The gss-keyex userauth method is just an optimization; it prevents you
having to actually run the GSSAPI exchange again after you've already used
one of the GSSAPI-based keyex methods. The real win is in the GSSAPI-based
keyex methods themselves, which are useful (and exist) because they avoid
On Thu, Oct 26, 2023 at 3:41 PM Nico Williams wrote:
>
> So what can you do? Well, you could build an online kerberized CA that
> vends short-lived OpenSSH-style certificates, then use that for SSH.
>
OpenSSH apparently does not support X.509 certificates because they believe
there is too much
On Wed, Oct 25, 2023, 11:59 Nico Williams wrote:
> On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> > I think we've lost the thread here; I do not think that any krb5
> > mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I
> > would love to be proven wrong.
>
>
bably
best to do that anyway.
-- Jeff
On Fri, Oct 28, 2022, 00:06 Greg Hudson wrote:
> On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> > You don't need libkadm5 for any of this -- all you need to print a
> service
> > ticket (even a TGT) is the service's key. Heimdal comes with
You don't need libkadm5 for any of this -- all you need to print a service
ticket (even a TGT) is the service's key. Heimdal comes with a program,
kimpersonate, which does this and could easily be used as a basis for your
impersonation service. Naturally, you should be cautious about giving an
On Tue, May 31, 2022 at 3:36 PM Carson Gaspar wrote:
> On 5/31/2022 12:16 PM, Jeffrey Hutzelman wrote:
> > That code should not actually be used on a properly-configured PAM-based
> > system. Typical configuration for such systems should enable UsePAM and
> > KbdInte
That code should not actually be used on a properly-configured PAM-based
system. Typical configuration for such systems should enable UsePAM and
KbdInteractiveAuthentication and disable PasswordAuthentication and
ChallengeResponseAuthentication. This causes all password verification to
go through
), the expiration
time of the existing TGT.
Examine the database entries for both kadmin/admin and your admin user.
From: Yegui Cai
Sent: Tuesday, March 26, 2019 1:17 PM
To: Jeffrey Hutzelman
Cc: John Devitofranceschi; Greg Hudson; kerberos@mit.edu
Subject: Re
add, add_new_key, and ank are synonyms. The last dates back to krb4
From: Robbie Harwood
Sent: Monday, March 11, 2019 13:49
To: Lothar Schilling; kerberos@mit.edu
Subject: Re: Installing heimdal-kdc
Lothar Schilling writes:
> I got stuck again with putting
To: Jeffrey Hutzelman
Cc: John Devitofranceschi; Greg Hudson; kerberos@mit.edu
Subject: Re: Admin session expiry
Hi Jeffrey.
I did some experiments with kadmin. It looks like by default, remote admin
sessions are authenticated with admin password. And in that case, the sessions
will never expire
You need to tell the Kerberos library where to find your kdc. You have
basically two options:
1) Add the following to /etc/krb5.conf on every client:
    [realms]
        MYDOMAIN.DE = {
            kdc = kdc.mydomain.de:88
        }
2) Publish SRV records in DNS:
    _kerberos._udp.mydomain.de IN SRV kdc.mydomain.de
It's not necessary to disable the admin principal or expire the session to get
this effect. The admin service is itself a Kerberos-authenticated service, and
Kerberos tickets expire. Without valid tickets for the admin service, it is not
possible to make a request, regardless of whether or not
From: kerberos-boun...@mit.edu on behalf of Robbie
Harwood
Sent: Thursday, January 10, 2019 2:18 PM
To: Grant Taylor; kerberos@mit.edu
Subject: Re: Kerberos n00b question.
Grant Taylor writes:
>> You don't have to recreate them, but yes, it's a good idea to set
>> +requires_preauth.
On Fri, 2012-02-10 at 18:02 -0500, Tom Yu wrote:
In the long run, there are better ways to overcome the problems you're
experiencing, but they probably require adding new capabilities to the
glibc runtime linker:
* support for RTLD_GROUP
In practice, RTLD_DEEPBIND is usually good enough for
On Tue, 2012-02-14 at 12:23 -0600, Nico Williams wrote:
On Tue, Feb 14, 2012 at 12:13 PM, Carson Gaspar car...@taltos.org wrote:
On 2/14/12 7:35 AM, Jeff Blaine wrote:
On 2/14/2012 2:41 AM, Carson Gaspar wrote:
[ much DLL hell deleted ]
In general, it is death to link any PAM module
--On Monday, June 30, 2008 04:43:10 PM +0200
[EMAIL PROTECTED] wrote:
I would like to know if I can modify the ASN.1 files of kerberos.
