Re: Concurrent session per user support in Kerberos

2021-03-01 Thread hedrick
Yes. The Kerberos protocol simply allows users to get credentials and it provides a way for applications to check them. A user can have more than one credential at a time. Associating a credential with a session is up to you. You can certainly store a credential in a session-specific place. > O

Re: Integration of Duo with MIT Kerberos?

2021-04-29 Thread hedrick
Rutgers uses DUO. I did a test integration using the IPA Radius support, which I believe is also in MIT Kerberos. Point it at a Radius server that supports DUO. > On Apr 26, 2021, at 2:36 PM, Ben Poliakoff wrote: > > I see this question came up 6 years ago on this list: > > https://kerberos.m

various kerberos software

2017-01-26 Thread Charles Hedrick
Rutgers computer science has used Kerberos slightly for decades, but we’ve never really taken advantage of its facilities. We have a number of challenges that I think it can help us with, so we’re planning to move into a more complete implementation, based on Redhat’s free ipa. In the course of

Re: krb5.conf vs krb5.d/*.conf designs...

2017-02-24 Thread Charles Hedrick
Redhat IPA installations already do that. You don’t need any new features. Just start /etc/krb5.conf with includedir /etc/krb5.conf.d/ On Feb 23, 2017, at 4:37 PM, Keith Jones <k.e.jo...@brighton.ac.uk> wrote: Hiya, My apologies for the newbie (and deeply naïve!) question but I've j

anyone have Kerberized mount working on Mac 10.12?

2017-02-24 Thread Charles Hedrick
The server seems to think the mount was OK, but the client says permission denied, and the log shows 2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/m

Re: Kerberos Installation MacOS Sierra

2017-02-28 Thread Charles Hedrick
The Kerberos with OS X Sierra is not MIT’s Kerberos, so the same release numbers don’t apply. It’s a separate implementation of the protocol, called Heimdal Kerberos. Some software that uses Kerberos supports both types of libraries. If node.js supports only MIT, you can get an MIT version of Ke

update on utilities to improve Kerberos usability

2017-03-13 Thread Charles Hedrick
This is an update on my Kerberos usability project. I think my utilities are feature-complete. As I’ve described before, Rutgers computer science wants to use Kerberos to secure NFS and ssh. We have machines administered by faculty and students, and physically insecure lab machines. In such a w

interaction between caches, KEYRING, and NFS

2017-03-14 Thread Charles Hedrick
ials at that point it will fail. rpc.gssd uses a GSSAPI interface that only checks the primary credentials. Of course admin won’t mean anything to NFS, since my file access will all need to be done as hedrick. About the best I could come up with is to wrap kinit with a script th

Re: interaction between caches, KEYRING, and NFS

2017-03-16 Thread Charles Hedrick
Actually, if I have KRB5CCNAME set to a file in /tmp, and kinit as someone else, e.g. admin, that will reinitialize the file in /tmp, losing my original credentials. With KEYRING (I’m using Centos 7), because it’s a collection, there’s some hope of maintaining multiple caches properly. If KRB5C

Re: anyone have Kerberized mount working on Mac 10.12? [solved]

2017-03-24 Thread Charles Hedrick
er mounted with version 3. Now on to Windows ... > On Feb 24, 2017, at 1:26 PM, Charles Hedrick wrote: > > The server seems to think the mount was OK, but the client says permission > denied, and the log shows > 2017-02-24

Re: Doubts regarding Keytab file

2017-06-06 Thread Charles Hedrick
If I understand the concern, I have the same one. For user cron jobs, the traditional approach is for the user to create a keytab. As others have noted, the keytab is equivalent to the password. The problem for me is that a keytab is good on all hosts. So if someone manages to become root on one

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
The argument makes sense. However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended publi

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
seems pretty close. I’ll look into TPM, to see if that could somehow be used. > On Jul 21, 2017, at 3:42 PM, Russ Allbery wrote: > > Charles Hedrick writes: > >> The argument makes sense. > >> However I am disturbed by the fact that a keytab can be used >>

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
y writes: >> Charles Hedrick writes: > >>> * A kerberized service where the user registers that they want to be >>> able to do cron jobs on a given machine. >>> * A kerberized pam module that calls the same service and gets back >>> credentials,

Re: MIT Kerberos OTP with Windows

2017-11-01 Thread Charles Hedrick
You could issue a machine-specific key table, and then use a script that does kinit from the key table, then kinit -T pointing to the resulting credentials cache. I have verified the KfW kinit -T works. We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a kerberized servi

Re: MIT Kerberos OTP with Windows

2017-11-01 Thread Charles Hedrick
I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to the world. I’m currently using the Proxy for home use. > On Nov 1, 2017, at 2:30:55 PM, Benjamin Kaduk wrote: > > On Wed, Nov 01, 2017 at 06:06:23PM +, Charles Hedrick wrote: >>

