various kerberos software

2017-01-26 Thread Charles Hedrick
Rutgers computer science has used Kerberos slightly for decades, but we’ve never really taken advantage of its facilities. We have a number of challenges that I think it can help us with, so we’re planning to move into a more complete implementation, based on Redhat’s free ipa. In the course

Re: krb5.conf vs krb5.d/*.conf designs...

2017-02-24 Thread Charles Hedrick
Redhat IPA installations already do that. You don’t need any new features. Just start /etc/krb5.conf with includedir /etc/krb5.conf.d/ On Feb 23, 2017, at 4:37 PM, Keith Jones wrote: Hiya, My apologies for the newbie (and deeply

anyone have Kerberized mount working on Mac 10.12?

2017-02-24 Thread Charles Hedrick
The server seems to think the mount was OK, but the client says permission denied, and the log shows 2017-02-24T13:16:28 set-error: 1: Access to home directory not allowed Kerberos mailing list Kerberos@mit.edu

Re: Kerberos Installation MacOS Sierra

2017-02-28 Thread Charles Hedrick
The Kerberos with OS X Sierra is not MIT’s Kerberos, so the same release numbers don’t apply. It’s a separate implementation of the protocol, called Heimdal Kerberos. Some software that uses Kerberos supports both types of libraries. If node.js supports only MIT, you can get an MIT version of

Re: anyone have Kerberized mount working on Mac 10.12? [solved]

2017-03-24 Thread Charles Hedrick
. Now on to Windows ... > On Feb 24, 2017, at 1:26 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: > > The server seems to think the mount was OK, but the client says permission > denied, and the log shows > 2017-02-24T13:16:28 set-error

Re: interaction between caches, KEYRING, and NFS

2017-03-16 Thread Charles Hedrick
Actually, if I have KRB5CCNAME set to a file in /tmp, and kinit as someone else, e.g. admin, that will reinitialize the file in /tmp, losing my original credentials. With KEYRING (I’m using Centos 7), because it’s a collection, there’s some hope of maintaining multiple caches properly. If

interaction between caches, KEYRING, and NFS

2017-03-14 Thread Charles Hedrick
The KEYRING mechanism is nice, in many ways. But it has some unexpected effects. There’s a “primary” key for the usual keyring. But this is a global object. That is, which cache is primary is the same for all sessions, and for NFS. Imagine I’m a privileged user. I start out logged in as

update on utilities to improve Kerberos usability

2017-03-13 Thread Charles Hedrick
This is an update on my Kerberos usability project. I think my utilities are feature-complete. As I’ve described before, Rutgers computer science wants to use Kerberos to secure NFS and ssh. We have machines administered by faculty and students, and physically insecure lab machines. In such a

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
. That seems pretty close. I’ll look into TPM, to see if that could somehow be used. > On Jul 21, 2017, at 3:42 PM, Russ Allbery <ea...@eyrie.org> wrote: > > Charles Hedrick <hedr...@rutgers.edu> writes: > >> The argument makes sense. > >> However I am disturbe

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
wrote: > > Russ Allbery <ea...@eyrie.org> writes: >> Charles Hedrick <hedr...@rutgers.edu> writes: > >>> * A kerberized service where the user registers that they want to be >>> able to do cron jobs on a given machine. >>> * A kerberized pam m

Re: Is a keytab file encrypted?

2017-07-21 Thread Charles Hedrick
The argument makes sense. However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended

Re: Doubts regarding Keytab file

2017-06-06 Thread Charles Hedrick
If I understand the concern, I have the same one. For user cron jobs, the traditional approach is for the user to create a keytab. As others have noted, the keytab is equivalent to the password. The problem for me is that a keytab is good on all hosts. So if someone manages to become root on

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-21 Thread Charles Hedrick
Another approach is kind of iffy from a security point of view, but I have a situation where it’s needed. We have code that will generate any credentials for which it has a keytab, including a TGT. (It’s an MIT version of kimpersonate.) You can transmit it to the other end using

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
It works fine in a copy of Ubuntu running in Linux for Windows on the same Windows 10 machine. > On Nov 3, 2017, at 9:53 AM, Charles Hedrick <hedr...@rutgers.edu> wrote: > > Here’s the conversation using tcpdump on the proxy server. The connection > opens, no data is sent i

