That's not Kerberos authentication. If you had read the first two sentences
on that page you'd see it doesn't meet the requestor's needs.
/fc
On Fri, 1 Aug 2003 15:10:50 + (UTC) [EMAIL PROTECTED] ("Subu Ayyagari") wrote:
> Kerberos authentication for apache:
> http://modauthkerb.sourceforge.
On Tue, 5 Aug 2003 16:40:22 + (UTC) [EMAIL PROTECTED] (Sam Hartman) wrote:
> It seems kind of unfortunate that you're combining these two modules.
> It seems that I'd really rather use PAM or pubcookie for my password
> auth and then GSS-based stuff for native Kerberos.
At the risk of just doi
On 28 Jan 2004 07:32:46 -0800 [EMAIL PROTECTED] wrote:
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
I think other responses are missing the bigger picture.
You are almost certainly (I'd b
On Wed, 2 Jun 2004 14:11:52 -0400 "bart.w.jenkins" <[EMAIL PROTECTED]> wrote:
> All,
> I would love to use MIT's Kerberos, but it looks as though it can NOT do
> Role Based Access Control (RBAC) out of the box.
That's not the job of an authentication system. RBAC is authorization.
/fc
On 12 Jul 2004 05:16:00 -0700 [EMAIL PROTECTED] (mdj_kerberos) wrote:
> hi all,
>
>
>Is it possible to make kerberos work without having krb5.conf file
> and keytab file Is it possible to include the contents of the
> conf file and keytab file in the code itself?
clients don't need keytab
On Mon, 04 Oct 2004 10:55:49 +0800 sam <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm not sure which kerberos I should use. With Heimdal, it is a
> thread-safe implementation, while MIT's kerberos is not.
>
> Please correct me if I'm wrong, it appears that there are more
> applications support MIT kerbero
On Wed, 6 Oct 2004 03:59:35 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote:
> Sam,
>
> Actually, a load balancer simplifies client deployment in our case (we
> can't utilize DNS load balancing on our campus). We can, with a load
Don't need DNS load balancing (and it's broken anyway).
> balan
On Wed, 6 Oct 2004 12:54:27 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote:
> I can't modify DNS.
Ah, well then that's a crazy restriction (since as a sysadmin, one
with a load balancer at your disposal, you can almost certainly spoof
DNS and make it do what you want anyway. I doubt you use
On Wed, 6 Oct 2004 19:31:19 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote:
> I guess the problem that everyone is having with our deployment is the
> term load-balancer. We don't actually want to ease the load off of our
...
Good, because:
> You'll say that DNS is the answer. I would agree
On Wed, 6 Oct 2004 19:21:19 + (UTC) [EMAIL PROTECTED] (Gary LaVoy) wrote:
The load balancer is simply another failure point.
>>>
>>> As is everything else.
>>
>> However load balancers are complicated devices and more prone to
>> failure.
>
> WHOA! - Yes load balancers can be complicated i
On February 2, 2007 5:46:55 PM -0500 Peter Iannarelli
<[EMAIL PROTECTED]> wrote:
> I don't believe I've seen anyone with a token strapped to their
> notebook and their PIN etched on the case.
I know a few thousand such users. Not with the PIN etched :-) but with
a credit card form factor token s
There's a so-called 'upcall' mechanism in the filesystem. rpc.gssd gets
requests from the nfs client through that and sends the answers through the
same mechanism. It's very patchwork IMHO.
/sbin/mount and mounts_nfs per se have no knowledge of this authentication
backdoor.
On Fri, Sep 12, 2014
https://tools.ietf.org/html/draft-aboba-pppext-eapgss-12 maybe
On Wed, Nov 26, 2014 at 12:34 PM, Hugh Cole-Baker
wrote:
>
> > On 26 Nov 2014, at 17:18, kerberos-requ...@mit.edu wrote:
> >
> > Hello,
> >
> > I was surprised to find Kerberos authentication for both PPTP and L2TP
> on Mac OS X. I
On Fri, Nov 28, 2014 at 12:29 AM, Rick van Rein
wrote:
> Here is a detailed discussion of how to configure FreeRADIUS to use
> Kerberos with 802.1x authentication:
>
> http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html
>
That discussion is how to setup a PAP request insid
On Fri, Nov 28, 2014 at 12:54 AM, Rick van Rein
wrote:
> Hi Frank,
>
> > I didn't read the document, but from the name of it the EAP-GSS method I
> noted earlier would be a true Kerberos authentication -- the client has to
> pass on a kerberos token, not a password. It sounded like that's what y
On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein wrote:
> Hey,
>
> > There were numerous advantages to this approach for our environment,
> however we never deployed it. I should have written a brief paper at the
> time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would con
I'm surprised you need a mapping at all. The default mapping should simply
strip any instance component. What happens if you kinit "manually" with
username/cron using a password?
On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke
wrote:
> Hello,
>
> I am setting up a kerberos/NFS4 environment. Bas
I'm thinking of having users being able to optionally do an OTP hwauth
to obtain their TGT. Assuming that the require-hwauth flag on a
service principal would mean that the TGT has to have the H flag set in
order to obtain a service ticket, this would require hwauth in order
to use NFS, eg to a sp
On 1/5/11 2:53 PM +0530 krbmit siso wrote:
> *Server Principal Names in TGS-REQ.*
>Padata field -> Contents in the TICKET which is visible
> Tkt-vno: 5
> Realm: realm1.com
>Server Name (Principal):
I recently added this support and will release it shortly.
On 1/31/11 3:37 PM -0500 Mikhail T. wrote:
> Hello!
>
> We are using Kerberos throughout, but one feature of ssh
> "authorized_keys" feels missing...
>
> We'd like to be able to limit principals to only be able to execute
> certain command
On 1/31/11 4:20 PM -0500 mikhail_tete...@timeinc.com wrote:
> On 31.01.2011 15:57, Frank Cusack wrote:
>> I recently added this support and will release it shortly.
> Thank you, Frank! Will this be an extension to the .k5login syntax, or
> something else? Yours,
It uses .k5users, e
Patch attached.
diff -uNrp openssh-5.8p1.orig/gss-serv-krb5.c openssh-5.8p1/gss-serv-krb5.c
--- openssh-5.8p1.orig/gss-serv-krb5.c 2006-08-31 22:38:36.0 -0700
+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-10 15:03:29.0 -0800
@@ -32,7 +32,9 @@
#include
#include
+#include
#
On 2/10/11 6:33 PM -0500 mikhail_tete...@timeinc.com wrote:
> On 10.02.2011 18:28, Frank Cusack wrote:
>> Patch attached.
> Great! Thank you very much, Frank! What is the status of it, though? Is
> it in the OpenSSH tree already -- to be included in the next release, for
> exa
On 3/5/11 5:17 PM +0800 Lee Eric wrote:
> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
> httpd. Because the password will be transferred encrypted by Kerberos.
> So is SSL used to protect the tickets or anything else?
You should never send authentication credentials to an u
On Thu, Mar 31, 2011 at 6:42 AM, Guilherme Nery wrote:
> How can I get the realm of a hostname,
Consult local configuration (krb5.conf), or DNS SRV records if DNS is being
used.
> and get the hostname of realm?
>
That question doesn't make sense. There is no mapping of realm->hostname.
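The hostname-to-realm direction described in the reply above is a plain lookup a client library does from the [domain_realm] section. The following is an added example (not code from the thread or from libkrb5) that parses a constructed krb5.conf fragment with invented realms and hosts and performs that lookup: exact hostname first, then each parent domain with a leading dot from most specific to least, then default_realm. That order is my reading of how domain_realm entries are documented; the DNS side (_kerberos TXT lookups when dns_lookup_realm is on) is left out so the example runs offline.

```python
"""Hostname -> realm lookup from [domain_realm], as a client library does it.

Added example, not code from the mailing-list thread or from libkrb5.
The configuration below is constructed for the example; none of the
hosts or realms belong to a real site.
"""
import re

KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
    legacy-host.example.com = OLD.EXAMPLE.COM
"""


def parse_sections(text):
    """Minimal krb5.conf reader for flat 'key = value' sections (no nested {} blocks)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return sections


def host_to_realm(hostname, conf):
    """Return the realm for hostname, or None if nothing matches and no default_realm."""
    host = hostname.rstrip(".").lower()
    mapping = conf.get("domain_realm", {})
    if host in mapping:                      # 1. an exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # 2. .b.example.com, .example.com, .com
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")   # 3. fallback


if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    for h in ("www.example.com", "node1.lab.example.com",
              "legacy-host.example.com", "host.other.org"):
        print(f"{h:28} -> {host_to_realm(h, conf)}")
```

The reverse question has no answer for the reason the reply gives: a realm is not a host. What does exist is realm-to-KDC: the kdc = entries under [realms] in krb5.conf, or the _kerberos._udp.REALM SRV records when DNS lookup is enabled.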
That's terrible! You've enabled anyone to sudo without having to know the
real password. The whole point of sudo requiring a password is to make sure
that the actual user is present (e.g. didn't walk away from an open
terminal). By disabling tgt_verify, anyone can spoof a KDC response that
will
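The reply above says that with TGT verification disabled, anyone can spoof a KDC response. The following is an added example, not code from the thread and not Kerberos' real cryptography: a small model of the AS and TGS exchanges using a toy authenticated cipher (HMAC-SHA256 keystream plus tag) so it runs offline. The two KDCs, the user alice, her password, the salt and the principal host/login.example.com are all invented here. It shows the four cases that matter: an honest KDC with right and wrong passwords, and a rogue KDC with verification off and on.

```python
"""Why a password login must verify the TGT against the host keytab.

Added example; not code from the mailing-list thread or from any Kerberos
implementation. The cipher is a toy and every name is constructed.
"""
import hashlib
import hmac
import os


def string_to_key(password, salt):
    """Stand-in for Kerberos string-to-key: 32-byte key from a password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Toy AEAD: nonce || ciphertext || tag. Only 'does this key fit' matters here."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    """Plaintext if the tag verifies under key, else None (wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Kdc:
    """A KDC reduced to its key database plus a TGS key (constructed sample)."""

    def __init__(self, keys):
        self.keys = keys                    # principal -> long-term key
        self.tgs_key = os.urandom(32)

    def as_rep(self, client):
        """AS-REP: a session key sealed under the client's key, plus a TGT."""
        session = os.urandom(32)
        return seal(self.keys[client], session), seal(self.tgs_key, client.encode())

    def tgs_rep(self, tgt, service):
        """TGS-REP: a service ticket sealed under the service key. A rogue KDC with
        no keytab entry for the service can only seal under a made-up key."""
        client = open_(self.tgs_key, tgt) or b"?"
        return seal(self.keys.get(service, os.urandom(32)), client + b"|" + service.encode())


def login(kdc, user, password, salt, host_principal=None, host_key=None):
    """Client side of a password login. With host_key (the local keytab entry)
    the TGT is verified by fetching a ticket for this host and checking it under
    that key, which is the check tgt_verify turns off."""
    enc_part, tgt = kdc.as_rep(user)
    if open_(string_to_key(password, salt), enc_part) is None:
        return False                        # password did not decrypt the AS-REP
    if host_key is None:
        return True                         # verification off: trust whoever answered
    return open_(host_key, kdc.tgs_rep(tgt, host_principal)) is not None


SALT = "EXAMPLE.COMalice"                  # Kerberos default salt shape: realm + name
HOST = "host/login.example.com"             # invented host principal
HOST_KEY = os.urandom(32)                   # what the real keytab on this host holds
honest = Kdc({"alice": string_to_key("correct horse", SALT), HOST: HOST_KEY})
# The attacker at the unlocked terminal points the client at a KDC that knows
# the password *they* are going to type, but not the host's keytab key.
rogue = Kdc({"alice": string_to_key("anything", SALT)})


def demo():
    return {
        "honest kdc, right password": login(honest, "alice", "correct horse", SALT, HOST, HOST_KEY),
        "honest kdc, wrong password": login(honest, "alice", "wrong", SALT, HOST, HOST_KEY),
        "rogue kdc, no tgt verify": login(rogue, "alice", "anything", SALT),
        "rogue kdc, tgt verify": login(rogue, "alice", "anything", SALT, HOST, HOST_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} -> {'accepted' if ok else 'rejected'}")
```

The third case is the one the reply objects to: with verification off, the password the attacker types is accepted because the rogue KDC wrapped the reply under a key derived from that very password. The fourth case is what the host keytab buys: the rogue KDC cannot produce a host ticket that opens under a key it never had.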
On Wed, Dec 22, 2010 at 10:31 AM, wrote:
> ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz
>
Revisiting this.
In my followup idea on having the server initiate the request for the fresh
credential, any thoughts on how to present a secure UI to the user so that
he knows this is ACTUALLY a lo
On Fri, May 13, 2011 at 12:08 AM, wrote:
> The next release will have a PAM module which handles the
> authentication of the forwarded AP-REQ packet. That will eliminate
> the need for the sudo patch and provide a general mechanism for any
> application to leverage this system.
>
That sounds gr
On Wed, Jul 6, 2011 at 10:27 AM, wrote:
> Does anyone on this list intentionally rely on PTR lookups for
> Kerberos hostname canonicalization?
>
Yes, for "ssh host". In our case, the canonicalization is done by the ssh
client itself though, not by the krb5 library. Now that I'm aware of the
is
On Fri, Oct 14, 2011 at 1:56 AM, Martinsson Patrik <
patrik.martins...@smhi.se> wrote:
> How do I set up krb5.conf to get nfs to not use pkinit, while when for example
> doing a regular "kinit" pkinit should be used.
>
"nfs", i.e. rpc.gssd, does not use pkinit ever. It uses only a keytab.
ults] section of your krb5.conf, the rpc.gssd will segfault.
>
> In my world that means that rpc.gssd reads the pkinit-option in some way,
> but I'm not sure.
>
> Best regards,
>
> Patrik Martinsson, Sweden.
How can I learn the enctype of the TGS key? That is, the long lived krbtgt
key. Without having kadmin privileges.
'klist -e' reports "Etype (skey, tkt)", where I take it that skey = the
enctype of the session key and tkt = the enctype of the ??? opaque ticket I
guess?
I question if this is the
Oh wait. As always, just after sending the email is when you find the
answer.
I think the answer is that the enc-part isn't just an opaque blob, it's
etype
kvno
cipher
So that's where the enctype comes from. Can someone confirm my
understanding?
On Wed, Jan 4, 2012 at
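The structure guessed at in the message above (etype, kvno, cipher) is the EncryptedData inside a Ticket in RFC 4120 section 5.3. The following is an added example, not code from the thread or from any Kerberos library: a minimal DER encoder builds a sample Ticket inline so that a small parser can pull etype and kvno back out offline. The realm, the krbtgt service name and the 40 cipher bytes are invented; parse_ticket() itself depends only on the ASN.1 layout.

```python
"""Read etype and kvno out of a Ticket's enc-part (RFC 4120 section 5.3).

Added example; not code from the mailing-list thread or from any Kerberos
library. The sample Ticket is constructed inline.
"""

ETYPES = {                      # RFC 3961/3962/8009 registry numbers
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def der_int(n):
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))


def ctx(n, content):
    """Context-specific constructed tag [n], which every Kerberos field uses."""
    return tlv(0xA0 | n, content)


def build_ticket(realm, sname, etype, kvno, cipher):
    principal = tlv(0x30, ctx(0, der_int(2))                       # name-type NT-SRV-INST
                    + ctx(1, tlv(0x30, b"".join(tlv(0x1B, s.encode()) for s in sname))))
    enc_part = tlv(0x30, ctx(0, der_int(etype)) + ctx(1, der_int(kvno))
                   + ctx(2, tlv(0x04, cipher)))
    body = (ctx(0, der_int(5)) + ctx(1, tlv(0x1B, realm.encode()))
            + ctx(2, principal) + ctx(3, enc_part))
    return tlv(0x61, tlv(0x30, body))                              # [APPLICATION 1] SEQUENCE


def read_tlv(buf, off=0):
    """Decode one TLV at off: returns (tag, content, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(content):
    off, out = 0, []
    while off < len(content):
        tag, val, off = read_tlv(content, off)
        out.append((tag, val))
    return out


def parse_ticket(der):
    tag, seq, _ = read_tlv(der)
    if tag != 0x61:
        raise ValueError("not a Ticket ([APPLICATION 1])")
    fields = dict(children(read_tlv(seq)[1]))
    realm = read_tlv(fields[0xA1])[1].decode()
    name = dict(children(read_tlv(fields[0xA2])[1]))
    sname = [v.decode() for _, v in children(read_tlv(name[0xA1])[1])]
    enc = dict(children(read_tlv(fields[0xA3])[1]))
    etype = int.from_bytes(read_tlv(enc[0xA0])[1], "big", signed=True)
    kvno = int.from_bytes(read_tlv(enc[0xA1])[1], "big") if 0xA1 in enc else None
    cipher = read_tlv(enc[0xA2])[1]
    return {"realm": realm, "sname": "/".join(sname), "etype": etype,
            "etype_name": ETYPES.get(etype, "unknown"), "kvno": kvno,
            "cipher_len": len(cipher)}


# Constructed sample: a krbtgt ticket whose enc-part is aes256 with kvno 3.
SAMPLE = build_ticket("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"], 18, 3, bytes(range(40)))

if __name__ == "__main__":
    print(parse_ticket(SAMPLE))
```

The "tkt" half of klist -e's "Etype (skey, tkt)" is this etype field. So the enctype (and kvno) of the long-lived krbtgt key is visible to any client holding a TGT, while the key itself is not: cipher only opens with the service key, which for a TGT is the krbtgt key.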
Thanks for your continued work on this.
On Mon, Jan 9, 2012 at 1:42 AM, wrote:
> Good morning, hope the day is starting out well for everyone.
>
> I'd like to announce the availability of a major upgrade to the Hurdo
> package. The update is available at the following URL:
>
> ftp://ftp.hurderos
On Sat, Jan 21, 2012 at 11:46 AM, Stefan Skoglund
wrote:
> I had a bit of problems unlocking the X session and after reading
> other people description of the same symptom i did find the trigger for
> it in my /etc/krb5.conf:
> ---
> verify_ap_req_nofail = true
> ---
>
> I dropped it and things st
ire
system.
On Saturday, January 21, 2012, Russ Allbery wrote:
> Frank Cusack writes:
>
>> They don't need to be. The screen saver itself can be run in an
>> unprivileged context.
>
> Only with an internal architecture that screen savers often don't bother
> to i
On Sat, Jan 21, 2012 at 9:12 PM, Russ Allbery wrote:
> Frank Cusack writes:
> Most screen savers are not written for or audited against running setuid
> root.
>
They don't need to be. The screen saver itself can be run in an
unp
On Wed, Aug 15, 2012 at 8:10 AM, steve wrote:
> Hi
> openSUSE 12.1
>
> Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
> to be able to write to the share. I can do this with by mounting it with:
> no_root_squash,sec=sys
>
> Is there any way I can do it with:
> sec=krb5
>
>
man rpc.gssd.
Another option is to allow the servers to mount via sys permission. Your
NFS server may or may not allow this kind of configuration.
It should be the default that foo and foo/cron are equivalent for NFS
purposes.
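Whether foo and foo/cron are equivalent is, in MIT krb5, decided by the auth_to_local setting under the realm's entry in [realms]. The following is an added example, not code from the thread or from libkrb5, and it also serves the earlier reply about the default mapping stripping the instance: it implements the documented RULE:[n:string](regexp)s/pattern/replacement/g syntax and the DEFAULT rule as I read the krb5.conf documentation (the formatted string must match regexp as a whole, then the sed-style substitution is applied), so a mapping can be tested before it lands in the config. EXAMPLE.COM, foo and both rule sets are invented; cron is the instance from the thread. The weak rule set beside the corrected one shows the trap: collapsing every instance onto the base user, rather than only the cron instance, lets foo/admin log in as foo.

```python
"""MIT-style auth_to_local rule evaluation for testing mappings offline.

Added example; not code from the mailing-list thread or from libkrb5.
Realm, user and rule sets are constructed.
"""
import re

DEFAULT_REALM = "EXAMPLE.COM"

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                          # [n:string]
    r"(?:\((.*)\))?"                                     # (regexp), optional
    r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"       # s/pattern/replacement/[g]
)


def parse_principal(text):
    """'foo/cron@EXAMPLE.COM' -> (['foo', 'cron'], 'EXAMPLE.COM')."""
    name, _, realm = text.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    n, fmt, regexp, pattern, replacement, gflag = m.groups()
    if len(components) != int(n):          # a rule only applies to n-component names
        return None
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        formatted = formatted.replace(f"${i}", comp)
    if regexp is not None and not re.fullmatch(regexp, formatted):
        return None
    # replacement is literal text; the lambda sidesteps Python's backslash handling
    return re.sub(pattern, lambda _: replacement, formatted, count=0 if gflag else 1)


def auth_to_local(principal, rules, default_realm=DEFAULT_REALM):
    """First rule that yields a name wins; None means no translation (deny)."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None


# Weak: collapses *every* two-component name in the realm onto the base user,
# so foo/admin (or foo/anything) is treated as foo.
WEAK = [r"RULE:[2:$1;$2@$0](^[^;]+;[^@]+@EXAMPLE\.COM$)s/;.*//", "DEFAULT"]
# Corrected: only the cron instance is equivalent to the base user.
CORRECTED = [r"RULE:[2:$1;$2@$0](^[^;]+;cron@EXAMPLE\.COM$)s/;.*//", "DEFAULT"]

if __name__ == "__main__":
    for p in ("foo@EXAMPLE.COM", "foo/cron@EXAMPLE.COM", "foo/admin@EXAMPLE.COM",
              "foo/cron@OTHER.REALM"):
        print(f"{p:24} weak={auth_to_local(p, WEAK)!s:5} corrected={auth_to_local(p, CORRECTED)}")
```

Note that neither rule set maps a principal from another realm; the corrected one returns None for foo/cron@OTHER.REALM, which is the safe answer unless a cross-realm mapping is intended.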
On Tue, Sep 18, 2012 at 12:43 PM, Matt Garman wrote:
> Isn't the above path stuff kind of pointless anyway, since I can use
> -k -t with kinit at the user level? Which I have to do anyway,
> from within cron?
>
yeah, whoops. I was thinking keytab but actually rpc.gssd wants a
credential cache.
On Tue, Sep 18, 2012 at 9:42 AM, Matt Garman wrote:
> On Sat, Sep 15, 2012 at 8:12 PM, Frank Cusack wrote:
> > man rpc.gssd.
>
> At least on my distro (CentOS 5), that man page is extremely terse.
>
At least it should tell you where to drop keytabs and how to name them so
t
On Tue, Sep 18, 2012 at 2:00 PM, Matt Garman wrote:
> === SERVER MACHINE, ROOT TERMINAL ===
> ...
> mech: krb5, hndl len: 4, ctx len 85, timeout: 1348001077 (116 from
> now), clnt: *matt@cron*, uid: -1, gid: -1, num aux grps: 0:
>
That's interesting. I wonder if that's a debug artifact or if svc
Does the server know it's in the realm MYDOMAIN.COM?
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery wrote:
> We were quite concerned when we first looked at putting Kerberos KDCs
> behind a hardware firewall because of that session limit. Our firewalls
> have a 100,000 UDP session limit and a fairly quick timeout.
Ideally you just disable the con
On Tue, Sep 25, 2012 at 2:02 PM, Jack Neely wrote:
> My network engineers tell me that the firewall in one DC had 8000
> concurrent connections from the offending IP address to the KDCs and
> 4000 in the second DC. (Oddly, the DC with only 1 slave.) The KDCs
> weren't able to handle other reque
KRB5CCNAME
On Wed, Oct 31, 2012 at 12:41 PM, Jim Shi wrote:
> Hi, I have a question.
> When you start ssh, ssh will use TGT ticket in the cache that matches the
> current unix login account.
>
> Is my understanding correct? Is there way you can override this to use a
> different TGT in the cache
Windows clients will handle this automatically by giving the user the
kerberos password prompt. In that case it's done in the kerb library. For
unix (and mac) clients this doesn't happen. The easiest solution is to
wrap the ssh binary with an expiration checker tool. Another route is to
deploy
On Thu, 5 Jun 2003 18:56:01 + (UTC) [EMAIL PROTECTED] (Ken Hornstein) wrote:
>>connection, I can run the 'kinit.exe' that is a part of the KfW
>>distribution to get a TGT into my MIT cache, but I can't seem to
>>find a way to get credentials into the MS cache, so certain apps
>>(putty, e.g.)
On Tue, 17 Jun 2003 10:27:20 + (UTC) [EMAIL PROTECTED] ("Parag Godkar") wrote:
> 1. Do I have to compile openssh on all the linux servers after
> applying Simon Wilkinson's gss-api patch from -
> http://www.sxw.org.uk/computing/patches/openssh.html
Yes, if you want to use protocol 2.
On Tue, 17 Jun 2003 13:26:47 + (UTC) [EMAIL PROTECTED] ("Parag Godkar") wrote:
>> > 1. Do I have to compile openssh on all the linux servers after
>> > applying Simon Wilkinson's gss-api patch from -
>> > http://www.sxw.org.uk/computing/patches/openssh.html
>>
>> Yes, if you want to u
On Thu, 19 Jun 2003 10:22:50 -0700 Donn Cave <[EMAIL PROTECTED]> wrote:
> unfortunately it doesn't interoperate with the ssh.com approach to
> Kerberos 5 for protocol 2.
Which, AIUI, was rejected in the ietf for being deficient. Regardless
of any deficiencies (or not) in the ssh.com approach, the