any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Victor Sudakov wrote:
Sorry, I screwed up the subject. Trying again.
I am running heimdal-0.6.3 on a FreeBSD 4.9-RELEASE system. Kerberized
FTP logins from other systems fail with the following error:
ftpd[51877]: <--- 220 admin.sibptus.tomsk.ru FTP server (Version 6.00+Heimdal 0.6.3) ready
ought it was just an implementation of HTTP basic auth, with Kerberos
>> instead of the AuthUserFile.
> mod_auth_kerb can do either GSSAPI and/or Kerberos through Basic (you should
> protect it with SSL)
I have read http://modauthkerb.sourceforge.net/configure.html and it
is not clea
s
instead of the AuthUserFile.
--
he term "KrbMethodK5Passwd" was unclear.
So the "password based authentication for Kerberos v5" means Basic
with Kerberos password backend, doesn't it?
>
> To enable or disable the use of password based authentication for
> Kerberos v5.
Thanks for clarification.
assword using
> KRB auth on the server side (trying to obtain a TGT).
Why maintain two infrastructures (kerberos and PKI) while you can
maintain one? :(
--
CS/people/kenh/kerberos-faq.html
on this server.
Additionally, a 403 Forbidden error was encountered while trying to
use an ErrorDocument to handle the request.
--
is right now; I got a redirect to www.cmf.nrl.navy.mil,
> and it worked just fine.
Yes, it works now. Must have been some transient problem.
--
e value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
I am running OpenSSH 3.8.1 on FreeBSD 5.x
--
by sshd, I lose the
forwarded credentials which sshd stores under a unique name, not under
the common name.
--
d to
the server box, they should be refreshed in all the screen windows.
>
>>
>> The value of "/tmp/krb5cc_NN" where NN is my uid would be fine.
>>
>> I am running OpenSSH 3.8.1 on FreeBSD 5.x
>>
>
--
find it.
However, a manual operation could be easily avoided if I could
persuade sshd to store the forwarded credentials always in the same
place.
For example, telnetd does not do any such fancy things with unique
KRB5CCNAME for each new login.
--
for each new login.
>
> Indeed it does, for the same reason:
It surely does not in FreeBSD 4.x (and Heimdal from the ports collection).
--
Colleagues,
If a server is known by several names in DNS, how can I make GSSAPI
authentication work with all those names?
--
The system is FreeBSD 6.2 with stock Kerberos and ssh.
--
bling this canonicalisation, but
> I'm not sure about Heimdal.
Does a ssh client really pass any server name to sshd during GSSAPI
negotiation?
--
rs, MUAs and other client applications are also
expected to try each IP address until success, but this is already
another story.
[dd]
--
TECTED]
Jan 2 09:27:47 Jan 3 09:27:47 host/[EMAIL PROTECTED]
How can I configure Kerberos so that all service tickets also get a
lifetime of 3 days?
TIA.
--
he maximum ticket lifetime for all of those
> principals in the KDC.
Thank you, it worked.
Is there a way to set the default maximum ticket lifetime for all
newly created principals?
I usually create new host principals by running "ktutil get" on the
host
Victor Sudakov wrote:
> > You probably need to change the maximum ticket lifetime for all of those
> > principals in the KDC.
> Thank you, it worked.
> Is there a way to set the default maximum ticket lifetime for all
> newly created principals?
It seems that the "de
I assume there is, but I'm not familiar enough
> with that implementation. In MIT Kerberos, it's a kdc.conf setting.
In Heimdal, you modify the "default" principal.
--
l I try to authenticate as.
Can this be helped? I want to create a new user in the Kerberos
database only, and this user's profile on the Windows machine should
be created automatically.
--
ot hard to
> modify to drop the LDAP lookups and simply create a local account.
Thank you for the link, however LDAP seems superfluous for my purpose.
The goal was to maintain the user database in just one place, and
Kerberos + LDAP mean two places.
--
. However my goal was to avoid
installing third party software on Windows workstations, and at the
same time to avoid the excessive complexity of Active Directory.
Kerberos at first seemed to be a good compromise.
--
single place.
> And it is extremely easy to tweak the scap code to just create the
> user account instead of looking up LDAP to check that user actually
> exists.
Perhaps it is easy, but anyway it would mean installing third party
software to Windows workstations, which I was trying to
. There are a lot of useful utilities in support
tools, however those utilities are not meant for an average user.
--
ldap.
And again, why would we want two databases: LDAP and Kerberos?
> And pam_mkhomedir cares about "local profile" creation.
Oh yes, I use it on NIS clients.
It is much better for my purposes than NFS-mounted homes.
--
Colleagues,
According to the man page, some options such as ticket_lifetime,
renew_lifetime etc can be used both in the [appdefaults] and
[libdefaults] sections. What is the difference between the usages?
TIA.
--
ave tried setting "forwardable = yes" in both the sections,
however after "kinit -R" the ticket ceases to be forwardable. I have
to say "kinit -Rf" explicitly all the time. What gives?
