Rutgers computer science has used Kerberos slightly for decades, but we’ve
never really taken advantage of its facilities. We have a number of challenges
that I think it can help us with, so we’re planning to move into a more
complete implementation, based on Red Hat's FreeIPA.
In the course
Redhat IPA installations already do that. You don’t need any new features. Just
start /etc/krb5.conf with
includedir /etc/krb5.conf.d/
On Feb 23, 2017, at 4:37 PM, Keith Jones wrote:
Hiya,
My apologies for the newbie (and deeply
The server seems to think the mount was OK, but the client says permission
denied, and the log shows
2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed
The Kerberos shipped with OS X Sierra is not MIT’s Kerberos, so the same release
numbers don’t apply. It’s a separate implementation of the protocol, called
Heimdal Kerberos. Some software that uses Kerberos supports both types of
libraries. If node.js supports only MIT, you can get an MIT version of
.
Now on to Windows ...
> On Feb 24, 2017, at 1:26 PM, Charles Hedrick <hedr...@rutgers.edu> wrote:
>
> The server seems to think the mount was OK, but the client says permission
> denied, and the log shows
> 2017-02-24T13:16:28 set-error
Actually, if I have KRB5CCNAME set to a file in /tmp, and kinit as someone
else, e.g. admin, that will reinitialize the file in /tmp, losing my original
credentials.
With KEYRING (I’m using Centos 7), because it’s a collection, there’s some hope
of maintaining multiple caches properly. If
The KEYRING mechanism is nice, in many ways. But it has some unexpected effects.
There’s a “primary” key for the usual keyring. But this is a global object.
That is, which cache is primary is the same for all sessions, and for NFS.
Imagine I’m a privileged user. I start out logged in as
This is an update on my Kerberos usability project. I think my utilities are
feature-complete.
As I’ve described before, Rutgers computer science wants to use Kerberos to
secure NFS and ssh. We have machines administered by faculty and students, and
physically insecure lab machines. In such a
. That seems pretty close. I’ll look into TPM, to see if that
could somehow be used.
> On Jul 21, 2017, at 3:42 PM, Russ Allbery <ea...@eyrie.org> wrote:
>
> Charles Hedrick <hedr...@rutgers.edu> writes:
>
>> The argument makes sense.
>
>> However I am disturbe
> wrote:
>
> Russ Allbery <ea...@eyrie.org> writes:
>> Charles Hedrick <hedr...@rutgers.edu> writes:
>
>>> * A kerberized service where the user registers that they want to be
>>> able to do cron jobs on a given machine.
>>> * A kerberized pam m
The argument makes sense.
However I am disturbed by the fact that a keytab can be used anywhere. If
someone manages to become root on one machine, I’d like them not to be able to
do things on other machines. I’m in an environment where we have systems
administered by users, and unattended
If I understand the concern, I have the same one. For user cron jobs, the
traditional approach is for the user to create a keytab. As others have noted,
the keytab is equivalent to the password. The problem for me is that a keytab
is good on all hosts. So if someone manages to become root on
Another approach is kind of iffy from a security point of view, but I have a
situation where it’s needed. We have code that will generate any credentials
for which it has a keytab, including a TGT. (It’s an MIT version of
kimpersonate.) You can transmit it to the other end using
It works fine in a copy of Ubuntu running in Linux for Windows on the same
Windows 10 machine.
> On Nov 3, 2017, at 9:53 AM, Charles Hedrick <hedr...@rutgers.edu> wrote:
>
> Here’s the conversation using tcpdump on the proxy server. The connection
> opens, no data is sent i
val 348866561 ecr 32546178], length 0
> On Nov 3, 2017, at 9:30 AM, Charles Hedrick <hedr...@rutgers.edu> wrote:
>
> I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the
> same syntax as for krb5.conf
>
> kdc =
> https://na01.safe
says no kdc is reachable.
On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote:
I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to
open my kdc to th
It’s sort of implemented. On my Mac, if I use
--fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server.
The server doesn’t return anything and makes no entry in krb5kdc.log. So the
client waits and eventually times out.
If I force tcp by using tcp/hostname in krb5.conf, a
I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to
open my kdc to the world. I’m currently using the Proxy for home use.
> On Nov 1, 2017, at 2:30:55 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
>
> On Wed, Nov 01, 2017 at 06:06:23PM +, Charle
You could issue a machine-specific key table, and then use a script that does
kinit from the key table, then kinit -T pointing to the resulting credentials
cache. I have verified the KfW kinit -T works.
We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a
kerberized
Client: Mac Mojave
Server: IPA newest version
Command: /usr/bin/kinit --fast-armor-cache=FILE:/tmp/krb5cc_1003 hedrick
with KRB5_TRACE set, shows it is sending UDP packets to the server but getting
no response.
tcpdump shows the packets, but there is no entry for the transaction in
We’re starting to use Windows Kerberos, with a 3rd party login screen that
calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the
most recent KfW doesn’t support 2FA or the https: proxy. Are there plans for a
new release that would do so?
it for Mac
probably a few would do it for Windows as well. I’m paranoid enough about the
server to want use from outside the department to go through the proxy.
On Jan 16, 2019, at 12:01:19 PM, Greg Hudson wrote:
On 1/16/19 11:23 AM, Charles Hedrick wrote:
We’re starting to use Windows Kerberos
I just verified that OTP does work. Thanks.
> On Jan 16, 2019, at 12:01 PM, Greg Hudson wrote:
>
> On 1/16/19 11:23 AM, Charles Hedrick wrote:
>> We’re starting to use Windows Kerberos, with a 3rd party login screen that
>> calls Kerberos. Some of our staff use FreeOTP
I agree. I like the idea of an option to not leave it in the cache. However I
think that might require API changes.
I’ve noticed cases before where it would be useful to have a utility to copy
caches. It’s easy for a cache in /tmp but not otherwise.
Given an appropriate copy utility you could
We have a workaround, although it wasn’t intended for this purpose.
In https://github.com/clhedrick/kerberos, look at krenew-wrapper. It builds a
sharable library intended to be loaded with LD_PRELOAD. It wraps
krb5_init_context with code that renews and copies the TGT into a memory cache,
and
That’s
exec /bin/ssh "$@"
On May 13, 2019, at 4:50 PM, Charles Hedrick <hedr...@rutgers.edu> wrote:
exec /bin/sh "$@"
On Jul 30, 2019, at 4:17 AM, Jakub Hrozek wrote:
>
> On Mon, Jul 29, 2019 at 02:35:40PM -0400, Robbie Harwood wrote:
>> Greg Hudson writes:
>>
>>> On 7/22/19 1:39 PM, Charles Hedrick wrote:
>>>
>>>> Please be aware that I’m using Redhat’
Typically you create a key table. Most installations have one for root,
/etc/krb5.keytab. But you can create one for any user. Depending upon how your
kerberos is set up, you’d typically use kadmin to create the key table.
At that point you can do "kinit -k -t KEYTABLE” to get a ticket. But if
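The procedure above (create a keytab for the user, then "kinit -k -t KEYTABLE" from the job) is the usual one, and the threads above raise two practical worries about it: the keytab is as good as the password, so its permissions matter, and a kinit that lands in the user's normal cache can reinitialise credentials the user is still using. The following is an added example written for this page, not code from the posts or from the clhedrick/kerberos repository; it assumes MIT kinit and kdestroy are on PATH and that the job principal and keytab already exist. It refuses a keytab that is a symlink, owned by someone else, or readable by group/other, and runs the job with KRB5CCNAME pointing at a private FILE cache in a 0700 temporary directory that is destroyed when the job ends.

```python
"""Run an unattended job from a user keytab without touching the login cache.

Added example (not code from the mailing-list posts).  Assumes MIT krb5's
kinit/kdestroy on PATH and a keytab created for the job principal with kadmin.
"""
import os
import stat
import subprocess
import tempfile


def keytab_problems(path, expected_uid=None):
    """Return the reasons this keytab must not be used (empty list = OK).

    A keytab is equivalent to the principal's password, so it has to be a
    regular file (no symlinks), owned by the job's uid, with no group/other
    bits.  expected_uid defaults to the calling user (an assumption).
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = os.lstat(path)            # lstat: a symlink is refused, not followed
    except FileNotFoundError:
        return ["keytab does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("keytab is not a regular file")
    if st.st_uid != expected_uid:
        problems.append("keytab is owned by uid %d, not %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def run_job(principal, keytab, argv, kinit="kinit", kdestroy="kdestroy"):
    """Get a TGT from `keytab` into a private cache and run `argv` with it.

    Refuses to start if keytab_problems() reports anything.  Returns the
    job's exit status.  kinit/kdestroy can be overridden (used by tests).
    """
    problems = keytab_problems(keytab)
    if problems:
        raise PermissionError("refusing to use %s: %s" % (keytab, "; ".join(problems)))
    # mkdtemp creates the directory mode 0700, so the cache file inside it is
    # private to this uid and never collides with the user's login cache.
    with tempfile.TemporaryDirectory(prefix="krb5job.") as tmp:
        env = dict(os.environ, KRB5CCNAME="FILE:" + os.path.join(tmp, "cc"))
        subprocess.run([kinit, "-k", "-t", keytab, principal], env=env, check=True)
        try:
            return subprocess.run(argv, env=env).returncode
        finally:
            subprocess.run([kdestroy], env=env)   # drop the TGT as soon as the job ends


if __name__ == "__main__":
    import sys
    # usage: python job.py principal keytab command [args...]   (hypothetical script name)
    sys.exit(run_job(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

The check does nothing about the other concern in the thread, that a keytab is accepted by every host in the realm; that needs the KDC-side restriction discussed there, not anything the client can do.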
In my opinion NFS actually works fine for realistic cases, once a couple of
bugs are fixed and some other tools are put in place.
In real cases, the user logs in with a principal username@DOMAIN. That is
always placed in the default collection defined in /etc/krb5.conf. At least for
us, they
to be the default. I shouldn’t have to do C
coding to make it happen.
> On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote:
>
> Maybe there’s a path through the code that I didn’t find. But it ends up
> failing if the credential isn’t username@DOMAIN. There’s an explicit test. I
>
...@cs.rutgers.edu API:3C09F9F9-6C7D-4D41-95CB-F053F4102C7A Jul 23
17:58:11 2019
No indication of uid in the name at all. At least setting KRB5CCNAME to the
specific cache works.
> On Jul 22, 2019, at 3:22 PM, Greg Hudson wrote:
>
> On 7/22/19 1:39 PM, Charles Hedrick wrote:
>>
.
> On Jul 23, 2019, at 9:35 AM, Simo Sorce wrote:
>
> On Mon, 2019-07-22 at 20:10 +, Charles Hedrick wrote:
>> The problem is that the code in rpc.gssd works as follows:
>>
>> * get the default credential from the collection
>> * fail unless it’s user
ugh. rpc.gssd reads root’s .k5identity file. If I put my principal in
/.k5identity, things work. So a plugin would probably work. But it looks like a
bug that should be fixed.
> On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote:
>
> Maybe there’s a path through the code that I di
I’ve thought a bit more about this. i think the problem is that there’s no way
to know what the user wants, and to really give him proper control requires
significant kernel work.
Currently the Linux kernel establishes an NFS security context that is
associated with the UID. Any process
reasonable is probably the
ability to set policy.
Incidentally on a single user laptop you can actually do that. Rpc.gssd used
.k5identity in root. On a single user machine that’s actually potentially
useful.
Sent from my iPhone
On Jul 26, 2019, at 9:09 AM, Charles Hedrick <hedr...@rutgers.edu>
Unfortunately it’s likely to take some experimentation. My starting point would
be on each client, unmount the file system, maybe delete /tmp/krb5ccmachine*,
restart rpc.gssd, and remount.
> On Jul 22, 2019, at 6:22 AM, Laura Smith
> wrote:
>
> Ok, I hold my hand up, I messed up. So the
> On Monday, July 22, 2019 2:13 PM, Charles Hedrick wrote:
>
>> Unfortunately it’s likely to take some experimentation. My starting point
>> would be on each client, unmount the file system, maybe delete
>> /tmp/krb5ccmachine*, restart rpc.gssd, and remoun
I have code to deal with a number of difficulties in implementing kerberos
transparently to users.
Some of this code needs to know whether a KRB5CCNAME is a collection or a
specific cache, and to be able to find the collection if it’s a cache.
I was surprised to find the methods to do these
Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s
supposed to be compatible with Heimdal’s, but based on documentation it appears
that it may not be.
The default value of KRB5CCNAME is simply KCM:. It had better be user-specific,
or everybody shares a collection.
On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghud...@mit.edu> wrote:
By my reading, KEYRING also doesn't generally include the uid in the name.
Again, I can only speak for what I see in Redhat and Ubuntu. The default for
KRB5CCNAME is KEYRING:persistent:UID. Something (I think a
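Both of the preceding messages turn on the same two questions: is a given KRB5CCNAME a collection or one cache, and if it is one cache, which collection does it live in (and does that collection actually name a uid, or is a bare "KCM:" shared)? The following is an added example written for this page, not the author's utilities and not code from krb5 or sssd. The naming rules are taken from the MIT krb5 ccache-type documentation for FILE, DIR (DIR: is the collection, DIR:: a single cache in it), KEYRING (anchor, collection, optional subsidiary) and KCM (uid, optional subsidiary); names without a known anchor after KEYRING: are treated as legacy session-keyring collection names, which is an assumption, and any other type (API:, MEMORY:, ...) is reported as a single cache with no known collection.

```python
"""Classify a KRB5CCNAME as a collection or a single cache and find its
collection.  Added example; naming rules per MIT krb5 ccache documentation."""
import os
from typing import NamedTuple, Optional

KEYRING_ANCHORS = ("persistent", "session", "user", "process", "thread")


class CacheName(NamedTuple):
    ctype: str                 # FILE, DIR, KEYRING, KCM, API, ...
    is_collection: bool        # True if the name denotes a whole collection
    collection: Optional[str]  # KRB5CCNAME of the enclosing collection, if known


def classify_ccname(name: str, uid: Optional[int] = None) -> CacheName:
    """Classify a KRB5CCNAME value.

    `uid` fills in the owner of KCM: and KEYRING:persistent names that omit
    it; it defaults to the calling user, so a bare "KCM:" is always reported
    as *this* user's collection rather than an anonymous shared one.
    """
    if uid is None:
        uid = os.getuid()
    if name.startswith("/") or ":" not in name:
        return CacheName("FILE", False, None)         # bare path = FILE cache
    ctype, _, rest = name.partition(":")
    ctype = ctype.upper()
    if ctype == "FILE":
        return CacheName("FILE", False, None)         # FILE caches have no collection
    if ctype == "DIR":
        if rest.startswith(":"):                      # DIR::/dir/tkt = one cache in /dir
            return CacheName("DIR", False, "DIR:" + os.path.dirname(rest[1:]))
        return CacheName("DIR", True, "DIR:" + rest)  # DIR:/dir = the collection itself
    if ctype == "KEYRING":
        parts = rest.split(":") if rest else []
        if parts and parts[0] == "persistent" and len(parts) < 2:
            parts.append(str(uid))                    # KEYRING:persistent -> caller's uid
        # anchor:collection[:subsidiary]; a leading component that is not a known
        # anchor is taken as a legacy session-keyring collection name (assumption)
        anchor_len = 2 if parts and parts[0] in KEYRING_ANCHORS else 1
        collection = "KEYRING:" + ":".join(parts[:anchor_len])
        return CacheName("KEYRING", len(parts) <= anchor_len, collection)
    if ctype == "KCM":
        parts = [p for p in rest.split(":") if p]
        owner = parts[0] if parts else str(uid)       # KCM:uid[:subsidiary]
        return CacheName("KCM", len(parts) <= 1, "KCM:" + owner)
    return CacheName(ctype, False, None)              # API:, MEMORY:, ...: one cache


if __name__ == "__main__":
    print(classify_ccname(os.environ.get("KRB5CCNAME", "KCM:")))
```

A pam module or wrapper of the kind described later in the thread can use the `collection` field to decide where a cache left in /tmp should be moved, and the `is_collection` flag to know whether kinit will create a new cache (collection) or overwrite the one named (single cache).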
019, at 1:00 PM, Greg Hudson wrote:
>
> On 7/22/19 11:16 AM, Charles Hedrick wrote:
>> I was surprised to find the methods to do these things aren’t present.
>> Here’s what I’ve defined:
>
> Some of this is covered in
> https://k5w
it a specific
credential, and the issue with collections goes away.
> On Jul 26, 2019, at 11:22 AM, Greg Hudson wrote:
>
> On 7/26/19 9:09 AM, Charles Hedrick wrote:
>> I’ve submitted a feature request to fix the default ccselect plugin so
>> it reads /etc/k5identity if the
How many client systems and users?
We have a few hundred machines with around 2000 users (not all active, of
course) in a computer science dept. 3 KDCs running as VMs with 4 processors and
16 GB each. The processors are generally using < 10% of available CPU. The KDC
itself is light-weight.
ote:
>
> On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick wrote:
>>
>> we use a pam module that normalizes the credential cache. If krb5.conf
>> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
>> into KEYRING and updates KRB5CCNAME.
>
> Is this
we use a pam module that normalizes the credential cache. If krb5.conf asks for
KEYRING and sshd leaves the cache in /tmp, the code moves it into KEYRING and
updates KRB5CCNAME.
I really like KEYRING. Our staff have multiple principals. With a collection,
kinit will create a new cache in the
Having GSSAPI installed isn’t going to solve his problem, though he will need
that. Typically you would use Kafka libraries. They already know about
Kerberos. However they have to be configured to use it.
There are lots of ways to do it. And since I no longer have Kafka installed, I
can’t
I’d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses
Heimdal.
We don’t currently expose our Kerberos servers to the Internet, but we do have
an https proxy for MIT kerberos. Heimdal apparently has its own HTTP proxy. Does
anyone know of software to implement the
The hope is that the proxy will read requests and validate them. Thus passing
through the proxy would be less dangerous than exposing port 88 directly. If
that’s not true, we should consider the risks of making port 88 available, or
give up.
> On Sep 11, 2021, at 7:07 PM, Ken Hornstein
11, 2021 at 03:22:26PM +, Charles Hedrick wrote:
>>
>
>> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately
>> the Mac uses Heimdal.
>>
>> We don’t currently expose our Kerberos servers to the Internet,
>> but we do have an https proxy fo
My use case is a few web applications. Linux user group management, editing our
wiki, and responding to help desk tickets. Generic web apps that I would like
to use at home. We support CAS, but our university CAS server has disabled SSO.
Since I already have a Kerberos ticket to use ssh, it
Another use case is getting tickets for Mac users. We have a few users that ssh
into enough different hosts that they want to use kerberized ssh. Unless we
open port 88 to the outside, they have to install MacPorts and use the MIT
kinit. While it seems simple to me, it’s not for real users. If
I’m not using that code now. When using it for real I would generate a special
keytab with a user that had no permissions to do anything, or use the host
keytab, depending upon the application.
Our staff and a few users have TOTP set for their account, so it has to work
for everything. Logins
We use TOTP. That allows us to tack the token on the end of the password. That
makes it easy to fix programs that expect a simple password prompt.
In fact I have a wrapper that can be interposed around pretty much anything
using LD_PRELOAD.
If all the proxy is doing is forwarding content, it might work. But in that
case it’s not obvious how much security we’re gaining by the proxy. It may be
that just enabling access directly to port 88 would be as good. (I control the
network, mostly.) Any sense how risky it is to expose port 88
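The question in the last two messages, whether an HTTPS KDC proxy buys anything over opening port 88, depends on whether the proxy parses what it forwards. What follows is an added example written for this page, not the code of MIT's kdcproxy or of any proxy the author runs (kdcproxy does a structural check of the same kind). It builds a KDC-PROXY-MESSAGE the way an MS-KKDCP client POSTs it (a DER SEQUENCE whose [0] OCTET STRING carries the TCP-framed Kerberos message, optionally a [1] realm) and then validates one before it would be relayed: a single well-formed outer SEQUENCE, a 4-byte length prefix that matches the payload, and an inner message whose tag is AS-REQ or TGS-REQ, so that replies, KRB-ERRORs, ASN.1 with trailing garbage or oversized blobs are dropped at the proxy. The AS-REQ bodies used to exercise it are placeholders constructed for the test, not real requests; the 64 KiB cap is an assumed limit.

```python
"""Structural validation of a KDC proxy (MS-KKDCP) request before forwarding.
Added example; not the code of kdcproxy or any real deployment."""

AS_REQ, TGS_REQ = 0x6A, 0x6C       # [APPLICATION 10] / [APPLICATION 12], constructed
MAX_REQUEST = 64 * 1024            # refuse anything bigger before parsing (assumed cap)


def _der_len(n):
    """Minimal DER length encoding."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_kkdcp(kdc_message, realm=None):
    """Build KDC-PROXY-MESSAGE { kerb-message [0] OCTET STRING, target-domain [1] OPTIONAL }."""
    framed = len(kdc_message).to_bytes(4, "big") + kdc_message   # same framing as TCP/88
    body = der_tlv(0xA0, der_tlv(0x04, framed))
    if realm is not None:
        body += der_tlv(0xA1, der_tlv(0x1B, realm.encode("ascii")))  # KerberosString
    return der_tlv(0x30, body)


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; returns (tag, value, end). Rejects non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length")
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def check_kkdcp_request(blob):
    """Return 'AS-REQ' or 'TGS-REQ' for a forwardable request, else raise ValueError."""
    if len(blob) > MAX_REQUEST:
        raise ValueError("request too large")
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("body is not exactly one SEQUENCE")
    tag, ctx0, pos = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("kerb-message [0] missing")
    while pos < len(seq):                         # only [1] target-domain / [2] hint may follow
        tag, _, pos = _read_tlv(seq, pos)
        if tag not in (0xA1, 0xA2):
            raise ValueError("unexpected field in KDC-PROXY-MESSAGE")
    tag, framed, inner_end = _read_tlv(ctx0, 0)
    if tag != 0x04 or inner_end != len(ctx0):
        raise ValueError("kerb-message is not a single OCTET STRING")
    if len(framed) < 4 or int.from_bytes(framed[:4], "big") != len(framed) - 4:
        raise ValueError("TCP length prefix does not match payload")
    kdc_msg = framed[4:]
    tag, _, msg_end = _read_tlv(kdc_msg, 0)
    if msg_end != len(kdc_msg):
        raise ValueError("trailing bytes after KDC message")
    if tag == AS_REQ:
        return "AS-REQ"
    if tag == TGS_REQ:
        return "TGS-REQ"
    raise ValueError("not a KDC request (tag 0x%02x)" % tag)


def is_valid_kkdcp_request(blob):
    try:
        check_kkdcp_request(blob)
        return True
    except ValueError:
        return False
```

This is deliberately only a structural check: it does not decrypt or authenticate anything, so it cannot stop password guessing against AS-REQ, which is the same exposure port 88 has. What it does remove is every byte stream to the KDC that is not shaped like a client request, which is the part of the port-88 attack surface (KDC parser bugs, replies and errors injected from outside) a forwarding-only proxy would pass straight through.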
src/appl/simple
For a real example, see github, clhedrick/kerberos.git, in directory kmkhomedir
This is a client-server pair designed to create home directories for users.
When you’re using kerberized NFS the normal pam_mkhomedir won’t work, because
it assumes that root can create directories
Kerberos uses a plugin to determine which principal is used in a given
situation. You could write a plugin that forces the principal to user/ssh if
the service is ssh. The API isn't complex. There are several examples.
You'd write the code to check if the service is ssh. If so, you'd look for
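Both this message and the earlier observation that rpc.gssd honours root's .k5identity describe the same selection problem: given the service the client is about to talk to, pick which of the user's principals to use. MIT's ccselect machinery already has a configuration form for this, the k5identity file, whose lines are "principal selector=value ..." with selectors realm, service and host matched against the server principal, first matching line winning. The following is an added example written for this page, not krb5's k5identity plugin, not the author's plugin, and not rpc.gssd's code; it reimplements that matching rule in userland with constructed rule lines (alice@EXAMPLE.COM and friends are illustrative), comparing fields exactly and case-sensitively, which is an assumption. It shows the "user/ssh for ssh" policy from the message as a rule on service=host (the service principal ssh actually authenticates to).

```python
"""Pick a client principal for a target service from k5identity-style rules.
Added example; format per k5identity(5): 'principal [realm=..] [service=..] [host=..]'."""

# Constructed rule file: not a real site's configuration.
SAMPLE_K5IDENTITY = """\
# principal               selectors (all must match; first matching line wins)
alice/ssh@EXAMPLE.COM     service=host realm=EXAMPLE.COM
alice/nfs@EXAMPLE.COM     service=nfs  realm=EXAMPLE.COM
alice@EXAMPLE.COM         realm=EXAMPLE.COM
"""

SELECTOR_KEYS = ("realm", "service", "host")


def parse_server_principal(server):
    """'service/host@REALM' -> (service, host, realm); host is '' if absent."""
    name, _, realm = server.rpartition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def parse_k5identity(text):
    """Return [(principal, {selector: value}), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        principal, selectors = fields[0], {}
        for sel in fields[1:]:
            key, _, value = sel.partition("=")
            if key not in SELECTOR_KEYS or not value:
                raise ValueError("bad selector %r in line %r" % (sel, raw))
            selectors[key] = value
        rules.append((principal, selectors))
    return rules


def select_principal(rules, server):
    """Client principal for `server`, or None if no rule matches.

    None means the caller should fall back to the collection's primary cache,
    which is what rpc.gssd ends up requiring to be user@DOMAIN.
    """
    service, host, realm = parse_server_principal(server)
    actual = {"realm": realm, "service": service, "host": host}
    for principal, selectors in rules:
        if all(actual[key] == value for key, value in selectors.items()):
            return principal
    return None


if __name__ == "__main__":
    rules = parse_k5identity(SAMPLE_K5IDENTITY)
    for target in ("host/login.example.com@EXAMPLE.COM", "nfs/fs1.example.com@EXAMPLE.COM"):
        print(target, "->", select_principal(rules, target))
```

Note that nothing here helps the NFS case by itself: as the earlier message explains, the kernel's NFS security context is per uid and rpc.gssd runs as root, so the rule file it consults is root's, not the user's.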
FreeIPA (and presumably MIT kerberos) has the ability to delegate password
checking to RADIUS. This is intended to support two factor authentication, but
it doesn't have to use two factors. So in principle you could use that and not
have separate copies of the password in your kerberos. I've
Anonymous PKINIT works fine but requires certs to be distributed. Unless you're
prepared to update every machine in the world every year, you pretty much have
to use a cert that goes back to a commercial CA. But in that case you probably
have to use the obscurely documented