On Tue, Dec 28, 2010 at 05:02:45PM +, Victor Sudakov wrote:
Russ Allbery wrote:
You use a password. Enter the same password on both sides when creating
the key, and then be sure to remove any extraneous enctypes on the Heimdal
side that AD isn't configured to provide.
Do you mean to
On Tue, Dec 28, 2010 at 01:34:17PM -0800, Wilper, Ross A wrote:
Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
Kenkre[1]) implements a heuristic to detect what enctypes are available
based on, IIRC, trying to add an LDAP attribute named
On Mon, Dec 27, 2010 at 05:20:19AM +, Victor Sudakov wrote:
Nicolas Williams wrote:
1. If a cross-realm trust is configured, do the realms' KDCs ever have to
exchange any traffic between each other?
No, they do not.
That's great, but at least at the initialization stage, how
On Sat, Dec 25, 2010 at 07:10:53AM +, Victor Sudakov wrote:
1. If a cross-realm trust is configured, do the realms' KDCs ever have to
exchange any traffic between each other?
No, they do not.
Nico
--
Kerberos mailing list
On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote:
On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
Well, it poses a problem for domain to realm mappings, as you've seen.
What Russ says is true, but on top of that, the Kerberos library also
needs to know what service ticket
On Tue, Sep 14, 2010 at 04:45:25AM +, Victor Sudakov wrote:
Greg Hudson wrote:
BTW what can make Kerberos packets so big? Microsoft says: Depending
on a variety of factors including security identifier (SID) history
and group membership, some accounts will have larger Kerberos
On Thu, May 20, 2010 at 03:23:51PM -0400, Greg Hudson wrote:
On Wed, 2010-05-19 at 18:29 -0400, Richard Silverman wrote:
in my system, DNS TXT records *are* explicit local configuration.
They're explicit configuration, but not local to the host machine.
(They're local to your organization,
On Wed, May 19, 2010 at 05:58:41PM -0400, Greg Hudson wrote:
The design of referrals support assumes that referrals from the local
realm are less reliable than explicit local configuration, and more
reliable than DNS-based or heuristic mechanisms. Per that design, the
following changes are
On Mon, May 17, 2010 at 05:02:31PM +0200, Richard Smits wrote:
But my question is, is this possible ? Obtaining a krb5 ticket with ssh
public/private key mechanism ?
SSHv2 supports the use of Kerberos via the GSS-API. Putty, OpenSSH,
SunSSH, Van Dyke, and various other implementations all
On Mon, May 17, 2010 at 04:32:51PM -0400, Richard Silverman wrote:
On Mon, 17 May 2010, Greg Hudson wrote:
If a server determines its realm via
a TXT record, e.g. for gss_acquire_cred(), then it now fails where it
worked in earlier versions (this has bitten me with OpenSSH).
Is there a
On Mon, May 17, 2010 at 11:00:36PM +0100, Simon Wilkinson wrote:
On 17 May 2010, at 22:07, Nicolas Williams wrote:
You can always use GSS_C_NO_CREDENTIAL and then inquire the established
security context's acceptor principal name to see that it matches what
you expected.
When I added
On Mon, May 17, 2010 at 06:38:48PM -0400, Greg Hudson wrote:
On Mon, 2010-05-17 at 18:21 -0400, Nicolas Williams wrote:
Method #1: Use gss_compare_name() to compare a name obtained by calling
gss_import_name() on host@hostname to the acceptor name
returned
On Thu, May 06, 2010 at 04:07:03PM +0530, Srinivas Cheruku wrote:
The Wrap token should be rotated to the right by count specified in RRC
field, where as looks like MIT Kerberos (1.8.1) is rotating to left (when
gss_unwrap() is called). Is this right?
It has to be to the right in one case
Hostnames are always case folded (to lower case) in principal names.
Nico
Solaris' pam_krb5 talks to a daemon (ktkt_warnd) that renews TGTs in the
background.
