Re: Master - Slave replication

2008-04-21 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Derek Harkness [EMAIL PROTECTED] wrote:

 Is kprop and kpropd really the only way to replicate a master and  
 slave?  It just seems lame that in 2008 I still have to write a cron  
 job to replicate a database every X seconds.

As noted in another followup, some Kerberos sites have implemented
something on their own.  We did.  It was really more like a trivial
integration with already existing local accounting software, so
maybe not much help to anyone looking to go this way.

At the time we did that, the latency was not every X seconds, but
every X minutes, where X is two digits - since we would have to
at least wait long enough that the replica could complete its load
before getting a new one.

But if I had to start over without a convenient way to implement
incremental replication, I wouldn't worry as much about it as I
did at the time.  At any ordinary site, a single master KDC will
take the whole load without breaking a sweat, so the replica is
only really needed for service exception backup, and if in that
event it's a few minutes out of date it isn't the end of the world.
This is why the 

I sure would not turn to an LDAP back end for this reason.
Nothing against LDAP, if you have data to publish it's the way
to go and we do plenty of it here, but for replicating the KDC?
talk about a cure that's worse than the disease ...

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos vs ldap

2008-03-28 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Danny Mayer [EMAIL PROTECTED] wrote:

 Turbo Fredriksson wrote:
  it == it is ramu [EMAIL PROTECTED] writes:
  
  it Can anyone explain to me whats the relation between LDAP vs
  it Kerberos
  
  Two _completely_ different protocols/systems.
  
  In short and generalized: LDAP is for AUTHORIZATION (access rules)
  and Kerberos is for AUTHENTICATION (verify password).
  
 
 LDAP has nothing whatsoever to do with authorization. It's a data 
 storage and retrieval mechanism. If you choose to use it for 
 authorization that's up to you.

Taken out of context, that's true, but conversations
like this can be awfully tedious if we have to drag
around explicit context.  Give us a break, OK?  How
would you explain the relation between LDAP vs. Kerberos?

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Issue with KDC

2007-12-18 Thread Donn Cave 
In article [EMAIL PROTECTED],
 sunilcnair [EMAIL PROTECTED] wrote:

 This is Sunil here, i am working on the cross domain authentication using
 kerberos, i have
 two domains(xx.com) and(co.yy), and i am in a dilemma as to install 2KDC in
 both the domains or is it sufficient for the kdc to be installed in only one
 single domain, and register the other domain as just the user of the domain
 in which the kdc is installed.Also I’d like to avoid cross realms
 scenario,because we should set up another KDC.(thats bit difficult)is there
 any other possibilities of using two domain for kerberos without having KDC
 on both the domains please do clear my doubt. Looking for an answer

Kerberos is basically indifferent to DNS domains, and
one Kerberos realm can certainly serve many DNS domains.
Application software may rely on DNS for realm information,
though - configuration files may specify realm/domain maps,
and Kerberos realm information can be published in special
DNS SRV and TXT records.  If you have tried this and were
not able to make it work, check that the [domain_realm]
section of your configuration file includes the new domain.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT Incremental Propagation

2007-09-21 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Kevin Coffman [EMAIL PROTECTED] wrote:

 On 9/21/07, Jeffrey Altman [EMAIL PROTECTED] wrote:
  John Harris wrote:
   Greetings,
  
   Does MIT's current implementation of the Kerberos KDC include
   incremental propagation?  I know it didn't a long time ago, then there
   were CITI patches for it, then those didn't work for awhile.  I don't
   seem to be able to pinpoint an answer to it.
  
   Thanks,
  
   John
  There is no incremental propagation distributed with MIT Kerberos.
 
  Jeffrey Altman
 
 Our patch hasn't been ported forward to release 1.5 and beyond yet.
 With the new plugable database interface, changes are necessary.  We
 haven't had the time to get to it yet.

We haven't taken ours to a recent release level yet either, but
for other reasons.  It would be interesting, if academic, to see
if our approach would work with 1.6 without changes.  I think it
would - it's quite trivial, we just siphon off data (who, what)
from every change kadmind makes, and some other local software
takes it and applies to peer KDCs.  One or more of which are
Microsoft domain controllers (but only the MIT KDCs can propagate
changes.)  We've been doing this for ca 8 years.

As for an LDAP solution, we've talked about this here before
(cf. LDAP KDB.)  If you need an LDAP backend for some other
reason, that's one thing, but just for replication, I don't
think so.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT krb5 has no site support.

2006-09-01 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Jeremy Allison [EMAIL PROTECTED] wrote:

 On Thu, 31 Aug 2006 12:22:47 -0700, Donn Cave wrote:
 
  Custom krb5.conf isn't very elegant, but apart from that, would you agree
  that this fits in the general area of configuration data from alternate
  sources?
  
  I mean, it seems like it would be better to use the existing configurable
  library parameters if possible, rather than add to what's already a fairly
  complex configuration diagram. Would something like the following be an
  improvement?
  
 include k5-int.h
  
 const char *kdc[4] = {realms, 0, kdc, 0};
  
 kdc[1] = this_realm;
  
 err = profile_clear_relation(kcontext-profile, kdc);
  
 err = profile_add_relation(kcontext-profile, kdc, localkdc);
 
 Interesting - are you saying there's already a way in 1.5.x
 to do this ? I can create a context then manipulate the
 KDC - IP address association in it ? I notice you're
 using k5-int.h - I take it this is an internal only API.

Yes, I suppose it's internal.  Ideally, Ithink MIT
probably recognizes that this functionality is needed
in some form, though, even if they're not committed to
this particular way to achieve it.

I don't actually know whether the above works in 1.5.x -
due static build requirements, I have elected to stay with
1.4 while I can, and that's where I tested the above.
It's effectively the same as a custom krb5.conf, with
respect to that one parameter.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Presence/absence of the keytab

2006-05-09 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Russ Allbery [EMAIL PROTECTED] wrote:
...
 The pam_krb5 modules that I've used either don't do this or only do this
 when the keytab is available, presumably doing a security vs. ease of
 deployment tradeoff.  One difficulty is that if the authentication is not
 being done as root, the PAM module needs something other than the host
 keytab to use for verification, and I don't know of any PAM module that is
 configurable enough to be pointed at any keytab and use that keytab for
 verification.  It would be a good thing to add, though.

Wonder if this situation is common enough to warrant library support
for some default file convention, like /etc/krb5.keytab if root,
otherwise ~/krb5.keytab.

Not to say a configurable parameter isn't a good thing, too.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Presence/absence of the keytab

2006-05-04 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Richard E. Silverman [EMAIL PROTECTED] wrote:

  SL == Scott Lowe [EMAIL PROTECTED] writes:
 
 SL Yesterday, however, I was able to successfully authenticate via
 SL Kerberos from VMware ESX Server 2.5.3 (the console operating
 SL system is Linux-based) *without* generating a keytab.  This seems
 SL to fly in the face of all the information and instructions I've
 SL seen.
 
 SL So, I'm curious...any thoughts as to why this worked?
 
 A keytab is needed for a host on which a kerberized service runs; it holds
 the service princpal's secret key, which the service software needs.
 
 You don't need anything special on a host to allow someone to kinit on
 it.  The only secret needed is your password.

True, though there is a sort of grey area inhabited by services
that use Kerberos to perform password authentication.  This is
functionally like kinit, but semantically quite different, and
without a service principal to validate the authentication results,
they're vulnerable.

So depending on what `successfully authenticate' actually means here,
the information and instructions that say to get a service principal
and a keytab may be worth listening to, even if the service appears
to work without it.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Presence/absence of the keytab

2006-05-04 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Scott Lowe [EMAIL PROTECTED] wrote:
 On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said:

  True, though there is a sort of grey area inhabited by services
  that use Kerberos to perform password authentication.  This is
  functionally like kinit, but semantically quite different, and
  without a service principal to validate the authentication results,
  they're vulnerable.
  
  So depending on what `successfully authenticate' actually means here,
  the information and instructions that say to get a service principal
  and a keytab may be worth listening to, even if the service appears
  to work without it.

 I suppose if I were seeking to use a fully Kerberized server 
 application that accept Kerberos tickets from Kerberos clients, then a 
 keytab would be necessary.  In this instance, the service does not 
 accept Kerberos authentication from connecting systems, but acts a 
 Kerberos client on the back-end to perform authentication (using PAM).  
 It seems to make sense, then, that a keytab would not be necessary.  At 
 least, not in this situation.

I guess it depends on what you mean by necessary, but if there's
any reasonable possibility that you could create a host service
principal and install that keytab, I would do it.  If you have
reason to believe that the PAM authentication isn't actually using
the keytab, I would find out why and try to get it fixed.  Without
it, you're vulnerable.  Of course everything's relative, and the
authorization you're providing with this authentication may not
warrant the concern, but that's different than thinking it isn't
necessary in the sense that there is no use for it, which would be
an error.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SRV records and canonicalization

2006-04-22 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Simon Wilkinson) wrote:

 I'm interested in what people feel the 'correct' approach is to the
 following situation.
 
 XMPP (the 'Jabber' protocol) uses DNS SRV records to determine the
 location of a Jabber service for a given DNS domain. In some
 implementations there may be multiple servers, running on multiple
 different machines, all of which can accept an incoming connection.
 In current Jabber (and MIT Kerberos) implementations, the service
 principal used for the SASL/GSSAPI/Kerberos connection is the canonical
 version of the hostname returned from the results of the SRV query.
 
 This is obviously bad, as the use of an insecure directory service (DNS)
 to perform both of these lookups presents an opportunity for a MITM
 attack. Worse is a current proposal that the server should be able to
 tell the client the principal name to use.
 
 So, for a Jabber connection to 'example.org', should we connecting to
 the service principal 'xmpp/example.org'? But, how does this work where
 'example.org' is providing multiple XMPP servers - should they all have
 a copy of the same key material, and does this present further concerns?

Domain based names may be interesting, but the drafts are not
clear to me.  I imagine someone in my organization knows addresses
for the kitten working group mailing lists, so they may be hearing
more on that.

Some years ago, I believe a certain large software company's
LDAP clients would include the service port number in their
service principal name.  So if you wanted to support Kerberos
access to an LDAP server running on port 777 on oc.bo.co, you
would want to provide it with a key for LDAP:777/oc.bo.co (or
LDAP/oc.bo.co:777 or something, I don't remember.)

We didn't particularly appreciate it at the time, and I would
be a little surprised if anyone is doing anything like that today.
Technically I believe it may address your second point, and at
least it's easy for both parties to determine the service-specific
name, but the service distinction probably shouldn't really be
tied to a service port number.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KRB5CCNAME and sshd

2006-01-27 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Victor Sudakov [EMAIL PROTECTED] wrote:

 I will tell you what I am trying to achieve, perhaps you can give me
 advice. 
 
 I kinit -f on the client box at home and then ssh to the server box
 at work.  On the server box, I have screen(1) running, which I
 reattach after login and detach before logout. It runs for weeks and
 even months on end.
 
 You know that all screen sessions or windows inherit the
 environment variables from the shell where screen was started
 initially. So, $KRB5CCNAME in the screen sessions points to stale
 credential caches, even though the fresh credentials have been
 correctly forwarded from the client machine and are available in some
 new place (but there is no way to inform the applications within
 screen about this new place).
 
 I would like to achieve that if my credentials have been forwarded to
 the server box, they should be refreshed in all the screen windows.