As far as I know, you can modify anything you want in your copy of Kerberos.
However, the ASN.1 describes the Kerberos protocol, which is specified in
--On Wednesday, June 25, 2008 05:04:18 PM +0530 kul gupta
[EMAIL PROTECTED] wrote:
Hello
I was going through IAKERB and have some doubts
I will be highly thankful if anyone can clear my doubts.
1) Can someone please explain to me the scenario for using IAKERB?
Take a look at section 1 of
On Wednesday, March 21, 2007 01:25:26 PM +0200 Nikolai Tenev
[EMAIL PROTECTED] wrote:
On server one (server1) in krb5.conf I have a record:
auth_to_local = {
RULE:[2:$2](support)s/^.*$/root/
}
On server two (server2) in krb5.conf I have a record:
auth_to_local = {
On Thursday, March 01, 2007 01:23:19 PM +0530 Gayal
[EMAIL PROTECTED] wrote:
Who is officially governing the GSSAPI and SPNEGO standards? Is it IETF?
Yes. The current GSS-API spec is RFC2743, and its C language bindings are
specified in RFC2744 (which, unfortunately, also includes some
On Friday, February 02, 2007 10:05:09 AM -0500 Jim Rees [EMAIL PROTECTED]
wrote:
So would it be fair to say this is sort of like using a smartcard in that you
need both possession of the token and knowledge of a PIN? And that the
KDC guards the PIN against brute force guessing, because each
On Fri, 2 Feb 2007 [EMAIL PROTECTED] wrote:
That being said I'm certainly no IETF politician.
Good. Neither are the rest of us, for the most part. What we are is
engineers trying to produce quality network protocol standards, preferably
in non-infinite amounts of time. If you have something
On Thursday, February 01, 2007 03:06:21 PM -0600 [EMAIL PROTECTED] wrote:
What keeps a user from copying the identity token from the USB
device to a local or shared file system to avoid having to insert
the USB device all the time?
We were considering public flogging but were unsure if we
On Thursday, February 01, 2007 05:15:56 PM -0500 Jeffrey Hutzelman
[EMAIL PROTECTED] wrote:
On Thursday, February 01, 2007 03:06:21 PM -0600 [EMAIL PROTECTED] wrote:
What keeps a user from copying the identity token from the USB
device to a local or shared file system to avoid having
On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein
[EMAIL PROTECTED] wrote:
In addition to needing to enter a passphrase to launch krb5kdc (with
the -m option), it looks like kdb5_util will also need a passphrase,
understandably.
This means that the traditional
On Monday, November 27, 2006 03:26:25 PM -0200 Andreas Hasenack
[EMAIL PROTECTED] wrote:
When I run MIT's kinit (version 1.4.3 + sec.patch) against a heimdal KDC
(0.7, backend in ldap, no samba attributes), I always get the password
expiration warning:
$ kinit
Password for [EMAIL
On Friday, October 13, 2006 09:54:19 AM -0400 Danny Mayer
[EMAIL PROTECTED] wrote:
What are you talking about? Timezones are local display issues. When you
go from summer time to winter time and vice versa do you see issues? All
applications use UTC which doesn't care about timezones.
On Friday, October 13, 2006 07:45:17 PM +0100 Markus Moeller
[EMAIL PROTECTED] wrote:
I tried to use kinit [EMAIL PROTECTED]@DOMAIN.COM (\\ escapes @)
with MIT against AD where the userprincipalname is set to the email
address but failed, whereas I can login on XP using the email address.
