There ought to be more information in the Apache error log. Also you
can increase the log level if necessary.
On Jul 3, 2008, at 9:16 PM, kul gupta wrote:
Hello
I am using mod_auth_kerb module (for apache webserver) for
authentication. I am facing the following issues (Issue (1) and
: In function `main':
ab.c:2154: undefined reference to`SSL_CTX_set_info_callback'
Please help me out in resolving this issue
Thanks
kul
On 6/30/08, Henry B. Hotz [EMAIL PROTECTED] wrote:
On Jun 29, 2008, at 9:15 AM, [EMAIL PROTECTED] wrote:
Message: 1
Date: Sun, 29 Jun 2008 16:31
If you run a Windows Domain and you also use BIND and MIT (or
Heimdal) for DNS/Kerberos then you must have a strategy for
preventing them from stepping on each other. Can I ask people for
thumbnails of how you-all do that? What raw services are handled by
which servers? Are there magic
That does sound interesting. Count me in.
On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:
Sounds interesting. And yes, I would be interested in
the cascading credentials delegation code. Does the
delegation code depend on the key exchange code?
What would it take to get both of
On Aug 28, 2007, at 2:51 AM, Mikkel Kruse Johnsen wrote:
Hi Rob
The latest patch was a big mess and the way I made mod_auth_kerb
use its internal SPNEGO was not good. An option in configure
should probably be made (--enable-internal-spnego).
But since the problem is not really with
Grolms wrote:
On Thursday 26 July 2007 21:54, Douglas E. Engert wrote: Achim
Grolms wrote: On Thursday 26 July 2007 20:40, Henry B. Hotz
wrote: If I understand RFC2744 correct GSS_C_DELEG_FLAG
would not be set in that case? Achim
Agreed. That flag shouldn't be set AFAIK
On Jul 26, 2007, at 8:22 AM, Douglas E. Engert wrote:
Attached is the Wireshark print output of the GET request showing
the SPNEGO and GSSAPI
In original trace, the client does request a ticket to delegate
but it looks like it is not delegating it.
It looks like it is:
User-Agent:
:
On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
If I understand RFC2744 correct GSS_C_DELEG_FLAG
would not be set in that case?
Achim
Agreed. That flag shouldn't be set AFAIK, though the value isn't
valid until negotiation is complete.
That means before trying to store delegated
On Jul 25, 2007, at 2:55 AM, Mikkel Kruse Johnsen wrote:
Is the KRB5CCNAME being set in the environment of the subprocess.
Don't know how to check this. The KRB5CCNAME is in the env. with
the attached patch but the credentials are never saved to that file.
Protect CGI's and access a cgi
On Jun 1, 2007, at 12:00 PM, Markus Moeller wrote:
Henry B. Hotz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
I have an AD forest with MM.COM with domains
DOM1.MM.COM, DOM2.MM.COM and
SUB.DOM2.MM.COM which all trust each
On May 31, 2007, at 11:25 AM, Markus Moeller wrote:
I have an AD forest with MM.COM with domains DOM1.MM.COM, DOM2.MM.COM
and
SUB.DOM2.MM.COM which all trust each other. To test the
availability of
service tickets I created the following short program:
Any particular reason you didn't
Anybody know of *anything* out there that actually uses the des-cbc-
md4 encryption type?
IIRC there was something Microsoft-ish that did at one time, but I
wonder if it still exists.
The opinions expressed in this
On Nov 2, 2006, at 9:03 AM, [EMAIL PROTECTED] wrote:
Date: Wed, 1 Nov 2006 22:21:53 -0500
From: Ken Raeburn [EMAIL PROTECTED]
Subject: Re: Migrating a Kerberos Realm
To: John Hascall [EMAIL PROTECTED]
Cc: kerberos@mit.edu
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;
No, I'm not talking about using LDAP to store the back-end for a KDC.
I'm wondering if there are any thoughts or wisdom related to RFC 2307
(or successors) about how to store meta-information about Kerberos
principals. That RFC defines schemas for machines and things with
IP numbers. I
On Oct 24, 2006, at 7:35 PM, Nicolas Williams wrote:
On Tue, Oct 24, 2006 at 06:19:04PM -0700, Henry B. Hotz wrote:
No, I'm not talking about using LDAP to store the back-end for a KDC.
I'm wondering if there are any thoughts or wisdom related to RFC 2307
(or successors) about how to store
:
Date: Fri, 6 Oct 2006 02:14:04 +0200
From: Markus Schaaf [EMAIL PROTECTED]
Subject: Re: Kerberized DBMS's Available
To: kerberos@MIT.EDU
Message-ID: [EMAIL PROTECTED]
Henry B. Hotz [EMAIL PROTECTED] wrote:
I'm looking for a DBMS that supports Kerberos for user
authentication
and has
I'm looking for a DBMS that supports Kerberos for user authentication
and has a JDBC client. It appears that I may have to write the
support myself, unless someone can add something I haven't been able
to find out.