That certainly must be a manual operation.  I don't use screen,
but I suppose you have a number of concurrent shell processes,
and they are not really aware of this connect/disconnect cycle,
so they have no way to know when it's time to update KRB5CCNAME.
You must therefore enter some command, in each window, to get
them to do that.

The command can be a simple one, if you use an alias or shell
procedure.  Your shell startup can save the value of KRB5CCNAME
somewhere so the old screen shell can find it.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Clarifications sought on Kerberos SA: TGS_REQ and Server Auth??

2005-12-07 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Surendra Babu A) wrote:

 - Now we initiated the email operation from  Multi Funtion Printer. It 
 contacted the ESMTP server from ESMTP client.
 - Sent the EHLO command. ESMTP Server Gave me the AUTH GSSAPI response. So 
 Kerberos is supported at server sid. Right??
 - After seeing this GSSAPI string, sending the Service ticket to ESMTP 
 server.
 
 Is it correct? We are assuming that, GSSPAI is supported means, Kerberos is 
 supported. Is it right?

Yes, all sounds right to me.

 Could you please explain about the Application Server transactions??? How to 
 communicate with GSSAPI?

If you have downloaded the MIT Kerberos distribution, you
could look at src/appl/gss-sample/.  Therein you will find
example code for a simple GSS application.

gss-sample uses functions like send_token() to transmit the
authentication data.  Your application won't use those, and
instead will send and receive authentication data according
to the ESMTP AUTH protocol.  That's probably explained in
an ESMTP RFC.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

2005-11-08 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Christoph Weizen [EMAIL PROTECTED] wrote:

 kinit (krb5 1.4.2) on an AIX 5.3 gives me
 # /usr/local/bin/kinit -k -t foobar.keytab 
 foobar/[EMAIL PROTECTED]
 kinit(v5): Cannot resolve network address for KDC in requested realm 
 while getting initial credentials
 
  From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf 
 and foobar.keytab to AIX 5.3. The following steps don't defer to the 
 steps I did under Linux.
 
 # ./configure --without-krb4 --enable-shared
 # make  make install
 
 Using gcc 3.3.2.
 I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far 
 as I see it is fixed in 1.4.2.

I don't know what's in that patch.  Does it look like you
already have applied something like this?

   Donn Cave, [EMAIL PROTECTED]
---
*** include/fake-addrinfo.h.distWed Jun  1 12:24:32 2005
--- include/fake-addrinfo.h Fri Aug 12 09:10:48 2005
***
*** 1193,1199 
 a known service name for tcp or udp (as appropriate), an error
 code (for host not found) is returned.  If the port maps to a
 known service for both udp and tcp, all is well.  */
! if (serv  serv[0]  isdigit(serv[0])) {
unsigned long lport;
char *end;
lport = strtoul(serv, end, 10);
--- 1193,1208 
 a known service name for tcp or udp (as appropriate), an error
 code (for host not found) is returned.  If the port maps to a
 known service for both udp and tcp, all is well.  */
! /*
! **
! **  However, where AI_NUNERICSERV is defined (AIX 5) and was 
specified,
! **  this is unneeded and and broken - discard is not numeric.
! */
! if (serv  serv[0]
! #ifdef AI_NUMERICSERV
!   !(hint-ai_flags  AI_NUMERICSERV)
! #endif
!   isdigit(serv[0])) {
unsigned long lport;
char *end;
lport = strtoul(serv, end, 10);

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kinit coredump

2005-08-26 Thread Donn Cave 
In article 
[EMAIL PROTECTED]
om,
 [EMAIL PROTECTED] (Jason Brown) wrote:

 I am having a problem with kinit on AIX 4.3.3. I have compiled the 
 Kerberos 1.4.2 distro with IBM C compiler (Version 5) ... gcc 3.4.3 fails 
 because it cannot find threading support.  Used both gnu make, and IBM 
 make.
 When I run kinit to test the install I get Illegal Instruction, 
 (coredump).  Any ideas ?

You have to find each configure file and, where it has
   *-*-aix5*)   , change that to  *-*-aix*)

Re-run configure, and make.  If it's still happening, something
went wrong - maybe old configuration, maybe missed a configure file.

IBM's implementation of some DNS functions uses a different size
state struct than the include files define, which guarantees memory
corruption when you try to use these functions.  The configure
script forestalls this on AIX 5, should also do so on AIX 4.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Memory Leak problems with krb5_get_init_creds_password?

2005-08-17 Thread Donn Cave 
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Chet Burgess) 
wrote:
[ ... re memory leak caused by DNS KDC lookup ... ]
   The res_ninit() call and the subsequent calls for the DNS
 records are made in the krb5int_dns_init function found at
 src/lib/krb5/os. The res_ninit() call is made for every lookup. As for
 the DNS vs. config file variable, I had a proper krb5.conf file that
 listed the REALM and the KDCs, untill I added dns_fallback = false
 to the config file it would always try DNS then look at the config
 file.

That's weird, but there are some potential surprises.  For an
example I ran into myself, if your initial request fails, it
will be retried to the configured master_kdc.  Of course if that
isn't in krb5.conf it will go to DNS (_kerberos-master._udp.)

master_kdc is fairly recent and likely not configured at a
lot of sites where the krb5.conf goes back a ways (or maybe
where there is no master KDC, though such sites may as well
configure a value anyway.)

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5 1.4 on AIX 5.1 Illegal Instruction

2005-06-27 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Donald Thompson [EMAIL PROTECTED] wrote:

 I'm getting an 'Illegal Instruction' when I try to kinit using krb5 1.4 on 
 AIX 5.1. I've tried compiling
 using both the IBM XL C Compiler, as well as gcc 3.3 with the same result. 
 I've had no problems compiling
 and using krb5 1.3 versions. Anyone know if theres a fix for this?
 
 -Don

In case anyone is still set back by this one, I tracked
it to res_nsearch.  On our AIX platforms (I was looking
at 5.2, but 4.3 looks the same) this function overwrites
a much larger area than the declared size of its input
struct __res_state.  I don't know if this would be true
for everyone, or if it's a patch my hosts happen to have.
SRV lookups work better if the configure scripts don't find
res_nsearch.

Also, AIX 5 defines AI_NUMERICSERV, which has implications
for MIT's getaddrinfo wrapper.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Newbie: Server not found in Kerberos database

2005-03-15 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Michael Urban) wrote:
...
 The problem comes when I attempt to do the same thing with the same
 version of OpenSSH built with the same options on a Solaris machine.
 In that case, the server logs a Server not found in Kerberos database
 message and gives up.  I have looked at all the obvious candidates
 (wrong DNS entry, disagreement as to host name in /etc/hosts and
 DNS, etc) and come up empty.
 
 Unfortunately, the log messages do not tell me _what_ principal it
 was trying to find in krb5.keytab (I assume that this is where
 the mismatch or missing entry is).

I would expect ssh to acquire a ticket for the remote host
service.  You can see your tickets with klist, so that will
give you one side of the story.

Speaking of /etc/hosts, the host's own name as it comes out of
its own /etc/hosts has to match the hosts name as it comes out
of DNS.  So the fully qualified name must be listed first, not
second after the short name.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Cannot resolve network address for KDC in requested realm while getting initial credentials

2005-01-21 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] wrote:

 kinit test
 Password for [EMAIL PROTECTED]:
...
 However, I can't kinit using this keytab file:
 
 [EMAIL PROTECTED]/var/kerberos/krb5kdc]$ kinit -k kadm5test
 kinit(v5): Cannot resolve network address for KDC in requested realm
 while getting initial credentials

In the course of this message you don't show the same
realm twice, for a total of four different realms
(host.COM is not the same realm as HOST.COM.)  If that's
really the case, I believe it could account for the error
shown above.  You may find some details on this in the
KDC syslog.

The kadmin function that populates a keytab does create
a new key version, so the old one is no longer valid for
new ticket requests.  That's normally a feature.  If you
want to store the key for a typeable password in a keytab,
I believe you can use ktutil for this.

   Donn Cave, [EMAIL PROTECTED]

 klist shows:
 
 [EMAIL PROTECTED] /var/kerberos/krb5kdc]$ klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: [EMAIL PROTECTED]
 
 Valid starting ExpiresService principal
 01/20/05 14:53:59  01/21/05 00:53:59  krbtgt/[EMAIL PROTECTED]
 
 
 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 
 A secondary problem is now the password seems to have been changed
 after creating the keytab, and I can no longer kinit (without the
 keytab):
 
 [EMAIL PROTECTED] /var/kerberos/krb5kdc]$ kinit test
 Password for [EMAIL PROTECTED]:
 kinit(v5): Password incorrect while getting initial credentials
 
 For testing purposes I'm using my hostname as my realm name.  I've
 tried logging in as root and as test, but get the same result.


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos and Apache Virtual Hosted Websites

2005-01-21 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Scott Moseman [EMAIL PROTECTED] wrote:
...
 When I attempt to access the website, vhost.domain.com,
 I get this error message in the Apache error logs:
 
 gss_acquire_cred() failed: Miscellaneous failure
 (No principal in keytab matches desired name)
 
 How can I further trouble shoot this Kerberos problem?
 When I use kerbtray on my PC, it shows the correct name
 for the Kerberos ticket (vhost.domain.com).  Any help?

The way it looks to me, you have a fairly good case
from your troubleshooting so far.  Someone now needs
to look at the code.  This gss_acquire_cred() gets the
service principal name from its caller, so you can
start there, where the module calls gss_acquire_cred
with the wrong principal name, and see how that happened.
I don't know anything about it, but I would guess there
may be two ways to get it right.  Either propagate this
information from whatever configuration option initially
determines the virtual host, or dig it up via getsockname()
on the service port socket.  Instead they probably did
the easiest thing and used gethostname().

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos authentication without reverse lookup

2005-01-19 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Fredrik Tolf [EMAIL PROTECTED] wrote:

 On Tue, 2005-01-18 at 18:45 -0500, Roland Dowdeswell wrote:
  On 1106079270 seconds since the Beginning of the UNIX epoch
  Fredrik Tolf wrote:
  
  
  I came up with a fairly simple solution that would be  to add, to inetd
  on each host, a simple program that just echoes to the connecting host
  what that host's perception of its own FQDN is. Then I'd write a simple
  nsswitch module for gethostbyaddr (possibly with some kind of config
  file so that it never tries for hosts that aren't supposed to be part of
  this) that connects to this service on the address that it is supposed
  to canonicalize.
  
  You could always do what Heimdal does which is use ai-ai_canonname
  rather than performing a reverse lookup.  Unfortunately, this strategy
  is not followed by 3rd party vendors such as OpenSSH.
 
 I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
 doing a reverse lookup? When I tried it out, at least that is what
 happened.

It depends on the platform.  The GNU getaddrinfo implementation
does.  I'm assuming AI_CANONNAME in ai_flags.

NetBSD 2.0, AIX 5.2 don't, they stop at what you'd get from
gethostbyname() -- they look up CNAME aliases but don't
look up the IP PTR.

Also might be worth mentioning that the MIT implementation
also uses this in several places, though in the critical
sname_to_principal() function it uses getnameinfo for the
lookup.

Secure DNS would be nice for all this.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Preauth and ticket forwarding

2004-12-07 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Rachel Elizabeth Dillon) wrote:
 I am one of many administrators for a network of 50 machines running
 MIT Kerberos on Solaris. Recently, another administrator installed a 
 Cisco VPN Magic Box that supposedly uses Kerberos authentication, but
 won't work unless preauthentication is turned off. With 
 preauthentication turned off for any given principal, ticket forwarding
 no longer works for that principal. I guess my question is threefold:
 
 1. What does preauth  actually  do? From some reading, I believed it to
be based on clock skew, and fixed the clock skew between the VPN box
and the Kerberos server, but preauth still fails. All the KDC logs
say is that preauth is required just as they would for a successful
kinit, but with no successful kinit afterward. Of course, all the 
Cisco box gives me is Authentication Failure. Unfortunately, I do
not have a choice as to whether or not to use this product.