On Friday, October 13, 2006 05:05:37 PM -0400 Wesley Chow
[EMAIL PROTECTED] wrote:
Is there a kerberized tcpserver or inetd program out there? What I'd
like to do is kerberize an rsync file transfer session without having to
go through ssh. It also seems like having such a program would
On Wednesday, October 11, 2006 06:16:33 PM -0400 Marcus Watts
[EMAIL PROTECTED] wrote:
In the MIT kerberos source, there's a pair of routines
select_session_keytype and dbentry_supports_enctype that are probably
making this decision for you. Here's the comment in
dbentry_supports_enctype:
On Wednesday, October 11, 2006 06:06:08 PM -0500 John Hascall
[EMAIL PROTECTED] wrote:
Except the issue here is he's getting a DES_CBC_MD4 session key when he
wants DES_CBC_CRC. The why is likely in the code you're quoting -
DES_CBC_MD4 is a better enctype, and both sides appear to
On Wednesday, October 11, 2006 06:20:30 PM -0500 John Hascall
[EMAIL PROTECTED] wrote:
Except the issue here is he's getting a DES_CBC_MD4 session key when
he wants DES_CBC_CRC. The why is likely in the code you're quoting
- DES_CBC_MD4 is a better enctype, and both sides appear to
On Monday, October 02, 2006 02:08:59 PM -0500 Ryan Schultz
[EMAIL PROTECTED] wrote:
Currently the password requirements for kerberos are 10 characters using
2 of 5 classes (lower, upper, numeric, punctuation, other). Could
someone point me to why/how this criteria came about and
On Wednesday, September 27, 2006 08:52:52 AM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
Heimdal uses a standard keytab file for the master password. In
Heimdal kadmin you can do:
add -r M/K
del_enc M/K all encryption types except the one you want
ext_key -k master key stash location
On Wednesday, September 27, 2006 01:26:22 PM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
On Wednesday, September 27, 2006 08:52:52 AM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
Heimdal uses a standard keytab file for the master
On Wednesday, September 27, 2006 01:54:30 PM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
I'm assuming from your omission that add will look at the existing
kvno's and create the next one?
Well, the man page claims it will prompt for anything you don't specify;
I'm not sure I believe that
On Wednesday, September 13, 2006 07:29:22 PM -0700 Mike Friedman
[EMAIL PROTECTED] wrote:
The sysadmin has tried several times to 'refresh' inetd via smf commands,
to no avail.
The issue here is very likely that there is already a service in smf for
Sun's kpropd, which is conflicting with
On Friday, September 08, 2006 03:37:33 PM -0400 Ken Raeburn
[EMAIL PROTECTED] wrote:
(A question I haven't investigated: Does the
presence of an A record there and no records mean there is no
record, or would you still need to make that query? My guess
would be the latter.)
I
On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen
[EMAIL PROTECTED] wrote:
I was just trying pam_krb5 for kicks but it can't find my KDC. My
/etc/krb5.conf is just:
It helps a lot if you quote actual error messages, instead of paraphrasing
them. Similarly, it's going to be a
On Monday, August 21, 2006 12:05:24 PM -0400 Michael B Allen
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] src]$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
There is no user5 on the local system. My expectation is that pam_krb5.so
should use the
On Monday, August 21, 2006 04:36:32 PM +0200 [EMAIL PROTECTED]
wrote:
We did not receive any answer, therefore we send you another email in
order to get some feedback from you.
Thank you very much in advance.
kerberos@mit.edu is a public mailing list, not a private contact address.
On Wednesday, August 16, 2006 08:51:45 AM -0700 Nor Mas Ayu Adam
[EMAIL PROTECTED] wrote:
Greetings to you.
I'm Ayu, a comp science student. Currently I'm doing research about
Kerberos that has been developed as part of Project Athena at MIT.
so would you give me an information
On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
I am getting credentials through PAM. That much is working. My
problem, very specifically, is that:
1: I want SSH to automatically
On Wednesday, August 09, 2006 02:55:05 PM -0500 Douglas E. Engert
[EMAIL PROTECTED] wrote:
__gss_userok() is not; should it be?
I would say yes. Every service needs to do this, and use the GSS creds
to test if it can use the local resource. So in that regard it is
generic.
Actually,
On Tuesday, July 11, 2006 07:20:18 PM -0400 Marcus Watts [EMAIL PROTECTED]
wrote:
Looks like it's working as coded. All of this logic appears to have
been in MIT since at least kerberos 1.0 in, um, 1995 --presumably
the older clients mentioned in the comment ought not be there anymore
so
On Monday, July 10, 2006 12:06:12 AM -0700 [EMAIL PROTECTED] wrote:
Hi all,
I have a query regarding specifying the clock_skew in the client side
( kerberos client) krb5.conf file. As I understand, the maximum
allowable time skew is determined by KDC. Please let me know whether my
On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen
[EMAIL PROTECTED] wrote:
I have confirmed with a packet capture that the client never tries
Kerberos. It just tries raw NTLMSSP. No SPNEGO.