Nico
On Tue, Nov 10, 2009 at 11:14:40AM -0600, John Washington wrote:
Our backend was last counted at over 200,000 principals and the only
noticeable impact (at this time) is that propagation time is around two minutes.
My previous experience was with ~100K principals, and indeed, it scales
fine.
On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote:
From what I can tell, this change was not pushed as a critical update,
I had to install a patch manually to get channel binding capability
for Windows XP (http://support.microsoft.com/kb/968389). I've done
some experimenting with both
On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
I guess setting things for renewable tickets longer than 7 days or
running the jobs in local disk will be easiest.
We have a 7 day normal/renewable lifetime. What length do other sites have?
I have seen sites use on the order
On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
Nicolas Williams wrote:
I have seen sites use on the order of months for the renewable ticket
lifetime, but still hours for normal ticket lifetime. If you already
use seven days for renew life you might as well double
On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
On Feb 28, 2009, at 12:43, Theodore Tso wrote:
It might be possible to dispatch on krb5_keyblock->magic to determine
whether the new fields are there, and in places where a passed in
krb5_keyblock is allocated on the stack, the
On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
We'd also still need to handle the krb5_keyblock structure embedded in
krb5_creds; in that instance it wouldn't be extensible.
I suspect we can handle that by having a new krb5_keyblock for all
non-krb5_creds uses of it, and
On Sat, Feb 28, 2009 at 01:56:22PM -0600, Nicolas Williams wrote:
On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
We'd also still need to handle the krb5_keyblock structure embedded in
krb5_creds; in that instance it wouldn't be extensible.
I suspect we can handle
On Fri, Feb 27, 2009 at 09:29:15PM -0800, Randy Turner wrote:
I haven't completely analyzed MIT Kerberos, but I was wondering if it
would be possible to get the MIT Kerberos subsystem to use the OpenSSL
crypto API for any cryptographic support needed for Kerberos?
MIT Kerberos has its own
On Fri, Feb 27, 2009 at 09:45:21PM -0800, Russ Allbery wrote:
Randy Turner rtur...@amalfisystems.com writes:
I haven't completely analyzed MIT Kerberos, but I was wondering if it
would be possible to get the MIT Kerberos subsystem to use the OpenSSL
crypto API for any cryptographic support
On Mon, Feb 23, 2009 at 02:00:55PM -0800, Chris wrote:
FWIW, I was slightly confused with the language in the GSSAPI RFC
which seems to indicate that an implementation of a mechanism (e.g.
Kerberos) is not necessarily compatible with that mechanism used on
its own. [...]
I suspect that may
On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
I'm working on implementing Kerberos authentication from a C++ client
to a Java service. The Java service wants a GSSAPI context.
Is it correct that, if you can't rely on default GSSAPI credentials
(i.e. login identity and pre-cached
On Fri, Feb 13, 2009 at 08:56:43AM +, Peter Eriksson wrote:
Edward Irvine eirv...@tpg.com.au writes:
I also did a little experiment. After logging in to the target
machine, (with the GSSAPIDelegateCredentials working and all), I ran
the kdestroy command. As expected, my home directory
On Wed, Jan 14, 2009 at 04:52:34PM -0500, Ken Raeburn wrote:
On Jan 14, 2009, at 15:22, John Hascall wrote:
My solution was just to do:
int on = 1;  /* disable Nagle so the AP-REQ is not held back by the TCP stack */
setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
before calling krb5_sendauth() but a better approach might
be for
On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
Has anyone experienced problems due to false positive conditions on an
application replay cache? [...]
Yes, this happens with Windows clients, where the Kerberos stack may
re-use a seconds and microseconds value, if multiple AP-REQs are
On Sun, Oct 05, 2008 at 11:13:00PM +0100, Markus Moeller wrote:
Thank you for the replies.