In case it may help, you can find more detail about the
preauthentication failure in the syslog output from the KDC.
The error message can be a little misleading - I believe
No such file or directory really means that the key was
wrong.  Other errors are no valid preauth type, which
I think may commonly be a Microsoft issue, and Clock skew
too great.  These messages appear on a separate line, so
you have to locate the failure event in the log and then
look for diagnostic messages on the line before.

 2. Assuming I have no choice but to turn off preauth for the Cisco box,
is there any way to make SSH ticket forwarding work with preauth
turned off? It works just fine as my system stands with preauth turned
on, but when preauth goes off, ticket forwarding stops working. This
makes sense as a security feature and I realize I am shooting myself
in the foot, but I am being ordered to shoot myself in the foot, and 
I am trying to minimize immediate bleeding. :)

I would be surprised if preauthentication has any effect on
the subsequent properties of the credentials, anyway, so I
can't answer this one.

 3. Does anyone have experience making MIT Kerberos work with a Cisco 
VPN 3000? I've looked through the Cisco documentation and it doesn't
mention preauth or really much of anything except how to format your
@ signs. 

Sorry!

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: LDAP gateway for Kerberos

2004-10-29 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (talisman):
| is there such a thing as a ldap gateway for kerberos i.e.
|
| the ldap gateway piece of software accepts ldap searches and returns
| basic user info from kerberos, and accepts a bind and passes that
| through to kerberos and returns success/failure back to the ldap
| client?

You can find an LDAP implementation that supports Kerberos
authentication at http://www.openldap.org/ (plus Cyrus SASL),
and I imagine there are others.  Such an implementation would
allow a client to use Kerberos credentials to authenticate
during bind.

The part about basic user info from Kerberos is not so obvious,
inasmuch as, in general, there isn't any useful user info there.
Some, maybe most, environments that use Kerberos also have a user
database with all kinds of information, but if that's what you
want, you'll have to ask about that (hypothetical) database.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberized telnetd: -a valid option eight char limit on account names

2004-10-22 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Jeffrey Altman [EMAIL PROTECTED] wrote:
 hwntw wrote:
...
  The Kerberos bit comes in because Vintela vas authentication is
  essentially Kerberos auth. If I log in and do klist I get Ticket
  cache: FILE:/tmp/krb5cc_1001_SQ2421
  Default principal: [EMAIL PROTECTED]
  
  Valid starting ExpiresService principal
  10/22/04 10:00:13  10/22/04 20:00:14 
  krbtgt/[EMAIL PROTECTED]
  renew until 10/23/04 10:00:13
   
  That is the result of the VIntela product authenticating to Active
  Directory. Point is I telnet using a kerberised telnetd from the MIT
  distribution. Praps I am being unrealistic in expecting the -a valid
  argument to telnetd to work in this case. Nevertheless, the issue of
  the eight char limit on accounts names is still germane, as this is a
  Kerberos telnetd we are talking about, not the in.telnetd that comes
  with Solaris 9 (and which does not work at all with Vintela VAS). I
  should have mentioned that ssh connections do not exhibit this eight
  char account name limit

 The Vintela product is performing a Kerberos initial ticket request
 upon login.  The telnet session is not being authenticated using 
 Kerberos.  You are typing in a user name and password.

Hoping that it will help to make this semantic distinction,
actually the Vintela product apparently isn't authenticating
at all but rather leaving that to the MIT telnetd ... which,
as you say, gets an initial ticket, which naturally appears
on the remote end.  Vintela appears to me to be the client.

 I am not aware of any restrictions on the length of the user name
 in MIT's telnetd.  In particular, because telnetd does not know anything
 about usernames.  The username is determined by the text entered into
 the 'login' program on the machine.  'login' more then likely is being
 replaced by Vintela.

Could have been replaced by something, anyway.  The system
administrator on this host may know more about what's going
on.  To start with though, it might be worth looking at
/etc/passwd on the remote host to see if these long names
are in fact in there, in the first field as user IDs.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: OpenLDAP - GSSAPI (SASL) - KERBEROS V Questions

2004-10-19 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Gerald (Jerry) Carter) wrote:
 Matt Joyce wrote:
...
 | How can I get more verbose error logs without recompiling?
 
 Verbose error logs for the krb libs or for Openldap ?

The normal level syslog logs from the Kerberos KDC host
can be pretty useful when there are authentication problems
involving a service principal.

The application error messages from the Cyrus SASL GSSAPI
module will help a little, but unfortunately tend to omit
specifics of the error.

 | And, once i've generated my ldap principal, and his key...
 | can I copy the key out of the keytab and chown/chmod it for
 | ldap in another directory and expect it to work?
 
 Since (as Sam already said), the service principal
 name is ldap/[EMAIL PROTECTED], each ldap server will need its
 own keytab.  It sounds like you are asking if you can
 use the same keytab for multiple OpenLDAP installations.
 Sorry if i misunderstood.

Or could be intending to run slapd under a less privileged
UID than 0, for whom /etc/krb5.keytab is inaccessible.
There's no reason that can't work, as long as you can specify
the location of the keytab.  The krb5 library mechanism for
that, an enviroment variable KRB5_KTNAME, is the only way
that comes to mind.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Heimdal or MIT kerberos

2004-10-04 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Ken Raeburn) wrote:
 On Oct 4, 2004, at 01:40, Frank Cusack wrote:
 
  Heimdal does not have a functioning replay cache, so if your app
  needs that you must go with MIT.
 
  If heimdal is thread-safe, that's news to me.  You shouldn't care
  if the apps you plan to use are off the shelf (sounds that way).
 
 MIT's use of a replay cache also leads to poorer performance of 
 application servers under very heavy load (but if you're not under 
 heavy load, do you care about that extra tiny fraction of a second 
 delay?).  I believe the replay cache may also be a contributor to MIT's 
 reported worse behavior in multithreaded servers; none of that code is 
 thread-safe, and we can spend quite a few cycles there.

That fits with my observations with Cyrus SASL GSSAPI
authentication in an LDAP service.  Heimdal is commonly
recommended there.  I tried both, and MIT was indeed slower
and crashed in the GSSAPI code under heavy load.

But it's really pretty simple to add an interlock to the
SASL GSSAPI module, which disposes of the issue entirely,
and I felt that authentication was acceptably fast and we
didn't need to abandon replay checking.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos and UW-IMAP

2004-09-13 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Luis Daniel Lucio Quiroz):
...
| Well, I seems I forgot to export keytab for imap/server.name 
|
| but where do you read that I should be on /etc/krb5.keytab? I'd like to reed 
| UW-IMAP doc but it's so poor :(

Well, of course nothing in the code for imapd actually specifies
/etc/krb5.keytab.  That just happens to be the default location,
in the predominate Kerberos implementations on UNIX.  It's like
inetd.conf, which you must modify if you install imapd -- unless
your platform uses something else.  Your UNIX system administrator
is presumed to be a more reliable source for this than the author
of imapd.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos and UW-IMAP

2004-09-12 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Luis Daniel Lucio Quiroz):

| Well, I was wondering if someone has a successful history on setting up
| WU-IMAP 2002+ (I use 2004) with Krb auth?  I have just this realms
| configured
|
| imap/host.domain
...
| but then what I shall do?  WU IMAP does no have enoght doc.

Shouldn't need one for this (though I guess one benefit of
more documentation might be that people would know its name
better - WU?)

The source distributions does have directions for building
with Kerberos 5.  If that happened, and the key for that
imap service principal is there in /etc/krb5.keytab, the
server should support GSSAPI authentication.  Apple Mail,
Pine are a couple of clients that come to mind that support
GSSAPI authentication.  imapd logs to the mail syslog log.
There is a comp.mail.imap newsgroup, where people know more
about this software.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: storing tickets in memory

2004-06-10 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Ken Raeburn) wrote:

 On Jun 10, 2004, at 09:11, Adam Denenberg wrote:
  ok thanks for the info.  I did some reading and was basically thinking
  of implementing kerberos here on our unix systems but read about some
  security concerns about ticket credentials being stored in /tmp.
  Meaning anyone with root can become another user and steal his/her
  credentials.  How do people deal with this security issue?
 
 By realizing that unless your OS significantly curtails the access 
 granted to root, the root user can look at users' shared memory 
 segments and local process memory, or run processes as the target user, 
 or modify system software to do things the users don't intend; so 
 basically, the game is over once the bad guy gets root access.

I think there may be two questions here.  One of them is
your bad guy scenario, which I suppose applies just as well
to my personal NetBSD desktop computer as to a host in the
basement with thousands of accounts.

The other is about per host level of assurance, where we
assume that every host's administrator is to some level a
bad guy.  Take for example a university campus -- many
departments will maintain their own sites, with a vast
range of security policies, and then there will be a lot
of one-of-a-kind hosts run by some professor's graduate
student, dormitory residents, who knows what all.  People
on campus are using these hosts, usually several of them
if any, and we would like to think that their access to
a residence hall computer wouldn't compromise their account
on the central site financial database.

I think this is actually a strong point of Kerberos
authentication, relative to the alternatives, because
you _don't have_ credentials on the remote host, so
it sort of doesn't matter what happens to you there.
Only the data you actually send to that host, or get
back from it, can be compromised, and your credentials
are not part of that data stream.  (I wish that were
easier for people to understand.)  In contrast, if you
use ssh or SSL to encrypt your password, for example,
it's going to be unencrypted on the remote end, and
your primary authentication key is utterly exposed to
the remote host's administrator.

So it seems to me, to answer `How do people deal with
this security issue?', I would start by asking, why is
it an issue?  Why does your user have credentials on
this host?  Maybe there's a good reason, like it's the
user's workstation which is obviously where the credentials
are going to be, but just to be aware that not every host
that plays the Kerberos game keeps user credentials.

And of course then there's the Kerberos authenticated
filesystem, but I don't know that can of worms/garden of
delights by experience.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: FTP - GSSAPI Error acquiring credentials

2004-06-08 Thread Donn Cave 
In article 
[EMAIL PROTECTED],
 [EMAIL PROTECTED] (Pierre Goyette) wrote:
 I have a Solaris box with MIT Kerberos 1.3.3 installed as an application
 server which is part of a Windows 2000 KDC.
  
 I can perform a kerberized telnet to the box perfectly. However, I
 cannot ftp to the box.
...
 A Ethereal trace shows the client receiving a 501-GSSAPI error minor: no
 principal in keytab matches desired name.
...
 On my client, I properly acquire all the right tickets, klist -e shows:
  
 Ticket cache: API:krb5cc
 Default principal: [EMAIL PROTECTED]
 Valid starting Expires Service principal
 06/08/04 08:01:18 06/08/04 18:01:18
 krbtgt/[EMAIL PROTECTED]
 renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5,
 ArcFour with HMAC/md5
 06/08/04 12:04:48 06/08/04 18:01:18
 host/[EMAIL PROTECTED]
 renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
 RSA-MD5, DES cbc mode with RSA-MD5
 06/08/04 12:05:47 06/08/04 18:01:18
 ftp/[EMAIL PROTECTED]
 renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32 
 Kerberos 4 ticket cache: API:krb4cc

I see your ftp service ticket's encryption is different
from the host service ticket.  If you could, as root, try

 $ klist -k -e

does the ftp key's encryption type match your service ticket?