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
says no kdc is reachable. On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <ka...@mit.edu> wrote: On Wed, Nov 01, 2017 at 10:30:36PM +, Charles Hedrick wrote: I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to the world. I’m currently usi

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
val 348866561 ecr 32546178], length 0 > On Nov 3, 2017, at 9:30 AM, Charles Hedrick wrote: > > I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the > same syntax as for krb5.conf > > kdc = > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2F

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
It works fine in a copy of Ubuntu running in Linux for Windows on the same Windows 10 machine. > On Nov 3, 2017, at 9:53 AM, Charles Hedrick wrote: > > Here’s the conversation using tcpdump on the proxy server. The connection > opens, no data is sent in either direction, and K

Re: OTP/FAST: MIT KDC <--> heimdal client integration

2017-11-03 Thread Charles Hedrick
It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out. If I force tcp by using tcp/hostname in krb5.conf, a no

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-21 Thread Charles Hedrick
Another approach is kind of iffy from a security point of view, but I have a situation where it’s needed. We have code that will generate any credentials for which it has a keytab, including a TGT. (It’s an MIT person of kimpersonate.) You can transmit it to the other end using krb5_fwd_tgt_cred

mac heimdal / MIT server problem with 2FA

2018-09-26 Thread Charles Hedrick
Client: Mac Mojave Server: IPA newest version Command: /usr/bin/kinit --fast-armor-cache=FILE:/tmp/krb5cc_1003 hedrick with KRB5_TRACE set, shows it is sending UDP packets to the server but getting no response. tcpdump shows the packets, but there is no entry for the transaction in /var/log

windows kerberos update?

2019-01-16 Thread Charles Hedrick
We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy. Are there plans for a new release that would do so? _

Re: windows kerberos update?

2019-01-17 Thread Charles Hedrick
Mac probably a few would do it for Windows as well. I’m paranoid enough about the server to want use from outside the department to go through the proxy. On Jan 16, 2019, at 12:01:19 PM, Greg Hudson wrote: On 1/16/19 11:23 AM, Charles Hedrick wrote: We’re starting to use Windows Kerberos, with a

Re: windows kerberos update?

2019-02-20 Thread Charles Hedrick
I just verified that OTP does work. Thanks. > On Jan 16, 2019, at 12:01 PM, Greg Hudson wrote: > > On 1/16/19 11:23 AM, Charles Hedrick wrote: >> We’re starting to use Windows Kerberos, with a 3rd party login screen that >> calls Kerberos. Some of our staff use FreeOTP

Re: special ccache performance issue

2019-05-13 Thread Charles Hedrick
We have a workaround, although it wasn’t intended for this purpose. In https://github.com/clhedrick/kerberos, look at krenew-wrapper. It builds a sharable library intended to be loaded with LD_PRELOAD. It wraps krb5_init_context with code that renews and copies the TGT into a memory cache, and

Re: special ccache performance issue

2019-05-13 Thread Charles Hedrick
That’s exec /bin/ssh "$@" On May 13, 2019, at 4:50 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: exec /bin/sh "$@"

Re: special ccache performance issue

2019-05-13 Thread Charles Hedrick
5:09:05 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: That’s exec /bin/ssh "$@" On May 13, 2019, at 4:50 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: exec /bin/sh "$@"

Re: special ccache performance issue

2019-05-15 Thread Charles Hedrick
I agree. I like the idea of an option to not leave it in the cache. However I think that might require API changes. I’ve noticed cases before where it would be useful to have a utility to copy caches. It’s easy for a cache in /tmp but not otherwise. Given an appropriate copy utility you could

Re: kvno X not found in keytab; ticket is likely out of date

2019-07-22 Thread Charles Hedrick
Unfortunately it’s likely to take some experimentation. My starting point would be on each client, unmount the file system, maybe delete /tmp/krb5ccmachine*, restart rpc.gssd, and remount. > On Jul 22, 2019, at 6:22 AM, Laura Smith > wrote: > > Ok, I hold my hand up, I messed up. So the ques

Re: kvno X not found in keytab; ticket is likely out of date

2019-07-22 Thread Charles Hedrick
‐‐ > On Monday, July 22, 2019 2:13 PM, Charles Hedrick wrote: > >> Unfortunately it’s likely to take some experimentation. My starting point >> would be on each client, unmount the file system, maybe delete >> /tmp/krb5ccmachine*, restart rpc.gssd, and remoun

krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
I have code to deal with a number of difficulties in implementing kerberos transparently to users. Some of this code needs to know whether a KRB5CCNAME is a collection or a specific cache, and to be able to find the collection if it’s a cache. I was surprised to find the methods to do these thi