--
blem.
The kdc is Heimdal running on FreeBSD. The keytab for the host
principal was exported on FreeBSD and then transferred to Solaris and
imported there.
Thank you in advance for any input.
--
b, why wouldn't it just
use it?
# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---
1 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
1 host/[EMAIL PROTECTED] (etype 2)
1 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD
aris machine can only do
> DES, then re-issue the keytab with only a DES key:
> ktadd -e des-cbc-crc:normal ost/[EMAIL PROTECTED]
OK, I did
del_enctype host/oracle.sibptus.tomsk.ru des-cbc-md4 des-cbc-md5 des3-cbc-sha1
in kadmin and transferred the keytab anew. Now I have:
# klist -e -k /etc/kr
Victor Sudakov wrote:
> What could be the reason that I cannot telnet from FreeBSD to Solaris 10
> with the following error:
> Connected to oracle.sibptus.tomsk.ru.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/[EMAIL PROTECTED])... ]
> [ Kerber
Colleagues,
If cross-realm authentication is configured between two realms, do the
KDCs ever talk directly to each other, or do they talk only to the client?
In other words, is IP connectivity necessary between the KDCs, or only
between the client and each of the KDCs?
--
Victor Sudakov wrote:
> What could be the reason that I cannot telnet from FreeBSD to Solaris 10
> with the following error:
> Connected to oracle.sibptus.tomsk.ru.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/[EMAIL PROTECTED])... ]
> [ Kerber
il.
Reading cf/README "Providing SMTP AUTH Data when sendmail acts as
Client" did not enlighten me. I want no U or P tags in the authinfo
file, since I want the calling user's Kerberos principal name as U and
her ticket instead of password.
Thanks in advance for any input.
--
In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote:
> I have sendmail 8.13.6 acting as MSA for local users.
It should have been "MSP" instead of "MSA".
The rest of the message is correct. Any ideas please?
--
In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote:
> Now how do I enable GSSAPI authentication for local users? What should
> I put into the /etc/mail/authinfo file so that each local user who has
> a Kerberos ticket could authenticate herself to the mailhub?
> T
could do
> > the same for sending.
> Actually, I want to know about this too. I'll ask Sun's sendmail
> contact.
Please do, and share the result.
--
ll install it
as /usr/sbin/sendmail.
> Or you might argue that sendmail just needs an option to work as
> described above (no queueing, no privs, or per-user queueing).
> BTW, on Solaris it wouldn't work anyways pending this:
> 6481399 sendmail needs to ship /etc/sasl/Sendmail.c
store a password in the config for receiving mail. I wish we could do
> > > the same for sending.
> > Actually, I want to know about this too. I'll ask Sun's sendmail
> > contact.
Nicolas, any results?
--
ame for sending.
> >
> > > > Actually, I want to know about this too. I'll ask Sun's sendmail
> > > > contact.
> >
> > Nicolas, any results?
> I followed up on March 19th on the list. I seem to recall my e-mails to
> you bouncing, s
dress collecting robots. Should someone want to reply by private
mail, the obfuscation algorithm is pretty obvious to the human eye.
--
ermail/kerberos/2008-March/013358.html
you were going to ask the Sun's sendmail contact about GSSAPI.
There is nothing in the list archives whether you have asked them and
what they answered.
When you say "I followed up on March 19th" I think this is not the
followup I was eagerly wa
Colleagues,
Is a Kerberos principal always a DNS name? Can't an IP literal be used?
--
ty issues.
I thought that sometimes it would be convenient to have a principal
like host/[EMAIL PROTECTED] to be able to ssh into 10.1.1.1 without
giving it a name. This is not possible, is it?
--
host, how does
it figure out its own principal name? Suppose it has keys for
multiple principals in the keytab, which one would it choose?
--
Colleagues,
There is a very useful command "ktutil get" in Heimdal. It allows one to
conveniently join a host into a Kerberos domain, without bothering
about transferring the keytab.
What is the analogous command in the Solaris Kerberos implementation?
--
Victor Sudakov wrote:
> There is a very useful command "ktutil get" in Heimdal. It allows one to
> conveniently join a host into a Kerberos domain, without bothering
> about transferring the keytab.
> What is the analogous command in the Solaris Kerberos implementation?
No So
Victor Sudakov wrote:
> > There is a very useful command "ktutil get" in Heimdal. It allows one to
> > conveniently join a host into a Kerberos domain, without bothering
> > about transferring the keytab.
> > What is the analogous command in the Solaris Kerb
by VAS
[libdefaults]
default_realm = SIBPTUS.TOMSK.RU
dns_lookup_kdc = yes
$
$ host -t srv _kerberos-adm._tcp.sibptus.tomsk.ru
_kerberos-adm._tcp.sibptus.tomsk.ru has SRV record 0 0 749 big.sibptus.tomsk.ru.
$
--
floppy.
It seems that "kadmin ktadd" could do this for me if only it were
compatible with Heimdal's kadmind.