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: gss_accept_sec_contextand channel binding in ftp

2004-06-04 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Markus Moeller) wrote:

 I noticed that from MIT version 1.2.4 to 1.3.1 the gss_accept_sec_context 
 call 
 has changed in ftpd.c. It is now set to use always GSS_C_NO_CHANNEL_BINDINGS. 
 I also noticed that changing the channel bindings in gss_init_sec_context on 
 the client doesn't create an error I would expect. 
 
 I also see a different behaviour in my proftpd mod_gss module. If the client 
 uses gss_init_sec_context with GSS_C_NO_CHANNEL_BINDINGS, the channel 
 bindings 
 settings in gss_accept_sec_context on the server are ignored (e.g if the 
 server uses channel bindings with application data set and the client used 
 GSS_C_NO_CHANNEL_BINDINGS the client can login)
 
 Is this intention ??

I can't speak for the MIT Kerberos developers, but I feel
fairly confident that it was not an accident.  Moreover,
it is quite useful for GSS Fetch users behind NATs, for
example.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: deletion of old keys

2004-06-03 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Sam Hartman) wrote:

  Lara == Lara Adianto [EMAIL PROTECTED] writes:
 
 Lara Hi, In section 4.1 of RFC 1510, it is mentioned that When
 Lara an application server's key changes, if the change is
 Lara routine, the old key should be retained by the server until
 Lara all tickets that had been issued using that key have
 Lara expired
 
 It means in the keytab, not the KDC database.
 
 There's not currently a way to delete key data from the kdc if you use
 the option to retain old keys.

Which is probably not an issue, right?  I mean, unless
this option is widely used.

If I may elaborate a little (I hope someone will correct
me if this isn't right), a service ticket for your
service is based on the key for that service at the
time the ticket was issued, of course.  Then, for the
rest of its lifetime, it needs to match the key in the
keytab file.  That key is identified by kvno, so it's
possible to retain the old key alongside the new key.
(Assuming MIT or Heimdal Kerberos, not MS.)

The time span during which this is an issue depends on
ticket expiration.  Once that time has elapsed, the
old key may be removed by the system administrator.
Or left in there, doesn't make any difference.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberizing a non-kerberized telnet client

2004-05-14 Thread Donn Cave 
In article 
[EMAIL PROTECTED],
 [EMAIL PROTECTED] (Burkhardt, Andrew) wrote:
...
   We have setup a test Windows Server 2003 Domain/KDC.  We have a Windows
 2000 Professional computer using the kerberized Ktelnet client, connecting
 to a Red Hat 9 Linux box running kerberized telnetd, and successfully
 authenticating using Kerberos.  Basically, everything is running correctly
 in the environment.  The problem is we use a non-kerberized telnet client in
 the field.  We are heavily dependant on this client, meaning we can not
 change clients and fyi, there are no kerberized upgrade for this client.  Is
 there a way to wrap a non-kerberized telnet client so it will use kerberos
 authentication?  Has anyone had any experience with this problem?  I am
 looking for any suggestions. Many thanks!

I don't recall ever hearing of a Kerberos telnet wrapper, but
it could be worth a look.  We did something like that here with
FTP, for the sake of web development tools that use it, and it
seems to have worked out fairly well.  You'd have to know something
about the telnet protocol and how Kerberos fits in, which I guess
you could get from the MIT source.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: loadbalancing of keberized services

2004-04-13 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:

 On Monday, April 12, 2004 16:52:23 -0700 Donn Cave [EMAIL PROTECTED] 
 wrote:
 
  I believe we're more or less always asking for this trouble.
  If you don't get a canonical, reverse looked-up name back
  out of MIT Kerberos krb5_sname_to_principal(), then you're
  doing something different than me.
 
 Well, for starters, I don't call MIT kerberos krb5_sname_to_principal() 
 very often, since I don't currently use that implementation.

So, do you currently use an implementation where that function
or its equivalent doesn't return a canonical name?  My experiment
with Heimdal 0.6 tells me it works just like MIT, but I am not as
familiar with that implementation and could be missing something.

 Performing DNS alias resolution in krb5_sname_to_principal() is insecure 
 unless you have a well-managed DNSSEC infrastructure, which virtually no 
 one does.  I have always considered this behaviour to be an implementation 
 bug.  While this is not addressed well enough in RFC1510, the next version 
 of the Kerberos V spec (due out later this year) will include the following 
 text:
 
   Implementations of Kerberos and protocols based on Kerberos MUST
   NOT use insecure DNS queries to canonicalize the hostname
   components of the service principal names (i.e. MUST NOT use
   insecure DNS queries to map one name to another to determine the
   host part of the principal name with which one is to communicate).

The language I read (I think it was at least 6 months ago) didn't
even leave room for CNAME alias translation, let alone reverse
lookup canonicalization. 

I don't think it's really fair to call current behavior a bug,
because it has too large of a constituency.  Whatever MIT chooses
to do about it after this spec comes out, I wouldn't care to be
in their shoes.

It would be especially ironic if adequately secure DNS were to
become widespread in a year or two from now.  So after a decade
of supporting a naming model with this security problem, Kerberos
switches to a different model just about the time the old one
becomes safe for anyone who cares.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: loadbalancing of keberized services

2004-04-12 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:

 On Saturday, April 10, 2004 16:47:21 + Donn Cave [EMAIL PROTECTED] 
 wrote:
 
  It depends on your client software.  All you need to do is resolve the
  addresses to canonical host name first, and use the resolved name for
  both the client connect and the service ticket.
 
 Careful here...  Using insecure DNS to compute a service principal name is 
 asking for trouble.  You're OK if, as suggested, you compare the resulting 
 name to a list of known valid servers, but that's a fair bit of work and 
 most software that does reverse resolution to determine service names 
 either can't or doesn't do it.

I believe we're more or less always asking for this trouble.
If you don't get a canonical, reverse looked-up name back
out of MIT Kerberos krb5_sname_to_principal(), then you're
doing something different than me.

Given that implementation, you're going to do the reverse
lookup anyway, so the only question is whether it would be
convenient to actually connect to the same host.  I assume
so, that's why I'd propose to look up the canonical name in
the application.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: loadbalancing of keberized services

2004-04-10 Thread Donn Cave 
Quoth vadim [EMAIL PROTECTED]:
| I am evaluating now a possibility of load balancing between several ldap 
| servers. I imagine each ldap server will bind to its own ip address. 
| LDAP client will try to connect to ip address of the loadbalancer and 
| the loadbalancer will distribute requests between ip address of ldap 
| servers.

I am not following you.  I expect the domain name service (DNS) to
distribute load by rotating a list of one or more IP addresses, for
a single well known LDAP server domain name.  Maybe that's what you
mean.  The details of what you're proposing to do are important.

| If I use GSSAPI to authenticate my clients against ldap servers, I am 
| afraid I will get in troubles, as my clients will ask for ticket for
|
| ldap/[EMAIL PROTECTED]
|
| although they will be connected to ldapservers with principals like
|
| ldap/[EMAIL PROTECTED] or ldap/[EMAIL PROTECTED]
...

It depends on your client software.  All you need to do is resolve the
addresses to canonical host name first, and use the resolved name for
both the client connect and the service ticket.  (It would be nice to
check the resolved name against some list of valid hosts, in case you're
vulnerable to DNS spoofing.)  You might do this in the actual LDAP client
program if you have the source, or in a wrapper script otherwise.  This
reverse lookup procedure uses gethostbyname() and then gethostbyaddr()
with the result.

If you can't do that, then I guess you will need the keys for each server
host, on all server hosts - ldap/server1 + ldap/server2 + ...

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos password change in master-slave environ

2004-03-24 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Ken Hornstein) wrote:

 Our realm has 43,000+ principals so for us, its a big deal. :)  We have
 slaves not only for redundancy, but also for load balancing.  We don't want
 all the users on our campus authenticating or changing passwords against
 just one machine.  
 
 With ticket caching, the load against one KDC hasn't been really that bad,
 from my experience.

I'll second that.  We have roughly twice as many, and I have never
noticed any significant amount of traffic to the secondary, even
without much caching (Kerberos per se has never really caught on
here, mainly due to lack of applications, so authentication mostly
means acquiring initial credentials and then throwing them away.)

However, dump propagation and performance were part of the issue
when we set up our own multimaster system some years back.

- Propagation takes up resources on the master, especially during
  the dump.  Not a desperate problem if you have a fast computer
  and you're doing it once an hour, but I didn't think we could
  afford to do it, say, every 5 minutes (and that's the minimum,
  because we couldn't finish it in less than 5 minutes.)

- Fallback to slave servers will be infrequent, but significant.
  We couldn't totally disregard the phenomenon for user support
  purposes, it will happen often enough that it has to work right.
 
- Lag between master and slave - 30 minutes, 60 minutes, something
  like that - would be a user support issue.  See previous point:
  hard to say `has to work right' and then allow this.  People's
  new passwords would not work, perhaps intermittently, during a
  fallback episode.

Our system revolves around some software locally developed out
of a legacy system, with only minimal changes to the KDC.  This
approach has been very successful, in my opinion, and if anyone
is thinking about developing a more general solution in this
area, it's a model to consider.  Useful in a heterogeneous
authentication environment.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos password change in master-slave environ

2004-03-24 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (John Hascall) wrote:
...
 We are running MIT's with our own incremental replication code
 (we replicate to the slave, our W2K-AD, and our Novell NDS).
 
 Basically, we put 5 little hooks in the kadmin libs that
 write 'transaction log records' into a directory.  Everything
 else is done with external programs and scripts.  I've posted
 more details which should be in the list archives someplace.

That sounds similar to our setup.  Same hooks, but of course
different external software.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Thread-safe libraries

2004-03-01 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Sam Hartman) wrote:

  Lukas == Lukas Kubin [EMAIL PROTECTED] writes:
 
 Lukas Is there any progress in the ability of Kerberos libraries
 Lukas on Linux to be used by threads-enabled applications?  I'm
 Lukas still having troubles using sasl kerberos authentication to
 Lukas ldap server on Linux (Debian). It always fails when
 Lukas parallel connection appears.  Is there any solution for
 Lukas this now?  Thank you.
 
 I believe someone has written a patch to the SASL library to use
 mutexes around GSSAPI calls.

That sounds like Simon Wilkinson.  I have done this too,
but I'm sure his code is at least better tested.  Unless
I missed something, it can be done with fairly simple
changes to one source file (plugins/gssapi.c) and does
away with a few little headaches if you're not otherwise
using Heimdal already.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: OpenSSH 3.7, kerberos thru pam

2004-02-12 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Patrice Seyed):
| I'm running openssh-3.7.1p1, /etc/pam.d/authconfig is syntactically
| correct regarding pam_kerb5.so, and /etc/krb5.conf and /etc/krb.conf are a
| pristine working config from another linux system. (oh running
| 2.4.21-4.0.1.ELsmp also here).
|
| so kerberos will only work/authenticate properly with this setup when i
| uncomment in
| /etc/ssh/sshd_config:
| KerberosAuthentication yes

Yes.

| i think is the mechanism for going around PAM though.

Yes.

