Date: Tue, 29 Jan 2013 17:33:47 CST
To: Marcus Watts m...@umich.edu
cc: kerberos@mit.edu kerberos@mit.edu
From: Nico Williams n...@cryptonector.com
Subject: Re: client's system clock is ahead of KDC system clock
Content-Type: text/plain; charset=UTF-8
On Tue, Jan 29
a problem for users, but it
is a problem for scripts that get a ticket and immediately use
it: the result is sometimes the ticket will work, and
sometimes it won't.
-Marcus Watts
Kerberos mailing list
the first part.
host/fqdn - is wired into program logic.
user/admin - is not wired in. that's strictly a human convention.
If it really bothers you, why not switch to
admin/user - and revise your acl logic to match?
-Marcus Watts
to get a service ticket
for a given enc type if the service doesn't have a key for
that enc type. (It will probably always be encrypted
with the *first* key - which is where and why the principal
key order matters.)
-Marcus Watts
bad ld.so.cache?
ok, you've run ldconfig. maybe not...
prelinking?
the prelink command has interesting options...
-Marcus Watts
Date: Wed, 24 Aug 2011 21:39:26 PDT
To: 'Marcus Watts' m...@umich.edu
cc: kerberos@mit.edu
From: Allen McWongahey allen...@comcast.net
Subject: RE: Gssapi Questions
Hi Marcus,
Sorry, I should have specified more how I fixed the compile flags which
caused gcc
Date: Thu, 25 Aug 2011 15:34:30 PDT
To: 'Marcus Watts' m...@umich.edu
cc: kerberos@mit.edu
From: Allen McWongahey allen...@comcast.net
Subject: RE: Gssapi Questions
Hi Marcus,
Thanks very much. I have the Kerberos 5 package now compiling properly for
my cross-target
will
*definitely*
produce the wrong answer. For your cross-compile environment, you may want to
do something about that.
-Marcus Watts
Date: Wed, 24 Aug 2011 12:03:24 PDT
To: 'Marcus Watts' m...@umich.edu
cc: kerberos@mit.edu
From: Allen McWongahey allen...@comcast.net
Subject: RE: Gssapi Questions
Hi Marcus,
Thanks very much. This definitely got me further and I removed all the
changes I made
appears to have a leading space on the kerberos
principal name. Of course, that could be just the result of reformatting
via your mail client. Generally speaking, control characters including
backspace could result in invisible text in your principal name.
-Marcus
costs, with little if any real decrease in security.
I think there's still a build time issue to obscure useful information
if you still believe it has security value for your environment.
-Marcus Watts
).
-Marcus Watts
. If the license is acceptable
and you can dig the code out and make it useable
in your environment, this might be sufficient for you.
-Marcus Watts
: most passwords. unexpired tickets and session keys.
encrypted kdb contents.
What is not safe: admin passwords. service keys. master key.
unencrypted contents of kdb.
-Marcus Watts
; it was fixed in 1.7.1 and 1.8.
... and here's a previous message I posted to this list which
is unobviously relevant here:
http://www.mail-archive.com/kerberos@mit.edu/msg15880.html
-Marcus Watts
-cbc-md5
des-hmac-sha1
des3-cbc-sha1
rc4-hmac
rc4-hmac-exp
aes128-cts
aes256-cts
salt
normal
v4
norealm
onlyrealm
special
afs3
- Marcus Watts
Date: Thu, 03 Jun 2010 16:21:43 EDT
To: Marcus Watts m...@umich.edu
cc: kerberos@mit.edu kerberos@mit.edu
From: Tom Yu t...@mit.edu
Subject: Re: kadmin.local ank -randkey ignores kdc.conf's
default_principal_flags?
Marcus Watts m...@umich.edu writes:
Date
auth_to_local
-Marcus Watts
they'll feel mostly comfortable when you say
that the *Winblows* Server OS choice is cheaper and easier to deploy.
This might not be what you want them to hear.
-Marcus Watts
to the cisco must not have any non-des key
types in the kdc.
-Marcus Watts
, formats
the name differently, only uses one byte for the kvno, and lacks the
creation timestamp, encryption type, and key length.
...
-Marcus Watts
of the object code. Not the source. If you're curious, read,
http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf
There's additional interesting info there as well, and pointers to more.
Marcus Watts
is to fall back to the old
case.
Obviously this was for 1.6.3, but it might apply to 1.7.
-Marcus Watts
not be simple.
-Marcus Watts
of the necessary
functions. So, that approach is feasible, albeit messy.
-Marcus Watts
Date: Tue, 19 May 2009 12:03:59 PDT
To: kerberos@mit.edu
From: Russ Allbery r...@stanford.edu
Subject: Re: NIS = Kerberos/LDAP Migration
Marcus Watts m...@umich.edu writes:
I'm not sure I understand why
Authen::Krb5::Admin
http://search.cpan.org/~korty/Authen-Krb5
ordinary circumstances.
My recollection is that you need to restart kadmind before changes in
the acl file are recognized - past that, I would hate to speculate just
what is going on in your setup.
