Re: Kerberos 5 integration.
> Who were the parties that were heading up the Kerberos 5 integration? I
> have questions.

Me. I will be bringing in Heimdal (when it interoperates with MIT-K5).

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Kerberos 5 integration.
I offered (to Theo T'So) before our (Computer Science Department at RPI) resources to set up a RO CVS repo for Kerberos V. He accepted our offer but things stagnated after that on setting up the details. My fault mostly for not taking the torch that has been passed. I am [now] offering again, and I think we can do it. If someone can contact me we can get this set up ASAP.

--
David Cross                               | email: [EMAIL PROTECTED]
Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~crossd
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, David E. Cross wrote:
> I offered (to Theo T'So) before our (Computer Science Department at RPI)
> resources to set up a RO CVS repo for Kerberos V. He accepted our offer but
> things stagnated after that on setting up the details. My fault mostly for
> not taking the torch that has been passed. I am [now] offering again, and I
> think we can do it. If someone can contact me we can get this set up ASAP.

Maybe I'm a little slow here but what purpose would this serve? The changes I'm proposing can be carried out on -current with no problems.

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
I am terribly sorry. I had 2 messages about kerberos5 come in at the same time (one from -hackers, one from mit), I replied to the wrong one.

--
David Cross                               | email: [EMAIL PROTECTED]
Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~crossd
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD
Re: Kerberos 5 integration.
> What do you think about moving all the current '#ifdef KERBEROS' to
> '#ifdef KERBEROS4' and starting to integrate the '#ifdef KERBEROS5' bits in
> ftp, telnet, rsh, rlogin etc? I don't see a reason to rip out the krb4
> stuff and delay on the krb5 userland integration. Since the userland stuff
> doesn't involve actual crypto code I think we're pretty safe no?

I have a better idea; PAM-ify everything (that can be pammed). The rest of the stuff, I intend to do as you say.

> I'd also be interested in hearing reasons for or against putting the krb4
> specific stuff (kinit, klist whatever) in /usr/krb4, and the krb5 bits in
> /usr/krb5. This would simplify the task of leaving krb4 in the tree.

Hmm. Methinks I might name the version-specific stuff k[45]${FOO} for FOO in init, list, destroy, etc. Telnetd and FTPD should be PAMmable, likewise the r.*d's. The userland ftp and telnets can have both (I suspect), and the r-utils also.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, David E. Cross wrote:
> I am terribly sorry. I had 2 messages about kerberos5 come in at the same
> time (one from -hackers, one from mit), I replied to the wrong one.

Ah. Had me terribly confused. :)

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Mark Murray wrote:
> I have a better idea; PAM-ify everything (that can be pammed). The rest of
> the stuff, I intend to do as you say.

Hummm... That might be the way to go... I'm not that familiar with PAM though. This would be nice since it would let us rip all the cruft out of everything and keep it in one place. I'm pretty sure there is a kerberos5 pam module floating around somewhere...

> > I'd also be interested in hearing reasons for or against putting the krb4
> > specific stuff (kinit, klist whatever) in /usr/krb4, and the krb5 bits in
> > /usr/krb5. This would simplify the task of leaving krb4 in the tree.
>
> Hmm. Methinks I might name the version-specific stuff k[45]${FOO} for FOO
> in init, list, destroy, etc. Telnetd and FTPD should be PAMmable, likewise
> the r.*d's. The userland ftp and telnets can have both (I suspect), and the
> r-utils also.

Indeed. What is holding back the work in the userland stuff then? Time?

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Matthew N. Dodd wrote:
> I'm still a bit confused about PAM though. While it is possible to do what
> kinit does and verify a password, the real reason we like kerberos is
> because we don't have to enter passwords; we get a ticket and the server
> verifies that the ticket is valid. How exactly does this fit in the PAM
> model?

At a guess, it is given your username, obtains the ticket from wherever that is stored locally and goes off and verifies it against the server. If the server comes back affirmative, it grants you access.

Kris
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Kris Kennaway wrote:
> > Which is the problem if you're say, using ftp to a remote system right?
>
> In the non-PAM world, how would the ticket get from the client to the FTP
> server? Some kind of subchannel?

With FTP, one uses GSSAPI. With telnet/rlogin/rsh authentication is negotiated in such a way that it is possible for the client to say "Hey, we want to give you a kerberos ticket to authenticate ourselves." The server replies with something like "Sure, let me have it." or "Kerberos?", or "Yea, but only if you promise to give me a Kerberos 5 ticket." or something like that.

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
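
The telnet negotiation described in the message above, as an added example (not part of the thread and not FreeBSD's telnet source): a client parses the server's AUTHENTICATION SEND offer, framed as in RFC 2941, and picks Kerberos 5 before Kerberos 4, refusing one-way offers when policy demands mutual authentication. The function `choose_auth`, the `require_mutual` flag and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: both versions are compiled in, as proposed in the thread. */
#ifndef KERBEROS4
#define KERBEROS4 1
#endif
#ifndef KERBEROS5
#define KERBEROS5 1
#endif

enum { IAC = 255, SB = 250, SE = 240, TELOPT_AUTHENTICATION = 37 };
enum { AUTH_SEND = 1 };          /* server -> client: list of offered pairs */
enum { AUTHTYPE_NULL = 0, AUTHTYPE_KERBEROS_V4 = 1, AUTHTYPE_KERBEROS_V5 = 2 };
enum { AUTH_HOW_MUTUAL = 2 };    /* modifier bit: server must authenticate too */

/* Types this client is willing to use, strongest first. */
static const int client_pref[] = {
#ifdef KERBEROS5
    AUTHTYPE_KERBEROS_V5,
#endif
#ifdef KERBEROS4
    AUTHTYPE_KERBEROS_V4,
#endif
    -1                           /* terminator */
};

/*
 * Parse "IAC SB AUTHENTICATION SEND (type modifier)* IAC SE".
 * Returns the chosen type and stores its modifier in *mod, AUTHTYPE_NULL
 * if nothing offered is acceptable, or -1 if the message is malformed.
 * The pairs handled here never contain 0xFF, so IAC escaping is not needed.
 */
int choose_auth(const unsigned char *buf, size_t len, int require_mutual, int *mod)
{
    if (len < 6 || buf[0] != IAC || buf[1] != SB ||
        buf[2] != TELOPT_AUTHENTICATION || buf[3] != AUTH_SEND ||
        buf[len - 2] != IAC || buf[len - 1] != SE)
        return -1;

    size_t n = len - 6;          /* bytes of (type, modifier) pairs */
    if (n % 2 != 0)
        return -1;

    const unsigned char *p = buf + 4;
    for (size_t i = 0; client_pref[i] != -1; i++) {
        for (size_t j = 0; j < n; j += 2) {
            if (p[j] != client_pref[i])
                continue;
            /* Refusing a one-way offer here avoids a silent downgrade. */
            if (require_mutual && !(p[j + 1] & AUTH_HOW_MUTUAL))
                continue;
            *mod = p[j + 1];
            return p[j];
        }
    }
    *mod = 0;
    return AUTHTYPE_NULL;        /* client answers "IS NULL 0" */
}

int main(void)
{
    /* Constructed offer: Kerberos 4 one-way, Kerberos 5 mutual. */
    const unsigned char offer[] = { IAC, SB, TELOPT_AUTHENTICATION, AUTH_SEND,
        AUTHTYPE_KERBEROS_V4, 0, AUTHTYPE_KERBEROS_V5, AUTH_HOW_MUTUAL, IAC, SE };
    int mod = 0;
    int type = choose_auth(offer, sizeof offer, 1, &mod);
    printf("chosen type=%d modifier=%d\n", type, mod);
    return 0;
}
```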
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Kris Kennaway wrote:
> At a guess, it is given your username, obtains the ticket from wherever
> that is stored locally and goes off and verifies it against the server. If
> the server comes back affirmative, it grants you access.

Which is the problem if you're say, using ftp to a remote system right?

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999 00:51:27 -0400, Matthew N. Dodd wrote:
> Who were the parties that were heading up the Kerberos 5 integration? I
> have questions.

Seek Ye first the kingdom of Mark. (markm)

Ciao,
Sheldon.
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Mark Murray wrote:
> > Who were the parties that were heading up the Kerberos 5 integration? I
> > have questions.
>
> Me. I will be bringing in Heimdal (when it interoperates with MIT-K5).

What do you think about moving all the current '#ifdef KERBEROS' to '#ifdef KERBEROS4' and starting to integrate the '#ifdef KERBEROS5' bits in ftp, telnet, rsh, rlogin etc? I don't see a reason to rip out the krb4 stuff and delay on the krb5 userland integration. Since the userland stuff doesn't involve actual crypto code I think we're pretty safe no?

I'd also be interested in hearing reasons for or against putting the krb4 specific stuff (kinit, klist whatever) in /usr/krb4, and the krb5 bits in /usr/krb5. This would simplify the task of leaving krb4 in the tree.

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| win...@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
> What is holding back the work in the userland stuff then? Time?

No; the lack thereof ;-)

The current rush of things crypto has piqued my interest, so I am hammering away quite hard these days.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Mark Murray wrote:
> > What is holding back the work in the userland stuff then? Time?
>
> No; the lack thereof ;-)
>
> The current rush of things crypto has piqued my interest, so I am
> hammering away quite hard these days.

Well, would it be useful for me to commit the KERBEROS -> KERBEROS4 changes?

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| win...@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
> > The current rush of things crypto has piqued my interest, so I am
> > hammering away quite hard these days.
>
> Well, would it be useful for me to commit the KERBEROS -> KERBEROS4
> changes?

Er, no; please submit them to me as patches. :-)

Thanks!

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Matthew N. Dodd wrote:
> I'm pretty sure there is a kerberos5 pam module floating around
> somewhere...

ftp://ftp.dementia.org/pub/pam/
http://www-personal.engin.umich.edu/~itoi/

Both referenced from http://www.us.kernel.org/pub/linux/libs/pam/modules.html

Kris
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Kris Kennaway wrote:
> On Tue, 17 Aug 1999, Matthew N. Dodd wrote:
> > I'm pretty sure there is a kerberos5 pam module floating around
> > somewhere...
>
> ftp://ftp.dementia.org/pub/pam/
> http://www-personal.engin.umich.edu/~itoi/
>
> Both referenced from
> http://www.us.kernel.org/pub/linux/libs/pam/modules.html

Already found that. :)

I'm still a bit confused about PAM though. While it is possible to do what kinit does and verify a password, the real reason we like kerberos is because we don't have to enter passwords; we get a ticket and the server verifies that the ticket is valid. How exactly does this fit in the PAM model?

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| win...@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |
Re: Kerberos 5 integration.
On Tue, 17 Aug 1999, Matthew N. Dodd wrote:
> > At a guess, it is given your username, obtains the ticket from wherever
> > that is stored locally and goes off and verifies it against the server.
> > If the server comes back affirmative, it grants you access.
>
> Which is the problem if you're say, using ftp to a remote system right?

In the non-PAM world, how would the ticket get from the client to the FTP server? Some kind of subchannel?

Kris
Kerberos 5 integration.
Who were the parties that were heading up the Kerberos 5 integration? I have questions.

--
| Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD |
| [EMAIL PROTECTED] | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent | ISO8802.5 4ever |