kerberos ldap passthru via sasl (how do you sync your username/principal then??)
Hi,

If you are using a kerberos passthru ldap configuration to have a single password storage for your users through saslauth... is it possible to sync both the principal names in kerberos and the usernames or userids in ldap? How?

Thanks

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
anyone who has a working heimdal + krb5-telnet + Cisco????
Good day!

I'm trying to configure a Cisco router (7206 12.2) to use krb5-telnet as the default authentication; however, I bumped into the following problems:

On the kdc:
encode_as_rep_as_tgs_rep = true (krb5.conf {kdc})
del_enctype host/our.router {all except des-cbc-crc}

On the router:
#conf t
#aaa new-model
#aaa authentication login default krb5-telnet krb5 group radius local
#kerberos local-realm OUR.REALM
#kerberos srvtab entry remote 10.10.10.1 /tftp/krb5.keytab

And I got:
Loading /tftp/krb5.keytab from 10.10... [OK - 71 bytes]
truncated srvtab!... Discarding
Failed to retrieve srvtab from tftp://10.10 1 1 8

And if I don't delete the other etypes I got:
Loading /tftp/krb5.keytab from 10.10 [OK - 209 bytes]
No principals in srvtab! Discarding...
Failed to retrieve srvtab from tftp://..! .. 1 3 8

However, when I looked into my running config using sho run, I can see that host/[EMAIL PROTECTED] has been created.

On the des-cbc-crc encryption srvtab, the timestamp is followed by these numbers (1 1 8), which means that indeed it uses des... while the other srvtab has (1 3 8).

In both cases, when I try telneting to our.router:
#telnet our.router
[ Trying mutual KERBEROS5 (host/[EMAIL PROTECTED])... ]
*** Connection not encrypted! Communication may be eavesdropped. ***
Server refused to negotiate encryption.
## It failed

If I don't remove all encryption types for that host principal, the router doesn't throw any Truncated error but instead it says "No principals in srvtab!"; in both cases, the same "Server refused to negotiate encryption" error occurs.

Any idea where I might have gone wrong?? Aren't heimdal and MIT both compatible with Ciscos'???

That's all for now... thanks!!
kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address list requested)
Ok, here's what I did:

I am trying to set up a kdc server for mixed unix and windows clients. I have a working kdc setup using heimdal 0.7.1. My workstation is a unix machine (freebsd) that dual boots with windows 2000. While on unix, I can obtain tickets using kinit. Then I rebooted my workstation to windows and installed kfw-3.0, copied the krb5.conf and renamed it to krb5.ini. kfw can read that file because when I enter my principal name, it automatically detects if that principal exists in the kdc. But after entering my principal's password, I got an error:

Failed to acquire credentials: Incorrect net address

The last two lines from the kdc say something like:

Bad address list requested -- jay/[EMAIL PROTECTED]
sending 147 bytes to IPv4:10.10.10.4

Why is this happening? Are they (kfw3.0, heimdal0.7.1) not compatible? Before I was using kfw 2.6.5 against heimdal 0.6.3 and it works without any error.

Thanks.
Re: kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address
Jeffrey Altman [EMAIL PROTECTED] wrote:

> Both of the Heimdal KDCs I have access to work fine but I do not know
> what version of Heimdal they are using.

Before, I used to have heimdal-0.6.x + the Leash ticket manager (kfw2.6.5) and it was working fine also.

> NetIdMgr will not request a ticket using addresses.

I guess this is true as I cannot find a checkbox or option button anywhere in NetIDMgr where this can be set.

> An incorrect net address error should mean that the addresses within the
> ticket do not correspond to any of the addresses listed in the ticket
> request. Do you have a [libdefaults] entry noaddresses = false ? If so,
> does it make a difference if you change it to true?

noaddresses = false only works with Leash and not with NetIDMgr. From Leash, I can obtain tickets when this is set to false but not with NetIDMgr.

Also, when I use the putty-with-gssapi found at this link:
http://www.sweb.cz/v_t_m/
http://www.sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip
using tickets obtained by Leash on a heimdal 0.7.1 kdc, I get an error in the sshd debugging window saying:

encryption type 18 not supported

Is this the ticket encryption type or the ssh encryption type?

> Jeffrey Altman
ssh-gssapi fails when user have instance part
Hi,

I created a user with an instance "mis", jay/[EMAIL PROTECTED], and tried ssh'ing to one machine configured to accept gssapi ssh authentication; however, to my surprise, gssapi authentication failed. Now what I did was to create another principal, this time removing the instance mis, [EMAIL PROTECTED], and the authentication succeeded. I tried creating an mis group and putting jay into it (just trying my luck) but still authentication fails. Any idea how ssh should handle user accounts with instances??

Thanks.
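The behaviour described in the post above is the principal-to-local-user authorization step that OpenSSH's GSSAPI support hands to the Kerberos library (krb5_kuserok()). The following is an added example, not code from the post or from OpenSSH/MIT/Heimdal, that re-implements that rule in Python so the failure and the fix can be replayed offline; the realm EXAMPLE.COM, the user jay, the password-free scratch home directory and the instance "mis" are constructed:

```python
"""Principal-to-local-account authorization in the style of krb5_kuserok(), which OpenSSH's
GSSAPI code consults before it lets a Kerberos principal log in as a given Unix user.
Added example; the realm, user and paths are constructed."""
import os
import tempfile

DEFAULT_REALM = "EXAMPLE.COM"   # constructed; in real life this is [libdefaults] default_realm


def kuserok(principal, local_user, home_dir, default_realm=DEFAULT_REALM):
    """True if `principal` is allowed to log in as `local_user`.

    Rule as in MIT/Heimdal krb5_kuserok(): if <home>/.k5login exists, the principal must be
    listed in it (one principal per line); otherwise only the principal whose name is exactly
    local_user@default_realm, i.e. with no instance part, is accepted."""
    k5login = os.path.join(home_dir, ".k5login")
    if os.path.isfile(k5login):
        with open(k5login, encoding="utf-8") as f:
            allowed = {line.strip() for line in f if line.strip()}
        return principal in allowed
    return principal == f"{local_user}@{default_realm}"


def demo():
    """Replays the situation from the post in a scratch home directory."""
    home = tempfile.mkdtemp(prefix="k5home-")
    before = kuserok("jay/mis@EXAMPLE.COM", "jay", home)   # False: "jay/mis" is not "jay"
    plain = kuserok("jay@EXAMPLE.COM", "jay", home)        # True: the default rule matches
    with open(os.path.join(home, ".k5login"), "w", encoding="utf-8") as f:
        f.write("jay/mis@EXAMPLE.COM\n")                   # explicit mapping for the instance
    after = kuserok("jay/mis@EXAMPLE.COM", "jay", home)    # True: now listed explicitly
    locked_out = kuserok("jay@EXAMPLE.COM", "jay", home)   # False: with .k5login present, only it counts
    return before, plain, after, locked_out


if __name__ == "__main__":
    print(demo())
```

The last value is the caveat a practitioner wants: once ~jay/.k5login exists it becomes the only rule, so the plain jay@EXAMPLE.COM principal must be listed there too if it should keep working. The real library additionally refuses a .k5login that is not owned by the user or root, and MIT's auth_to_local rules in krb5.conf are the realm-wide alternative to per-user .k5login files.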
ssh using gssapi authentication without a local account existing on the target machine
Hi,

I already got it working, but ssh requires local accounts to exist on the machine for it to actually allow anyone authenticated to have an ssh session. Can this be done: let's say machine A doesn't have any user account. Now I will ssh to machine A and authenticate using GSSAPI; I will then land on a command prompt inside my home dir (possibly retrieved through some other means). Anyone done this before?

Thanks.
Storing kerberos database in ldap: Will the rest of my directory be encrypted too?
Hi,

I'm planning to create a single-sign-on authentication and authorization setup in our network: Kerberos for authentication and ldap for authorization. My problem is that only a few applications support the kerberos protocol, unlike ldap, and one suggestion is that I should use kerberos as much as possible and, for applications that can only authenticate through ldap, use an ldap server which supports kerberos pass-thru userPasswords. In this scenario, the duplication of userPassword has been eliminated, but the userid still has to reside in both the ldap database and the kerberos database.

I've read that heimdal supports placing userid/password in an ldap directory. Will it be safe to do so, or are there things here I still need to look into? If this is the case, does it mean that my whole ldap directory will be encrypted too because of the way kerberos stores user credentials?
Windows SSH client that uses tickets not obtained from AD login
Hi,

Do you know any windows ssh client that can use gssapi authentication without using SSPI (used by the vintela and CSS putty versions), wherein it uses tickets that were obtained from an Active Directory login? I have downloaded KFW from MIT and I have successfully obtained tickets using Leash. I tried to use vintela's putty but I don't know how to tell it where Leash put my tickets. The vintela docs say it will use the tickets obtained upon an Active Directory login. In our case, we don't use the AD service.

BTW, just curious: KFW says it places the tickets obtained from the KDC inside the memory of the computer; I remember that when using kinit my tickets are placed in /tmp on my unix box. Is there a security issue here regarding the use of /tmp as storage for tickets versus placing them in memory?

Thanks.
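The /tmp question in the post above is really a question about who can read a FILE: credential cache: a ticket cache is usable by anyone who can read the file for as long as the tickets in it are valid, so the file must be a regular file owned by the user with no group or world permission bits. The following is an added example, not code from the post or from any Kerberos distribution, that audits a directory for krb5cc_* caches violating those rules; the directory and placeholder files built by demo() are constructed and contain no real credentials:

```python
"""Audit FILE: ticket caches in a directory such as /tmp for permissions that would let another
local user read them. Added example; the directory and files used by demo() are constructed."""
import os
import stat
import tempfile


def audit_ccache_dir(directory, expected_uid=None):
    """Return [(filename, problem), ...] for krb5cc_* files that are not private to one user.

    A FILE: cache should be a regular file (not a symlink), mode 0600 (no group/other bits)
    and, if expected_uid is given, owned by that uid. Anything else lets another local account
    read the tickets and act as that user until they expire."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("krb5cc_"):
            continue
        st = os.lstat(os.path.join(directory, name))   # lstat: do not follow a planted symlink
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "mode %04o grants group/other access" % stat.S_IMODE(st.st_mode)))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((name, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


def demo():
    """Builds a scratch directory with one private and one world-readable cache file
    (constructed placeholders, not real caches) and audits it."""
    d = tempfile.mkdtemp(prefix="ccache-audit-")
    for name, mode in (("krb5cc_1000", 0o600), ("krb5cc_1001", 0o644), ("unrelated.txt", 0o644)):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real credential cache")
        os.chmod(path, mode)
    return audit_ccache_dir(d, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, problem in demo():
        print(name, problem)
```

Run against a real /tmp the function reports only the cache files, so it can sit in a periodic host check; an in-memory cache such as the one KFW uses simply has no file for this check to find, which is the difference the post is asking about.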
Need some tips on kerberizing our ENTIRE network
Good day,

We had a meeting last time regarding the need for centralized authentication in our agency. Everyone except me was looking into using an ldap directory. I insisted to them that if we were to use ldap for the sole purpose of authentication, ldap was not designed for it, and we should be considering the use of kerberos instead. But I told them that there is a catch: if we were to use kerberos, we must find kerberized versions of those network services for which we wish to use kerberos authentication. In short, other custom-made apps, such as web applications, must find a way to know how to interact with kerberos. On the other hand, doing some research of my own, ldap support for popular services seems to be more available than kerberos support. At the end of our meeting, we agreed upon an accounting of our services which require authentication and finding out whether they support authentication through ldap (since we still need the directory functions of ldap).

But my problem is this: I've been reading a lot of discussion regarding the use of kerberos authentication, its strength against other mechanisms, the whole protocol itself, and I'm pretty much convinced that for authentication, kerberos is the only way to go. In short, I'm still looking forward to using kerberos for our network services' authentication instead of ldap, which leads me to a bigger problem. Will it be achievable for the following services?

jabberd2 (by just looking at its config file, it definitely supports ldap, not sure about kerberos)
Nagios server monitoring (I've heard some discussions regarding its ldap support, not sure about kerberos)
rt3 TTS (also read of some ldap support, not sure about kerberos)
email (qmail or postfix) (I just bumped into a document saying postfix supports sasl/gssapi, and qmail has a qmail-ldap version but not sure about qmail-kerberos)
ssh (I saw its sshd_config and it has an option for kerberos authentication)
Unix login (I'm also quite sure it supports being kerberized)
radius wifi login (ldap support, also not sure about kerberos)
ftp (although kerberos provides a kerberized ftpd, we are currently using ProFTP, no idea if it supports kerberos authentication)
samba (we are using a Snap server. It's an appliance which, if it doesn't support kerberos, there's no way to tweak it, I guess.)
web apps (I've read some docs regarding apache modules for kerberos, some patches for some web browsers to support kerberos authentication and also some rfcs which discuss adding a kerberos mech to the SSL/TLS protocol.)
openldap directory (it definitely supports kerberos)

Summary of apps that I'm SURE have kerberos support:
postfix
ssh
unix logins
ldap

Summary of apps that I'm NOT SURE have kerberos support:
jabberd2
webapps
samba (Snap server)
radius
rt
nagios

Our bosses rely on best practices most of the time, such as using the most widely used email server, ftp, etc. If only I can convince them of the ease of having a rock-solid single sign-on environment kerberos has to offer, which I think I can, I'm sure it would be easy to convince them to use other software alternatives if they support kerberos rather than those popular ones which lack it.

My huge problem is, will it be achievable for those services I have mentioned above? IMO, I don't see any sense in kerberizing some of the services while others are still authenticating through ldap, do you? What do you think?

Thanks!
-jay
Re: Need some tips on kerberizing our ENTIRE network
--- Mark Campbell [EMAIL PROTECTED] wrote:

> When you ask about nagios support are you asking about authentication to
> the nagios interface or monitoring a KDC?

I'm referring to nagios authentication of restricted pages, but it's more of a webserver/browser negotiation problem, as others have already mentioned.

> If you are asking about monitoring I have written a plug in for nagios
> that monitors our KDCs here. I am sure I could share.

Thanks! Your plugin is interesting; I'll be looking forward to obtaining it when we already have our kdc configured.

> Mark
>
> jay alvarez wrote:
> [...]
After validating by the server, will the final actual service session be encrypted?
Hi,

While reading The Moron's Guide to Kerberos, Version 1.2.2, found at http://www.isi.edu/gost/brian/security/kerberos.html, I decided to document the whole kerberos process, starting from the USER getting a TGT up to the USER getting the actual ticket and establishing a session with his desired service. Here are my writings:

Legend:
AU - authentication server (kerberos)
SERVICE - the service the user is requesting a ticket for.
SERVER - the computer running the service the user wants to use.
SNAME - server's name
USER - the one who is requesting the ticket to use a certain service.
UNAME - user's name
SKEY - session key
SVKEY - the password for a particular service, known only to AU and SERVER
EDATA - encrypted data
TGS SERVER (KDC) - ticket granting server, possibly residing with AU
TGT - ticket granting ticket

Note: SKEY1 and SKEY2 are identical

1. USER sends his UNAME and the desired SERVICE (this time TGS) to AU
2. AU looks in its database to see if UNAME really exists and if so...
3. AU creates two SKEYs;
4. AU encrypts SKEY1 together with SNAME using the USER's password and packages it into EDATA1
5. AU encrypts SKEY2 together with the USER's name using SVKEY and packages it into EDATA2 (ticket)
6. AU sends the two EDATA back to USER
7. USER decrypts EDATA1 using his password, extracting SKEY1 and SERVER's name (TGS)
8. USER encrypts the current time using SKEY1 and packages it into EDATA3 (authenticator)
9. USER sends EDATA2 and EDATA3 to TGS SERVER
10. TGS SERVER decrypts EDATA2 using its SERVICE's password, extracting SKEY2 and USER's name
11. SERVICE (TGS) decrypts EDATA3 using SKEY2, extracting the current time that came from USER
12. upon decryption, TGS SERVER knows the ticket really came from AU and also the TTL of the ticket
13. the session now begins; in this case, TGS SERVER sends a TGT back to USER

?? Does this mean that AU is sending an unencrypted TGT to the USER? Does this mean that any future session with a particular service, e.g. retrieving an email from a pop server, will not be tunneled into encrypted form?

14. if USER wants to use another SERVICE, he will just use his TGT to request a ticket from TGS SERVER

?? This one seems to be vague. Does this mean the USER will send his TGT back to TGS SERVER? Unencrypted?

Quoting: "Furthermore, the reply is encrypted not with the user's secret key, but with the session key that the AS provided for use with the TGS"

15. TGS SERVER encrypts the ticket using SKEY2 and packages it into EDATA4.

The explanation ends at step 15. The author didn't tell how EXACTLY the USER will use the TGT in step 14 to get actual service tickets. Also, in step 15, he did mention what the user will do upon arrival of the encrypted service ticket. He said that after step 15, the process repeats itself, so I'm guessing the repetition happens on the 8th step, such that he will again create an encrypted authenticator and forward it to the SERVER together with the encrypted ticket that came from TGS. What do you think??

Thank you very much...
-Mark Jayson R. Alvarez
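The fifteen steps in the post above, played through end to end as an added example (this is not code from the post, from the Moron's Guide, or from any Kerberos implementation). The cipher is a toy authenticated scheme standing in for a real Kerberos enctype, and the realm EXAMPLE.COM, the principals, the password "jay-pw" and the pop service are constructed. It answers the three "??" questions from a protocol-mechanics standpoint: the TGT the client gets at step 13 is encrypted under the TGS's own key, so the client forwards it at step 14 without being able to read it; the service ticket at step 15 is under the service's SVKEY while the new session key reaches the client under SKEY; and after the final ticket-plus-authenticator the application traffic is protected only if the application protocol chooses to use the shared session key.

```python
"""Toy walk-through of the AS, TGS and AP exchanges from the post (added example).
The cipher is a stand-in for a real Kerberos enctype; all names and keys are constructed."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"                      # constructed realm
TGS = f"krbtgt/{REALM}@{REALM}"            # the TGS principal: SNAME in the AS exchange
LIFETIME = 10 * 3600                       # ticket TTL in seconds (constructed)


def string_to_key(password, principal):
    # toy string-to-key: the user's long-term key is derived from the password and never sent
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def encrypt(key, obj):
    # toy authenticated encryption (an EDATA): SHA-256 counter keystream plus an HMAC tag
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered EDATA")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# KDC database: constructed principals with their long-term keys (SVKEY for the services)
KDC_DB = {
    f"jay@{REALM}": string_to_key("jay-pw", f"jay@{REALM}"),
    TGS: os.urandom(32),
    f"pop/mail.example.com@{REALM}": os.urandom(32),
}


def as_exchange(uname, now):
    # steps 1-6: AU checks UNAME, makes SKEY, returns EDATA1 (under the user's key) and
    # EDATA2, the TGT (under the TGS's own key). The client can forward the TGT but not open it.
    if uname not in KDC_DB:
        raise KeyError("unknown principal")
    skey = os.urandom(32).hex()
    edata1 = encrypt(KDC_DB[uname], {"skey": skey, "sname": TGS, "endtime": now + LIFETIME})
    tgt = encrypt(KDC_DB[TGS], {"skey": skey, "cname": uname, "endtime": now + LIFETIME})
    return edata1, tgt


def make_authenticator(skey_hex, cname, now):
    # step 8: the authenticator is the client name and current time under the session key
    return encrypt(bytes.fromhex(skey_hex), {"cname": cname, "ctime": now})


def verify_ticket(server_key, ticket, authenticator, now, skew=300):
    # steps 10-12, shared by the TGS and by the final service
    t = decrypt(server_key, ticket)
    if now > t["endtime"]:
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["skey"]), authenticator)
    if a["cname"] != t["cname"] or abs(now - a["ctime"]) > skew:
        raise ValueError("authenticator does not match ticket or is outside the clock-skew window")
    return t


def tgs_exchange(tgt, authenticator, service, now):
    # steps 9-15: the TGT returns to the TGS still encrypted; the reply (EDATA4) is under SKEY,
    # the new service ticket is under the service's SVKEY
    t = verify_ticket(KDC_DB[TGS], tgt, authenticator, now)
    svc_skey = os.urandom(32).hex()
    edata4 = encrypt(bytes.fromhex(t["skey"]), {"skey": svc_skey, "sname": service, "endtime": t["endtime"]})
    ticket = encrypt(KDC_DB[service], {"skey": svc_skey, "cname": t["cname"], "endtime": t["endtime"]})
    return edata4, ticket


def client_login(uname, password, service, now):
    """Client side of steps 1-15: returns the service session key and the opaque service ticket."""
    edata1, tgt = as_exchange(uname, now)
    tgs_part = decrypt(string_to_key(password, uname), edata1)      # step 7 (wrong password fails here)
    auth = make_authenticator(tgs_part["skey"], uname, now)        # step 8
    edata4, ticket = tgs_exchange(tgt, auth, service, now)         # steps 9-15
    return decrypt(bytes.fromhex(tgs_part["skey"]), edata4)["skey"], ticket


def service_accept(service, ticket, authenticator, now):
    # the "repeat": the service verifies ticket + fresh authenticator exactly as the TGS did
    t = verify_ticket(KDC_DB[service], ticket, authenticator, now)
    return t["cname"], t["skey"]


def demo(now=None):
    now = now or int(time.time())
    svc = f"pop/mail.example.com@{REALM}"
    skey, ticket = client_login(f"jay@{REALM}", "jay-pw", svc, now)
    cname, svc_key = service_accept(svc, ticket, make_authenticator(skey, f"jay@{REALM}", now), now)
    # Kerberos stops here. The application data is protected only if the protocol uses the
    # shared session key (as krb5 telnet encryption or GSSAPI wrap do); here we wrap one command.
    wrapped = encrypt(bytes.fromhex(svc_key), {"cmd": "RETR 1"})
    return {"cname": cname, "keys_match": skey == svc_key,
            "unwrapped": decrypt(bytes.fromhex(skey), wrapped)["cmd"]}


if __name__ == "__main__":
    print(demo())
```

The point for the post's last question is in service_accept(): the service never talks to the KDC, it trusts the ticket because only SVKEY can open it, and the fresh authenticator under the session key inside that ticket proves the client knew SKEY. Whether the pop session that follows is encrypted is then a property of the pop implementation, not of Kerberos.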