I get an GSS: error: The token was a duplicate of an earlier token and
debugging on the client shows that it received seq 0 but expected 1. So I
need to dig a bit further what my server processes
On Mon, Oct 06, 2008 at 12:01:16AM -0400, Michael B Allen wrote:
Personally I think the whole export / import of security contexts is a
little awkward. Instead of moving the context we just put all IO
buffers in shared memory and have one process running the muxer loop
(although the reason for
On Wed, Sep 10, 2008 at 02:14:19PM -0500, Douglas E. Engert wrote:
Chavez, James R. wrote:
Doug, Thanks for the reply.
I am actually using kerberos for authenticating logins through ssh.
Because I had no DNS entry for this Solaris box I was getting the
following debug output from
On Wed, Aug 06, 2008 at 03:38:27AM +, Victor Sudakov wrote:
Victor Sudakov wrote:
It is a pity I cannot check it out because Solaris' kadmin seems to be
incompatible with FreeBSD's kadmind:
$ kadmin
kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
I see,
On Wed, Aug 06, 2008 at 10:18:01AM -0500, Nicolas Williams wrote:
On Wed, Aug 06, 2008 at 03:38:27AM +, Victor Sudakov wrote:
Victor Sudakov wrote:
It is a pity I cannot check it out because Solaris' kadmin seems to be
incompatible with FreeBSD's kadmind:
$ kadmin
kadmin
On Tue, Aug 05, 2008 at 04:44:54AM +, Victor Sudakov wrote:
Victor Sudakov wrote:
There is a very useful command ktutil get in Heimdal. It allows to
conveniently join a host into a Kerberos domain, without bothering
about transferring the keytab.
What is the analogous command
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
Extracting the keys from AD is not possible [1].
Nor is it possible to extract them from MIT krb5 KDCs.
However, the ktpass utility from MS can set the password, generate the
corresponding key separately and put it into a
On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
Nicolas Williams [EMAIL PROTECTED] writes:
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
Extracting the keys from AD is not possible [1].
Nor is it possible to extract them from MIT krb5 KDCs
On Wed, Jun 18, 2008 at 04:54:04PM -0400, Ken Raeburn wrote:
On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
I believe that the meaning of allow_tix should be altered such that
it only applies to the client
in a TGS or AS request. This would permit -allow_tix to be applied
to a
On Sun, Apr 06, 2008 at 02:52:43PM +, Victor Sudakov wrote:
Nicolas Williams wrote:
Now how do I enable GSSAPI authentication for local users? What should
I put into the /etc/mail/authinfo file so that each local user who has
a Kerberos ticket could authenticate herself
On Mon, Apr 07, 2008 at 01:48:31PM -0500, Nicolas Williams wrote:
I followed up on March 19th on the list. I seem to recall my e-mails to
you bouncing, so see the list archives.
Right, because your sender address is obfuscated. Guess what: when I
post my reply including the non-obfuscated
On Tue, Apr 08, 2008 at 01:49:02AM +, Victor Sudakov wrote:
Nicolas Williams wrote:
I followed up on March 19th on the list. I seem to recall my e-mails to
you bouncing, so see the list archives.
Sorry, what list? I posted the question to the Usenet newsgroup
comp.protocols.kerberos
On Wed, Mar 19, 2008 at 02:52:41AM +, Victor Sudakov wrote:
In comp.mail.sendmail Victor Sudakov [EMAIL PROTECTED] wrote:
Now how do I enable GSSAPI authentication for local users? What should
I put into the /etc/mail/authinfo file so that each local user who has
a Kerberos ticket
On Wed, Mar 19, 2008 at 12:29:55PM -0500, Nicolas Williams wrote:
To make it work will require enough changes that one could be forgiven
may
On Wed, Mar 19, 2008 at 03:17:29PM -0400, Sam Hartman wrote:
MIT does have a configuration where this works with sendmail for
foreground delivery to a mailhub.
I don't have details though.