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
val 348866561 ecr 32546178], length 0 > On Nov 3, 2017, at 9:30 AM, Charles Hedrick <hedr...@rutgers.edu> wrote: > > I’m using KfW 4.1. Since there’s no documentation on krb5.ini, I used the > same syntax as for krb5.conf > > kdc = > https://na01.safe

Re: MIT Kerberos OTP with Windows

2017-11-03 Thread Charles Hedrick
says no kdc is reachable. On Nov 2, 2017, at 7:33 PM, Benjamin Kaduk <ka...@mit.edu> wrote: On Wed, Nov 01, 2017 at 10:30:36PM +0000, Charles Hedrick wrote: I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to th

Re: OTP/FAST: MIT KDC <--> heimdal client integration

2017-11-03 Thread Charles Hedrick
It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out. If I force tcp by using tcp/hostname in krb5.conf, a

Re: MIT Kerberos OTP with Windows

2017-11-01 Thread Charles Hedrick
I’ll try again. Also KfW doesn’t seem to implement kdc proxy. I’d prefer not to open my kdc to the world. I’m currently using the Proxy for home use. > On Nov 1, 2017, at 2:30:55 PM, Benjamin Kaduk <ka...@mit.edu> wrote: > > On Wed, Nov 01, 2017 at 06:06:23PM +, Charle

Re: MIT Kerberos OTP with Windows

2017-11-01 Thread Charles Hedrick
You could issue a machine-specific key table, and then use a script that does kinit from the key table, then kinit -T pointing to the resulting credentials cache. I have verified the KfW kinit -T works. We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a kerberized

mac heimdal / MIT server problem with 2FA

2018-09-26 Thread Charles Hedrick
Client: Mac Mojave Server: IPA newest version Command: /usr/bin/kinit --fast-armor-cache=FILE:/tmp/krb5cc_1003 hedrick with KRB5_TRACE set, shows it is sending UDP packets to the server but getting no response. tcpdump shows the packets, but there is no entry for the transaction in

windows kerberos update?

2019-01-16 Thread Charles Hedrick
We’re starting to use Windows Kerberos, with a 3rd party login screen that calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the most recent KfW doesn’t support 2FA or the https: proxy. Are there plans for a new release that would do so?

Re: windows kerberos update?

2019-01-17 Thread Charles Hedrick
it for Mac probably a few would do it for Windows as well. I’m paranoid enough about the server to want use from outside the department to go through the proxy. On Jan 16, 2019, at 12:01:19 PM, Greg Hudson wrote: On 1/16/19 11:23 AM, Charles Hedrick wrote: We’re starting to use Windows Kerberos

Re: windows kerberos update?

2019-02-20 Thread Charles Hedrick
I just verified that OTP does work. Thanks. > On Jan 16, 2019, at 12:01 PM, Greg Hudson wrote: > > On 1/16/19 11:23 AM, Charles Hedrick wrote: >> We’re starting to use Windows Kerberos, with a 3rd party login screen that >> calls Kerberos. Some of our staff use FreeOTP

Re: special ccache performance issue

2019-05-15 Thread Charles Hedrick
I agree. I like the idea of an option to not leave it in the cache. However I think that might require API changes. I’ve noticed cases before where it would be useful to have a utility to copy caches. It’s easy for a cache in /tmp but not otherwise. Given an appropriate copy utility you could

Re: special ccache performance issue

2019-05-13 Thread Charles Hedrick
We have a workaround, although it wasn’t intended for this purpose. In https://github.com/clhedrick/kerberos, look at krenew-wrapper. It builds a sharable library intended to be loaded with LD_PRELOAD. It wraps krb5_init_context with code that renews and copies the TGT into a memory cache, and

Re: special ccache performance issue

2019-05-13 Thread Charles Hedrick
That’s exec /bin/ssh "$@" On May 13, 2019, at 4:50 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: exec /bin/sh "$@"

Re: krb5 library missing functions for collections

2019-08-15 Thread Charles Hedrick
On Jul 30, 2019, at 4:17 AM, Jakub Hrozek wrote: > > On Mon, Jul 29, 2019 at 02:35:40PM -0400, Robbie Harwood wrote: >> Greg Hudson writes: >> >>> On 7/22/19 1:39 PM, Charles Hedrick wrote: >>> >>>> Please be aware that I’m using Redhat’

Re: Correct way to provide access to kerberised NFS services to daemon/system users ?