Finally, the installer on the Linux machine validates the keytab
credential with
On Tuesday, June 13, 2006 03:00:20 AM -0400 Ken Raeburn [EMAIL PROTECTED]
wrote:
On Jun 12, 2006, at 16:03, [EMAIL PROTECTED] wrote:
The whole problem is solved. Man page for 'kerberos_selinux'
essentially says that selinux protection for krb5kdc and kadmind needs
to be turned off using
On Tuesday, June 13, 2006 06:40:56 PM +0200 Jan Iven [EMAIL PROTECTED]
wrote:
On Tue, 2006-06-13 at 11:17 -0400, Jeffrey Hutzelman wrote:
..
I'd suggest looking at the kadmind log and/or attaching strace to the
running strace to see what file it's trying to access that is prohibited
On Saturday, June 10, 2006 11:13:59 AM +0530 Srinivas Cheruku
[EMAIL PROTECTED] wrote:
Hi All,
I understand that we need to change Kerberos keys at regular intervals,
since it is not recommended to use the same keys for a long amount of
time. When we change keys the kvno is incremented
On Tuesday, May 16, 2006 05:32:45 PM -0400 Jeff Blaine
[EMAIL PROTECTED] wrote:
I guess this is what I want:
http://www.ietf.org/internet-drafts/draft-zhu-kerb-enctype-nego-04.txt
Actually, this doesn't help with your problem. The mechanism described in
that document allows a client and
On Tuesday, May 16, 2006 06:40:29 PM -0400 Jeff Blaine
[EMAIL PROTECTED] wrote:
Yes, MIT k5 1.4.3
The only Solaris piece I ever expect to use is pam_krb5.so
I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with Solaris + MIT for
now. Then it's
On Saturday, May 13, 2006 10:29:38 AM -0700 Vasken Houdoverdov
[EMAIL PROTECTED] wrote:
I am very interested in the Kerberos authentication protocol, and was
simply wondering whether I needed special permission to post a quick
overview of the protocol on my site, and link to your official
On Friday, May 05, 2006 09:17:34 PM -0700 Russ Allbery [EMAIL PROTECTED]
wrote:
One difficulty is that if the authentication is not
being done as root, the PAM module needs something other than the host
keytab to use for verification
... or a setuid-0 helper program.
On Tuesday, May 09, 2006 03:49:35 PM -0400 Gwen Parker
[EMAIL PROTECTED] wrote:
[libdefaults]
default_realm = dcri.duke.net
[realms]
dcri.duke.net = {
# kdc = vmsodium.dcri.duke.net
kdc = 10.0.101.65
}
Kerberos realm names are case-sensitive.
On Tuesday, April 11, 2006 08:40:10 PM +0200 Sensei [EMAIL PROTECTED]
wrote:
Good. One thing I noticed on many clients here is that an ntpdate at
boot solution is not good, since it can produce large time drifts if
you don't reboot the clients often. A cron job was my solution.
Note that
On Monday, April 03, 2006 11:11:14 AM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
Let's uplevel a bit.