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s supposed to be compatible with Heimdal’s, but based on documentation it appears that it may not be. The default value of KRB5CCNAME is simply KCM: It had better be user-specific, or everybody shares a collection. geneva:

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghud...@mit.edu> wrote: By my reading, KEYRING also doesn't generally include the uid in the name. Again, I can only speak for what I see in Redhat and Ubuntu. The default for KRB5CCNAME is KEYRING:persistent:UID. Something (I think a combination

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
019, at 1:00 PM, Greg Hudson wrote: > > On 7/22/19 11:16 AM, Charles Hedrick wrote: >> I was surprised to find the methods to do these things aren’t present. >> Here’s what I’ve defined: > > Some of this is covered in > https://k5w

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
In my opinion NFS actually works fine for realistic cases, once a couple of bugs are fixed and some other tools are put in place. In real cases, the user logs in with a principal username@DOMAIN. That is always placed in the default collection defined in /etc/krb5.conf. At least for us, they

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
* c...@cs.rutgers.edu API:3C09F9F9-6C7D-4D41-95CB-F053F4102C7A Jul 23 17:58:11 2019 No indication of uid in the name at all. At least setting KRB5CCNAME to the specific cache works. > On Jul 22, 2019, at 3:22 PM, Greg Hudson wrote: > > On 7/22/19 1:39 PM, Charles Hedrick wrote: >>

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
t now. > On Jul 23, 2019, at 9:35 AM, Simo Sorce wrote: > > On Mon, 2019-07-22 at 20:10 +, Charles Hedrick wrote: >> The problem is that the code in rpc.gssd works as follows: >> >> * get the default credential from the collection >> * fail unless it’s use

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
be the default. I shouldn’t have to do C coding to make it happen. > On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote: > > Maybe there’s a path through the code that I didn’t find. But it ends up > failing if the credential isn’t username@DOMAIN. There’s an explicit test. I >

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
ugh. rpc.gssd reads root’s .k5identity file. If I put my principal in /.k5identity, things work. So a plugin would probably work. But it looks like a bug that should be fixed. > On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote: > > Maybe there’s a path through the code that I di

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
become root. I’d like to copy a program I just built to /usr. I need root to put in on user, but when I change UID, I lose access to my home directory. For this case perhaps it would be better if NFS used the current principal. Then I’d have a UID of root for local access and a principal of hedrick

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
reasonable is probably the ability to set policy. Incidentally on a single user laptop you can actually do that. Rpc.gssd used .k5identity in root. On a single user machine that’s actually potentially useful. Sent from my iPhone On Jul 26, 2019, at 9:09 AM, Charles Hedrick <hedr...@rutgers.edu

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
specific credential, and the issue with collections goes away. > On Jul 26, 2019, at 11:22 AM, Greg Hudson wrote: > > On 7/26/19 9:09 AM, Charles Hedrick wrote: >> I’ve submitted a feature request to fix the default ccselect plugin so >> it reads /etc/k5identity if the user d

Re: Correct way to provide access to kerberised NFS services to daemon/system users ?

2019-08-09 Thread Charles Hedrick
Typically you create a key table. Most installations have one for root, /etc/krb5.keytab. But you can create one for any user. Depending upon how your kerberos is set up, you’d typically use kadmin to create the key table. At that point you can do "kinit -k -t KEYTABLE" to get a ticket. But if

Re: krb5 library missing functions for collections

2019-08-15 Thread Charles Hedrick
On Jul 30, 2019, at 4:17 AM, Jakub Hrozek wrote: > > On Mon, Jul 29, 2019 at 02:35:40PM -0400, Robbie Harwood wrote: >> Greg Hudson writes: >> >>> On 7/22/19 1:39 PM, Charles Hedrick wrote: >>> >>>> Please be aware that I’m using Redhat’s KCM

Re: Performance benchmarking

2019-12-10 Thread Charles Hedrick
How many client systems and users? We have a few hundred machines with around 2000 users (not all active, of course) in a computer science dept. 3 KDCs running as VMs with 4 processors and 16 GB each. The processors are generally using < 10% of available CPU. The KDC itself is light-weight. You

Re: KEYRING:persistent and ssh

2020-04-07 Thread Charles Hedrick
we use a pam module that normalizes the credential cache. If krb5.conf asks for KEYRING and sshd leaves the cache in /tmp, the code moves it into KEYRING and updates KRB5CCNAME. I really like KEYRING. Our staff have multiple principals. With a collection, kinit will create a new cache in the co