2019-08-09 Thread Charles Hedrick
Typically you create a key table. Most installations have one for root, /etc/krb5.keytab. But you can create one for any user. Depending upon how your kerberos is set up, you’d typically use kadmin to create the key table. At that point you can do "kinit -k -t KEYTABLE" to get a ticket. But if

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
In my opinion NFS actually works fine for realistic cases, once a couple of bugs are fixed and some other tools are put in place. In real cases, the user logs in with a principal username@DOMAIN. That is always placed in the default collection defined in /etc/krb5.conf. At least for us, they

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
to be the default. I shouldn’t have to do C coding to make it happen. > On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote: > > Maybe there’s a path through the code that I didn’t find. But it ends up > failing if the credential isn’t username@DOMAIN. There’s an explicit test. I >

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
...@cs.rutgers.edu API:3C09F9F9-6C7D-4D41-95CB-F053F4102C7A Jul 23 17:58:11 2019 No indication of uid in the name at all. At least setting KRB5CCNAME to the specific cache works. > On Jul 22, 2019, at 3:22 PM, Greg Hudson wrote: > > On 7/22/19 1:39 PM, Charles Hedrick wrote: >>

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
. > On Jul 23, 2019, at 9:35 AM, Simo Sorce wrote: > > On Mon, 2019-07-22 at 20:10 +, Charles Hedrick wrote: >> The problem is that the code in rpc.gssd works as follows: >> >> * get the default credential from the collection >> * fail unless it’s user

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
ugh. rpc.gssd reads root’s .k5identity file. If I put my principal in /.k5identity, things work. So a plugin would probably work. But it looks like a bug that should be fixed. > On Jul 23, 2019, at 10:09 AM, Charles Hedrick wrote: > > Maybe there’s a path through the code that I di

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
I’ve thought a bit more about this. I think the problem is that there’s no way to know what the user wants, and to really give him proper control requires significant kernel work. Currently the Linux kernel establishes an NFS security context that is associated with the UID. Any process

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
reasonable is probably the ability to set policy. Incidentally on a single user laptop you can actually do that. Rpc.gssd used .k5identity in root. On a single user machine that’s actually potentially useful. Sent from my iPhone On Jul 26, 2019, at 9:09 AM, Charles Hedrick <hedr...@rutgers.edu>

Re: kvno X not found in keytab; ticket is likely out of date

2019-07-22 Thread Charles Hedrick
Unfortunately it’s likely to take some experimentation. My starting point would be on each client, unmount the file system, maybe delete /tmp/krb5ccmachine*, restart rpc.gssd, and remount. > On Jul 22, 2019, at 6:22 AM, Laura Smith wrote: > > Ok, I hold my hand up, I messed up. So the

Re: kvno X not found in keytab; ticket is likely out of date

2019-07-22 Thread Charles Hedrick
> On Monday, July 22, 2019 2:13 PM, Charles Hedrick wrote: > >> Unfortunately it’s likely to take some experimentation. My starting point >> would be on each client, unmount the file system, maybe delete >> /tmp/krb5ccmachine*, restart rpc.gssd, and remoun

krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
I have code to deal with a number of difficulties in implementing kerberos transparently to users. Some of this code needs to know whether a KRB5CCNAME is a collection or a specific cache, and to be able to find the collection if it’s a cache. I was surprised to find the methods to do these

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s supposed to be compatible with Heimdal’s, but based on documentation it appears that it may not be. The default value of KRB5CCNAME is simply KCM: It had better be user-specific, or everybody shares a collection.

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghud...@mit.edu> wrote: By my reading, KEYRING also doesn't generally include the uid in the name. Again, I can only speak for what I see in Redhat and Ubuntu. The default for KRB5CCNAME is KEYRING:persistent:UID. Something (I think a

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
019, at 1:00 PM, Greg Hudson wrote: > > On 7/22/19 11:16 AM, Charles Hedrick wrote: >> I was surprised to find the methods to do these things aren’t present. >> Here’s what I’ve defined: > > Some of this is covered in > https://k5w

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
it a specific credential, and the issue with collections goes away. > On Jul 26, 2019, at 11:22 AM, Greg Hudson wrote: > > On 7/26/19 9:09 AM, Charles Hedrick wrote: >> I’ve submitted a feature request to fix the default ccselect plugin so >> it reads /etc/k5identity if the

Re: Performance benchmarking

2019-12-10 Thread Charles Hedrick
How many client systems and users? We have a few hundred machines with around 2000 users (not all active, of course) in a computer science dept. 3 KDCs running as VMs with 4 processors and 16 GB each. The processors are generally using < 10% of available CPU. The KDC itself is light-weight.