To me PAGs provide a useful distinction between processes in some sort
of session, sharing some common characteristics, one that is better than
environment variables in that it is
On Monday, April 03, 2006 02:01:21 PM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Mon, Apr 03, 2006 at 02:27:36PM -0400, Jeffrey Hutzelman wrote:
Now, the issue is that when you're talking about a caching distributed
filesystem, your identity affects not only what credentials
On Monday, April 03, 2006 02:08:46 PM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
File descriptors in Solaris already retain a reference to the cred_t
used to open the file. So UID or PAG is not relevant here. Neither
is processes with that UID or PAG. What is relevant is references
On Friday, March 31, 2006 03:44:57 PM -0600 Douglas E. Engert
[EMAIL PROTECTED] wrote:
Ken Hornstein wrote:
Why store tickets in the kernel, what's the point? Presumably you'd not
want anything other than TGTs in the kernel, so where do you cache
service tickets? Or do you want all
On Friday, March 31, 2006 04:20:48 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Fri, Mar 31, 2006 at 04:56:27PM -0500, Jeffrey Hutzelman wrote:
On Friday, March 31, 2006 03:44:57 PM -0600 Douglas E. Engert
[EMAIL PROTECTED] wrote:
The caches I see
On Friday, March 31, 2006 05:24:04 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Fri, Mar 31, 2006 at 06:17:53PM -0500, Jeffrey Hutzelman wrote:
On Friday, March 31, 2006 04:20:48 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
What other kernel-land applications can you think
On Friday, March 31, 2006 06:27:22 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Fri, Mar 31, 2006 at 07:07:43PM -0500, Jeffrey Hutzelman wrote:
On Friday, March 31, 2006 05:24:04 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
- Encrypted (local) filesystems
Orthogonal
On Wednesday, March 29, 2006 04:12:12 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Wed, Mar 29, 2006 at 03:53:33PM -0600, Douglas E. Engert wrote:
Nicolas Williams wrote:
On Wed, Mar 29, 2006 at 03:24:24PM -0600, Will Fiveash wrote:
On Wed, Mar 29, 2006 at 10:02:54AM -0600,
On Thursday, March 30, 2006 06:08:10 PM -0600 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Thu, Mar 30, 2006 at 06:58:39PM -0500, Jeffrey Hutzelman wrote:
On Wednesday, March 29, 2006 04:12:12 PM -0600 Nicolas Williams wrote:
The last two supplementary groups add up to a PAG thing
On Wednesday, February 22, 2006 04:08:33 PM -0800 Russ Allbery
[EMAIL PROTECTED] wrote:
avillarrealpouw [EMAIL PROTECTED] writes:
I have been testing the Fedora distribution of Kerberos and tripped on a
problem: after upgrading from Fedora core 3 to Fedora core 4 in my KDC
the KDC stopped
On Friday, February 24, 2006 10:15:32 AM -0600 Douglas E. Engert
[EMAIL PROTECTED] wrote:
I am looking for other Kerberos sites that use Oracle with or without the
ASO who would like to see the ASO improved. I would also be interested to
know if you have approached Oracle on improvements,
On Wednesday, January 18, 2006 06:37:44 AM -0800 [EMAIL PROTECTED] wrote:
In a nutshell, I need to take a username and an expired password and
see if that truly was the user's last password.
You haven't said what Kerberos server you're using, so I'll assume you're
using either the MIT or
On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall
[EMAIL PROTECTED] wrote:
If you present a correct but expired password to Kerberos
you will get a 'password expired' error, which is different
from the 'password incorrect' error you get if the password
is not correct (expired or
On Thursday, January 19, 2006 04:35:26 PM -0600 John Hascall
[EMAIL PROTECTED] wrote:
On Thursday, January 19, 2006 03:31:53 PM -0600 John Hascall
[EMAIL PROTECTED] wrote:
If you present a correct but expired password to Kerberos
you will get a 'password expired' error, which is
On Thursday, January 12, 2006 01:42:54 PM +0100 Bjorn Tore Sund
[EMAIL PROTECTED] wrote:
University of Bergen is setting up a unix/linux Kerberos realm to handle
logons on our unix/linux clients and servers (about 1500). Our problem
is that all 30.000 users need principals on the KDC, and
On Saturday, January 07, 2006 11:38:47 AM +0100 Turbo Fredriksson
[EMAIL PROTECTED] wrote:
Security? Nah, both need _extra ordinary security_ so it's easier to
safeguard ONE machine than two (* nr of slaves of course :).