Good to know. Could you cajole someone into posting the details?
On Wed, Mar 19, 2008 at 02:52:41AM +, Victor Sudakov wrote:
In comp.mail.sendmail Victor Sudakov [EMAIL PROTECTED] wrote:
Now how do I enable GSSAPI authentication for local users? What should
I put into the /etc/mail/authinfo file so that each local user who has
a Kerberos ticket
On Mon, Dec 10, 2007 at 08:32:57PM -0500, Yu, Ming wrote:
But I am still not clear how to lock out account after n-times of
failed login.
Are you saying there is no way to do it in current version of MIT
kerberos?
I'm saying that the MIT and Solaris KDCs do not support that
On Tue, Dec 11, 2007 at 08:35:07AM -0600, Douglas E. Engert wrote:
But using PAM to lockout a user, is per machine.
If you are trying to avoid password guesses, the user could
try another machine, and get another N guesses. Better than
nothing, but maybe not what you really want.
As Russ
On Mon, Dec 10, 2007 at 05:11:21PM -0600, Douglas E. Engert wrote:
Yu, Ming wrote:
Does anybody know how to implement account lockout
features on Solaris 10 when the user authenticates against Kerberos?
See man shadow. /etc/passwd, NIS or LDAP can have *LK* to indicate
it
On Fri, Nov 16, 2007 at 03:50:16PM -0800, Russ Allbery wrote:
John Washington [EMAIL PROTECTED] writes:
I would definitely add aes128-cts-hmac-sha1-96 and
aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I
prefer good encryption, not really broken encryption)
Is there
On Mon, Nov 05, 2007 at 12:06:14PM -0500, Jeff Blaine wrote:
Solved.
Had to force client-side -o GSSAPIStoreDelegatedCredentials yes
even though it was not defined anywhere as no (although probably
a default for some reason).
The manpage (ssh_config(4)) says:
GSSAPIDelegateCredentials
On Mon, Nov 05, 2007 at 02:43:56PM -0500, Jeff Blaine wrote:
Those 3 lines make it work. Thanks again, Doug.
I can't really imagine where I'd be with this unless
someone had figured out all of this esoterica before
me. Sheesh.
The default other stack should have worked just fine.
On Mon, Nov 05, 2007 at 04:14:21PM -0500, Jeff Blaine wrote:
Very likely. One heads down roads like these and
the default 'other' stack are the last things to
consider (for me at least).
If we shipped a default PAM configuration for every application then
modifying the other one wouldn't be a
On Fri, Nov 02, 2007 at 01:54:07PM -0400, Kevin Coffman wrote:
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ktadd does not look at those enctype definitions on the local machine
where you run ktadd. What is used is the supported_enctypes defined
for the realm
On Fri, Nov 02, 2007 at 04:42:56PM -0400, Ranga Samudrala wrote:
I am trying to develop a Java SSH client targeting a version of
Kerberised SSH1 server talking GSS-API. Does anybody know of anybody
else dealing with this scenario? Is there a place I can find SSH1
Java API that support
On Fri, Nov 02, 2007 at 05:20:37PM -0400, Ranga Samudrala wrote:
I have no control over the version of SSH we have to use. I am trying
to support a client whose Kerberized SSH servers are v1.5-1.2.26
(which is very bad) and have been hacked to communicate using GSS-
API. So, I am looking
On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
I apologize for the general nature of this post. Maybe it's
better posted to the secureshell list which is loaded with
spam and is often choked up sitting on some server somewhere,
but...
I can ssh with GSSAPI auth to a Solaris
On Thu, Nov 01, 2007 at 04:05:55PM -0400, Roberto C. Sánchez wrote:
On Thu, Nov 01, 2007 at 02:34:12PM -0400, Jeff Blaine wrote:
Has anyone come across this and found an answer?
