Re: kerberos programming and ldap
[EMAIL PROTECTED] (Sam Hartman) wrote in message news:[EMAIL PROTECTED]...

> melissa == melissa benkyo [EMAIL PROTECTED] writes:
>
>     melissa> hello all, How do I use kerberos api calls and ldap? I
>     melissa> know ldap needs the sasl gssapi to authenticate to it
>     melissa> with the kerberos. But is it possible to run kerberos and
>     melissa> ldap without using sasl gssapi.
>
> It has been possible with various versions of LDAP2 but using SASL and GSSAPI will be more secure and more portable. Why do you want to avoid SASL?

hello!!! thanks for the response. I was hoping not to use SASL since this means that it is a third party software. I was planning on using the native protocols available to the OS such as the ldap and the kerberos. Do u know how to use the kerberos with ldap? so is it not possible now to use kerberos directly with ldap since this is a LDAP v3? thanks so much for the help. :)

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Disable Mac OS X Kerberos Auto Prompting
In 10.3 (Panther), you can set the environment variable KERBEROSLOGIN_NEVER_PROMPT (it doesn't matter what it is set to) in your application before making any Kerberos calls. If you can't rebuild the application, you can set it in a wrapper script which calls your application.

There is no way to turn off automatic prompting in 10.2 or earlier.

On Apr 11, 2004, at 7:05 PM, Nebergall, Christopher wrote:

> Is there a way, programmatically or in a configuration file, to disable Mac OS X auto-prompting for the user's kerberos password? I'm interested in only disabling auto-prompting in one particular application.
>
> Thanks,
> Christopher Nebergall

--lxs
---
Alexandra Ellwood [EMAIL PROTECTED]
MIT Information Services & Technology
http://mit.edu/lxs/www/
---
Re: kerberos programming and ldap
On Apr 12, 2004, at 9:38 AM, melissa_benkyo wrote:

> hello!!! thanks for the response. I was hoping not to use SASL since this means that it is a third party software. I was planning on using the native protocols available to the OS such as the ldap and the kerberos. Do u know how to use the kerberos with ldap? so is it not possible now to use kerberos directly with ldap since this is a LDAP v3? thanks so much for the help. :)

Melissa,

For ease of deployment, and future-proofing what you are trying to do, I suspect you will find that SASL is actually a better route to go. Non-SASL kerberos authentication support in LDAP clients is rare -- I'm not aware of any clients that support it. But, there are a lot of LDAP clients which do support kerberos authentication via SASL.

You could modify OpenLDAP to directly support kerberos (instead of via SASL), but why re-invent the wheel? A nice standards based way to do what you're trying to do already exists. You could get cyrus-sasl, or something similar, up and running in less time than it would take you to develop a customized, non-standard ldap client, server and library.

Brian Davidson
George Mason University
Re: kerberos programming and ldap
melissa benkyo [EMAIL PROTECTED] writes:

> hello!!! thanks for the response. I was hoping not to use SASL since this means that it is a third party software. I was planning on using the native protocols available to the OS such as the ldap and the kerberos.

Native to what OS? The Cyrus SASL libraries are just as standard on Linux as the OpenLDAP libraries are. I don't think of SASL as any less native than LDAP.

> Do u know how to use the kerberos with ldap? so is it not possible now to use kerberos directly with ldap since this is a LDAP v3?

Part of the point of LDAP v3 was to standardize use of SASL to do authentication.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: kprop trouble.
John Hascall wrote:

> Show us the kdc.conf on your machines...

Sure. On the master (elwing):

    # cat /etc/krb5kdc/kdc.conf
    [kdcdefaults]
        kdc_ports = 88,750

    [realms]
        SLUGGARDY.NET = {
            database_name = /etc/krb5kdc/principal
            admin_keytab = /etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            dict_file = /etc/krb5kdc/kadm5.dict
            key_stash_file = /etc/krb5.keytab
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        }

On the slave (mithrandir):

    # cat /etc/krb5kdc/kdc.conf
    [kdcdefaults]
        kdc_ports = 88,750

    [realms]
        SLUGGARDY.NET = {
            database_name = /etc/krb5kdc/principal
            admin_keytab = /etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            dict_file = /etc/krb5kdc/kadm5.dict
            key_stash_file = /etc/krb5.keytab
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        }

There are a couple of things that I have been kicking around in my head that may be causing the trouble. Will kprop work properly if the slave KDC is behind a NATing firewall? I can't think of a reason why it should matter, but I thought I would check. I have the master KDC behind a non NATing firewall, but the slave is in my home NATed network. Could this be the problem? If I get a chance I may try moving the machine in front of the firewall and see if that makes a difference.

Thanks for any help, I really appreciate it. I love what I have seen of Kerberos so far and would really like to get it working properly.

-Nick
setup kerberos client
Hello all, it's me againnn. :D

I'm having trouble setting up a kerberos client on solaris 8. I'm running a kdc on a linux machine, and I want to use gss-server on the linux machine and run gss-client on the solaris machine. is this possible?

steps that I did:

1) add_principal host/solaris_machine_name@REALM.COM
2) ktadd -k /etc/krb5.keytab host/solaris_machine_name@REALM.COM
3) ktadd -k /tmp/host.keytab host/solaris_machine_name@REALM.COM
   [do the same thing for sample1/solaris_machine_name@REALM.COM]
4) ftp the host.keytab and sample1.keytab to the solaris machine
5) gss-server -port 4 -verbose sample1

   output:
   GSS-API error acquiring credentials: Miscellaneous failure
   GSS-API error acquiring credentials: No principal in keytab matches desired name

   But if I use the sample/linux_machine output:
   GSS-API error acquiring credentials: Wrong rpincipal

solaris client side:

6) kinit kerberos user (OK!)
7) gss-client -port 4 sample hello world

can someone please tell me what I did wrong? thanks!
Re: kerberos programming and ldap
Hi brian, thanks for the info. I guess I'm looking for a way not to use cyrus if possible cause I'm not sure how to use it with SEAM? :D I'm going to be using the native SEAM on solaris. Do I need to install it again if I were to enable it to use cyrus? There are actually more parts involved like SEAM, iplanet, and cyrus. I don't know how to make iplanet use cyrus and SEAM? any inputs are much appreciated.

thanks for the help, guys.

making my life complicated,
melissa :D
Re: loadbalancing of kerberized services
On Saturday, April 10, 2004 16:47:21 + Donn Cave [EMAIL PROTECTED] wrote:

> It depends on your client software. All you need to do is resolve the addresses to canonical host name first, and use the resolved name for both the client connect and the service ticket.

Careful here... Using insecure DNS to compute a service principal name is asking for trouble. You're OK if, as suggested, you compare the resulting name to a list of known valid servers, but that's a fair bit of work and most software that does reverse resolution to determine service names either can't or doesn't do it.

Also, the problem description _I_ read involved a connection-forwarder with its own IP address, not a DNS load balancer. It makes a difference -- with a connection-forwarder, reverse-resolving the address you connected to will still get you the name of the forwarder.

> If you can't do that, then I guess you will need the keys for each server host, on all server hosts - ldap/server1 + ldap/server2 + ...

It should work just fine for each server to have its own key plus a copy of the shared key for the load-balanced name.

-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
Re: Newbie question on keytab -- no need for this on clients, right?
On Monday, April 12, 2004 08:17:15 -0400 Wyllys Ingersoll [EMAIL PROTECTED] wrote:

> Clients do not typically use the keytab file, they either prompt for name/password and then request initial creds or read the initial credentials from the user's cache.

True, in most cases. It's perhaps clearer to think about it this way...

First, try to think of clients and servers as processes, not machines. Several processes may be running on the same machine in both roles.

In any Kerberos authentication exchange, both entities involved (client and server) share a key with the KDC. For the most part, when the entity is a human, that key is derived from a password the human types. When the entity is a daemon, the key is normally read from a keytab.

So, telnetd or sshd is going to read its key from a keytab. On the other hand, kinit is going to read a password from the user, and turn it into a key; in this case, a keytab is not needed. However, an automated process that needs to access a Kerberos-authenticated service (for example, a cron job that needs to scp something from a remote machine or write to a file in AFS) will generally obtain Kerberos tickets using a key stored in a keytab, even though it is acting as a client.

Then there's the login program. A Kerberos-aware login generally acts as both a client and server in the same process. It accepts a username and password from a user, and uses them to obtain a TGT, just as kinit does. It then uses that TGT to obtain a service ticket for the login service (generally host/fully.qualified.host.name), and verifies the resulting service ticket against the service key, which is obtained from a keytab. This step is essential to preventing unauthorized logins by an attacker who is cooperating with the operator of a bogus KDC. Since the attacker and bogus KDC operator both know the password that will be typed, they could together trick a host into allowing a login, unless the host validates the obtained TGT against a service whose key is known only to it and to the real KDC.

-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
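The login flow above, as an added toy model (not MIT code and not the poster's): tickets are sealed with an HMAC under a shared key in place of Kerberos encryption, the principal names, passwords and keys are constructed, and `login()` shows that a bogus KDC seeded with the attacker's password gets through unless the host checks the service ticket against the host/fqdn key from its keytab.

```python
import hashlib, hmac, json, os
# seal()/opens() stand in for Kerberos encryption under a shared key: a "ticket" is
# a payload plus an HMAC under that key, so only a holder of the key can mint one.
def derive_key(password: str) -> bytes:        # stand-in for string-to-key
    return hashlib.sha256(password.encode()).digest()

def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def opens(key: bytes, msg: dict) -> bool:
    tag = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, msg["tag"])

class KDC:
    """Any KDC, real or bogus: keys for its users and services, plus a private TGT key."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = os.urandom(32)

    def as_exchange(self, user: str) -> dict:            # AS-REQ/AS-REP, what kinit does
        tgt = seal(self.tgs_key, {"client": user})
        return seal(self.user_keys[user], {"tgt": tgt})  # readable only with the user's key

    def tgs_exchange(self, tgt: dict, service: str) -> dict:   # TGS-REQ/TGS-REP
        if not opens(self.tgs_key, tgt):
            raise PermissionError("TGT was not issued by this KDC")
        client = json.loads(tgt["body"])["client"]
        # A KDC without the service key can only seal the ticket under a made-up one.
        key = self.service_keys.get(service) or os.urandom(32)
        return seal(key, {"client": client, "service": service})

LOGIN_SERVICE = "host/login.example.com"   # constructed host principal
def login(kdc: KDC, user: str, password: str, keytab_key: bytes, verify: bool) -> bool:
    """Grant the login? keytab_key is the host/fqdn key read from this host's keytab."""
    reply = kdc.as_exchange(user)
    if not opens(derive_key(password), reply):   # wrong password: AS-REP is unreadable
        return False
    if not verify:                               # trusts whoever answered the AS-REQ
        return True
    tgt = json.loads(reply["body"])["tgt"]
    ticket = kdc.tgs_exchange(tgt, LOGIN_SERVICE)
    return opens(keytab_key, ticket)             # only the real KDC holds keytab_key

# Constructed scenario: the bogus KDC was seeded with the password the attacker will type.
HOST_KEY = os.urandom(32)
REAL_KDC = KDC({"alice": derive_key("hunter2")}, {LOGIN_SERVICE: HOST_KEY})
BOGUS_KDC = KDC({"alice": derive_key("letmein")}, {})   # holds no host key

def demo() -> dict:
    return {"real_kdc": login(REAL_KDC, "alice", "hunter2", HOST_KEY, verify=True),
            "bogus_unverified": login(BOGUS_KDC, "alice", "letmein", HOST_KEY, verify=False),
            "bogus_verified": login(BOGUS_KDC, "alice", "letmein", HOST_KEY, verify=True),
            "wrong_password": login(REAL_KDC, "alice", "nope", HOST_KEY, verify=True)}
```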
Authenticate Kerberos-enabled Linux client at Active Directory
Hello All,

I downloaded and installed krb5-1.3.3-i686-pc-linux-gnu.tar on RedHat 9, and tried to set it up to work with MS Active Directory for cross-platform authentication, but without success. Has anyone tried this and can point me in the right direction, or to some sites with more info on this issue?

Thanks a lot!
fwu
Re: loadbalancing of kerberized services
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:

> On Saturday, April 10, 2004 16:47:21 + Donn Cave [EMAIL PROTECTED] wrote:
>
>> It depends on your client software. All you need to do is resolve the addresses to canonical host name first, and use the resolved name for both the client connect and the service ticket.
>
> Careful here... Using insecure DNS to compute a service principal name is asking for trouble. You're OK if, as suggested, you compare the resulting name to a list of known valid servers, but that's a fair bit of work and most software that does reverse resolution to determine service names either can't or doesn't do it.

I believe we're more or less always asking for this trouble. If you don't get a canonical, reverse looked-up name back out of MIT Kerberos krb5_sname_to_principal(), then you're doing something different than me. Given that implementation, you're going to do the reverse lookup anyway, so the only question is whether it would be convenient to actually connect to the same host. I assume so, that's why I'd propose to look up the canonical name in the application.

Donn Cave, [EMAIL PROTECTED]
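The safeguard Jeffrey asks for in the two messages above, as an added example (not code from either poster): derive the service principal from the reverse-resolved canonical name, but only when that name is on a list of known valid servers. The realm, host names and the resolver table are constructed; `reverse_lookup` is injectable so the demo runs without DNS, with `socket.getfqdn` as the real default.

```python
import socket
from typing import Callable, Iterable

REALM = "EXAMPLE.COM"    # constructed realm
# Constructed allowlist: the real backends plus the load-balanced name, whose
# shared key every backend also holds (Jeffrey's last point above).
KNOWN_SERVERS = frozenset({"server1.example.com", "server2.example.com", "ldap.example.com"})

def service_principal(service: str, connect_target: str, known: Iterable[str],
                      reverse_lookup: Callable[[str], str] = socket.getfqdn) -> str:
    """Return service/canonical-host@REALM, or raise if DNS hands back an untrusted name.

    The canonical name comes from a reverse lookup of the address we are about to
    connect to, so a spoofed PTR answer must not be allowed to pick the principal.
    """
    canonical = reverse_lookup(connect_target).rstrip(".").lower()
    if canonical not in set(known):
        raise ValueError(f"untrusted canonical name {canonical!r} for {connect_target!r}")
    return f"{service}/{canonical}@{REALM}"

# Constructed stand-in for the resolver, keyed by the address the client connected to.
FAKE_PTR = {
    "192.0.2.11": "server1.example.com.",      # DNS load balancer handed out a backend
    "192.0.2.10": "ldap.example.com.",         # a connection forwarder's own address
    "203.0.113.5": "attacker.example.net.",    # spoofed PTR answer
}

def fake_lookup(addr: str) -> str:
    return FAKE_PTR[addr]

def demo() -> dict:
    """Principal chosen (or the rejection) for each constructed connect target."""
    out = {}
    for addr in FAKE_PTR:
        try:
            out[addr] = service_principal("ldap", addr, KNOWN_SERVERS, fake_lookup)
        except ValueError as err:
            out[addr] = f"rejected: {err}"
    return out
```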
MIT Krb5 + SELinux
Good Morning/Afternoon/Evening,

I am trying to install krb5 over SELinux policies. The first point is to secure the kdc (so it could minimise the risk of this key server being compromised). Has someone already taken this path?

The first thought I had for being the most secure is to give read-only access to the key database for the kdc, and write access to the kadmin server. It seems to me that it could reduce the risk on kdc failures. But you know more about the internals and access needs of the program.

By the way, a common constant on the programs is that most want access to urandom devices, but do not really require it. I guess that to create tickets, the kdc does need access to the device, otherwise the work could be altered. Am I right? Are there any special files/devices the kdc/kadmin/kclients need access to?

TIA for your answers,
Best Regards,
Jerome Walter
--
Jerome Walter - EFREI p2004
Mail *is* private
Re: kprop trouble.
John Hascall wrote:

>> There are a couple of things that I have been kicking around in my head that may be causing the trouble. Will kprop work properly if the slave KDC is behind a NATing firewall? I can't think of a reason why it should matter, but I thought I would check.
>
> Yes, NAT matters to Kerberos! The authentication (by default) contains the IP address which is verified. You can add additional addresses or ask for addressless tickets through your krb5.conf configfile (addressless is the default in the latest versions).

Right, but does any other part of the protocol for kprop rely on not being NATed? My kpropd gets past the authentication step, as I turned on addressless tickets by default when I did the initial setup. It errors out receiving the database size, which made me wonder if there was something else going on. I will try moving the slave out in front of the firewall though and report back on what I find. It looks like I may have to dig through the kprop code to figure this one out though.

Thanks for your help,
-Nick
Re: kprop trouble.
nick == Nick Palmer [EMAIL PROTECTED] writes:

    nick> Right, but does any other part of the protocol for kprop rely on
    nick> not being NATed? My kpropd gets past the authentication step, as
    nick> I turned on addressless tickets by default when I did the
    nick> initial setup. It errors out receiving the database size, which
    nick> made me wonder if there was something else going on. I will try
    nick> moving the slave out in front of the firewall though and report
    nick> back on what I find. It looks like I may have to dig through the
    nick> kprop code to figure this one out though.

KRB-SAFE and KRB-PRIV messages (used in kprop) need to have the sender's correct network addresses in them in order to protect from reflection attacks. NATs can interfere with this.

---Tom
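Tom's point, as an added toy model (not MIT's krb5_rd_safe and not code from the thread): the receiver of a KRB-SAFE-style message checks the keyed checksum and then requires the sender address embedded in the message to match the address the transport actually delivered it from. The session key, the addresses and the kprop-like size/ack messages are constructed; a reflected message is caught because it claims the receiver's own address, and a NATed sender is rejected even though its checksum is valid.

```python
import hashlib, hmac, json
from typing import Tuple

def make_safe(session_key: bytes, sender_addr: str, data: str) -> dict:
    """KRB-SAFE-like message: cleartext plus a keyed checksum that also covers the sender address."""
    body = json.dumps({"sender": sender_addr, "data": data}, sort_keys=True)
    return {"body": body, "cksum": hmac.new(session_key, body.encode(), hashlib.sha256).hexdigest()}

def check_safe(session_key: bytes, msg: dict, observed_peer: str, my_addr: str) -> Tuple[bool, str]:
    """Accept only if the checksum verifies and the embedded sender is the transport peer."""
    expect = hmac.new(session_key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, msg["cksum"]):
        return False, "checksum mismatch"
    fields = json.loads(msg["body"])
    if fields["sender"] == my_addr:
        return False, "reflected: message claims to come from my own address"
    if fields["sender"] != observed_peer:
        return False, f"sender {fields['sender']} != transport peer {observed_peer} (NAT?)"
    return True, fields["data"]

# Constructed addresses: master KDC on a routable address, slave behind a NAT.
MASTER, SLAVE_PRIV, SLAVE_NAT = "192.0.2.10", "10.0.0.5", "203.0.113.7"
KEY = b"constructed-session-key"

def demo() -> dict:
    # master -> slave: the master is not NATed, so the slave sees the embedded address.
    size_msg = make_safe(KEY, MASTER, "database size 4096")
    # slave -> master: the slave stamps its private address, the master sees the NAT's.
    ack_msg = make_safe(KEY, SLAVE_PRIV, "ack")
    return {
        "slave_accepts_master": check_safe(KEY, size_msg, observed_peer=MASTER, my_addr=SLAVE_PRIV),
        "master_accepts_nat_slave": check_safe(KEY, ack_msg, observed_peer=SLAVE_NAT, my_addr=MASTER),
        "master_rejects_reflection": check_safe(KEY, size_msg, observed_peer=MASTER, my_addr=MASTER),
    }
```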