On the contrary, depending on what you are using your LDAP directory
On Friday, January 06, 2006 12:37:51 PM +0100 Turbo Fredriksson
[EMAIL PROTECTED] wrote:
Quoting Jeffrey Hutzelman [EMAIL PROTECTED]:
On Thursday, January 05, 2006 10:03:44 AM +0200 Amir Saad
[EMAIL PROTECTED] wrote:
I use Fedora 4, OpenLDAP and Kerberos instead of NIS
what
On Thursday, January 05, 2006 06:53:27 PM + Garrett Wollman
[EMAIL PROTECTED] wrote:
In article
[EMAIL PROTECTED],
Amir Saad [EMAIL PROTECTED] wrote:
I use Fedora 4, OpenLDAP and Kerberos instead of NIS
what is the suitable hardware configuration for the KDC to support a
network with
On Friday, December 30, 2005 06:12:48 PM -0500 Ken Raeburn
[EMAIL PROTECTED] wrote:
On Dec 30, 2005, at 10:39, Huub wrote:
Hi,
I've created a krb5.conf file but verify_krb5_conf says it fails:
I'm not familiar with the program, but a man page I found on the web
seems to indicate that it
On Wednesday, September 28, 2005 05:38:14 PM +0530 Nikhil Mulley
[EMAIL PROTECTED] wrote:
can some one please respond..
This is a mailing list, not an IRC chat room.
You sent your initial message at 9:45 PM Pacific time, which is after
midnight on the US east coast, and early morning in
On Wednesday, September 28, 2005 03:29:08 AM -0500 Gurganus, Brant L
[EMAIL PROTECTED] wrote:
Time.rose-hulman.edu is a time server and ntpd will synchronize to it.
The time client in Leash does not recognize that as a time server
though.
I suggest you ignore the time-setting stuff in
On Tuesday, September 27, 2005 10:11:56 AM -0500 Balakrishnan, Sivakumar
[EMAIL PROTECTED] wrote:
I am trying to implement a custom Kerberos authentication for my IIS
application using an ISAPI filter. I am expecting the
gss_accept_security_context to return me AP-REP if I passed an input
On Monday, September 12, 2005 15:13:27 + Jeffrey Altman
[EMAIL PROTECTED] wrote:
This can end up causing some problems for end users. It is entirely
possible for the GSSAPI authentication to succeed and yet the user
will be unable to access the mailbox they are attempting to reach
because
On Sunday, September 04, 2005 09:21:21 + Yeechang Lee [EMAIL PROTECTED]
wrote:
/usr/kerberos/sbin/kprop: Password has expired while getting
initial ticket
I believe the principal you're looking for is kprop/fqdn.of.master.kdc
You should probably arrange for it not to have a
On Tuesday, August 30, 2005 23:59:16 -0400 Jeff Aitken [EMAIL PROTECTED]
wrote:
Assuming I've got that part right, here's the part that's got me
confused. In step #2, the AS generates a session key that will be
used by the client during all future communication with the TGS;
i.e., this is
On Monday, August 29, 2005 10:28:35 -0400 Wyllys Ingersoll
[EMAIL PROTECTED] wrote:
By default, Firefox will only perform GSSAPI (negotiate-auth)
authentication
when the protocol is 'https://'.
Check the network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted-uris
On Thursday, July 07, 2005 05:46:18 PM -0700 Phil Dibowitz [EMAIL PROTECTED]
wrote:
and the right tgt (based on Kerberos by Brian Tung), doesn't seem to be
doing anything:
[EMAIL PROTECTED]
This principal is meaningless, and is used for nothing.
and the mystery ticket is doing
On Thursday, July 07, 2005 06:18:16 PM -0700 Phil Dibowitz [EMAIL PROTECTED]
wrote:
On Thu, Jul 07, 2005 at 09:03:36PM -0400, Jeffrey Hutzelman wrote:
On Thursday, July 07, 2005 05:46:18 PM -0700 Phil Dibowitz
[EMAIL PROTECTED] wrote:
and the right tgt (based on Kerberos by Brian Tung
On Friday, July 01, 2005 02:14:02 AM -0700 Phil Dibowitz [EMAIL PROTECTED]
wrote:
So reading through:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.1/doc/krb5-install/Upgrading-to-Triple-DES-and-RC4-Encryption-Keys.html#Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys
On Monday, June 06, 2005 09:59:56 AM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
On Mon, Jun 06, 2005 at 09:27:51AM -0500, Matt Crawford wrote:
I really think that working on this axis [IAKERB/Wireless Auth.]
should be amongst the milestones of kerberos wg.
Work area for energetic
The Second Annual
AFS Kerberos
Best Practices Workshop
June 20-24, 2005
Carnegie Mellon
On Friday, June 03, 2005 01:32:20 PM -0600 Heilke, Rainer
[EMAIL PROTECTED] wrote:
P.S. What is the other issue?
Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
not provide the same functionality. We have an RFE open on this. BTW, if
anyone else needs ksu, please add
On Thursday, April 07, 2005 05:35:59 PM -0400 Sam Hartman
[EMAIL PROTECTED] wrote:
The best you can do is use the -e argument of the kvno program to
request a des-cbc-crc ticket for the appropriate oracle service
principal before you start Oracle.
The other thing you should do is file a TAR
On Friday, April 01, 2005 07:23:37 PM -0800 Darren Hoch
[EMAIL PROTECTED] wrote:
kadmin: lisprincs
snip
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
The second components of each of these principal names must exactly match
the name of the realm involved, including
On Wednesday, March 30, 2005 04:33:21 PM -0800 kaiduan xie
[EMAIL PROTECTED] wrote:
Hi, all,
I have an application where the client needs to authenticate to the
server before carrying on further communications. The client will acquire
ticket from KDC which runs in Microsoft's Domain Controller.
On Monday, February 14, 2005 01:34:20 PM -0800 Seema Malkani
[EMAIL PROTECTED] wrote:
Maybe the next Kerberos clarifications should clarify this particular
scenario.
A large part of the problem here is that KRB-ERROR does not actually have a
complete extension mechanism. It has e-data, which
On Wednesday, February 02, 2005 07:31:44 AM -0600 Douglas E. Engert
[EMAIL PROTECTED] wrote:
Client not found in database: [EMAIL PROTECTED]: No such entry in the database
Ask the Heimdal people, what does this message mean? With cross realm,
the server's realm should not require any knowledge
On Friday, December 10, 2004 02:18:27 -0800 Mark [EMAIL PROTECTED] wrote:
Hello!
I need to connect to some kerberos environment using gssapi, but the
ssh client on fc3 refuses to do so. What is the problem here? Is there
a trick to solve that problem?
It would help if you defined your problem a
On Tuesday, December 07, 2004 16:26:39 -0600 David A Flores
[EMAIL PROTECTED] wrote:
Help anyone,
We are using a Windows domain controller as a KDC and we are trying to
authenticate a Solaris 9.0 OS box using Kerberos. The following is the
command we use to create the keytab file:
ktpass
On Thursday, September 23, 2004 01:57:50 +0200 Fredrik Tolf
[EMAIL PROTECTED] wrote:
On Wed, 2004-09-22 at 19:43 -0400, Ken Raeburn wrote:
On Sep 22, 2004, at 18:50, Fredrik Tolf wrote:
On Wed, 2004-09-22 at 22:37 +, Sam Hartman wrote:
Fredrik == Fredrik Tolf [EMAIL PROTECTED] writes:
On Monday, September 20, 2004 21:42:21 + Jelmer Vernooij
[EMAIL PROTECTED] wrote:
Hi,
Trying to get krb5 authentication working together with PostgreSQL, I
stumbled across a couple of error codes that I can't place.
The PostgreSQL error logs report that krb5_recvauth returns error
'103'
*** WARNING ***
I'm going to start an exchange to try to determine whether Mike has the
correct bits and why he can't verify the signature. It should be noted
that this entire exchange is occurring over unprotected email, and so it is
a bad idea to rely on statements made by either of us like
On Wednesday, September 01, 2004 07:20:00 -0700 Frank Taylor
[EMAIL PROTECTED] wrote:
No, although an explanation of why the problem is hard and why in
general you may not be able to solve it is in
draft-ietf-krb-wg-kerberos-clarifications (successor to RFC 1510).
Thanks for the pointer... I
On Thursday, June 17, 2004 21:49:34 -0400 David Botsch
[EMAIL PROTECTED] wrote:
Ok... however, since Windows can come up with the other string to key
algorithm, why does authentication not work?
Because when it constructs an AS-REP, the KDC gets to choose which of the
user's keys will be used,
On Thursday, April 22, 2004 18:42:46 -0700 Nick Atkins
[EMAIL PROTECTED] wrote:
Hi,
I am using Heimdal Kerberos on SuSE 8.1 and trying to write a script
to automate adding principals. I am using kadmin and this works
when I do something like:
kadmin -l add res/[EMAIL PROTECTED]
However, I'm