-Marcus Watts
not describe
actual practice, particularly for software. The 3rd describes the actual
experience of one open source project. The 2nd and 3rd have pointers to
additional resources. You can find lots more with google.
-Marcus Watts
.
-Marcus Watts
, Joshua
Besides preauth (which you need to detect failures),
you need to rebuild krb5kdc with
--with-kdc-kdb-update
I don't know how well tested that code is.
It may also have performance constraints in a very large environment.
-Marcus Watts
administrator or local linux expert may be able to provide
more help. Like I said, this isn't kerberos specific.
-Marcus Watts
be changed by reading a later
configuration file (including the same one twice).
-Marcus Watts
.
We didn't go with that for various reasons, but maybe it
can meet your needs.
-Marcus Watts
, but substantially the same
code (and presumably the same behavior) was still there as of 1.6.1.
-Marcus Watts
You wrote:
...
Key: vno 5, DES cbc mode with CRC-32, AFS version 3
...
^
Have you tried using other salt types?
-Marcus Watts
of an existing open source kadm5 library for java? It turns out folks
here are interested in such a beast, so if it doesn't exist, we may
end up creating one. It would be nice to avoid recreating the wheel...
-Marcus Watts
.
-Marcus Watts
).
-Marcus Watts
Date: Mon, 13 Aug 2007 12:01:13 PDT
To: Marcus Watts [EMAIL PROTECTED]
cc: kerberos@mit.edu, [EMAIL PROTECTED]
From: Gopal Paliwal [EMAIL PROTECTED]
Subject: Re: preauth mechanism functioning at the client-side
thanks for suggestions for using negative number.
It seems
Writes Gopal Paliwal [EMAIL PROTECTED]:
Date: Wed, 18 Jul 2007 16:15:00 PDT
To: Marcus Watts [EMAIL PROTECTED], kerberos@mit.edu
From: Gopal Paliwal [EMAIL PROTECTED]
Subject: Re: Preauth mechanism provision in MIT kerberos
Hi,
The solution you guys provided help me.
Though I
set, the keytab isn't useable by principals that
for some reason did not authenticate using preauth.
-Marcus Watts
types. This will complicate things.
Also, of course, demopwkt isn't a kerberos administrator (not in kadm5.acl)
so has very limited rights. And, of course, you don't need to do this.
-Marcus Watts
support may include
the ability to use either k5 or x509. Some versions of openssh also
include special handling for afs tickets.
-Marcus Watts
This is used for the password-changing service, but unfortunately the
RPC code used for the kadmin program still looks up admin_server, and
uses the first IP address found when looking up that hostname. No
DNS, one hostname, one address, no service-location plugin support,
no IPv6.
.
Interesting obscure factoid:
If your dns information lacks a _kerberos-master record (and you don't
have a krb5.conf that specifies a master_kdc for your realm), MIT library
code won't prompt to change the password for principals with expired passwords.
-Marcus Watts
.
-Marcus Watts
directly, but I don't
know if you have something that depends on being able to create
such names. So beware: for much of kerberos, uc != lc.
-Marcus Watts
explain things like this adequately, you should let
your vendor know where and how the documentation can be improved.
-Marcus Watts
scotty adams [EMAIL PROTECTED] writes:
hi,
after i modified the principal using modprinc -requires_preauth
kinit scotty
kinit: Password incorrect
Why!!!
I don't know. Could be lots and lots of things. For instance:
/1/ password *is* incorrect.
/2/ operator error --
and does work.
tcpdump (or on solaris 9, snoop) can be used to capture
network traffic with overlapping diagnostic capabilities to gdb or
strace.
-Marcus Watts
-Marcus Watts
as an I-D, per item 19 in the FAQ at
http://www.rfc-editor.org/rfcfaq.html
Your deadline of 2007-04-01 is coming up. You should probably hurry
if you want this to be accepted.
;-)
-Marcus Watts
is UMICH.EDU
[2] same usage as yours
[3] same error as yours
[4] different usage. realm matters.
[5] success
-Marcus Watts
wrapped around bits of ipv6 code. If you get
something that compiles (or better yet runs) you should probably
submit it as a patch to the MIT folks.
-Marcus Watts
John Hascall [EMAIL PROTECTED] writes:
Given the KDB entry:
kadmin: getprinc host/cerberus.ait.iastate.edu
Principal: host/[EMAIL PROTECTED]
...
Number of keys: 1
Key: vno 6, DES cbc mode with CRC-32, no salt
and the request:
Oct 11 11:24:26
[EMAIL PROTECTED] writes:
Subject: RE: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3
Date: Mon, 18 Sep 2006 21:01:12 -0500
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: kerberos@mit.edu
Believe it or not; both solutions seem to work and
Tom Simons [EMAIL PROTECTED] writes:
I'm trying to get a keytab with des-cbc-md5 encryption (no salt) from our
kerberos 1.5 realm for a CyberSafe client. How do I specify the ktadmin
ktadd command's -e keysaltlist parameter? I tried variations on ktadd -k
filename -e ENCTYPE_DES_CBC_MD5:NONE,
lizhong [EMAIL PROTECTED] writes:
this
effect; you may not have any tools in the linux world that can do this
with AD directly.