Re: KEYRING:persistent and ssh

2020-04-13 Thread Charles Hedrick
> On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick wrote: >> >> we use a pam module that normalizes the credential cache. If krb5.conf >> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it >> into KEYRING and updates KRB5CCNAME. > > Is this

Re: Using Kerberos on PYTHON

2020-11-09 Thread Charles Hedrick
Having GSSAPI installed isn’t going to solve his problem, that he will need that.. Typically you would use Kafka libraries. They already know about Kerberos. However they have to be configured to use it. There are lots of ways to do it. And since I no longer have Kafka installed, I can’t verify

heimdal http proxy

2021-09-11 Thread Charles Hedrick
I’d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses Heimdal. We don’t currently explore our Kerberos servers to the Internet, but we do have an https proxy for MIT kerberos. Heimdal apparently has its own HTTP proxy. Does anyone know of software to implement the proxy

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
, 2021 at 03:22:26PM +, Charles Hedrick wrote: >> > >> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately >> the Mac uses Heimdal. >> >> We don’t currently explore our Kerberos servers to the Internet, >> but we do have an https proxy fo

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
My use case is a few web applications. Linux user group management, editing our wiki, and responding to help desk tickets. Generic web apps that I would like to use at home. We support CAS, but our university CAS server has disabled SSO. Since I already have a Kerberos ticket to use ssh, it woul

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
Another use case is getting tickets for Mac users. We have a few users that ssh into enough different hosts that they want to use kerberized ssh. Unless we open port 88 to the outside, they have to install Mac ports and use the MIT kinit. While it seems simple to me, it’s not for real users. If

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
The hope is that the proxy will read requests and validate them. Thus passing through the proxy would be less dangerous that exposing port 88 directly. If that’s not true, we should consider the risks of making port 88 available, or give up. > On Sep 11, 2021, at 7:07 PM, Ken Hornstein wrote:

Re: heimdal http proxy

2021-09-28 Thread Charles Hedrick
If all the proxy is doing is forwarding content, it might work. But in that case it’s not obvious how much security we’re gaining by the proxy. It may be that just enabling access directly to port 88 would be as good. (I control the network, mostly.) Any sense how risky it is to expose port 88 t

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
We use TOTP. That allows us to tack the token on the end of the password. That makes it easy to fix programs that expect a simple password prompt. In fact I have a wrapper that can be interposed around pretty much anything using LD_PRELOAD. https://github.com/clhedrick/kerberos/blob/master/radius

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
I’m not using that code now. When using it for real I would generate a special key tab with a user that had no permissions to do anything or use the host key tab depending upon the application. Our staff and a few users have TOTP set for their account, so it has to work for everything. Logins u

Re: Kerberos Server Implementation

2022-01-21 Thread Charles Hedrick
src/appl/simple For a real example, see github, clhedrick/kerberos.git, in directory kmkhomedir This is a client-server pair designed to create home directories for users. When you’re using kerberized NFS the normal pam_mkhomedir won’t work, because it assumes that root can create directories i

Re: Using an alternate principal for ssh

2022-05-31 Thread Charles Hedrick
Kerberos uses a plugin to determine which principal is used in a given situation. You could write a plugin that forces the principal to user/ssh if the service is ssh. The API isn't complex. There are several examples. You'd write the code to check if the service is ssh. If so, you'd look for a

Re: help with OTP

2023-05-01 Thread Charles Hedrick via Kerberos
Anonymous PKINIT works fine but requires certs to be distributed. Unless you're prepared to update every machine in the world every year, you pretty much have to use a cert that goes back to a commercial CA. But in that case you probably have to use the obscurely documented pkinit_eku_checkin

Re: authenticate user via ldap bind

2023-08-18 Thread Charles Hedrick via Kerberos
Freeipa (and presumably MIT kerberos) has the ability to delegate password checking to radius. This is intended to support two factor authentication, but it doesn't have to use two factors. So in principle you could use that and not have separate copies of the password in your kerberos. I've tes

one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
We're looking at one time password integration (DUO). A while ago changes were made to allow a longer timeout, since users may take a while to respond to DUO requests. Since this isn't in a release yet, and it takes years for new versions to show up on all of our systems, we can't depend upon th

Re: one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
't have to give most users a separate password. From: Ken Hornstein Sent: Wednesday, July 31, 2024 3:44 PM To: Charles Hedrick Cc: kerberos@mit.edu Subject: Re: one time password integration >We're looking at one time password integration (DUO). A while ago >changes were made to all

Re: one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
Yes, a data gets a service ticket. > On Jul 31, 2024, at 4:55 PM, Ken Hornstein wrote: > >  >> >> One surprise in doing all of this is that there seems to be no standard >> utility to let us see the auth indicator for the user's credentials. I'm >> probably doing to use one of the test program