$ grep GSSAPI ~/.ssh/config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
You also need to kinit -f or
On Thu, Nov 01, 2007 at 04:31:39PM -0400, Jeff Blaine wrote:
Douglas E. Engert wrote:
Jeff Blaine wrote:
I apologize for the general nature of this post. Maybe it's
better posted to the secureshell list which is loaded with
spam and is often choked up sitting on some server somewhere,
Markus, Ken,
Is this bug present in MIT krb5?
Nico
--
On Mon, Oct 15, 2007 at 11:44:30PM +0100, Markus Moeller wrote:
You are right and some calling functions like krb5_copy_keyblock do
allocate, but not krb5_get_credentials(_core) if I now read the code right.
Whether it's a bug at all depends on what the krb5_get_credentials() API
docs say
On Tue, Oct 16, 2007 at 12:33:43AM +0100, Markus Moeller wrote:
Maybe I'm missing something, but I am not in control of the initialisation of the
keyblock. The problem is mcreds->keyblock->contents in
krb5_copy_keyblock_data, which is not allocated in any function before and
not provided by the
On Fri, Sep 28, 2007 at 04:26:14PM -0500, Douglas E. Engert wrote:
Sounds interesting. And yes, I would be interested in
the cascading credentials delegation code. Does the
delegation code depend on the key exchange code?
Protocol-wise, yes, it does.
There's two ways to use the GSS-API in
On Fri, Sep 21, 2007 at 03:08:26PM -0500, John Hascall wrote:
Does MIT's current implementation of the Kerberos KDC include
incremental propagation? I know it didn't a long time ago, then there
were CITI patches for it, then those didn't work for awhile. I don't
seem to be able to
On Fri, Sep 21, 2007 at 03:54:22PM -0400, Jeffrey Altman wrote:
John Harris wrote:
Greetings,
Does MIT's current implementation of the Kerberos KDC include
incremental propagation? I know it didn't a long time ago, then there
were CITI patches for it, then those didn't work for
On Fri, Sep 21, 2007 at 03:29:16PM -0500, John Hascall wrote:
There are plenty of LDAP servers suitable for backending the KDC that
support incremental and/or multi-master replication.
That, I suppose, depends on your definition of suitable.
It certainly isn't suitable to me. The size of
On Fri, Sep 21, 2007 at 04:46:40PM -0500, John Hascall wrote:
I'm not sure that model works well with the KDC's single-threadedness.
Which, really, should be multi-threaded...
On Thu, Sep 06, 2007 at 08:55:47AM -0400, Edgecombe, Jason wrote:
Hi All,
Does kpasswd use the kadmin protocol? I'm just looking at options for
mitigating the vulnerability.
The Solaris kpasswd will use either the kadmin password or the kpasswd
protocol. I don't recall if the same is true for
On Mon, Apr 23, 2007 at 11:27:22AM -0400, Kevin Coffman wrote:
I haven't looked at the code, but I think this is probably done on
purpose and is not a bug. When you create a keytab, you create a new
random key for the account. There is no password associated with that
key, and there is no
On Wed, Apr 18, 2007 at 08:25:39PM +0200, Robert wrote:
Does anyone know whether there is a routine in GSS-API to renew (forwarded)
client credentials? I'm unable to locate such a routine in GSS-API, but
maybe I'm overlooking it.
There's no such thing.
In SSHv2 we deal with this by
On Wed, Apr 18, 2007 at 11:41:03PM +0200, Robert wrote:
On Wed, Apr 18, 2007 at 08:25:39PM +0200, Robert wrote:
Does anyone know whether there is a routine in GSS-API to renew (forwarded)
client credentials? I'm unable to locate such a routine in GSS-API, but
maybe I'm overlooking it.
On Thu, Apr 19, 2007 at 12:10:12AM +0200, Robert wrote:
I do have control over the protocol (That is, in one instance. Another
instance will probably make use of SASL). Thanks for your elaborate answer.
It's much appreciated.
I 'll go and play around with it a bit.
