Rocksolid Light



computers / comp.protocols.kerberos / latest

Re: Kerberos through loadbalancer

comp.protocols.kerberos

Posted: 2 Days 22 Hours ago by: Russ Allbery

Two things to check: First, how did you put the service key for ldap/ldap.example.net onto each host? If you used ktadd via kadmin, you alas did not do that. Each time you downloaded the keytab entry, ktadd randomized the key again, s

Re: Kerberos through loadbalancer

comp.protocols.kerberos

Posted: 3 Days 6 Hours ago by: Stefan Kania

Here are the messages we get using ldapsearch on one of the consumers: ldapsearch -H ldaps://ldap.example.net SAS

Kerberos through loadbalancer

comp.protocols.kerberos

Posted: 3 Days 7 Hours ago by: Stefan Kania

Hi to all, we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are securing the replication via Kerberos, everyth

Re: Installing SAP on Linux snckrb5.so unable to compile.

comp.protocols.kerberos

Posted: 5 Days 1 Hour ago by: Andrés_Sandoval

Hi nitins, Can you tell me how you compiled?

Re: Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

comp.protocols.kerberos

Posted: 7 Days 9 Hours ago by: Andrej Mikus

That was it. In a different place and with different filename /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so but setting SSSD_KRB5_LOCATOR_DISABLE works! Thanks a lot for the hint. Andrej

[CFP - Late Track Opened] EAI SecureComm 2022: CALL FOR PAPERS

comp.protocols.kerberos

Posted: 7 Days 11 Hours ago by: Steins H

[Please accept our apologies if you receive multiple copies] Late Track is open and the full paper submission deadline is now Jun. 26!

[CFP - Late Track Opened] EAI SecureComm 2022: CALL FOR PAPERS

comp.protocols.kerberos

Posted: 7 Days 11 Hours ago by: He Keiyou

[Please accept our apologies if you receive multiple copies] Late Track is open and the full paper submission deadline is now Jun. 26!

Re: Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

comp.protocols.kerberos

Posted: 9 Days 2 Hours ago by: John Devitofrancesch

Is there an sssd_krb5_locator_plugin getting in the way? Check under /usr/lib/krb5/plugins/libkrb5. jd

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 18 Hours ago by: Russ Allbery

Yes, you can intercept it inside pam_krb5. It's really ugly from a pam-krb5 architecture perspective, though, so I'm not sure I'd want to incorporate that upstream. I feel like we went through a very similar problem with the use_pkinit

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 18 Hours ago by: BuzzSaw Code

But that prompt is a callback to the prompter routine in pam_krb5 passed in so I could bypass that prompt by just force feeding the "password" into the response structure right?

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 18 Hours ago by: Russ Allbery

Oh, I think this was the bit that I was missing. I was for some reason assuming that the Kerberos library itself understood that part of the thing passed in as a "password" was actually an OTP value and the other part was a password, bu

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 19 Hours ago by: Greg Hudson

I will try to explain again. The Kerberos protocol was designed to be somewhat resistant to phishing. If I set up a rogue KDC and somehow convince clients to authenticate, the clients do not simply send me their passwords. This resista

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 20 Hours ago by: BuzzSaw Code

Same - I started walking through the code but haven't tracked down the point where it tosses the original creds. Me either - haven't been able to fully grasp the flow.

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 20 Hours ago by: Russ Allbery

Ah, okay, so then in theory the problem could be solved entirely within the Kerberos libraries, although I haven't wrapped my mind around the problem Greg identified. I'm assuming this is because the Kerberos library doesn't think that

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 20 Hours ago by: BuzzSaw Code

We want the full OTP+password string just passed without modification. It would also be nice if when we use try_first_pass/use_first_pass/force_first_pass options with pam_krb5 that it actually did that in the OTP case without the extra

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 21 Hours ago by: Russ Allbery

What behavior do you expect here? For the full OTP+password string to be carried over to other modules in the stack, or only the password? If the latter, I believe this inherently requires that the pam_krb5 module know to disassemble t