As I understand it, PAM is not Kerberos authentication in the sense
that your ssh client uses your local credentials to get a service ticket
for the remote sshd.  Rather, it is password authentication - your
password goes across the wire to the remote sshd - where the Kerberos
module acts as a proxy client+server to validate the password.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: new kerberos5 1.3.1 possible config problems

2004-01-06 Thread Donn Cave 
Quoth Jacob Williams [EMAIL PROTECTED]:
...
| When I try to use the service in any way (even just using kinit) i get the res
| kinit(v5): Client not found in Kerberos database while getting initial credent
| and I cannot work out what this means or what I need to do to fix it.

Hard to say.  I would look in the KDC syslog, or if you don't have
access to it yourself, ask someone who does (mention time, date and
your IP address.)  This log will show the full principal name in your
request.  (Assuming you're actually configured for the correct realm -
if not, then of course nothing will appear in that log.  You might
try the full [EMAIL PROTECTED] principal name with kinit.)

The KDC syslog is really essential for troubleshooting configuration
problems and things like that.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: documentation for ssh/gssapi auth anywhere?

2003-12-09 Thread Donn Cave 
In article [EMAIL PROTECTED],
 paul [EMAIL PROTECTED] wrote:
...
 debug1: Miscellaneous failure
 No principal in keytab matches desired name
 
 I'm stuck here, what is the desired name?

   host/[EMAIL PROTECTED]

   where
   host is the literal string host
   address is the full canonical DNS address of the host computer
   realm is the Kerberos realm, exact case (rarely needed.)


   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Last successful authentication always set to never

2003-10-14 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (John Hascall) wrote:

  When I do getprinc on any principal in our REALM, it prints the
  attributes Last successful authentication and Last failed
  authentication set to value [never]. Similarly, the value of Failed
  password attempts is 0.
  Why the system doesn't update that values?
  Thanks.
 
 When you 'configure' kerberos during the build process,
 you need to include the '--with-kdc-kdb-update' flag to
 enable this.  And then you need to put the 'requires_preauth'
 attribute on your principals.
 
 MIT will tell you these features are 'not well tested',
 but they seem to work fine for me.

Requires an update to the database for each authentication, right?
For us, that would be a fairly radical increase in the number of
updates per day.  Seems like there would also be a propagation
issue, since these updates would automatically apply to the master
only if the master is also taking all the authentication requests.

I would get that information from logs, instead.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: preauth error

2003-10-07 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Kristian Rink) wrote:
...
 kerberos:~# tail /var/log/krb-kdc.log 
 Oct 07 11:44:18 kerberos krb5kdc[192](info): preauth (timestamp)
 verify failure: Decrypt integrity check failed Oct 07 11:44:18
 kerberos krb5kdc[192](info): AS_REQ (6 etypes {18 16 23 1 3 2})
 192.168.10.170: PREAUTH_FAILED: krink/[EMAIL PROTECTED] for
 krbtgt/[EMAIL PROTECTED], Decrypt integrity check
 failed

When I've seen that `preauth (timestamp)' error, it has
indeed meant that there is a substantial time discrepancy
between the KDC and client.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos ftpd bug? can't get it to work (New, sort of)

2003-10-06 Thread Donn Cave 
I don't think this qualifies as new at all.  Since you are
not able to provide accurate information about your problem,
you are going to have to rely on your own resources for the
most part.

The key point that you have to accept, is that when you get
this error `No principal in keytab matches desired name', it's
due to either the most trivially obvious cause:
  A. the remote host hasn't been set up with its own ftp key,
or if that isn't the problem, it has to be
  B. the ftp client uses a different name for the host than
 the host uses for itself.

There are various ways to diagnose the latter problem, but
of course they are not very useful where the actual host
names have to be cloaked in mystery.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Q: Ordering master/slave KDC's in CLIENT machines' krb5.conf

2003-09-09 Thread Donn Cave 
In article [EMAIL PROTECTED],
 MattW [EMAIL PROTECTED] wrote:

 Please help me understand how I should order the
 client's list of KDC's it can contact in the krb5.conf file.
 
 
 I have:
 
 
 
 [realms]
  YADDA.WASHINGTON.EDU = {
 
  kdc = kdc.yadda.washington.edu
  kdc = kdc1.yadda.washington.edu
  kdc = kdc2.yadda.washington.edu
  admin_server = kdc1.yadda.washington.edu
  default_domain = yadda.washington.edu
  krb524_server = kdc1.yadda.washington.edu
  }
 
 NOTE: kdc.yadda.washington.edu points to the master, which is
 kdc1.yadda.washington.edu
 
 
 but I have MANY clients which will need to set up to use
 kerberos, and kdc1 and kdc2 are on different subnets.
 
 Should I put the kdc that is the closest (fewest hops, or local)
 first in the list? or should I always put the master server first,
 regardless of network proximity.
 
 Am i nit-picking here? Does order matter in the kdc list?

Yes.

The addresses are contacted in order until one responds,
but some requests may then also find their way to the master
server.  Master is however spelled admin_server, so in your
example the master is really kdc1. As far as I know, the first
KDC on the list will be contacted first, but otherwise gets
no special status from this.

You may also be interested in the use of DNS records to do this.
Cf. for example, SRV record for _kerberos._udp.u.washington.edu,
and TXT record for _kerberos.u.washington.edu.  That allows
applications in u.washington.edu to find the realm's KDC without
any local configuration file.  If you have a serious issue with
network connectivity, that might be another way to address it
(though I would think it's highly unlikely to be worth it - I mean,
the DNS records are a fine idea, especially if you don't have a
name collision with a Windows domain, but having them resolve
to different hosts depending on the DNS server would be only 
for the desperate.)

 Im curious how failover is done if my router to the first
 kerb server in the list goes down.

It's done with select() on the socket file descriptor in conjunction
with the connect() function.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Ssh trouble with forwarding

2003-09-02 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Matthijs Mohlmann):

| I have trouble with ssh en forwarding.
...
| Now when i try to login to my ssh service with the following command:
| [EMAIL PROTECTED]:~$ ssh -A -K active2.active2.homelinux.org
| Password:
|
| I don't want that password prompt. My ticket is enough to authenticate
| me.
|
| When i now do some debugging:
| Active2:~# ssh -d -f /etc/ssh/sshd_config
...
| 17612: debug1: Miscellaneous failure
| 17612: debug1: No principal in keytab matches desired name
|
| What does this mean ? I have a
| host/[EMAIL PROTECTED] in my
| /etc/krb5.keytab on the ssh-server. I have also a ssh service key in my
| keytab (ssh/[EMAIL PROTECTED])

However, the IP address associated with that name seems to be
actually hosted at x4sall.nl, under another domain name.  Your
key unfortunately has to match that canonical domain name,
rather than active2.active2.  Or at any rate, you have to use
whatever name the host uses for itself.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Ssh trouble with forwarding

2003-09-02 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Matthijs Mohlmann) wrote:
 On Tue, 2003-09-02 at 05:12, Donn Cave wrote:
  Quoth [EMAIL PROTECTED] (Matthijs Mohlmann):
  ...
  | Now when i try to login to my ssh service with the following command:
  | [EMAIL PROTECTED]:~$ ssh -A -K active2.active2.homelinux.org
  ...
  | 17612: debug1: Miscellaneous failure
  | 17612: debug1: No principal in keytab matches desired name
  |
  | What does this mean ? I have a
  | host/[EMAIL PROTECTED] in my
  | /etc/krb5.keytab on the ssh-server. I have also a ssh service key in my
  | keytab (ssh/[EMAIL PROTECTED])

 I have my own dns-server for internal network. And my domain is
 active2.homelinux.org. My computers are
 name.active2.homelinux.org and all this names are in the dns. I have
 checked what ip every computer is using and it sounds to me as oke
 active2.active2.homelinux.org - 192.168.0.2
 server.active2.homelinux.org - 192.168.0.7
 router.active2.homelinux.org - 192.168.0.1

$ host active2.active2.homelinux.org
active2.active2.homelinux.org is a nickname for active2.homelinux.org
active2.homelinux.org has address 80.126.240.96
active2.homelinux.org mail is handled (pri=5) by active2.homelinux.org
active2.homelinux.org mail is handled (pri=10) by bulletgate.org

$ host 80.126.240.96
96.240.126.80.IN-ADDR.ARPA domain name pointer 
a80-126-240-96.adsl.xs4all.nl

There's a limit to what we can tell from here, but believe me,
it will not work until the name the host knows itself by, and
the name in the Kerberos host principal, are the same.  This
is the problem you have to solve.  If you have access to logs
from the KDC, you can see exactly what the principal name needs
to be.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos ftpd bug? can't get it to work

2003-07-10 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (root) wrote:

 HAS ANYONE GOTTEN FTP/FTPD TO WORK ON KERBEROS V5?  I need help.

Talk to us.  Douglas Engert posted a followup in response to
your initial question.  He asks what host name you're connecting
to, what host name is in the keytab.  I might add, what host
name shows up in klist afterwards, if any.  GSS ftp does have
some host name issues.  On the bright side, at least you're not
running krb5-1.3 yet, so telnet probably works.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Decrypt integrity check failed

2003-07-08 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Muhammed Reahan) wrote:

 Decrypt integrity check failed
 First of all I created a principal name test. It is successfully created
 i entered the password  for it two times.
...
 Then i added the entry for the principal in the keytab file as 
 
 kadmin.local: ktadd test
 Entry for principal test with kvno 2, encryption type DES-CBC-CRC added to 
 keytab 
 WRFILE:/etc/krb5/krb5.keytab.
...
Now i want to get the ticket of principal test  with kinit command.

kinit test
 Password for [EMAIL PROTECTED]: 
 kinit: Password incorrect
 i entered the password correctly which i entered the first time.But 
 automatically password is 
 changed. i have tried this with two or three principals.

Yes, ktadmin invents a pseudo-random key when it adds a keytab
entry, so there is no way to subsequently authenticate with a
password.  If you want a keytab entry and a known password, you
have to use ktutil to create it.  I think ideally this would very
rarely be necessary.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Password-less authentication with OpenSSH 3.6.1 and krb5/GSSAPI

2003-06-28 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Kerry Thompson):
...
| I've since run into the same problem, it seems that OpenSSH with Simon's
| patch doesn't enable GSSAPI properly when built out of the box. Maybe a
| problem with the patched ./configure or configure.ac or autoconf or
| something. You can quickly check the status by running 'grep -i gssapi
| Makefile' and seeing if you've got the GSSAPI stuff being linked into
| the OpenSSH build or not.

You have to run autoreconfig after applying the patch.  That's the
part that's easiest to forget to do, at least it was for me.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: telneting into solaris 8 kerberized telnetd prompts for passwd

2003-06-27 Thread Donn Cave 
In article 
[EMAIL PROTECTED]
oft.com,
 [EMAIL PROTECTED] (Peter Himmelfarb \(Excell Data 
 Corporation\)) wrote:
...
 ./telnet -a -x msaum01
 
 Trying 10.10.0.10...
 
 Connected to abc.abc.com (10.10.0.10).
 
 Escape character is '^]'.
 
 Waiting for encryption to be negotiated...
 
 [ Kerberos V5 accepts you as ''[EMAIL PROTECTED]'' ]
 
 done.
 
 Last login: Fri Jun 27 11:47:13 from 10.10.0.10
 
 Password:


That would suggest to me that the client's Kerberos principal,
[EMAIL PROTECTED], isn't authorized to log in on any particular
account on that host.  In the simple case that means there
isn't a bullet in the password file, but at any rate there
must be some mapping from [EMAIL PROTECTED] to user.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Forwarding Kerberos Credentials - SSH

2003-06-23 Thread Donn Cave 
In article [EMAIL PROTECTED],
 [EMAIL PROTECTED] (Parag Godkar) wrote:
...
 9. Now from this telnet/ssh session, I would like the users to
telnet/ssh to another linux server (or to the same server) 
in the same kerberos domain WITHOUT BEING PROMPTED FOR A 
PASSWORD.
 
