Re: Decrypting a kerberos session

2005-07-11 Thread Mukul Gandhi
Hi Lyle,
  I guess the following information will be helpful to
you..

http://www.hsc.fr/ressources/presentations/ad_proto_traffic/win_net_proto_trafic_en.html

Regards,
Mukul

--- [EMAIL PROTECTED] wrote:

 Hi,
 I wish to intercept traffic from the client to a
 server and decrypt it.

 The messages are encrypted (keys are set up via
 Kerberos KRB5).

 To do the decryption, I would need the server's long
 term key (the long term key that is stored in and
 maintained by the Kerberos key distribution center,
 KDC).

 On Windows server operating systems, how can I get a
 server's (say a file server's) long term key from the
 KDC (domain controller)?  This is the key that would
 have been generated when the file server joined the
 domain.

 Obviously I am assuming I have admin access to the
 domain controller...

 Thanks
 Lyle

 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos





Re: Assertion failures

2005-07-11 Thread fariba


Thank you. Maybe I should explain what I really want to know: why, by 
disabling the threads, did our problem on 2.6 go away? Why was using these 
flags suggested? Is multi-threading support kind of buggy?


Sam Hartman wrote:


fariba == fariba  [EMAIL PROTECTED] writes:

   fariba i work with phil as well. i was wondering what are the
   fariba pros/cons of using these flags:

   fariba --disable-shared --enable-static --disable-threads

It turns off threads support which gets you roughly the 1.3.x
behavior.  If multiple threads are using the library at once you can
run into problems.  It disables shared libraries and enables static
libraries.  That means that Kerberos is linked into each application
instead of using a dynamic library.


--Sam

 






Re: Assertion failures

2005-07-11 Thread Ken Raeburn

On Jul 11, 2005, at 04:59, fariba wrote:
Thank you. Maybe I should explain what I really want to know: why, by 
disabling the threads, did our problem on 2.6 go away? Why was using these 
flags suggested? Is multi-threading support kind of buggy?


There have been problems on some systems in determining whether the 
pthread support has been linked into the program, and arranging for 
initialization functions to be run.  Unfortunately, unless we commit to 
always linking in the pthread library into all Kerberos applications, 
we're stuck trying some hacks that'll depend on behavior of various 
systems, outside the standard specifications -- things like weak 
references to thread support functions.


It may well be that either switching to static libraries *or* disabling 
the thread support is sufficient.  But as a simple answer, doing both 
is more likely to just make things work for now (without fixing the 
actual bug, of course).


Ken


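The weak-reference hack Ken refers to, written out as an added example that is not krb5's own code. The k5_ names are hypothetical and only modelled on what a library in this position needs. The point of the construction is that a library can ask at run time whether the pthread functions were linked into the final program and, if not, degrade its locking and one-time initialisation to the single-threaded case instead of failing to link. #pragma weak is a GCC/ELF extension, which is what makes the technique "outside the standard specifications"; it is also why it is fragile. On glibc 2.34 and later, for instance, the pthread functions live in libc itself, so the check reports threads as available in every program.

```c
/* Added example, not krb5 code: detect at run time whether the pthread
 * library is linked in, using weak references (a GCC/ELF extension). */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* If nothing in the final link pulls in the pthread functions, weak
 * references resolve to NULL instead of producing a link error. */
#pragma weak pthread_mutex_lock
#pragma weak pthread_mutex_unlock
#pragma weak pthread_once

/* 1 if real locking is available in this process, 0 otherwise. */
int k5_threads_available(void)
{
    return pthread_mutex_lock != NULL && pthread_mutex_unlock != NULL;
}

/* Lock/unlock that degrade to no-ops in a single-threaded link. */
int k5_mutex_lock(pthread_mutex_t *m)
{
    return k5_threads_available() ? pthread_mutex_lock(m) : 0;
}

int k5_mutex_unlock(pthread_mutex_t *m)
{
    return k5_threads_available() ? pthread_mutex_unlock(m) : 0;
}

/* One-time initialisation, the "arranging for initialization functions
 * to be run" case.  With threads we defer to pthread_once; without,
 * a plain flag suffices because there is no concurrency to race against. */
struct k5_once {
    pthread_once_t once;
    int done;
};
#define K5_ONCE_INIT { PTHREAD_ONCE_INIT, 0 }

int k5_once(struct k5_once *o, void (*init)(void))
{
    if (pthread_once != NULL)
        return pthread_once(&o->once, init);
    if (!o->done) {
        o->done = 1;
        init();
    }
    return 0;
}

/* Demonstration: a counter guarded by the portable lock, plus an
 * initialiser that must run exactly once however often it is requested. */
static pthread_mutex_t counter_lock = PTHREAD_MUTEX_INITIALIZER;
static int counter;
static struct k5_once counter_once = K5_ONCE_INIT;
static int init_runs;

static void init_counter(void)
{
    init_runs++;
    counter = 100;
}

/* Returns the counter after one more increment: 101, 102, ... */
int bump_counter(void)
{
    k5_once(&counter_once, init_counter);
    k5_mutex_lock(&counter_lock);
    counter++;
    k5_mutex_unlock(&counter_lock);
    return counter;
}

int init_run_count(void)
{
    return init_runs;
}

int main(void)
{
    printf("threads linked: %d\n", k5_threads_available());
    bump_counter();
    printf("counter=%d after two bumps, init ran %d time(s)\n",
           bump_counter(), init_run_count());
    return 0;
}
```

Build it twice, once with and once without -pthread, on a system whose libpthread is still separate, and the first line of output changes while the counter behaves identically; that is the whole promise of the hack, and the caveat is that the answer depends on the linker and C library rather than on anything the C standard guarantees.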


Re: Need some tips on kerberizing our ENTIRE network

2005-07-11 Thread Wyllys Ingersoll

Fred Dushin wrote:

 A big part of the problem is HTTP (big surprise -- yet another
 protocol that is being used for purposes for which it was not
 designed). Yes, IIS supports GSS authentication via SPNEGO, but I
 have not been able to decipher whether data protection is offered;
 anecdotal evidence suggests not; I've read commentary on the web to
 this effect, and if you read the mod_auth_krb source code, you'll see
 no reference to gss_wrap or gss_*_mic, so my guess is that all SPNEGO
 is doing is offering SSO authentication. (That seems to be the gist
 of the spec, as well) I'm not entirely sure if mutual auth is
 offered, either, though I suppose technically it's possible to use
 HTTP 401 to establish a mutually authenticated channel. (Anyone know
 if IE/IIS supports this?)



Data protection is not part of the HTTP/Negotiate-Auth protocol.  It only
provides for *authentication* and even that is not protected unless you
channel it over SSL.   After the authentication is complete, GSSAPI is
never used again for that session.  The browsers and servers out there
today do not support the use of GSSAPI for protecting the HTTP exchanges,
only SSL.

Mutual authentication is not supported correctly because it is not possible
to do so without violating the HTTP spec.  Microsoft did it with IIS/IE, but
Mozilla stops short of the complete mutual-auth checking because it would
involve a lot of hacks in the HTTP engine to handle non-standard fields
being sent in a 200 OK response header. 


Basically, the recommended way to do HTTP/GSSAPI authentication
is to use SSL to protect the exchange and the data.   Mozilla/Firefox
is configured by default to only do the GSSAPI auth exchange if
the protocol is  https, though that setting can be changed easily
enough.


-Wyllys Ingersoll



Re: Assertion failures

2005-07-11 Thread Phil Dibowitz
On Sun, Jul 10, 2005 at 03:53:40PM -0400, Sam Hartman wrote:
  fariba == fariba  [EMAIL PROTECTED] writes:
 
 fariba i work with phil as well. i was wondering what are the
 fariba pros/cons of using these flags:
 
 fariba --disable-shared --enable-static --disable-threads
 
 It turns off threads support which gets you roughly the 1.3.x
 behavior.  If multiple threads are using the library at once you can
 run into problems.  It disables shared libraries and enables static
 libraries.  That means that Kerberos is linked into each application
 instead of using a dynamic library.

BTW, I didn't disable shared libraries (we need them), but I did disable
threads.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427





Re: Assertion failures

2005-07-11 Thread fariba
I relinked our other application (mureqd) with the new 2.6 (thread 
disabled) and released it, to see if the process functions better now.


Phil Dibowitz wrote:


On Sun, Jul 10, 2005 at 03:53:40PM -0400, Sam Hartman wrote:
 


fariba == fariba  [EMAIL PROTECTED] writes:

   fariba i work with phil as well. i was wondering what are the
   fariba pros/cons of using these flags:

   fariba --disable-shared --enable-static --disable-threads

It turns off threads support which gets you roughly the 1.3.x
behavior.  If multiple threads are using the library at once you can
run into problems.  It disables shared libraries and enables static
libraries.  That means that Kerberos is linked into each application
instead of using a dynamic library.
   



BTW, I didn't disable shared libraries (we need them), but I did disable
threads.

 






krb5-1.4.1 build failure on FreeBSD 5.4 (EAI_NODATA), and a workaround

2005-07-11 Thread Fred Dushin

I'm getting a krb5-1.4.1 build failure on FreeBSD 5.4-RELEASE:

.../krb5-1.4.1/src/lib/krb5/os/hst_realm.c: In function `krb5int_translate_gai_error':
.../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: `EAI_NODATA' undeclared (first use in this function)
.../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: (Each undeclared identifier is reported only once
.../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: for each function it appears in.)


I believe this is partially due to autoconf, which is (correctly)  
detecting getaddrinfo in FreeBSD 5.4, and hence not building the fake- 
addr-info types (.../krb5-1.4.1/src/include/fake-addrinfo.h:333)


However, I find the somewhat cryptic obsoleted comments in /usr/ 
include/netdb.h, on FreeBSD:


/*
 * Error return codes from getaddrinfo()
 */
#if 0
/* obsoleted */
#define EAI_ADDRFAMILY   1  /* address family for hostname not supported */
#endif
#define EAI_AGAIN        2  /* temporary failure in name resolution */
#define EAI_BADFLAGS     3  /* invalid value for ai_flags */
#define EAI_FAIL         4  /* non-recoverable failure in name resolution */
#define EAI_FAMILY       5  /* ai_family not supported */
#define EAI_MEMORY       6  /* memory allocation failure */
#if 0
/* obsoleted */
#define EAI_NODATA       7  /* no address associated with hostname */
#endif
#define EAI_NONAME       8  /* hostname nor servname provided, or not known */
#define EAI_SERVICE      9  /* servname not supported for ai_socktype */
#define EAI_SOCKTYPE    10  /* ai_socktype not supported */
#define EAI_SYSTEM      11  /* system error returned in errno */
#define EAI_BADHINTS    12
#define EAI_PROTOCOL    13
#define EAI_MAX         14

My solution has been to modify the generated autoconf.h to not set  
HAVE_GETADDRINFO, and hence force the generation of the fake addrinfo  
code, but this is maybe less than optimal.


EAI_NO_DATA is defined in /usr/include/lwres/netdb.h, but I don't  
know off hand what that header file is for.


Any BSD experts available?

/Fred





Re: krb5-1.4.1 build failure on FreeBSD 5.4 (EAI_NODATA), and a workaround

2005-07-11 Thread Russ Allbery
Fred Dushin [EMAIL PROTECTED] writes:

 I'm getting a krb5-1.4.1 build failure on FreeBSD 5.4-RELEASE:

 .../krb5-1.4.1/src/lib/krb5/os/hst_realm.c: In function `krb5int_translate_gai_error':
 .../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: `EAI_NODATA' undeclared (first use in this function)
 .../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: (Each undeclared identifier is reported only once
 .../krb5-1.4.1/src/lib/krb5/os/hst_realm.c:370: error: for each function it appears in.)

EAI_NODATA is obsolete; current implementations just return EAI_NONAME in
that case.  Note that EAI_NODATA is not listed as a valid return code in
RFC 3493.

This should be fixed in the krb5 source, but in the meantime the
workaround would be to compile with -DEAI_NODATA=EAI_NONAME, which the
code appears to deal with correctly.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/

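A getaddrinfo() error translation written so that it builds against any netdb.h, as an added example that is not krb5's own krb5int_translate_gai_error: the GAI_R_* codes and function names are hypothetical stand-ins for krb5's internal error codes. It covers the three situations in this thread: EAI_NODATA absent (FreeBSD 5.4, where it is commented out; glibc hides it unless _GNU_SOURCE is set), EAI_NODATA present with its own value, and EAI_NODATA defined away with -DEAI_NODATA=EAI_NONAME as Russ suggests. The lookup helper uses AI_NUMERICHOST so the program exercises the translation without DNS.

```c
/* Added example, not krb5's own code: a getaddrinfo() error translation
 * that builds against any netdb.h.  The GAI_R_* codes and the function
 * names are hypothetical stand-ins for krb5's internal error codes. */
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

enum gai_result {
    GAI_R_OK = 0,
    GAI_R_NOT_FOUND,     /* no such name, or no address for it */
    GAI_R_TEMP_FAILURE,  /* transient resolver failure, retry later */
    GAI_R_PERM_FAILURE,  /* non-recoverable error or bad arguments */
    GAI_R_NO_MEMORY,
    GAI_R_SYSTEM,        /* consult errno */
    GAI_R_UNKNOWN
};

/* Map a getaddrinfo() return value to a GAI_R_* code.
 *
 * RFC 3493 only requires EAI_AGAIN, EAI_BADFLAGS, EAI_FAIL, EAI_FAMILY,
 * EAI_MEMORY, EAI_NONAME, EAI_SERVICE, EAI_SOCKTYPE and EAI_SYSTEM.
 * EAI_NODATA and EAI_ADDRFAMILY are obsolete and may be missing, so each
 * is referenced only inside a guard.  The "!= EAI_NONAME" half of the
 * guard keeps the -DEAI_NODATA=EAI_NONAME workaround from producing a
 * duplicate case label, which would itself be a compile error. */
enum gai_result translate_gai_error(int err)
{
    switch (err) {
    case 0:
        return GAI_R_OK;
    case EAI_NONAME:
        return GAI_R_NOT_FOUND;
#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
    case EAI_NODATA:        /* obsolete spelling of "name has no address" */
        return GAI_R_NOT_FOUND;
#endif
#if defined(EAI_ADDRFAMILY) && EAI_ADDRFAMILY != EAI_NONAME
    case EAI_ADDRFAMILY:    /* obsolete: no address in the requested family */
        return GAI_R_NOT_FOUND;
#endif
    case EAI_AGAIN:
        return GAI_R_TEMP_FAILURE;
    case EAI_MEMORY:
        return GAI_R_NO_MEMORY;
    case EAI_SYSTEM:
        return GAI_R_SYSTEM;
    case EAI_FAIL:
    case EAI_BADFLAGS:
    case EAI_FAMILY:
    case EAI_SERVICE:
    case EAI_SOCKTYPE:
        return GAI_R_PERM_FAILURE;
    default:
        return GAI_R_UNKNOWN;
    }
}

/* Resolve a host with AI_NUMERICHOST so the call never consults DNS; a
 * name that is not an address literal fails with EAI_NONAME.  This lets
 * the translation be exercised offline. */
enum gai_result numeric_lookup(const char *host)
{
    struct addrinfo hints, *res = NULL;
    int err;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    err = getaddrinfo(host, NULL, &hints, &res);
    if (err == 0)
        freeaddrinfo(res);
    return translate_gai_error(err);
}

int main(void)
{
    const char *hosts[] = { "127.0.0.1", "no.such.host" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-14s -> GAI_R_%d\n", hosts[i], (int)numeric_lookup(hosts[i]));
    return 0;
}
```

The guard form matters more than it looks: a bare #ifdef EAI_NODATA would accept the -D workaround and then fail with a duplicate case label, and an unguarded case EAI_NODATA is exactly the build error in the original report. Collapsing both obsolete codes onto the EAI_NONAME path is also the behaviour Russ describes for current resolvers, so callers see one "not found" result regardless of which libc they were built against.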


Windows SSH client that uses tickets not obtained from AD login

2005-07-11 Thread jay alvarez
Hi,
 Do you know any Windows SSH client that can use
GSSAPI authentication without using SSPI (used by the
Vintela and CSS PuTTY versions), wherein it uses tickets
that were obtained from an Active Directory login? I
have downloaded KFW from MIT and I have successfully
obtained tickets using Leash. I tried to use Vintela's
PuTTY but I don't know how to tell it where Leash put
my tickets. The Vintela docs say it will use the
tickets obtained upon an Active Directory login. In
our case, we don't use the AD service. BTW, just curious,
KFW says it places the tickets obtained from the KDC
inside the memory of the computer; I remember that
when using kinit my tickets are placed in /tmp on my Unix
box. Is there a security issue here regarding the use
of /tmp as storage for tickets versus placing them in
memory?

Thanks.



Re: Windows SSH client that uses tickets not obtained from AD login

2005-07-11 Thread Jeffrey Altman
Kermit 95 http://www.kermit-project.org/k95.html provides
support for SSH with GSS and it derives its tickets from KFW.
The version distributed by Columbia University is old and
not quite up to date but it works.



jay alvarez wrote:
 Hi,
  Do you know any Windows SSH client that can use
 GSSAPI authentication without using SSPI (used by the
 Vintela and CSS PuTTY versions), wherein it uses tickets
 that were obtained from an Active Directory login? I
 have downloaded KFW from MIT and I have successfully
 obtained tickets using Leash. I tried to use Vintela's
 PuTTY but I don't know how to tell it where Leash put
 my tickets. The Vintela docs say it will use the
 tickets obtained upon an Active Directory login. In
 our case, we don't use the AD service. BTW, just curious,
 KFW says it places the tickets obtained from the KDC
 inside the memory of the computer; I remember that
 when using kinit my tickets are placed in /tmp on my Unix
 box. Is there a security issue here regarding the use
 of /tmp as storage for tickets versus placing them in
 memory?
 
 Thanks.
 

-- 
-
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