-Marcus Watts
be sending both an AS-REQ and a
TGS-REQ over the same socket at the same time in the first place?
-Marcus Watts
...
-Marcus Watts
Richard E. Silverman [EMAIL PROTECTED] writes:
...
Check the key version number:
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
14 host/[EMAIL PROTECTED]
$ kvno host/[EMAIL
::krb5_free_context();
but that won't buy you anything unless you edit Krb5.xs and
add a context = 0 after the krb5_free_context call.
-Marcus Watts
can have more than one
krb5 context accessible from perl at the same time.
-Marcus Watts
NOT be used in principal
or realm names. There are additional constraints on realm names;
the use of : or / in the realm indicates special behavior.
-Marcus Watts
stuff, and other
kerberos specific stuff. This will not be a trivial effort.
-Marcus Watts
enough information to eliminate any of
these possible fixes -- or even enough information for
anybody to give you good directions on how to do any of these.
-Marcus Watts
From: Russ Allbery [EMAIL PROTECTED]
Subject: Re: Presence/absence of the keytab
Date: Fri, 05 May 2006 22:52:19 -0700
Organization: The Eyrie
Message-ID: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
To: kerberos@MIT.EDU
Marcus Watts [EMAIL PROTECTED] writes:
Or it could be using
, but there is a debug option
that will cause it to log helpful text when various errors occur,
including no keytab.
-Marcus Watts
the keyblock.
(as per above the inline kvno was an 8 bit quantity).
...
-Marcus Watts
name-type
* }
* xxx 4timestamp
* xxx 1vno
* {
* 0 2 keytype
* 2 2 keylen
* 4 keylen keydata
* }
* POSSIBLE if length left {
* xxx 4vno
* }
*/
-Marcus Watts
Various wrote:
Message-ID: [EMAIL PROTECTED]
From: Jeffrey Altman [EMAIL PROTECTED]
Subject: Re: keytab file format - exporting arcfour keys from active directory
Date: Mon, 01 May 2006 23:08:32 GMT
Organization: Road Runner High Speed Online http://www.rr.com
To: kerberos@mit.edu
Michael
.
-Marcus Watts
UM ITCS Umich Systems Group
(somewhat misnamed) which can
be used for key negotiation or strengthen the initial key exchange.
There are plenty of basic ways to misuse and compromise kerberos,
starting with the obvious: ask for a kerberos password using an html
form.
-Marcus Watts
in MIT k5.
This is almost certainly not what you want to do in this case,
but if you had a real database which you had somehow neglected
to back up, you might find it was worth the pain.
Tell Bob Beck I said hi, if you want.
-Marcus Watts
(and
remove pw1array also).
For future reference, it is probably useful to identify what version
file you're talking about, when you post code frags like this.
-Marcus Watts
UM ITCS Umich Systems Group
for users in the default realm.
-Marcus Watts
UM ITCS Umich Systems Group
?).
-Marcus Watts
UM ITCS Umich Systems Group
this may be acceptable. To be truly
effective, you'd also need routers elsewhere that prevent people from
forging your trusted IP addresses.
-Marcus Watts
UM ITCS Umich Systems Group
level make all can be done.
-Marcus Watts
UM ITCS Umich Systems Group
are
solved (in a new port), compiler problems typically show up in:
large packages, in obscure corners.
in the optimizer
in code that deals with cryptography, where any
compiler error breaks the math.
-Marcus Watts
also require a particular version of K5. I believe K5 1.0.6
is pretty old now, and 1.2 has significant improvements. If your
version of ssh uses openssl, for instance, you are very likely going
to need K5 1.2+.
-Marcus Watts
UM ITCS
?
-Marcus Watts
UM ITCS Umich Systems Group
with just what an expired x509
cert means, but you've got that problem already as well as
certification revocation and online vs. offline processing no matter
what solution you do.
-Marcus Watts
UM ITCS Umich Systems Group
.
-Marcus Watts
UM ITCS Umich Systems Group
system to get some more specific detail on *why* sshd won't
load your shared library. There ain't no mind readers here on the list.
-Marcus Watts
UM ITCS Umich Systems Group
the same functionality...) (There are some ugly things
about openssl libcrypto.a -- maybe a 3rd opencrypto library both
could use?)
-Marcus Watts
UM ITCS Umich Systems Group
interesting
experiment using elliptic key cryptography, so I'm sure there are
reasonable solutions, though I'm not sure I found one.
There is of course also, today, in existence, one commercial k5
implementation which supports 128 bit keys -- MS.
-Marcus
types for the principal in the db.
[ Looks to me like lib/krb5/krb/preauth2.c didn't contain
logic to handle KRB5_PADATA_ETYPE_INFO in krb5-current
of 19990817. ]
-Marcus Watts
UM ITCS Umich Systems Group
Index
.)
-Marcus Watts
UM ITCS Umich Systems Group