The big three I know about are:
MySQL -- market leader, but no Kerberos
On Sep 23, 2006, at 9:05 AM, [EMAIL PROTECTED] wrote:
Date: Sat, 23 Sep 2006 08:42:51 CDT
From: John Hascall [EMAIL PROTECTED]
Subject: Re: Remembering Master Password
To: Jason C. Wells [EMAIL PROTECTED]
Cc: kerberos@mit.edu
Message-ID: [EMAIL PROTECTED]
In big bold letters we are
Anyone know how to use Kerberos with MySQL?
I thought I once saw a kludge where you could use Kerberos with some
kind of tunneling mechanism and make the server pick up the username
from the tunnel. I can't seem to find any reference to that with
Google now, though.
Anyone actually
On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
On Wednesday, September 27, 2006 08:52:52 AM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
Heimdal uses a standard keytab file for the master password. In
Heimdal kadmin you can do:
add -r M/K
del_enc M/K all encryption types
Does the MySQL server have any provision for external identification
of users at all?
Beyond this point maybe the question belongs on a MySQL list. Thanks
for answering though.
On Sep 27, 2006, at 11:13 AM, Evan Vittitow wrote:
The best idea I could come up with was to Kerberize
On Sep 27, 2006, at 1:38 PM, Jeffrey Hutzelman wrote:
On Wednesday, September 27, 2006 01:26:22 PM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
On Wednesday, September 27, 2006 08:52:52 AM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote
On Sep 27, 2006, at 2:00 PM, Jeffrey Hutzelman wrote:
On Wednesday, September 27, 2006 01:54:30 PM -0700 Henry B. Hotz
[EMAIL PROTECTED] wrote:
I'm assuming from your omission that add will look at the existing
kvno's and create the next one?
Well, the man page claims it will prompt
I've got a kerberized service that worked fine before I started
trying to use it through a load balancer. (I'm saying that for
background, not because I didn't think it should matter.)
So the current situation is that I've changed /etc/hosts and /etc/
nodename to contain the FQDN of the
On May 16, 2006, at 2:32 PM, [EMAIL PROTECTED] wrote:
Message: 9
Date: Tue, 16 May 2006 17:32:45 -0400
From: Jeff Blaine [EMAIL PROTECTED]
Subject: Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
To: kerberos@mit.edu
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;
The Oracle Kerberos implementation appears to be different from the
Solaris implementation it sits on top of. There isn't much info on
the core differences in the Oracle documentation I've seen and we
haven't gotten much out of our support contract, at least yet.
What I've seen is the
On Feb 9, 2005, at 12:53 AM, Priit Randla wrote:
Henry B. Hotz wrote:
It's not clear to me why the MIT and Heimdal realms need to be
different.
The reason is quite embarrassing, actually - total re-branding.
Total renamification :-) from AAA to BBB.
Lotsa host/* principals to recreate
It's not clear to me why the MIT and Heimdal realms need to be
different.
You can import an MIT database into Heimdal with hprop. Google for the
details, but you export a MIT dump file with some specific options and
then use hprop to read it into Heimdal. There's some place in
Except for the environment variable thing that's exactly what I did.
(I put the file in /Library/Preferences/edu.mit.Kerberos.)
I didn't do it myself, but someone else was able to use a close
relative of my krb5.conf file with RHEL 3. The kinit command
*required* the -4 option even though
should die. It's just that there's this little project
here that won't let me deploy Kerb 5 until after they land their probe
on Titan in January.
On Nov 30, 2004, at 8:24 AM, Alexandra Ellwood wrote:
On Nov 30, 2004, at 4:25 AM, Henry B. Hotz wrote:
Except for the environment variable thing
It appears that with 1.3.x you can't force it to make a kerberos 4 auth
request. I've tried putting only info in the [v4 realms]-like sections
and disabling the DNS lookup on OSX 10.3, but then a kinit just fails.
Is there any MIT equivalent to Heimdal kinit -4?
Yes, I know this is a *BAD*
?
Best of luck,
-r.
On Tue, Nov 23, 2004 at 01:26:24PM -0800, Henry B. Hotz wrote:
It appears that with 1.3.x you can't force it to make a kerberos 4
auth
request. I've tried putting only info in the [v4 realms]-like
sections
and disabling the DNS lookup on OSX 10.3, but then a kinit just fails
On Oct 25, 2004, at 4:04 PM, [EMAIL PROTECTED] wrote:
First, I'd like to mention I was mistaken when I said the 'libdefaults'
section, I meant 'appdefaults', such as:
[appdefaults]
ticket_lifetime = 30days
renew_lifetime = 180days
or alternatively, within a 'kinit' subgroup.
