How complicated is it to move to Heimdal from MIT?
I need a solution to enable users' authentication to LDAP in our network
which uses MIT Kerberos 5. What do you use?
Originally I (after I've found I can't use MIT's kerberos with OpenLDAP)
wished to try to use the krb5kdc LDAP schema and let
hello, can anybody help me out. i'm trying to compile kfw-2.5-src on a windows XP
machine
with visual studio 6 c++. but when I try to compile the source I always got the
following
message. I already looked in google but didn't find any solution.
--
Microsoft (R) Program Maintenance
Hi. Sorry for the cross-post but it involves all the two fields.
We abandoned the idea of making aix the authentication server and we
built a linux kerberos server, with MIT kerberos V5.
Our realm is MYREALM, the linux client is ``linux'' and the aix client
is ``aix''. We use no
To anybody who may know if this is possible and how to do it.
I want to proxy a kerberos 5 server. I would like to configure a kerberos 5
server to consult a kerberos 4 server for authentication and if it gets a
ticket from the 4 server for a given user, to generate a ticket of its own
to return
hey together,
can anyone tell me the differences between kerberos v5 sources 1.3.1 for linux and
windows.
is it possible to compile and use the original unix sources on a windows machine.
and last but not least. is there an in memory credential cache in linux sources,
which I can
use, if i
I just upgraded my Cygwin installation on my XP laptop, downloaded the
gssapi patch from www.sxw.org.uk, obtained the corresponding
openssh/portable from ftp.openbsd.org, patched without error, downloaded
the Krb5 source and compiled, pointing to the kerb5 source directory, and,
towards the end of
Have seen this before. You need the Microsoft SDK.
See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
Marcel wrote:
hello, can anybody help me out. i'm trying to compile kfw-2.5-src on a windows XP
machine
with visual studio 6 c++. but when I try to compile the source I
OpenSSH-3.8 released yesterday contains the gssapi patch. It also contains
changes to use the krb5-config, which looks like your problem.
Scott Ehrlich wrote:
I just upgraded my Cygwin installation on my XP laptop, downloaded the
gssapi patch from www.sxw.org.uk, obtained the corresponding
Marcel wrote:
hey together,
can anyone tell me the differences between kerberos v5 sources 1.3.1 for linux and
windows.
the windows sources are enhanced with support for Windows.
is it possible to compile and use the original unix sources on a windows machine.
as documented in the
It is also worth noting, that, while Heimdal is not thread safe (at least there
are no guarantees), it has proven to be much more thread-robust than MIT.
OpenLDAP page and a couple of users have experienced problems with MIT and
threaded OpenLDAP server, while Heimdal performed flawlessly.
It
On Wed, 25 Feb 2004, Douglas E. Engert wrote:
Date: Wed, 25 Feb 2004 09:56:53 -0600
From: Douglas E. Engert [EMAIL PROTECTED]
To: Scott Ehrlich [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Need help with compiling gss-api into patched openssh
OpenSSH-3.8 released yesterday contains
Scott Ehrlich wrote:
On Wed, 25 Feb 2004, Douglas E. Engert wrote:
Date: Wed, 25 Feb 2004 09:56:53 -0600
From: Douglas E. Engert [EMAIL PROTECTED]
To: Scott Ehrlich [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Need help with compiling gss-api into patched openssh
Doug:
KfW requires Aug 2001. There is nothing in the newer SDKs that is
required. Using newer SDKs is advised but not required.
- Jeff
Douglas E. Engert wrote:
Have seen this before. You need the Microsoft SDK.
See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
John == John Hayes [EMAIL PROTECTED] writes:
John I know this does not make much sense, however it is how it
John must be approached in the implementation environment.
You're right about that. I couldn't understand what you were asking
well enough to respond;)
Can you more clearly
Douglas == Douglas E Engert [EMAIL PROTECTED] writes:
Douglas OpenSSH-3.8 released yesterday contains the gssapi
Douglas patch. It also contains changes to use the krb5-config,
Douglas which looks like your problem.
