Hi everyone,
I'm trying to set a kerberos KDC to use an LDAP-backend (OpenLDAP). I would like
to reduce most of the action performed through kadmin tool.
For example, I would like to be able to create principals with "ldif" file,
especially, my users and computers are conveniently organized
Has MIT kerberos implemented pkinit with elliptic curve certs/keys? Some
initial searching points me to an informational IETF RFC posted out there, but
nothing official.
I figured I'd ask the list before I wasted any time testing.
Thanks in advance.
Matt Pallissard
> Yes, and although the idea of Kerberized telnet running on a 68030 w/ no
> FPU is a somewhat frightening thing, I can confirm that the resulting
> binaries do in fact work, as well...
bah. Nothing in the kerberos code uses an FPU (certainly nothing in
the crypto -- only things in gssftp, for
I haven't looked yet, but I wonder if it gives one Enough Rope to do a
"change all four halves of an interrealm key" script [something you
*can't* do with kadmin, or anything else right now...]
Kerberos mailing list [EMAIL PROTECTED]
http:
Clearly, then, the machine is confused about what its local realm
might be. Does your krb5.conf have a [libdefaults] default_realm entry?
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
Just some comments:
1) The times I've heard about this (or forced it, back when I worked
at Cygnus and was debugging this sort of thing) did involve
"structured" names. (I'm not suggesting that one not *use*
structured usernames, it's kind of sad that it matters -- but just
to not
Umm, cvs has native GSSAPI support, or it did when I left Cygnus (5
years ago or so?)
Nonetheless, I'd recommend "cvs over openssh with gss support"
instead.
> So you're saying gserver, versus kserver then? Just FMI.
yes.
> With gserver and OpenSSH you would need user accounts on the box, AND
> maintain the file with the principals. Is that not correct?
That is not correct :)
I haven't actually touched gserver in years (after all, ssh is
actually ke
That's "noaddresses" actually (src/lib/krb5/krb/get_in_tkt.c line 896)
The first one (A/A/A). I've never even *heard* the second two
theories, and I've been involved with kerberos since the late
1980's... you can confirm that they were the three goals by looking
at athena-dist.mit.edu:/pub/ATHENA/kerberos/doc/techplan.txt, under
"GOALS OF KERBEROS", though it does
> being dense. The main concern I had was based on the understanding
> that things work this way:
Unless I'm vastly misunderstanding your terms, your understanding is,
well, "inside out" at best.
> 1) I prove my identity to the KDC and am issued a ticket.
V4: no prove, just assert.
V5: well,
> Hrrm, the description of what boxedpenguin has right now sounds almost
> exactly like what I want to set up..
Well, the boxedpenguin site is still maintained - if you want to get
those packages, and have a debian system, the instructions for using
it as an apt-source should still work...