I'm running with:
My basic objection to a load balancer is that Kerberos was designed to
do its own failover without one.
Kerberos was also originally designed to require FQDN's to uniquely map
to the destination IP numbers. Violations of those assumptions
deserved to fail because they might indicate some
On Oct 4, 2004, at 9:02 AM, [EMAIL PROTECTED] wrote:
Date: Sun, 03 Oct 2004 22:40:50 -0700
From: Frank Cusack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Heimdal or MIT kerberos
Message-ID: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
Precedence: list
Message: 2
On Mon, 04 Oct 2004
The pam_krb5 session module is supposed to clean up your credentials on
logout (if you are the last logout for that session).
I had a Solaris 9 machine which did that. Now I have a different S9
machine which doesn't. Any suggestions for what to look for?
Bingo!
I just fixed it on my test machines, but left it out of the setup
procedure that I gave to the VV folk.
On Aug 25, 2004, at 6:22 AM, Kevin Coffman wrote:
One of my tester's Solaris 8 Kerberos clients is sending Kerberos 4
requests (req's on port 750 anyway). Another solaris 8 machine is
Heimdal arcfour == MIT rc4. Also there's the chaining method missing.
I'm guessing it ought to be something like cpw -e rc4-cbc-hmac.
On Aug 4, 2004, at 9:03 AM, [EMAIL PROTECTED] wrote:
Date: Tue, 3 Aug 2004 17:11:10 -0400
From: David Botsch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
, and
destroyed at logout correctly. This is awfully nice. Now, I think
the next step is to install the full SEAM packages to get the
kerberized telnet server and client.
Thanks again for your attention on this issue.
Regards,
Eliot
-Original Message-
From: Henry B. Hotz [mailto:[EMAIL PROTECTED
(781) 271-5830
Lead Communications Engineer [EMAIL PROTECTED]
The MITRE Corporation Bedford, MA
-Original Message-
From: Henry B. Hotz [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 6:20 PM
To: Eliot Lebsack
Cc: [EMAIL PROTECTED]
Subject: Re
Bedford, MA
-Original Message-
From: Henry B. Hotz [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 6:20 PM
To: Eliot Lebsack
Cc: [EMAIL PROTECTED]
Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
Lebsack)
Right, that's the problem. You need
If it works as root, but not as a user, then it sounds like a
permissions problem. Is /etc/krb5/krb5.conf world-readable?
On Jul 26, 2004, at 9:00 AM, [EMAIL PROTECTED] wrote:
Date: Mon, 26 Jul 2004 09:55:02 -0400
From: Eliot Lebsack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Solaris
-Original Message-
From: Henry B. Hotz [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 3:17 PM
To: [EMAIL PROTECTED]
Cc: Eliot Lebsack
Subject: Re: Solaris pam-krb5 client and MIT krb5 KDC on Linux (Eliot
Lebsack)
If it works as root, but not as a user, then it sounds like a
permissions
In the long run the Kerberos password is a problem because the human
brain does not obey Moore's law. As I see it the solution is to use
some form of two-factor authentication for the initial ticket exchange.
So what options are there in that space?
AFAIK none --- with the standard open
Given all the issues I didn't want to get into, maybe I shouldn't have
mentioned SecureID. Since I did mention it, it's good to have your
caveat on the record.
Just trying to make sure I really know what exists.
On Jul 15, 2004, at 11:27 AM, Ken Hornstein wrote:
So what options are there in
We benchmarked significantly more than 50,000 authentications/hour
against a Sun Ultra-1 running Solaris 8 and Heimdal 0.6.1. The
database contained about 25,000 principals at the time. Does that
help?
I have no idea if MIT or Solaris 9 would be faster or slower. There's
a long history
I don't think it's off-topic, but heimdal questions may get better
answers from [EMAIL PROTECTED]
This is a bit theoretical for me, but I think you will need to dump the
database, upgrade the server (which may use a different backend db
utility, even if the db hasn't changed), and then
I'm sure there are doc's on this, but can you configure the workstation
to add a correct-for-MIT/Heimdal default realm? (name
canonicalization? or is that only on the server end?)
On Jun 8, 2004, at 8:19 AM, [EMAIL PROTECTED] wrote:
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]
Sent:
In Heimdal the way to do this is:
1) Create the principal with kadmin add -r princ
(IIRC this creates a principal without the multiple key salt's because
there is no corresponding password, and therefore no applicable key
salt. You get a principal with a better key and less confusion.)