NOW THIS IS WHAT I WANT TO KNOW IF IT IS 
PRACTICABLE OR I AM TRYING TO DO SOMETHING
IMPOSSIBLE?

Yes!  It is possible, and everything up to here leads me to
expect it will work.

But as another followup has already pointed out, the server
apparently has no service key - from the server diagnostics,
  Miscellaneous failure No principal in keytab matches desired name

Someone needs to create a principal host/x.y.z and add its key
to /etc/krb5.keytab on x.y.z (the remote host.)

Remember when testing the client, you must do that as the user
who logged in and has the credentials -- don't do it as root.


 3. I have the following relevant lines in my sshd_config -
 
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredCache yes
#AFSTokenPassing no
#KerberosTgtPassing no
#PAMAuthenticationViaKbdInt no
 
and the following relevant lines in my ssh_config -
 
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
GssapiAuthentication yes
GSSAPIDelegateCredentials yes

KerberosAuthentication yes alone, in both, should be enough,
something you can easily try if you have further difficulties.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Forwarding Kerberos Credentials - SSH

2003-06-19 Thread Donn Cave 
In article [EMAIL PROTECTED],
 Frank Cusack [EMAIL PROTECTED] wrote:
 Wow.  Lots of info. :-)  I'll quote it all, since it's so involved that
 it will be useful to have a complete reference in a single message.

Good - so, folks who want that complete reference:  you know where to go!

 No.  Only if you want to use ssh protocol 2.  ahhh... this is the problem.
 By default, ssh will select protocol 2.  Which doesn't support krb5.  So
 you must tell it to use protocol 1, and probably must tell the server
 to do krb5 (probably sshd_config on the server doesn't accept krb5 by
 default).

I found this all a little confusing, and I'm sure there are people
here who know more about the GSSAPI OpenSSH patch, but in case it
helps ...  The way I read it, he applied this patch with the expectation
that it provides Kerberos support for protocol 2, and that is true -
it should.  Only between patched OpenSSH servers and clients, because
unfortunately it doesn't interoperate with the ssh.com approach to
Kerberos 5 for protocol 2.  I agree that ssh -v ought to help narrow
down the problem.  It might be worth trying some other Kerberos 5
application - I believe we're talking about Redhat Linux here, where
the telnet and ftp applications should support Kerberos 5.

Secondly I think the term forwarding doesn't apply to the scenarios
I'm reading about here.  If you log in to sshd with your Kerberos
password, the remote credentials acquired in the process are actually
local in this sense - they reside on the host that acquired them, as
sshd did that.  When used to authenticate to some service from there,
that's just simple basic Kerberos authentication, no forwarding needed.

   Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Host Alias

2003-03-25 Thread Donn Cave 
| I have come across a usability issue where users of a network I plan
| to implement Kerberos on are currently accustomed to host aliases.
| i.e: typing 'ftp foo' instead of 'ftp foo.my.long.host.name.com.' 
| 
| Anyone have advice on how to get around using fully qualified hostnames
| for Kerberos host principals? 

On the contrary, you certainly should use fully qualified hostnames
for Kerberos host principals.  That also should work, that is, you
should be able to type 'ftp foo' and it should be automatically
expanded to the full domain name.  If it isn't, the reason is likely
the short comes before the full name in /etc/hosts.  The same is
true of alias names in the DNS CNAME sense, that they should just
work in current implementations (though perhaps not forever, if I
read the draft right.)

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5 ticket cache

2003-02-05 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Klaas Hagemann):
...
| after doing kinit the kerberos client creates a krb5 ticket cache file 
| like /tmp/krb5cc_506.
|
| Another user having root privileges on this client can optain these 
| ticket cache file and have the network wide rights of the owner of this 
| ticket.
|
| Is there any chance that the ticket is stored in memory rather than on 
| the local disk? can i configure it in any way?

Yes!  Try this:

  $ KRB5CCNAME=MEMORY:0 kinit
  Password for [EMAIL PROTECTED]:

Now look for your credentials in /tmp, and they won't be there.  They
won't be anywhere else either, they're just gone, along with the kinit
process that owned that storage, but that would be what you wanted.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos5 NAT and kftp

2002-11-25 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Jeffrey Altman):
| You need to use an FTP client that allows you to disable the use 
| of channel bindings.  See C-Kermit
|
|   http://www.kermit-project.org/ckermit.html
|
| It will do what you need when the command
|
|   SET AUTH K5 NO-ADDR ON

You also need a patched ftpd, right?  Or does the GSS ftpd from
the current MIT release now support clients from behind a NAT?

Donn Cave, [EMAIL PROTECTED]

| In article [EMAIL PROTECTED],
| Protima Chhabra [EMAIL PROTECTED] wrote:
| : Hi,
| : 
| : I have a Kerberos client sitting behind a firewall doing NAT. I have 
| : patched my client and added the proxy gateway to my configuration file, as 
| : explained in the document below
| :  
|http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/firewall.html#proxy
| : 
| : I can get a ticket, get ktelnet to work with an error message, but kftp 
| : does not work, as shown below. Can someone tell me what is it that I am 
| : doing wrong.
| : 
| : Thanks
| : Protima
| : 
| : 
|--
| : kclient101% klist
| : Ticket cache: /tmp/krb5cc_11617
| : Default principal: [EMAIL PROTECTED]
| : 
| : Valid starting ExpiresService principal
| : 11/14/02 19:06:17  11/15/02 05:06:15  [EMAIL PROTECTED]
| : 
| : 
| : kclient102% ktelnet opal0-gx.main.KRB.COM
| : Trying 255.255.255.255... Connected to opal0-gx.main.KRB.COM
| : (255.255.255.255). Escape character is '^]'. [ Kerberos V5 accepts you as
| : ``[EMAIL PROTECTED]'' ] [ Kerberos V5 refuses forwarded credentials because
| : Read forwarded creds failed: Incorrect net address ] Last login: Thu Nov 14
| : 17:58:26 from 68.156.252.64.snet.net
| : opal0 exit
| : opal0 logout
| : Connection closed by foreign host.
| : 
| : kclient103% kftp opal0-gx.main.KRB.COM
| : Connected to opal0-gx.main.KRB.COM.
| : 220 opal0 FTP server (Version 5.60) ready.
| : 334 Using authentication type GSSAPI; ADAT must follow
| : GSSAPI accepted as authentication type
| : GSSAPI error major: Incorrect channel bindings were supplied
| : GSSAPI error minor: No error
| : GSSAPI error: accepting context
| : GSSAPI ADAT failed
| : GSSAPI authentication failed
| : Name (opal0.main.KRB.COM:user):
| : 530 User user access denied: authentication required.
| : Login failed.
| : Remote system type is UNKNOWN.
| : ftp bye
| : 221 Goodbye.

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: afs-krb5 integration

2002-10-22 Thread Donn Cave 
Quoth [EMAIL PROTECTED] (Sam Hartman):
| Josh == Josh Huber [EMAIL PROTECTED] writes:
...
| Josh I like the thought of more integration of AFS and krb5.
|
| Not surprisingly those of us who worked on this proposal had similar
| motivations.

Excellent.  I'm encouraged enough by all this to overcome my
embarrassment and ask a very basic question about AFS and krb5.

Unlike (I gather) most or all AFS sites, we never used Kerberos 4
here, we started with V5 (after a brief flirtation with DCE.)
Hence, no --with-krb4, no Kerberos 4 salted keys, just pure krb5.

Will pure V5 work with AFS, once implementation of all this new
stuff is nailed down?  Am I right that the classic krb524d AFS
support depends on V4 keys in the V5 KDC?

Thanks,
Donn Cave, [EMAIL PROTECTED]

  An alternate conversion is provided for AFS servers that support the 
  encrypted part of a krb5 ticket as an AFS token.  If the krb524d is 
  converting a principal whose first component is afs and if the 
  encrypted part of the ticket fits in 344 bytes, then it will default 
  to simply returning the encrypted part of the ticket as a token.  If 
  it turns out that the AFS server does not support the ticket, then 
  users will get an unknown key version error and the krb524d must be 
  configured to use v4 tickets for this AFS service.

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Eudora-Mac-Cannot communicate with Kerberos

2002-08-01 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Ken Hornstein):
| So this is really a good news to me. May you let me know 
| what specific configuration I need to modify to make it work.
|
| You need a V5-capable KCLNT32.DLL (that's the Kerberos piece that
| Qualcomm doesn't provide).  That's sorta specific to your Kerberos
| implementation, though ... I could give you mine, but if you're using
| a newer Kerberos release, it probably won't work.  I think we got ours
| from Donn Cave, originally.

I don't think so!  It doesn't come with the MIT Kerberos5 distribution
for Windows, you're saying?

As for Eudora, I have seen 4.3 authenticate with GSSAPI-Kerberos5
to an IMAP service, but at the time that was apparently for IMAP
only, and Windows only.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5_rd_req: Wrong principal in request while reading request

2002-07-24 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Thomas Huang):
| I am trying to setup a kerberorized service (using kerberos 5 v1.2.2) 
| on a Solaris 7 machine.  When trying to connect to this service using 
| a kerberorized client, the server returned the following error 
| message:
|
| krb5_rd_req: Wrong principal in request while reading request
|
| I have verified my /etc/krb5.keytab has the correct entries.  I was 
| able to use 'kinit -k -t /etc/krb5.keytab -S myserivce principal' 
| to obtain a service ticket on that server host.  I have also updated 
| the /etc/hosts file to make sure the fully qualified host name is on 
| the first position.  My guess is some how the host lookup is 
| returning a different host name, but I am sure I am on a single home 
| machine.  My /etc/nsswitch.conf has the following entry on for hosts
|
| hosts: nisplus dns [NOTFOUND=return] files
|
| I am not very good in system administration.  Any ideas?

Not really, but I agree that's a likely cause.  If you can look
(or get someone to look) in the syslog records for the KDC, you
should see the exact ticket the client gets, and that ought to be
helpful.  Or for that matter, you should have the ticket in your
credentials cache after you run the client, so try klist.  In
either case, it may be helpful to clear the cache first.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Compiling 1.2.5 on True64 v5.x

2002-07-09 Thread Donn Cave 

Quoth Peter Losher [EMAIL PROTECTED]:
| Has anyone encountered an issue compiling Kerberos 1.2.5 on a Tru64 {5.0 or 
| 5.1) box using Compaq's C compiler?  Any pointers would be welcome.

Well, I just had a go at it with Digital UNIX 4.0, using DEC's
C compiler.  What a mess!  Your compiler sure seems to be more
tolerant than mine.  I'm having to fix several include files,
where preprocessor macros were indented.  (Folks, if you must
indent a preprocessor macro, that's fine, but the # has to stay
in the first column.)  With those fixes, it did build.

But I don't have your problem - maybe because DU 4.0 doesn't
even have an in6.h.  The authors of in6.h apparently expect
typedefs like uint8_t to exist, but don't manage to make
that happen.  You'll have to find where they're supposed to
come from - not sys/types.h, evidently, but no doubt something
like it.  Your compiler may actually be misconfigured, like
someone installed a IPv6 option but some include files were
not updated.  It's going to bite you every time you try to
compile just about anything.

