber

threading best practices?

2011-07-21 Thread Chris Hecker
Hi, my kerberos application is threaded, so all the lowlevel communication between the clients and the servers is happening on separate threads that queue messages to the main thread. I'm going to integrate kerberos authentication to all this, and I'm trying to figure out the best way to do t

Re: threading best practices?

2011-07-21 Thread Chris Hecker
thread, I can then use them in the main thread with a different context... I think I need to figure out exactly what I need to do, and then I'll have more of a clue for asking questions. Thanks, Chris On 2011/07/21 20:45, Greg Hudson wrote: > On Thu, 2011-07-21 at 23:01 -0400, Chris Hec

readline in kadmin when no system ss?

2011-07-22 Thread Chris Hecker
On CentOS, there appears to be no ss subsystem library, or at least, I can't find one after 30 minutes of searching (searching for a library called "subsystem" is a bit difficult, however, so I might have missed it). kadmin et al. use the src/util/ss version if configure doesn't find one, but

Re: threading best practices?

2011-07-22 Thread Chris Hecker
case. I assume I can have multiple auth_contexts in a single thread, as long as I keep straight which one is talking to which other client or server and pass them to mk_safe/mk_priv appropriately... Thanks, Chris On 2011/07/22 12:51, Nico Williams wrote: > On Fri, Jul 22, 2011 at 12:03 AM, Chris He

Re: readline in kadmin when no system ss?

2011-07-22 Thread Chris Hecker
Chris On 2011/07/22 14:19, Greg Hudson wrote: > On Fri, 2011-07-22 at 17:02 -0400, Chris Hecker wrote: >> On CentOS, there appears to be no ss subsystem library, or at least, I >> can't find one after 30 minutes of searching (searching for a library >> called "subsyste

Re: readline in kadmin when no system ss?

2011-07-22 Thread Chris Hecker
replying to myself. Chris On 2011/07/22 14:41, Chris Hecker wrote: > > Hah, awesome! > > Of course, I went to the trouble of building the rpm and patching > ss/listen.c locally, only to find it is using a system ss library from > somewhere, and _that_ doesn't use readline either

Re: threading best practices?

2011-07-22 Thread Chris Hecker
Chris is also pretty allergic to layers and indirection in his software unless they're absolutely necessary, so he's quite happy that he can talk directly to kerberos, since he's not going to swap out the security layer or anything, so GSSAPI would just be adding overhead (conceptual, if not c

Re: threading best practices?

2011-07-22 Thread Chris Hecker
looks like a bunch of people have asked about it in the past, and it would be handy for me to have. Chris On 2011/07/22 15:10, Nico Williams wrote: > On Fri, Jul 22, 2011 at 4:46 PM, Chris Hecker wrote: >>>> Okay, so if I krb5_get_credentials on the KDC thread, I can then &

keytab, kvno, ktadd, and existing tickets

2011-07-22 Thread Chris Hecker
Every time I ktadd to put a key in a keytab for a service, it increments the kvno. I assume this is to provide some protection for compromised keytabs. However, the existing keytabs to that service are now invalid (or, at least, fail the kvno check in the sample app if the client gets a new

Re: keytab, kvno, ktadd, and existing tickets

2011-07-23 Thread Chris Hecker
> what breaks you is that the keys change and you didn't expect that. Ah, I think I'm confused by what a "key" is. I thought it was just the password for the principal. What changes about it? Oh, wait, from reading this, it looks like ktadd actually changes the password itself, it doesn't ju

Re: keytab, kvno, ktadd, and existing tickets

2011-07-23 Thread Chris Hecker
in one spot, so there's some precedent, although this would need an #ifdef rather than a dynamic check. Chris On 2011/07/23 00:42, Russ Allbery wrote: > Chris Hecker writes: > >> And yeah, a ktexport command would be nice in kadmin. Maybe I'll look >> at doing that if

Re: keytab, kvno, ktadd, and existing tickets

2011-07-23 Thread Chris Hecker
'". :) CentOS is still on 1.6.1 (!), so I don't have it on the server. I guess I'll build latest there if I need it. Thanks for putting up with all my noob questions and mails! Chris On 2011/07/23 01:14, Russ Allbery wrote: > Chris Hecker writes: > >> Th

AP_OPTS_MUTUAL_REQUIRED only when using sendauth/recvauth? also, subkey prng priming?

2011-07-23 Thread Chris Hecker
Do I need to pass AP_OPTS_MUTUAL_REQUIRED to mk_req if I'm doing the packet sending myself rather than using the sendauth/recvauth helpers? I didn't realize I might need to and was doing mk_req->rd_req->mk_rep->rd_rep manually without and it seemed to work fine, but then I searched, and it loo

how to "ban" clients?

2011-07-24 Thread Chris Hecker
I want to be able to disable client accounts when necessary, even if they currently have a live krbtgt. I understand I can't revoke live tickets, so any existing live sessions they have will still work until they expire, and I'm fine with that, but I don't want them to be able to get any more

Re: how to "ban" clients?

2011-07-24 Thread Chris Hecker
gs_request, but I'd also have to get the client db entry in do_tgs_req. I must be missing something, though, since it seems like this would be something that's already supported... Chris On 2011/07/24 01:13, Chris Hecker wrote: > > I want to be able to disable client accoun

Re: how to "ban" clients?

2011-07-24 Thread Chris Hecker
like I think it should after 1.6.1. I need to build my own kdc on CentOS... Chris On 2011/07/24 02:00, Chris Hecker wrote: > > More details from looking at the kdc code...it looks like > validate_tgs_request in kdc_util.c only checks the server's attributes > for KRB5_KDB_DISA

client side password store best practices?

2011-07-24 Thread Chris Hecker
This is my last mail tonight, I promise! Okay, so I know the best answer to "What's the best way to store the user's password on his or her machine?" is "Don't!" However, the reality of my industry is security is somewhat important, but usability is very important, so I need to find the right

patch for compile errors when KRB5_DNS_LOOKUP is false on 1.9.1

2011-07-24 Thread Chris Hecker
I'm getting a compile error on 1.9.1 if KRB5_DNS_LOOKUP is false in locate_kdc.c because dns_locate_server calls locate_srv_dns_1, which is in an ifdef block. The calls to dns_locate_server are ifdefed, but the function itself isn't. This is true in trunk as well. Also, MAX_DNS_NA

klist patch for -v to display kvno on ccache

2011-07-24 Thread Chris Hecker
Not sure if others are interested in this or if Greg et al. want it for 1.10, but when debugging the ktadd kvno issue from the other thread, I wanted klist to display the kvno of the tickets in the cache, so I added -v for this (it's already displayed for keytabs, so this is only on

Re: how to "ban" clients?

2011-07-24 Thread Chris Hecker
ons, KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "SERVER NOT ALLOWED"; return(KDC_ERR_MUST_USE_USER2USER); } Thanks for putting up with all my mails! Chris On 2011/07/24 14:02, Greg Hudson wrote: > On Sun, 2011-07-24 at 05:00 -0400, Chris Hecker wrote: >> Mor

Re: how to "ban" clients?

2011-07-25 Thread Chris Hecker
> We could add a configuration knob, but I'm still trying to justify > the increased complexity to myself. Preventing a disabled account > from making new TGS requests with a valid TGT seems like closing the > barn door after the horse has escaped, as you have no control over > the service tickets

Re: how to "ban" clients?

2011-07-25 Thread Chris Hecker
I use an LDAP backend, and I still want this "ban" feature and am willing to pay for it (and implement it :). I guess if/when I get hit with performance problems, I will look into those too, so maybe I will be hoisted on my own petard, or maybe the ldap backend will get optimized as a secondar

#defines for version available?

2011-07-25 Thread Chris Hecker
The src/patchlevel.h file isn't built into krb5.h, or any other publicly installed file I can find. Is there any way to find the version of kerberos installed during compile time? From these, it looks like there was a plan to at least add a reliable command line switch to one of the apps, di

why is KRB5_TL_DB_ARGS in the SECURID #ifdef in kdb.h?

2011-07-25 Thread Chris Hecker
Seems like it should be outside this ifdef, since it's needed for adding the tl data for supporting -x... #ifdef SECURID #define KRB5_TL_SECURID_STATE 0x0006 #define KRB5_TL_DB_ARGS 0x7fff #endif /* SECURID */ I assume this is why it's defined locally in kadmin.c and k

Re: #defines for version available?

2011-07-26 Thread Chris Hecker
Hudson wrote: > On Tue, 2011-07-26 at 02:04 -0400, Chris Hecker wrote: >>From these, it looks like there was a plan to at least add a reliable >> command line switch to one of the apps, did that happen? > > Yes, klist -V, added in 1.7. (Which appears to be undocumented.

Re: how to "ban" clients?

2011-07-26 Thread Chris Hecker
> I can understand the appeal of doing whatever you can because not all > bad actors are perfect automatons with unlimited foresight, but it's > not compelling to me in this case. I do understand where you're coming from on the system complexity front, I really do. However, the current behavior

Re: #defines for version available?

2011-07-26 Thread Chris Hecker
ng through the rpm patches for RHEL and getting things building and installed from latest source, but anyway). Chris On 2011/07/26 05:33, Greg Hudson wrote: > On Tue, 2011-07-26 at 08:28 -0400, Chris Hecker wrote: >> Hmm, on windows it just returns "Kerberos for Windows",

why are there two krb5_realm_params, in adm.h and admin.h?

2011-07-26 Thread Chris Hecker
As it says in adm_proto.h: /* * krb5_realm params is defined in two header files * This really needs to be fixed!!! */ If I want to add a bool flag to the realms section of kdc.conf, it seems like it should go in krb5_realm_params, but which struct should I modify? Both? How d

Re: #defines for version available?

2011-07-26 Thread Chris Hecker
n"); #else printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); #endif exit(0); } Seems slightly less than informational for the WIN32 branch. :) Chris On 2011/07/26 10:06, Jeffrey Altman wrote: > On 7/26/2011 8:28 AM, Chris Hecker wrote: >&g

Re: why are there two krb5_realm_params, in adm.h and admin.h?

2011-07-26 Thread Chris Hecker
/main.c to get the struct declaration? As my set of changes grows, making Greg more and more uncomfortable... :) Chris On 2011/07/26 15:03, Greg Hudson wrote: > On Tue, 2011-07-26 at 17:38 -0400, Chris Hecker wrote: >> If I want to add a bool flag to the realms section of kdc.conf, it seem

Re: why are there two krb5_realm_params, in adm.h and admin.h?

2011-07-26 Thread Chris Hecker
11-07-26 22:19:37 + @@ -66,6 +66,7 @@ #include "k5-int.h" #include "com_err.h" #include "adm.h" +#include "kadm5/admin.h" #include "adm_proto.h" #include "kdc_util.h" #include "extern.h" On 2011/07/26 15:
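Review bot: adding `#include "kadm5/admin.h"` next to `#include "adm.h"` pulls both headers that the thread says define krb5_realm_params (per the adm_proto.h comment quoted above) into one translation unit, so confirm the two definitions are either identical and include-guarded or that the build actually compiles with both; the hunk here is cut off, so the file being patched and any subsequent changes are not visible.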

Re: how to "ban" clients?

2011-07-27 Thread Chris Hecker
OUT"; +return(KDC_ERR_CLIENT_REVOKED); +} Chris On 2011/07/27 03:35, Chris Hecker wrote: > > Okay, I implemented this today. Most of the patch is loading the bool > from kdc.conf and updating all the places those config variables are > declared and copied, but I've put the busine

Re: how to "ban" clients?

2011-07-27 Thread Chris Hecker
Okay, I implemented this today. Most of the patch is loading the bool from kdc.conf and updating all the places those config variables are declared and copied, but I've put the business end of things below. I'll put the full patch up somewhere, but I wanted more clued people to tak

Re: how to "ban" clients?

2011-07-28 Thread Chris Hecker
On 2011/07/27 04:02, Chris Hecker wrote: > > Oh, and I should point out there's the obvious code in > validate_tgs_request that uses the client: > > + /* Client must not be locked out */ > + if (client && isflagset(client->attributes, KRB5_KDB_DISALLOW_A
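Review bot: the guard `if (client && isflagset(client->attributes, ...))` means the lockout check is silently skipped whenever `client` is NULL, so it only enforces the ban on TGS paths where the KDC has actually loaded the client entry; it would be worth stating in a comment which call sites leave `client` unset and why that is acceptable, or treating a missing entry as a failure. The quoted hunk is truncated, so the remainder of the condition and the error returned are not visible here.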

KDC TGS_REQ ticket expired log message has no client or server info

2011-07-28 Thread Chris Hecker
A typical failed TGS_REQ for an expired ticket looks like this: Jul 28 04:28:17 example.com krb5kdc[14031](info): TGS_REQ (1 etypes {18}) 1.1.1.1: PROCESS_TGS: authtime 0, for , Ticket expired This is slightly less than useful for finding which client is submitting expired TGTs. rd_req_deco

Re: KDC TGS_REQ ticket expired log message has no client or server info

2011-07-28 Thread Chris Hecker
es > {18}) 1.1.1.1: PROCESS_TGS: authtime 0, a...@foo.com for > , Ticket expired for no performance penalty at all, which seems like a win for debugging and security? Chris On 2011/07/28 02:45, Chris Hecker wrote: > > A typical failed TGS_REQ for an expired ticket looks like this: > >

any non-krb5int way to pass a keyblock to get_init_creds?

2011-07-30 Thread Chris Hecker
It seems there's no exposed way to call krb5_get_init_creds with a key directly. If I've got a key that's not stored in a keytab (like it got handed to me some other way), it looks like the best/only way to do this is to create a MEMORY keytab, manually create a keytab_entry, add the entry, a

possible to compute plain old HMAC-SHA1 of buffer with krb5 api?

2011-08-01 Thread Chris Hecker
Is it possible to compute a regular old hmac_sha1 with the krb5 api? In other words, the normal api is digest = hmac_sha1(data,pass). I notice there are a bunch of hmac functions and krb5int_hmac is even exported, but it's not clear how to call it to be compatible with a regular hmac_sha1. N

Re: any non-krb5int way to pass a keyblock to get_init_creds?

2011-08-01 Thread Chris Hecker
nego functions? On 2011/08/01 08:43, Greg Hudson wrote: > On Sun, 2011-07-31 at 00:43 -0400, Chris Hecker wrote: >> It seems there's no exposed way to call krb5_get_init_creds with a key >> directly. If I've got a key that's not stored in a keytab (like it got >
