> My next step is to create a puppet recipe to automate the whole
> process and to package wallet so it is easier to install.
I, for one, would be interested in your Puppet solution once you have
it. :)
-JP
Kerberos mailing list
> I am a software developer in a commercial company, currently we are
> planning to Kerberize our product, I want to know if there are restrictions
> in using krb5 libs, specifically:
The MIT Kerberos license is very liberal [1]; IANAL but it would seem
possible for you to do pretty much what you
> Do I need to use the kprop tool if I want to run more than one KDC for
> the same realm or can both KDCs just access the same database inside
> the DIT of OpenLDAP at the same time?
Don't use kprop. The advantage of storing the KDC database in LDAP is
that you make use of OpenLDAP's replication
> The multi master OpenLDAP setup works like a charm. As far as I can
> say there are no problems at all.
That is very good to hear. Maybe I should shrug my pessimism off and
give it a try. Considering I'm in the midst of a project setting up
Kerberos with an LDAP back-end, I might do that... :)
> > The idea behind the multi (two) master setup is to have a failover
> > solution for everything, so that one slapd or one kdc can go down.
>
> It sounds like a good idea, but IMO it may be more trouble than it's
> worth.
I've thrown aside my pessimism and have implemented the following
sce
I need a bit of help, please for the following scenario: a bunch of
workstations (PCs, on the left) currently connect via SSH to a
semi-trusted bastion host, from which users jump onto machines in a
trusted environment. This design cannot be changed.
[ASCII diagram: PC --SSH--> semi-trusted --SSH--> trusted]
Ross,
On Tue Jun 05 2012 at 08:54:11 CEST, Russ Allbery wrote:
> Our KDCs have always been open to the Internet.
Oh, I've always thought KDCs need to be particularly protected from the
elements...
Are you willing/able to share a bit more information on what kind of
protection measures (apart fr
> Are you willing/able to share a bit more information on what kind of
> protection measures (apart from basic Unix) you apply to your KDCs, or
> is there a paper on how MIT has implemented that?
Apologies: I meant Stanford, of course.
-JP
> Ugh. Any do's and don'ts? How do you harden the KDC (not the host but
> the kerberos side)?
>
> It will solve some of our problems as well but it was deemed too risky.
+1 :)
-JP
I think I'm getting the hang of Wallet (0.12) even though I have a pile
of questions (mainly concerning ACLs) I'll save for another time. :)
A bit of `grep' through documentation and source show that the LDAP
verifier (I believe that's the term) hasn't been implemented yet. I
neither have (nor wan
Russ,
> You may want to grab the latest Git version, which has an implementation
> (although it may still not be quite what you want).
It looks good, but is indeed not quite what I want: your code compares
an attribute type in a principal's LDAP entry to a specified attribute
type, whereas I pref
> I'll post code when ready.
FWIW, it works :) I've put it up at [1] with an attempt at explaining it.
Regards,
-JP
[1] https://github.com/jpmens/tenDB
Hello,
I'm *really* liking Wallet (v0.12), but have a few questions, mainly
regarding ACLs and their use. I hope you can help me. Here goes:
1. I'm unsure of the order in which wallet commands are issued. In order
to create and then obtain (i.e. `get') a keytab I seem to have to
issue the f
> > There are also security issues with trusting DNS if you don't have DNSSEC
> > configured.
>
> How are they different from trusting DNS to correctly resolve a
> statically configured server?
They aren't different: you can't very well trust the DNS for anything
without DNSSEC.
-JP
FWIW, I've written [1] a short article on my very good experience with
Wallet. Thanks to Russ for having created it and for help in
understanding!
-JP
[1]:
http://jpmens.net/2012/06/25/streamlining-distribution-of-kerberos-keytabs-and-other-secure-data/
> When I run this script on one of my linux boxes I get this (as expected):
>
> Kerberos 5 version 1.8.3
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
> klist returned false
>
> And on a different one:
>
> Kerberos 5 version 1.10-beta1
> k
Hello,
The documentation of remctl (version 3.2) is not clear to me in regard
to setting the source IP address of outgoing connections:
remctl_set_source_ip(3) in doc/api/ specifies:
"Call this function before remctl_open() if remctl client connections
need to come from a specifi
Hello Javier,
> I'm trying to setup a krb5 server with openldap backend. According to
> documentation seems that ldapi is a valid method to connect, but I'm not
> able to create the database.
>
> Trying to use
> kdb5_ldap_util -H ldapi:/// create -r DOMAIN.LOCAL -s
> gives an 'LDAP bind dn value m
> How are folks performing functional testing of KDCs (without PKINIT)?
We have a very primitive Nagios/Icinga plugin (loosely based on [1])
which invokes `kinit' with a keytab. This verifies that the round-trip
principal->KDC->OpenLDAP is possible.
-JP
[1] http://exchange.nagios.org/dir