Re: KEYRING:persistent and ssh

2020-04-13 Thread Charles Hedrick
ote: > > On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick wrote: >> >> we use a pam module that normalizes the credential cache. If krb5.conf >> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it >> into KEYRING and updates KRB5CCNAME. > > Is this

Re: KEYRING:persistent and ssh

2020-04-07 Thread Charles Hedrick
we use a pam module that normalizes the credential cache. If krb5.conf asks for KEYRING and sshd leaves the cache in /tmp, the code moves it into KEYRING and updates KRB5CCNAME. I really like KEYRING. Our staff have multiple principals. With a collection, kinit will create a new cache in the

Re: Using Kerberos on PYTHON

2020-11-09 Thread Charles Hedrick
Having GSSAPI installed isn’t going to solve his problem, though he will need that. Typically you would use Kafka libraries. They already know about Kerberos. However they have to be configured to use it. There are lots of ways to do it. And since I no longer have Kafka installed, I can’t

heimdal http proxy

2021-09-11 Thread Charles Hedrick
I’d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses Heimdal. We don’t currently expose our Kerberos servers to the Internet, but we do have an https proxy for MIT kerberos. Heimdal apparently has its own HTTP proxy. Does anyone know of software to implement the

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
The hope is that the proxy will read requests and validate them. Thus passing through the proxy would be less dangerous than exposing port 88 directly. If that’s not true, we should consider the risks of making port 88 available, or give up. > On Sep 11, 2021, at 7:07 PM, Ken Hornstein

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
11, 2021 at 03:22:26PM +, Charles Hedrick wrote: >> > >> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately >> the Mac uses Heimdal. >> >> We don’t currently expose our Kerberos servers to the Internet, >> but we do have an https proxy fo

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
My use case is a few web applications. Linux user group management, editing our wiki, and responding to help desk tickets. Generic web apps that I would like to use at home. We support CAS, but our university CAS server has disabled SSO. Since I already have a Kerberos ticket to use ssh, it

Re: heimdal http proxy

2021-09-11 Thread Charles Hedrick
Another use case is getting tickets for Mac users. We have a few users that ssh into enough different hosts that they want to use kerberized ssh. Unless we open port 88 to the outside, they have to install Mac ports and use the MIT kinit. While it seems simple to me, it’s not for real users. If

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
I’m not using that code now. When using it for real I would generate a special key tab with a user that had no permissions to do anything or use the host key tab depending upon the application. Our staff and a few users have TOTP set for their account, so it has to work for everything. Logins

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
We use TOTP. That allows us to tack the token on the end of the password. That makes it easy to fix programs that expect a simple password prompt. In fact I have a wrapper that can be interposed around pretty much anything using LD_PRELOAD.

Re: heimdal http proxy

2021-09-28 Thread Charles Hedrick
If all the proxy is doing is forwarding content, it might work. But in that case it’s not obvious how much security we’re gaining by the proxy. It may be that just enabling access directly to port 88 would be as good. (I control the network, mostly.) Any sense how risky it is to expose port 88

Re: Kerberos Server Implementation

2022-01-21 Thread Charles Hedrick
src/appl/simple For a real example, see github, clhedrick/kerberos.git, in directory kmkhomedir. This is a client-server pair designed to create home directories for users. When you’re using kerberized NFS the normal pam_mkhomedir won’t work, because it assumes that root can create directories

Re: Using an alternate principal for ssh

2022-05-31 Thread Charles Hedrick
Kerberos uses a plugin to determine which principal is used in a given situation. You could write a plugin that forces the principal to user/ssh if the service is ssh. The API isn't complex. There are several examples. You'd write the code to check if the service is ssh. If so, you'd look for

Re: authenticate user via ldap bind

2023-08-18 Thread Charles Hedrick via Kerberos
Freeipa (and presumably MIT kerberos) has the ability to delegate password checking to radius. This is intended to support two factor authentication, but it doesn't have to use two factors. So in principle you could use that and not have separate copies of the password in your kerberos. I've

Re: help with OTP

2023-05-01 Thread Charles Hedrick via Kerberos
Anonymous PKINIT works fine but requires certs to be distributed. Unless you're prepared to update every machine in the world every year, you pretty much have to use a cert that goes back to a commercial CA. But in that case you probably have to use the obscurely documented