Even if you're using
On Fri, Feb 02, 2007 at 10:16:28AM -0800, John Rudd wrote:
It seems to me that if you're talking about a simple dumb USB thumb
drive/data stick, that you're not going to be able to do anything to
prevent an adversary from copying that data to a local host, and then
brute-forcing the data
On Thu, Feb 01, 2007 at 06:47:43PM -0500, Sam Hartman wrote:
OK, so the requirements you are trying to meet are:
1) soft token support for flash drives.
2) Support for central password management.
3) Allow minimal or no identifying information on the token.
Any more?
4)
On Thu, Feb 01, 2007 at 07:51:47AM +1100, Andrew Bartlett wrote:
I think developing a cross-platform USB 'thumb drive' based soft token
would be an immense benefit. It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly,
On Thu, Feb 01, 2007 at 08:21:49AM +1100, Andrew Bartlett wrote:
What do you mean by cross-platform?
Works with windows desktops too :-)
But I think this means that you want the format of the softtoken to be
open and implementable by multiple implementors.
Love also has a PKCS#11
On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
What keeps a user from copying the identity token from the USB
device to a local or shared file system to avoid having to insert
the USB device all the time?
What are the security implications if the identity token is
Give your server host/f.q.d.n principals and keytab entries for all its
interfaces' canonical names.
And get a client that know how to decode the SSH_MSG_KEXGSS_ERROR
message :)
Nico
--
On Wed, Oct 25, 2006 at 08:22:42AM -0400, Edgecombe, Jason wrote:
What about making positions as owners?
people - positions - machines. People may have multiple
positions/jobs and the job is responsible for the machine.
Groups give you the same functionality without inventing something
On Tue, Oct 24, 2006 at 06:19:04PM -0700, Henry B. Hotz wrote:
No, I'm not talking about using LDAP to store the back-end for a KDC.
I'm wondering if there are any thoughts or wisdom related to RFC 2307
(or successors) about how to store meta-information about Kerberos
principals. That
On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
Markus Moeller wrote:
There shouldn't be the need of compiling openssh with Kerberos as the
Solaris 10 version supports GSSAPI authentication.
Yes and no. Until you want to store the delegated credential or do a
On Wed, Aug 09, 2006 at 02:55:05PM -0500, Douglas E. Engert wrote:
Nicolas Williams wrote:
gss_store_cred() is a KITTEN WG work item.
__gss_userok() is not; should it be?
I would say yes. Every service needs to do this, and use the GSS creds
to test if it can use the local resource. So
On Wed, Jun 21, 2006 at 11:18:06AM -0700, Salil Dangi wrote:
How do you match two names that have different name-type attributes (UNKNOWN
and NT_PRINCIPAL)?
You ignore the name-type.
Kerberos' name types do not partition the principal namespace and are
entirely advisory.
Nico
--
Subject: Re: Is Kerberos V5 i18n ready?
Answer: no.
Nico
--
On Thu, May 25, 2006 at 04:23:26PM -0700, Erich Weiler wrote:
kadmin: addprinc -randkey nfs/solaris10host.domain.com
kadmin: ktadd -e des-cbc-crc:normal nfs/solaris10host.domain.com
/etc/krb5.keytab file was created successfully. Then, as root on
solaris10host:
% mount -F nfs -o vers=4
On Thu, May 25, 2006 at 07:08:30PM -0500, Will Fiveash wrote:
Did you install a version of NFS that uses the MIT Kerberos? [...]
No such thing exists for Solaris, to my knowledge. On Solaris you can
only use the native krb5 implementation for NFS.
You can deploy MIT krb5 for other things,
On Fri, May 26, 2006 at 07:38:52AM -0700, Erich Weiler wrote:
I'll blow out my dev box and re-install using Sun's SEAM krb5 and see if
that helps. I have a feeling it will.