Doug, OpenSSH does not contain support for gss-keyex, which is
i lost that
attachment: intimate_stuff.zip
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Ken == Ken Hornstein [EMAIL PROTECTED] writes:
It is also worth noting, that, while Heimdal is not thread safe
(at least there are no guarantees), it has proven to be much
more thread-robust than MIT. OpenLDAP page and a couple of
users have experienced problems with MIT and
Sensei == Sensei [EMAIL PROTECTED] writes:
Sensei On AIX we have a really different thing:
Sensei 1. AS-REQ Client name:host type:Principal name:host
Sensei name:aix realm:MYREALM Server name:kadmin type:Principal
Sensei name:kadmin name:admin end time:1970-01-01 00:00:00
Lukas == Lukas Kubin [EMAIL PROTECTED] writes:
Lukas How complicated is it to move to Heimdal from MIT? I need
Lukas a solution to enable users' authentication to LDAP in our
Lukas network which uses MIT Kerberos 5. What do you use?
On a Debian system using the native LDAP, install
Inger, == Inger, Slav ( ) [EMAIL PROTECTED] writes:
Inger, Hi, Does anyone have a link to RFC 1510bis? For some
Inger, reason, I see references to this RFC everywhere yet can't
Inger, find the actual document. Thanks.
Inger,
Hi,
Does anyone have a link to RFC 1510bis? For some reason, I see references
to this RFC everywhere yet can't find the actual document. Thanks.
I am defining a security approach involving use of delegatable service tickets using
Microsoft Kerberos implementation. I heard from a colleague that this is ill-advised
as the Microsoft implementation does not properly limit the ticket to delegation only
by the specific service it was issued
I am investigating the feasibility of launching krb5kdc out of xinetd.
Currently I am using the following config in /etc/xinetd.d/
service = kerberos
{
disable = no
socket_type = stream
server = /usr/sbin/krb5kdc
server_args = -n
Leland == Leland Wallace [EMAIL PROTECTED] writes:
Leland The KDC launches just fine, but it does not complete the
Leland request that triggered the launch. If I quit kinit try
Leland again, it all works as the kdc is running. Is there
Leland something I'm doing wrong? I have
virus snipped
And I would've gotten away with it, too, if it wasn't for those meddling
kids!
--
Steve Langasek
postmodern programmer
Add suffix '/src': --with-kerberos5=/.../krb5-1.3.1/src
That works for us with OpenSSH 3.7.1p2 (haven't tried 3.8 yet).
Cesar == Cesar Garcia [EMAIL PROTECTED] writes:
Cesar wrt to gssapi and 1.3.1 ...
Cesar Since we're pointing out lack of replay cache detection,
Cesar note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar replay cache is used. (specifically looking at 1.3.1 -
Cesar
Douglas == Douglas E Engert [EMAIL PROTECTED] writes:
Douglas That may be true. But just getting the OpenSSH people to
Douglas add the gssapi authentication to OpenSSH-3.8 was a
Douglas big step forward.
Sure but when people want to go for the whole solution don't
discourage
Sam Hartman wrote:
Douglas == Douglas E Engert [EMAIL PROTECTED] writes:
Douglas That may be true. But just getting the OpenSSH people to
Douglas add the gssapi authentication to OpenSSH-3.8 was a
Douglas big step forward.
Sure but when people want to go for the whole
I think that's false. I believe that krb5_rd_req will end up setting
up a rcache later.
I think Cesar is right, actually. krb5_rd_req will only set up a replay
cache if you pass in the server argument, which is set from creds-princ,
which is NULL if you call the gss function with
On Feb 25, 2004, at 11:50 AM, Sam Hartman wrote:
Leland == Leland Wallace [EMAIL PROTECTED] writes:
snip
The KDC does not support running out of inetd. Reasons adding this
support would be a bad idea include:
* Setting up the PRNG for key generation
* The lookaside cache for retransmitting
According to strace ...
1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.
wrt to krb5_rd_req - it looks like rcache is obtained only if
auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME.
accept_sec_context
According to strace ...
1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.
Hm, regarding my previous note
It looks like I was wrong, krb5_rd_req() will get a replay cache even if
the passed-in server is NULL,
[EMAIL PROTECTED] wrote on 02/25/2004 02:14:44 PM:
I am defining a security approach involving use of delegatable
service tickets using Microsoft Kerberos implementation. I heard
from a colleague that this is ill-advised as the Microsoft
implementation does not properly limit the ticket
Leland == Leland Wallace [EMAIL PROTECTED] writes:
Leland sounds reasonable, is there a way to have the kdc launched
Leland on demand (not for every request, but for 5 min at a time
Leland or so, or the replay cache ttl) possibly separating the
Why would you want to? It doesn't
35 matches