Donn Cave, [EMAIL PROTECTED]

| (Error message below)
...
| cc: Error: /usr/include/netinet/in6.h, line 55: Missing type specifier or 
| type qualifier. (missingtype)
| uint8_t sa6_addr[16];
| ^

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Compiling 1.2.5 on True64 v5.x

2002-07-09 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Tom Yu):
[... re indented # in preprocessor statements]

| Did you use the -std flag to cc?  It's documented in the build notes
| as being necessary.  Tru64 4.x I think had a cc that defaulted to KR
| mode.

No, I didn't use -std, and it does help with the indented parentheses.
Minus that problem, it doesn't appear to be necessary at this point -
in terms of compiler errors, anyway, from there on it was all about
signed vs. unsigned.

Digital UNIX cc doesn't so much default to KR, as accommodates it.
It would work fine everywhere you have #ifdef __STDC__, as would
any fairly recent compiler.  But it doesn't define __STDC__, and
that's really what -std is usually about -- it's just there to get
that macro.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Building from source question (krb5 1.2.5) ...

2002-06-21 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Sam Hartman):
| No.  Kerberos has no TLI support at all.
|
| Obviously you could write this support since you have the source, but
| that would be significant work.

Our PTX machine went out via the loading dock many years ago, and
I have only vague memories of it.  One is replacing Berkeley socket
API calls with TLI functions to get things to work.  The other is
finding out that the socket version of the application could as
easily have been fixed, and that we didn't seem to really need TLI
for anything.  The socket library is a third party effort that wasn't
as excellent as it would be on a real Berkeley type UNIX, but I don't
remember any problems with applications that do ordinary things and
are written correctly.

I don't remember how much MIT krb5 I got running there.  Some, I'm
pretty sure, but that would have been ca. beta7, and things have
changed a little here and there since then.  The SIOCGIFCONF etc.
stuff in krb5/os/ might be an obvious suspect if nothing works,
for example.  Exotic stuff like this may just need to be avoided,
as you'll notice it already is avoided for non-UNIX platforms.
Will need PTX specific stuff for util/pty (man getpseudotty),
if building an application that uses ptys.

It's some work, but not like rewriting to TLI - and that might
not work anyway, if the actual problem is no better understood
than sockets are bad!

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Odd Kermit Kerberos problem

2002-05-20 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Ed Ravin):
| I encountered a very odd problem with Kermit and Kerberized
| telnet today.  I tried to use kermit to connect to a host:
|
|   $ kermit -J serverhost
|DNS Lookup...  Trying 192.168.1.23...  Reverse DNS Lookup... (OK)
|   No credentials found with supported encryption types while authorizing (3).
|   Authentication failed: No authentication method available
|
| This was odd because I had just Kerberized using /usr/bin/telnet to a
| different host.  I tried serverhost with telnet, it Kerberized without
| a problem, then tried Kermit again, and it now could Kerberize without
| a problem.
|
| Environment is NetBSD 1.5.2, with MIT libraries and KDC.
|
| Any idea what might be going on here?

No, and I don't want to.  I just want the encryption types
pain to end.  But if you can repeat this, you might use
klist -e to check up on your credentials before and after
these steps.

On NetBSD, /usr/bin/telnet would normally be Heimdal, not MIT.
These two implementations can use the same krb5.conf, but there
are differences that happen to be related to encryption types.
My MIT krb5.conf has these two lines in [libdefs]:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

and I added these for the Heimdal applications -

default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: imap server and GSSAPI ?

2002-04-18 Thread Donn Cave 

Quoth Martin Schulz [EMAIL PROTECTED]:

| I'am currently setting up an imap server. Basic mail delivery works,
| but authentication still needs password passing (via ssl, but
| nevertheless). But I definitely want to make use of the available Krb5
| TGT, to avoid that password passing; as I understood it, GSSAPI is the
| way to go.
|
|
| Are there any comprehensive descriptions about this setup? 
|
| I found a brief description for cyrus-imapd, but I am using the UW imapd.

Do you mean you want to know to implement GSSAPI-Kerberos5 authentication
in your own IMAP client?  I guess you could look at RFC 2060 (IMAP4rev1),
AUTHENTICATE command, for starters.  Use GSSAPI for mechanism name.
You can also see one implementation in the imapd source, c-client/auth_gss.c.
I might be able to provide another examples if you happen to be working
in Python instead of C.

On the other hand, if you want to use existing software, you might want
to specify the platform.  I know pine and recent Windows versions of Eudora
will do that, undoubtedly a few others.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: default principal confusion

2002-04-10 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Ken Grady):
|What is the correct way to do this?  Or is it correct to allow both?
| And should an option be added to SomeNewSSH  to allow either
| functionality (-k1 kerberos original -k2 extra principal...)?
| Openssh-3.1p1 uses the default principal is the same as the client and
| things seem to be compatable as far as using forwarded tickets are
| concerned.  Compatability between differing versions of ssh is
| practically non-existant AFAICT.
|
| When I kinit I get klg @lanl.gov as the default principal.  An od -c
| of the cache shows that klg is also the client. When I use ssh.com's
| ssh-3.1.0 and ssh -l acct machine.lanl.gov, I end up with a ticket for
| default principal [EMAIL PROTECTED] and client [EMAIL PROTECTED] which isn't
| necessarily bad, because I can use that ticket and ksu (ticket default
| principal becomes [EMAIL PROTECTED]) and I become root (I'm in acct's and
| roots's .k5login files).  The logs on the KDC show that root was
| authenticated as [EMAIL PROTECTED] for acct (see below). Where it gets
| confusing is if I ssh -l root machine.lanl.gov my default principal is
| [EMAIL PROTECTED] client [EMAIL PROTECTED], but [EMAIL PROTECTED] isn't a valid
| kerberos principal.  So should ssh-3.1.0 revert back to [EMAIL PROTECTED] or
| should ksu change the principal to [EMAIL PROTECTED] and just leave the
| client [EMAIL PROTECTED]?  The ssh from ssh-3.1.0 doesn't seem to use the
| client info from the ticket cache, so I am unable to ssh with a default
| principal of [EMAIL PROTECTED] and client of [EMAIL PROTECTED] to another machine
| (unless I ksu klg first.  What if I don't have an account on the
| machine?) nor am I able to ssh with a default principal of
| [EMAIL PROTECTED]  So the question is Which is correct?.

I don't have much to do with these things, but since no one else's
followup has appeared yet, here's my opinion.  Where it gets confusing
above shows why -l username should refer to a remote account and not
a Kerberos principal.  Authorization to that account can be based on
whatever suits sshd.  If Kerberos then the Kerberos principal should be
determined according to general Kerberos rules, i.e., the default
principal from the credentials.  If that's inconvenient, the solution
should apply to Kerberos applications in general, where I would imagine
the use of more than one principal could be better supported.

Whether ssh should forward credentials I don't know for sure, but since
there isn't any real mapping between principal and account, only a
set of loose conventions, I guess it should be as happy to forward to
a .k5login-authorized account as to a name==name-authorized account.

Donn Cave, [EMAIL PROTECTED]

| The logs show:
| Apr 10 08:11:00 kerb1 krb5kdc[715]: TGS_REQ 123.123.123.2(88):
| ISSUE:authtime 1018447267, [EMAIL PROTECTED] for [EMAIL PROTECTED]
| pr 10 08:11:48 kerb1 krb5kdc[715]: TGS_REQ 123.123.123.2(88):
| ISSUE:authtime 1018447267, [EMAIL PROTECTED] for
| [EMAIL PROTECTED]
| Apr 10 08:11:48 kerb1 ksu[8599]: 'ksu root' authenticated [EMAIL PROTECTED]
| for acct on /dev/pts/2
| Apr 10 08:11:48 kerb1 ksu[8599]: Account root: authorization for
| [EMAIL PROTECTED] successful

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Problems using Kerberos telnet

2002-03-21 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Wyllys Ingersoll):
...
| This is the problem.  Is the hostname you entered at the client prompt 
| the same as the name
| of the server that is stored in the KDC?  It may be a DNS issue, try 
| specifying the
| fully-qualified hostname when you make your connection from the client.
|
| A look at the KDC logs might help clear this up.

While we're on the subject, I find that the Heimdal telnet on my
NetBSD 1.5.2 host fails to do a reverse lookup to determine the
service host's canonical name.  That's probably a bug.  MIT clients
do this more or less universally, in krb5_sname_to_principal().

This is probably not the problem our nameless correspondent Someone
is having, but I believe he is using Heimdal too.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

RE: Tickets accepted upon login but still prompted for password

2002-03-15 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Rechenberg, Andrew):
| [arechenberg@rh71test ~]$ telnet -a rh71test.shermfin.com
| Trying 10.1.1.55...
| Connected to rh71test.shermfin.com (10.1.1.55).
| Escape character is '^]'.
| [ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
| telnetd: Authorization failed.

rm $HOME/.k5login

Just a guess.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

RE: Tickets accepted upon login but still prompted for password

2002-03-15 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Rechenberg, Andrew):
| Looking at the code, it looks like if I don't have a .k5login
| I should be allowed access, but the authorization is failing.
| Is this a correct assumption?

Not completely correct, or you wouldn't have a problem, but yes,
that's how it works for everyone else.  There are basically two
ways to decide authorization:

1.  You don't have a .k5login.  Rules are used to decide whether
your prinicipal ought to be authorized for the present account.
Those rules can be anything in theory, but in practice they're
like [EMAIL PROTECTED] is authorized for account 'myname'.

2.  You do have a .k5login - use it instead.

That's why Mark Eichin speculated that your host doesn't know its
local realm.  Something's going wrong in (1), if you can make it
work by using your own principal in (2).  If I were in your shoes,
I would get the source and build it, and find out what it's doing
in lib/krb5/os/kuserok.c.  (Or find out that the source you build
works, where the stuff you're now using doesn't.)

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberized rsh/rlogin on FreeBSD and NetBSD?

2002-03-07 Thread Donn Cave 

Quoth Chris Schadl [EMAIL PROTECTED]:
| Hi,
|
| When I try to rlogin or rsh to my NetBSD or FreeBSD machines with
| kerberos support, I get the error Couldn't authenticate to server: Bad
| sendauth version was sent.  Looking in the syslogs of these hosts, I see
| the following:
|
| Mar  6 22:12:07 ryoko rlogind[37294]: usage: rlogind [-Dalnx]
| Mar  6 22:12:07 ryoko rlogind[37294]: usage: rlogind [-Dalnx]
| Mar  6 22:12:07 ryoko rlogind[37294]: Connection from 192.168.0.2 on illegal port
|
| (that's on the FreeBSD host; I get something simmilar on the NetBSD
| server)
|
| rlogind and rshd are set in inetd.conf to use the -k flag to enable
| Kerberos authentication, however the errors in my syslog would seem to
| indicate that the -k flag is not supported.  Does anyone what I have to
| do to get kerberos rsh/rlogin working on these platforms?

On NetBSD 1.5, it doesn't look to me like /usr/libexec/rlogind supports
Kerberos.  Only /usr/libexec/telnetd.  Same story in the clients - only
telnet supports Kerberos.  (Host/service principal lookup in this telnet
has the same bug as in MIT's ftp, multiple lookups lose in a dynamic DNS
environment.)  Well, ssh looks like it might support Kerberos 4, but
I wouldn't expect that to do you much good.