Just so we're absolutely clear: you cannot just replace Solaris'
implementation of anything. You can install
On Mon, May 22, 2006 at 03:24:55PM -0400, Jeff Blaine wrote:
*NOW* what am I doing wrong? :) Why are my other
Nothing.
tickets not being forwarded? MIT Kerberos 1.4.3
telnet and telnetd in use.
Only TGTs are forwarded. The other tickets in your ccache, client-side,
may not be useful to
On Thu, May 18, 2006 at 04:12:00PM -0700, Henry B. Hotz wrote:
On May 16, 2006, at 2:32 PM, [EMAIL PROTECTED] wrote:
On Heimdal you would normally create the entry and then delete the
unwanted encryption key types (if necessary). I think the mechanism
is different for Sun or MIT servers:
On Tue, May 16, 2006 at 06:40:29PM -0400, Jeff Blaine wrote:
Yes, MIT k5 1.4.3
The only Solaris piece I ever expect to use is pam_krb5.so
And secure NFS? (kgssapi/kmech_krb5, gssd/mech_krb5)
I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with
On Tue, May 16, 2006 at 02:23:16PM -0400, Jeff Blaine wrote:
authentication failed: Bad encryption type
bash-2.05# /export/home/krb5/sbin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
Nicolas Williams wrote:
What does klist -ke /etc/krb5/krb5.keytab say?
bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
I'm confused, then, Nicolas.
As I read the output, there are 2 keys stored
for these principals:
1 using Triple DES cbc mode with HMAC/sha1
1 using DES cbc mode with CRC-32
And the first matching enctype is supposed
On Tue, May 16, 2006 at 05:32:45PM -0400, Jeff Blaine wrote:
Nicolas Williams wrote:
What does kadmin -q getprinc host/[EMAIL PROTECTED] say?
I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.
Yes, it does.
Well, that's it then. Switch to des-cbc-crc.
Yes, the krb5 team
On Tue, May 16, 2006 at 04:57:29PM -0500, Nicolas Williams wrote:
Hmmm, OK, this is complicated, and I'd rather not go into all these
details, but:
^
right now
On Thu, Apr 13, 2006 at 01:12:36PM +0100, Simon Wilkinson wrote:
I'm interested in what people feel the 'correct' approach is to the
following situation.
See:
draft-ietf-kitten-gssapi-domain-based-names-01.txt
draft-ietf-kitten-krb5-gssapi-domain-based-names-01.txt
You have found a third
On Tue, Apr 04, 2006 at 12:29:04PM -0500, [EMAIL PROTECTED] wrote:
On Mar 31, 8:22pm, Jeffrey Hutzelman wrote:
} Subject: Re: Solaris ssh pam_krb
But in a multi-application PAG world, _no_ application can directly
use the real PAG ID as an identifier, because it changes too much.
Let's uplevel a bit.
To me PAGs provide a useful distinction between processes in some sort
of session, sharing some common characteristics, one that is better than
environment variables in that it is easily (cheaply) observable from the
IPC peers.
PAGs have, for me, at least these uses:
- As
On Mon, Apr 03, 2006 at 01:23:48PM -0400, Jeffrey Hutzelman wrote:
On Monday, April 03, 2006 11:11:14 AM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
Let's uplevel a bit.
To me PAGs provide a useful distinction between processes in some sort
of session, sharing some common
On Mon, Apr 03, 2006 at 02:27:36PM -0400, Jeffrey Hutzelman wrote:
Now, the issue is that when you're talking about a caching distributed
filesystem, your identity affects not only what credentials are used to
establish connections to fileservers on your behalf, but also what you
are allowed
On Mon, Apr 03, 2006 at 02:27:36PM -0400, Jeffrey Hutzelman wrote:
On Monday, April 03, 2006 12:56:34 PM -0500 Nicolas Williams
[EMAIL PROTECTED] wrote:
That I'd rather count references to network credentials from sessions
than from processes that might have done a seteuid() to temporarily