--
n. This method does not require any external means to transfer a
keytab (like ssh or floppy).
From your replies I guess that this convenient feature is totally
missing from MIT Kerberos :(( or is implemented in a totally different
manner.
--
Victor Sudakov wrote:
> It is a pity I cannot check it out because Solaris' kadmin seems to be
> incompatible with FreeBSD's kadmind:
> $ kadmin
> kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
I see, Solaris kadmin looks for _kerberos-adm._udp
Michael B Allen wrote:
> Incidentally, I have been informed off-list that newer versions of
> Exchange's IMAP implementation actually do support Kerberos via
> GSSAPI.
And what win32 IMAP clients can authenticate with GSSAPI?
--
s.
TIA for any input.
--
still try UDP;
> this only controls the order.
Sorry, I did not mention I was talking about Heimdal.
--
;>
> Default protocol in Heimdal is udp, there is no way other than you
> described to override it.
> What problem do you have that requires tcp?
The problem is with a Heimdal client and Microsoft KDC:
$ kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: krb5_get_init_creds:
7;s stock Kerberos.
Can you give me the URL for the fix? I could submit a PR to the FreeBSD team.
--
MAP4 IMAP4REV1 ACL NAMESPACE UIDPLUS IDLE LITERAL+ QUOTA ID
MULTIAPPEND LISTEXT CHILDREN BINARY LOGIN-REFERRALS UNSELECT STARTTLS
AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI
1 OK completed
--
Victor Sudakov wrote:
> > >
> > >> Incidentally, I have been informed off-list that newer versions of
> > >> Exchange's IMAP implementation actually do support Kerberos via
> > >> GSSAPI.
> > >
> > > And what win32 IMAP clie
ocket, no matter
if the datagram was bigger than the MTU, is it correct?
TIA.
--
> > I assume the KDC should just receive data from the socket, no matter
> > if the datagram was bigger than the MTU, is it correct?
> Yes.
Then what is Microsoft talking about?
--
et sizes." What's there inside? Long principal
names? Long keys?
> Routers need to fragment packets as necessary but that should be
> transparent to the higher layers.
I thought so too but Microsoft seems to think otherwise.
--
man values
> conveyed for PKINIT during initial authentication.
--
mentation is Heimdal 1.1.0 from the FreeBSD base system.
--
you add an explicit domain_realm mapping for each IP address to the
> [domain_realm] section of your krb5.conf file, it will probably work, but
> it's generally a much better idea to use real host names (possibly in some
> private domain ending in .local or some similar marker).
in .local or some similar marker).
I see. Do I need a real DNS or perhaps /etc/hosts will do? I share
/etc/hosts as a NIS map.
And another question. If a Kerberos-enabled server has several
principals in its keytab, how exactly does it decide which one to
use?
--
aced by
an /etc/hosts entry on the server itself. I've had many irritating
cases of being unable to use GSSAPIAuthentication in sshd because of
incongruous DNS.
--
ussion of ways we might improve this situation within krb5,
> see: http://mailman.mit.edu/pipermail/krbdev/2010-August/009363.html )
It also says that "For these acceptors, krb5_sname_to_principal
constructs a principal "/@", where
is the DNS-canonicalized result of gethost
such one way trust?
TIA.
--
us/library/bb742433.aspx
But it still escapes me how on earth I will end up with
krbtgt/unix.re...@windows.realm and krbtgt/windows.re...@unix.realm
having the same key. There is nothing in the above articles about
exporting and importing keytabs.
--
gt principals transferred between
the two KDCs?
The Windows "New Trust" wizard just asks for a password and never
offers to export a keytab or anything.
--
same password will yield the same key
anywhere, in any Kerberos implementation?
And BTW how do I figure out what enctypes AD is configured to provide?
Is there anything like "kadmin get" for AD?
--
s getaddrinfo() for its canonicalization step,
> and falls back to the raw hostname if that fails.
I have been able to successfully authenticate (OpenSSH,
gssapi-with-mic) to a host not present in the DNS, only in the "hosts"
NIS map. It works!! :)
--
ELEASE
# pkg_info | grep ^ap
ap22-mod_auth_kerb-5.4_2 An Apache module for authenticating users with Kerberos v5
apache-2.2.17_1 Version 2.2.x of Apache web server with prefork MPM.
apr-nothr-devrandom-gdbm-1.4.2.1.3.10 Apache Portability Library
#
--
)
Thank you, I'll save it for future reference. For the present however
I have to deal with win2000 and win2003 domain controllers. It is
strange that there is no kadmin snapin or any other graphical KDC
administration tool.
--
he source? What if I
wanted sshd to use a "ssh/foo" principal?
--
how I can avoid manually configuring every Windows host
before I can use the trust? The relevant _kerberos SRV records are
set up for the Unix domain, but somehow Windows wouldn't use the
information published in DNS.
TIA for any input.
--
the server will look up in the keytab whatever
principal the client has sent? So if I want a different principal
name, I should configure the client rather than the server?