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 21 Hours ago by: BuzzSaw Code

I guess I'm missing the security issue if I'm asking it to send the credentials originally supplied in that FAST channel. We're using anonymous FAST so I didn't expect (or want) it to send those outside that channel. pam_krb5 could work

Re: Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 22 Hours ago by: Greg Hudson

[...] This is by design. The basic Kerberos protocol does not reveal the password to the KDC, but FAST OTP does reveal the OTP value (encrypted within the FAST channel). So for libkrb5 to transparently send the password to the KDC when

Always prompting for OTP

comp.protocols.kerberos

Posted: 12 Days 23 Hours ago by: BuzzSaw Code

I'm trying to understand if the behavior I'm seeing is by design or a bug. Using the 1.19.3 release along with Russ Allbery's pam_krb5, no matter what options are set for pam_krb5, when using one of our accounts set up for RadiusOverOTP, t

Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

comp.protocols.kerberos

Posted: 13 Days 20 Hours ago by: Andrej Mikus

Hi, I would like to request comment/suggestion for a problem that resembles https://stackoverflow.com/questions/33132768/kerberos-still-using-default-etc-krb5-conf-file-even-after-setting-krb5-config As a linux user, I am trying to access

Re: Creating a principal using the kadmin C API

comp.protocols.kerberos

Posted: 14 Days 1 Hour ago by: Teo Klestrup Röijez


remctl 3.18 released

comp.protocols.kerberos

Posted: 14 Days 10 Hours ago by: Russ Allbery

I'm pleased to announce release 3.18 of remctl. remctl is a client/server application that supports remote execution of specific commands, using Kerberos GSS-API for authentication. Authorization is controlled by a configuration file and

Re: Creating a principal using the kadmin C API

comp.protocols.kerberos

Posted: 16 Days 9 Hours ago by: Greg Hudson

Many apologies; this got filed into my spam folder and I only just found it. On 4/11/22 11:09, Teo Klestrup Röijezon wrote: [...] I think this is a bug; the init functions and kadm5_get_config_params() should use the profile object from

Re: windows and smartcards

comp.protocols.kerberos

Posted: 18 Days ago by: Ken Hornstein

Here's my limited, imperfect understanding of the situation. - My understanding is that the Kerberos implementation supplied by Microsoft does implement PKINIT and works with smartcards. But I am not sure if you can use it OUTSIDE of

Re: windows and smartcards

comp.protocols.kerberos

Posted: 18 Days 10 Hours ago by: Prabin Tamang

- For Windows: there are other tools such as Heimdal and Microsoft Kerberos. With those I don't know if you ever played around with them or know if they support smartcard and PIN authentication to get a ticket manually. Manually meaning,

Re: windows and smartcards

comp.protocols.kerberos

Posted: 18 Days 13 Hours ago by: Ken Hornstein

Unfortunately, no (at least, not on Windows). We compile our own Kerberos kit for Windows, which has the changes in it to build the PKINIT plugin. Actually, I believe it's worse than that; from memory I believe we have a separate PKINIT

Re: windows and smartcards

comp.protocols.kerberos

Posted: 18 Days 14 Hours ago by: Prabin Tamang

Hi, for more information on this: "- People I work with have adapted the stock MIT Kerberos PKINIT plugin to work on Windows." Do you have any sort of documentation that you can point me to on how to make this work with Windows? And also

Re: windows and smartcards

comp.protocols.kerberos

Posted: 18 Days 15 Hours ago by: Ken Hornstein

- Current stock MIT Kerberos for Windows does not support pkinit (that's what you need to use Smartcards). - People I work with have adapted the stock MIT Kerberos PKINIT plugin to work on Windows. - We've talked with MIT about cont

windows and smartcards

comp.protocols.kerberos

Posted: 19 Days 21 Hours ago by: Prabin Tamang

Hi, I was wondering if the question listed in the link below was ever answered and if not, I was hoping you could provide please. https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

29 recent articles found.