2)
MIT rc4 == Heimdal arcfour == preferred Microsoft encryption type?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
On Apr 21, 2004, at 6:13 AM, [EMAIL PROTECTED] wrote:
Date: Wed, 21 Apr 2004 08:54:25 -0400
From: Dan Million [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: KFW 2.6.1
Message-ID: [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]
Precedence: list
Message: 11
Jeffrey Altman
According to something I read on sunsolve, on Solaris 8 Sun forgot to
remove the Kerberos 4 man pages when they removed the Kerberos 4
libraries and other code.
To reinforce what other people have said: 1) there is no native API
for Kerberos on Solaris, you use GSSAPI, and 2) there is no
On Apr 12, 2004, at 5:12 PM, [EMAIL PROTECTED] wrote:
Date: 12 Apr 2004 14:36:33 -0700
From: [EMAIL PROTECTED] (melissa_benkyo)
To: [EMAIL PROTECTED]
Subject: setup kerberos client
Message-ID: [EMAIL PROTECTED]
Precedence: list
Message: 5
Hello all,
its me againnn. :D
I'm having trouble setting
Actually SEAM works just fine with a Heimdal (and therefore MIT and
MS?) KDC, but there are several caveats:
1) You need to have the latest Kerberos patches from Sun installed.
There's a compatibility bug that's fixed along with the security
fixes.
2) You need to have an entry for
At 9:40 AM -0600 3/12/04, Digant Kasundra wrote:
Is anyone aware of any product that can sync passwords
between an MIT
Kerberos KDC and MS Active Directory?
Alf Wachsmann at SLAC is doing this with Heimdal.
Personally I'd rather only have the passwords (keys actually) stored
in one of the
At 12:40 PM -0500 3/12/04, Jeffrey Hutzelman wrote:
Note that it sounds like the OpenAFS code you were looking at was
actually src/des/strng_to_key.c, which implements the DES
string-to-key function, not the AFS one. The AFS string-to-key code
is in src/kauth/client.c.
Correct. I looked for
At 12:00 PM -0500 3/11/04, [EMAIL PROTECTED] wrote:
Date: Thu, 11 Mar 2004 00:46:53 -0600
From: Digant Kasundra [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: Password synching
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain
MIME-Version: 1.0
Precedence: list
Message:
There's also kx509.
At 12:00 PM -0500 3/8/04, [EMAIL PROTECTED] wrote:
Date: Mon, 08 Mar 2004 08:38:05 -0500
From: Wyllys Ingersoll [EMAIL PROTECTED]
To: Russ Allbery [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: WebISO: the killer kerberos app?
Message-ID: [EMAIL PROTECTED]
In-Reply-To:
Sorry about not fixing the subject in the last email.
At 12:16 PM -0500 1/31/04, Sam Hartman wrote:
Henry == Henry B Hotz [EMAIL PROTECTED] writes:
Henry Well, what we do here is have the LDAP server do a kinit
Henry against the central kerberos server for authentication.
Henry
I don't disagree with your proposal at all. Sounds good. It should
make it easier to fix/change things in the future.
But. . .
Isn't the reason this keeps coming up that AFS client doesn't
(can't?) behave like a normal Kerberos application and just get its
own service ticket when it needs
At 9:07 PM +0100 1/22/04, Harald Barth wrote:
I think that OpenSSL != OpenSSH.
Correct. I got the install order wrong. The right order is OpenSSL,
Heimdal, OpenSSH.
Harald.
OK, so how do you install OpenSSL with RFC 2712 support enabled?
--
The opinions expressed in this message are mine,
not
At 12:00 PM -0400 10/12/03, Sam Hartman wrote:
Henry == Henry B Hotz [EMAIL PROTECTED] writes:
Henry Does the MIT code have a user hook in the change password
Henry function where I can link in cracklib?
No. Nicolas Williams from Sun has proposed that the right way to do
Does the MIT code have a user hook in the change password function
where I can link in cracklib?
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
Is it possible you built ssh with kerberos 4 support instead of
kerberos 5 support?
At 12:00 PM -0400 7/16/03, [EMAIL PROTECTED] wrote:
Date: Wed, 16 Jul 2003 17:06:31 +0200
From: Jeremy Fressard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: bad ticket
Message-ID: [EMAIL PROTECTED]
Are there documents that describe how to configure Kerberos for OSX
10.3 (Panther) yet? I tried copying my
/Library/Preferences/edu.mit.Kerberos file over and that wasn't
enough for the Kerberos GUI to work.
(I got an error something like user not in database. The
configuration should have