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos Security Question

2002-02-27 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Tomas Maly):
[... re credentials in /tmp ]
| Any way, I was wondering if it was thought of how to
| secure this hole. Would it be possible to make a
| ticket cache file valid only for a particular process
| group, perhaps? Is there any current ways to tighten
| security? I would like to not force removing root
| access from these untrusted users (such as for their
| Linux PCs).

If you're giving root access to someone, they're trusted!
I guess you mean that they're not worthy of the trust you
place in them?  Something's unclear here.

Here are a couple more questions for you:

- Do these credentials have any value at all?  I mean, do you
  use them, does anyone use them?  It sounds like they're the
  by-product of password validation.  It might take some work
  in login.krb5, but in theory those credentials are optional.

- Following the password validation assumption, are those passwords
  in the clear on the network?

- Can your users actually use Kerberos?  Can they have Kerberos
  telnet or ssh on their desktop?  If you do the Kerberos single
  login thing, and then use your credentials to log in to a
  remote host, you don't go through that password validation step
  and wouldn't have credentials there (unless you deliberately
  forward them.)  This is really a _more_ secure way to deal
  with trust issues - compared to say ssh or SSL with passwords,
  where you expose your password to the remote host.

| Also, I've noticed that the login.krb5 program creates
| a pseudo-random filename for the cache (such as
| /tmp/krb5cc_XYZPDQ). Why is this?

You could have several sessions concurrently on the same host.
This way you don't lose your credentials from one session when
another one starts or exits (they're deleted on exit.)

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos 1.2.3 compile problems on aix 4.3.3

2002-02-27 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (jesse raynor):

| I had trouble compiling kerberos 1.2.3 on AIX 4.3.3.  I got it to build with
| cc, which doesn't define __STDC__, but not with xlc, which does.  I am using
| version 5 of the AIX C compiler.
|
| To build with cc, I cd'ed to the src directory and did:
|
|   ./configure --prefix=/opt/kerberos --without-krb4
|   make
|
| By default, cc gets picked as the compiler to use.  Eventually the build 
| dies
| under the telnet directory.  Here's the last command make tried:
...
| To make the prototypes match, I changed lines 192-194 of ext.h from
|
| extern void netprintf P((const char *, ...));
| extern void netprintf_urg P((const char *fmt, ...));
| extern void netprintf_noflush P((const char *fmt, ...));
|
| to
|
| extern void netprintf (const char *, ...);
| extern void netprintf_urg (const char *fmt, ...);
| extern void netprintf_noflush (const char *fmt, ...);
|
| and then reran make.  It finished compiling.

That's the right fix.  Unless you want to add varargs support, you're
already limited to compilers that support stdarg.  They will all support
function prototypes, so __STDC__ as a test for function prototype support
is useless (as well as wrong.)

Donn Cave, [EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Re: host and services principals/tickets

2002-01-25 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Andreas Hasenack):
|   LDAP
|   services aren't really a distinct category.  You might run
|   several LDAP services on the same host whose data and access
|   controls are completely different, and that's what you would
|
| I though ACLs were not kerberos' concern. Kerberos only says
| that you are you, right? What you can or cannot do outside of
| kerberos is not its business, right?

Right.  I really am talking about the identity of the service, the
point is that an LDAP service's useful concept of identity is not
about being the LDAP service on host x.y.z.  Neither the host nor
the use of LDAP protocol are particularly interesting to me, it's
the data.  And I suppose that's how telnet, rsh and ssh all came to
use the same host principal - your connection's network protocol may
be telnet or ssh, but what matters is that you have a shell prompt.

Access controls are just an example of the possible differences, and
they're interesting because they hint at potentially different
security considerations that might lead back to Kerberos when we
consider for example which keytab to store the keys in, privileges
to access the keytab vs. what privileges the server runs with.

Donn Cave, [EMAIL PROTECTED]

Re: host and services principals/tickets

2002-01-25 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Booker C. Bense):
...
| - There's nothing stopping these various ldap servers from
| sharing the same keytab. I can see some reasons for not wanting
| to do that, but the only compelling one to me is that if
| you don't trust the security of one of the servers.
| Other than that I can't see any real reason why the keytab
| can be shared. Anything else hints of using the naming
| of kerberos principals for authorization, and we all know
| how evil that is.

I seem to be too dense this morning to see how service principal
names could be authorization.  I mean, with client principals it's
obvious enough, but I reckon that the service would be the one who
grants authorization, not the one who receives it, in at least the
typical use of service principals.

By extension, do you see any reason why all services should not just
use the host principal?  That's not a sarcastic question - I think
the point could be argued, at least for services that all run as root
or have enough common privilege.

Donn Cave, [EMAIL PROTECTED]

Re: host and services principals/tickets

2002-01-25 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Sam Hartman):
|  Donn == Donn Cave [EMAIL PROTECTED] writes:
|
|Donn An LDAP service certainly should have its own key, but in my
|Donn opinion this should actually be a run time option.  LDAP
|Donn services aren't really a distinct category.  You might run
|Donn several LDAP services on the same host whose data and access
|Donn controls are completely different, and that's what you would
|Donn like to base the service principals on, not the technicality
|Donn of the protocol.  But you might also run two that are
|Donn essentially identical, but on separate service ports for
|Donn testing, so it isn't ideal to just incorporate the service
|Donn port in the service principal to accomplish this (don't
|Donn laugh!  I believe there are implementations that do exactly
|Donn that.)
|
| The problem is that you need a secure mechanism to tell the client
| what principal to authenticate against.  Specifying that in the
| protocol document is a great way to make sure it is securely known.

If I run separate LDAP services with separate principals like
ldapwhitepages/x.y.edu and ldapaccounts/x.y.edu, the clients
(and the servers) would presumably get that information from
configuration files, just as they currently need to know what
host and service port to connect to.

Could you elaborate on the problem with this as a secure mechanism?
Given that host and port are going to be determined this way.

Donn Cave, [EMAIL PROTECTED]

Re: host and services principals/tickets

2002-01-24 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Andreas Hasenack):
| I'm suddenly a little bit confused about host and services
| principals.
|
| For example, for OpenLDAP I have a principal called
| [EMAIL PROTECTED] But, for openssh, I found out
| that I had to have a [EMAIL PROTECTED] principal
| instead of something like [EMAIL PROTECTED]
|
| This is defined by the service/application, right?

Yes, the application decides.  Some are even ambivalent, like
ftp which can be either ftp or host.  Telnet uses host,
and it seems to have made sense to everyone that the same key
would serve for sshd.

An LDAP service certainly should have its own key, but in my
opinion this should actually be a run time option.  LDAP
services aren't really a distinct category.  You might run
several LDAP services on the same host whose data and access
controls are completely different, and that's what you would
like to base the service principals on, not the technicality
of the protocol.  But you might also run two that are
essentially identical, but on separate service ports for
testing, so it isn't ideal to just incorporate the service
port in the service principal to accomplish this (don't laugh!
I believe there are implementations that do exactly that.)

Donn Cave, [EMAIL PROTECTED]

Re: Unresolved symbol _et_list for OSF4.0f (dynamic lib)

2002-01-18 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Jonathan Wackley):
| Configured and built MIT Kerberos V5 release 1.2.2 distribution with no
| obvious issues.  Execute code to perform dlopen of libkrb5.so and the
| following error message (from my program) is shown at exit:
|
| /sbin/loader: Error: Unresolved symbol in
| /kerberos/tru64_new/lib/libkrb5.so.3: _et_list
| /sbin/loader: Warning: update_reference_counts: negative reference_count for
| libkrb5.so.3
|
| Verified that LD_LIBRARY_PATH is set properly.  Assuming that it was a
| problem with my actions I downloaded the binary version of release 1.2.3 and
| the exact same error occurs.  Verified that the symbol is resolved in
| libcom_err.so.  Does anyone have any suggestions why this error occurs?

Not really, but you might try linking the application - the one that
calls dlopen() - with -rpath /kerberos/tru64_new/lib.

I've done that on Digital UNIX 4.0 to solve a run time loading problem
with Kerberos libraries in a non-standard directory.  I don't recall
the error.  My problem was that the dlopen() was called from another
shared library (a Python module), and the normal library load path rules
didn't work by extension in this case, perhaps for security reasons.
(Since then I have seen the light, Kerberos libraries are static.)

Donn Cave, [EMAIL PROTECTED]

Re: telnet - encryption

2001-11-28 Thread Donn Cave 

Quoth Tns Bker [EMAIL PROTECTED]:

| as I read from the Kerberos documentation the kerberized version of telnet can
| use an encrypted mode.
|
| Does that mean, that all the traffic, that travels over that connection is
| encypted? Or does it mean, that only passwords are encrypted?
|
| Is such a telnet connection as 'secure' as an ssh or ssl encrypted connection?

More secure.  Kerberos telnet doesn't send any password at all, encrypted
or not.  SSL can encrypt your password across the network, but at the other
end you just have to trust the remote host.

| Is there a list of applications, which can be kerberized and then use
| encryption in the same manner as it can be done with telnet? Would it be
| possible for openafs, as well?

I would think so, but not necessarily with the current version of Kerberos,
Kerberos 5.  Haven't tried it myself.

Donn Cave, [EMAIL PROTECTED]

Re: Kerberos single sign on

2001-11-09 Thread Donn Cave 

Quoth David Stern [EMAIL PROTECTED]:
| We have a DCE/DFS environment with kerberos 5.1.2. The kerberos 
| source builds with ftp ea daemons. I'm interested in setting up
| single signon st once users logon and are authenticated, they can
| ssh, ftp or whatever to any machine without being prompted for a
| password. Does anyone have any pointers to How-To docs on this?

Have you tried it?  As you know, your login procedure is a key part
of it.  Telnet, is it?  Do you already have MIT's telnetd and login.krb5
in place?

At many academic sites, the means by which people log in are as varied
as could be.  Some of them are by nature not going to result in remote
credentials, like rlogin or ssh with RSA keys.  Others can make credentials,
like ssh with password.  And then some are configurable, Kerberos5 ssh
or telnet can forward credentials.  If all that is going on, remote
credentials could be kind of a headache to document for typical users.

What you describe is kind of a perversion of single signon.  The real
thing happens on the local computer, not some remote computer.  If you
can get Kerberos 5 telnet  ssh working, on both the hosts and for some
significant fraction of users, then ticket forwarding will give you
that extended single signon as an extra benefit for those users.

Donn Cave, [EMAIL PROTECTED]

Re: Kerberos single sign on

2001-11-09 Thread Donn Cave 

Quoth [EMAIL PROTECTED] (Sam Hartman):
|  Donn == Donn Cave [EMAIL PROTECTED] writes:
|
| Donn What you describe is kind of a perversion of single signon.
| Donn The real thing happens on the local computer, not some
| Donn remote computer.  
|
| UH, no, this is single signon.  Single signon means that I get all the
|  credentials to access services at the site from one signon.  This
|  includes things like getting to IMAP mail, filesystems and local
|  applications.  It also includes getting to services like shells
|  exported by some machines.  IT happens that these shell services
|  often need proxy authentication to be useful.

I might have misunderstood him.   What I was getting was, you log in
to a remote host, and acquire a TGT in the process that gives you
access to remote services from there.  For example, connect via ssh,
sshd takes your password and acquires an initial ticket granting ticket
while validating it against the KDC, and then it and any subsequent
service tickets are available to that session.

The way I count it, that would be single login only if all day long,
that one ssh session accounted for everything you did at the site.
If you ssh to another host in another window, you're going to have
to do another login, because your own computer has no credentials.

Donn Cave, [EMAIL PROTECTED]