OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather than implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages for all parties.
The OpenSSH sshd needs to do two things:
(1) set a PAG in the kernel,
(2) obtain an AFS token and store it in the kernel.
It can use the Kerberos credentials either obtained via GSSAPI
delegation, PAM or other kerberos login code in the sshd.
The above two actions can be accomplished by a separate process,
which can be forked and exec'd by the sshd and passed an environment
which may have KRB5CCNAME pointing at the Kerberos ticket cache.
Other parameters ...
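The hand-off proposed above (sshd forks a helper and passes it an environment carrying KRB5CCNAME) has one detail worth getting right: the helper must not inherit sshd's whole environment, and the cache name it receives must be sane before anything privileged opens it. The following is an added example, not OpenSSH or OpenAFS code; the helper path, the pass-through variable list and the fixed PATH are assumptions, and the helper itself (which would call k_setpag() and obtain the token) is not implemented here.

```python
"""Minimal model of the sshd -> AFS-token-helper hand-off.

Added example, not OpenSSH code. The helper path, PASSTHROUGH list and
fixed PATH are assumptions; a real helper would setpag() and fetch the
AFS token from the credentials named by KRB5CCNAME.
"""
import os
import re
import subprocess

# Only these variables reach the helper; everything else in sshd's
# environment (LD_PRELOAD, a user-controlled PATH, ...) is dropped.
PASSTHROUGH = ("KRB5CCNAME", "USER", "HOME")

# Accept only cache types that name an absolute filesystem path and
# contain no whitespace or shell metacharacters. Ownership of the file
# is enforced by running the helper as the target user, not by this regex.
_CCNAME_RE = re.compile(r"^(FILE|DIR):/[A-Za-z0-9_./-]+$")


def helper_env(parent_env):
    """Build the environment handed to the AFS token helper.

    Raises ValueError if KRB5CCNAME is present but malformed, so sshd can
    log the event instead of launching the helper with a bad cache name.
    """
    env = {k: parent_env[k] for k in PASSTHROUGH if k in parent_env}
    cc = env.get("KRB5CCNAME")
    if cc is not None and not _CCNAME_RE.match(cc):
        raise ValueError("refusing unsafe KRB5CCNAME: %r" % cc)
    env["PATH"] = "/usr/bin:/bin"  # fixed, never inherited from the login
    return env


def run_afs_helper(helper, parent_env, uid=None, gid=None):
    """Fork/exec the helper with the filtered environment.

    When uid/gid are given (sshd is root at this point), privileges are
    dropped in the child before exec so the helper opens the ticket cache
    as the logged-in user. Returns the helper's exit status; a failure
    should be logged but need not abort the login.
    """
    def drop_privs():
        if uid is not None:
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)

    done = subprocess.run([helper], env=helper_env(parent_env),
                          preexec_fn=drop_privs, stdin=subprocess.DEVNULL)
    return done.returncode


if __name__ == "__main__":
    # Hypothetical helper path; /bin/true stands in so the demo runs anywhere.
    login_env = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_XXXXXX",  # constructed
                 "USER": "alice", "LD_PRELOAD": "/tmp/evil.so"}
    print(helper_env(login_env))
    print("helper exit status:", run_afs_helper("/bin/true", login_env))
```

The parent never passes user-chosen variables other than the three listed, and the cache name check runs in the parent, before the fork, so a rejected login leaves no helper process behind.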
replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all,
Since we are migrating from Debian to RedHat, we are considering
replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT
Kerberos server (again with LDAP back-end) since RedHat packages are only
available for MIT Kerberos. In order to make this migration/upgrade as
transparent as possible for our users, we want to convert all the
necessary info in the Heimdal back-end to the MIT back-end. Are there
any pointers available for this kind of operation? E.g. things like
conversion tables mapping the corresponding Kerberos-specific LDAP
attributes? Or even scripts?...
MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone.
We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
properly, however.
If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Sola...
FW: MIT Kerberos and Solaris 10 Kerberos
Sorry, I accidentally sent this reply just to Wyllys. In the interest of
keeping the thread complete, I'll put it to the list as well.
R
> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> MIT uses a slightly different RPC protocol. This is not a new
> issue, its been a problem ever since we introduced SEAM.
>
> The solution is that if your KDC is MIT, then you must use the MIT
> 'kadmin' client to manage it.
OK, thanks. So, I'll have to keep the MIT binaries around as well...
Rainer
________________________________________________
K...
Replacing the system Kerberos with MIT Kerberos (from ports)
Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD
base system with the MIT Kerberos libraries installed from the security/krb5
port? I know about the KRB5_HOME make option. I'm concerned about other
"Kerberized" applications not working properly because they use the wrong client
libraries, hence my desire to completely replace Heimdal with MIT Kerberos.
The Heimdal Kerberos libraries shipped with the FreeBSD base system don't
support TCP, so when a KDC replies to a client request with a response larger
than the maximum UDP packet size, the Kerberos libraries return an error to the
client instead of switching to TCP (which can handle large responses). I
routinely encounter this problem when integrating FreeBSD servers and
workstations into Windows Active Directory domains, where the KDC responses
include additional authorization data derived from a security principal's group
memberships: Samba's "net ads join" command fails with a "response too big for
UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and
everything else works properly) when linked against MIT Kerberos.
(Note that I'm not willing to debate the semi-standard/non-standard inclusion of
authorization data in a Kerberos ticket's PAC, nor am I willing to argue the
applicability of the aforementioned operating systems to their assigned tasks.)
Best wishes,
Matthew
...
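The failure Matthew describes is the client side of RFC 4120 section 7.2: a KDC whose reply will not fit in a UDP datagram answers with KRB-ERROR error-code 52 (KRB_ERR_RESPONSE_TOO_BIG), and the client is expected to resend the same request over TCP, where each message is prefixed by a 4-byte big-endian length whose high bit must be zero. The example below is added here and is not code from Heimdal, MIT Kerberos, FreeBSD or Samba: it contrasts a UDP-only client, which fails exactly as the post reports, with one that retries over TCP. The in-process "KDC", its 1400-byte UDP limit, the oversized AS-REP stand-in and the stripped-down KRB-ERROR (only pvno, msg-type and error-code; a real one carries more fields) are all constructed for the demo.

```python
"""UDP-first KDC exchange with and without the TCP retry.

Added example, not code from Heimdal, MIT Kerberos or FreeBSD. The FakeKDC,
its UDP limit and the reply sizes are constructed; the KRB-ERROR it emits
carries only the fields this demo needs (RFC 4120 5.9.1 requires more).
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 section 7.5.9
APP_KRB_ERROR = 0x7E            # [APPLICATION 30] constructed
APP_AS_REP = 0x6B               # [APPLICATION 11] constructed
CTX_ERROR_CODE = 0xA6           # [6] error-code inside KRB-ERROR


# --- just enough DER to build and read the messages -----------------------
def der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def krb_error_code(msg):
    """error-code of a KRB-ERROR, or None if msg is some other message."""
    tag, body, _ = tlv(msg)
    if tag != APP_KRB_ERROR:
        return None
    _, seq, _ = tlv(body)
    pos = 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        if tag == CTX_ERROR_CODE:
            return int.from_bytes(tlv(val)[1], "big", signed=True)
    return None


def krb_error(code):
    fields = (der(0xA0, der(0x02, b"\x05"))        # pvno 5
              + der(0xA1, der(0x02, b"\x1e"))      # msg-type 30 (KRB-ERROR)
              + der(CTX_ERROR_CODE, der(0x02, bytes([code]))))
    return der(APP_KRB_ERROR, der(0x30, fields))


def as_rep_stub(size):
    """Constructed stand-in for an AS-REP; only its size matters here."""
    return der(APP_AS_REP, b"A" * size)


# --- a constructed KDC: the reply is a PAC-laden ticket, too big for UDP --
class FakeKDC:
    UDP_MAX = 1400  # constructed limit for the demo

    def __init__(self, reply):
        self.reply = reply

    def udp(self, request):
        if len(self.reply) > self.UDP_MAX:
            return krb_error(KRB_ERR_RESPONSE_TOO_BIG)
        return self.reply

    def tcp(self, request):
        # 4-byte big-endian length prefix, high bit clear (RFC 4120 7.2.2)
        return struct.pack(">I", len(self.reply)) + self.reply


# --- the two client behaviours --------------------------------------------
def exchange_udp_only(kdc, request):
    """What the post reports for Heimdal in FreeBSD base: error, no retry."""
    reply = kdc.udp(request)
    code = krb_error_code(reply)
    if code is not None:
        raise RuntimeError("KDC returned KRB-ERROR %d" % code)
    return reply


def exchange_with_fallback(kdc, request):
    """Retry over TCP when the UDP reply says the response was too big."""
    reply = kdc.udp(request)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        framed = kdc.tcp(request)
        (n,) = struct.unpack(">I", framed[:4])
        if n & 0x80000000 or len(framed) != 4 + n:
            raise RuntimeError("malformed TCP framing")
        return framed[4:], "tcp"
    return reply, "udp"


if __name__ == "__main__":
    kdc = FakeKDC(as_rep_stub(3000))
    try:
        exchange_udp_only(kdc, b"AS-REQ")
    except RuntimeError as e:
        print("udp-only client:", e)
    reply, via = exchange_with_fallback(kdc, b"AS-REQ")
    print("fallback client got %d bytes via %s" % (len(reply), via))
```

On an MIT client the same retry can be skipped entirely by setting `udp_preference_limit = 1` in the `[libdefaults]` section of krb5.conf, which makes the library use TCP from the first attempt; that is the usual workaround on hosts joined to an Active Directory domain.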
RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response.
> > We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
> > and MIT's Kerberos (which we're up to date on). We are starting to look
> > at Solaris 10, and are hoping to move towards Sun's implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
>
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).
I am trying to g...
RE: MIT Kerberos and Solaris 10 Kerberos #6
OK, I think I have fixed the services. I have:
# svcs -v | grep login
online - 13:25:02 35 svc:/system/console-login:default
online - 13:25:11 - svc:/network/login:eklogin
online - 13:25:12 - svc:/network/login:klogin
online - 13:25:12 - svc:/network/login:rlogin
(Just to make sure, those ARE the correct versions? The ones I removed
looked like:
# svcadm disable svc:/network/klogin/tcp:default
# svcadm disable svc:/network/eklogin/tcp:default
The first entry in the svcs listing is, I assume, ...
RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially
using our MIT Kerberos build (i.e. the same as we use on all of the
Solaris 8 machines). I am now trying to get it to work with the Solaris
10 SEAM.
One problem I see immediately (refreshing my memory with a couple quick
tests) is that, when using the Sol10 SEAM to install the keytab, I
immediately get:
# kadmin -p rheilke/admin
Authenticating as principal rheilke/admin@ATCOTEST.CA with password.
Password for rheilke/admin@ATCOTEST.CA:
kadmin: ktadd host/salty.atcotest.ca
kadmin: Communication failure with server while chan...
RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline...
> In Solaris 10, all of the Kerberos services are already bundled,
> there is no longer any external packages that need to be added.
Right.
> Whoever told you 'ksu' was part of the encryption kit was mistaken,
> ksu has never been part of SEAM.
OK, thanks for that clarification. It was a bit of a surprise to me when
I was told it was there. So, does the Solaris 10 SEAM have any
functionality similar to ksu, or just the standard su command?
> The encryption kit for Solaris 10 enhances the overall crypto
> capabilities ...
RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be compatible with the
> > Sol8/MIT systems (which is everything but the one Sol10 box)?
>
> If you are using MIT Kerberos on the Solaris 8 systems (including
> pam_krb5 made for MIT, not the one that comes with SEAM), then
> you should not worry about the enctypes because MIT already
> supports all of the enctypes that S10 supports.
>
> The only time you need to worry about enctypes is when you
> are using pre-S10 systems with SEAM apps. IN that situation,
> ONLY the pre-solaris 10 systems need ...
RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4.
Rainer
> -----Original Message-----
> From: Tom Yu [mailto:tlyu@mit.edu]
> Sent: Tuesday, January 11, 2005 11:12 AM
> To: Wyllys Ingersoll
> Cc: Heilke, Rainer; kerberos@mit.edu
> Subject: Re: MIT Kerberos and Solaris 10 Kerberos
>
>
> >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll@sun.com> writes:
>
> Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> Wyllys> MIT uses a slightly different RPC protocol.
>
> [...]
>
>...
A Query on MIT Kerberos code base and latest RFC on Kerberos ?
Hi All,
I have a small query regarding MIT Kerberos and it would be kind if anyone could address it.
I wanted to know whether the latest RFC's:
RFC 4120 - The Kerberos Network Authentication Service (V5)
RFC 4121 - The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
...are already a part of the MIT Kerberos code base, or are they scheduled to become part of the MIT code base? If so, what will be the rough time frame?
Thanks n regards,
Prashant
Important Notice Regarding Kerberos 4 Support in MIT Kerberos
This comes from a message distributed to another list but I thought it
might be useful here too.
On January 27th of this year, the MIT Kerberos Development team
announced plans to phase out support for Kerberos 4 in MIT Kerberos,
including v4 support in Kerberos for Macintosh and Kerberos for Windows.
We strongly recommend that all sites currently using Kerberos 4 migrate
their services and users to Kerberos 5 as soon as possible.
The MIT Kerberos team is making substantial changes to the client-side
initial ticket acquisition support in the next release of Kerberos.
These changes will im...
MIT Kerberos and Heimdal
Can anyone tell me what are the differences between MIT Kerberos and Heimdal Kerberos?
thanks a lot
Amir Saad
Software Engineer
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Wed, 2005-12-28 at 15:25 +0200, Amir Saad wrote:
> can anyone tell me what are the differences between MIT kerberos and Heimdal kerberos?
Do you mean the political and social differences, or the technical
differences?
Fredrik Tolf
Heimdal or MIT kerberos
Hi,
I'm not sure which Kerberos I should use. Heimdal is a
thread-safe implementation, while MIT's Kerberos is not.
Please correct me if I'm wrong, but it appears that more
applications support MIT Kerberos than Heimdal.
I basically want to use Kerberos as an SSO server and allow various
internet/network services to securely authenticate users.
Applications I would like to be kerberized are samba, apache, email (ldap)...
So which Kerberos should be used to avoid future difficulty of
integration with the above applications?
thanks
sam
On Mon, 04 Oct 2004 10:55:49 +...
RE: MIT Kerberos and Solaris 10 Kerberos
Wohoo!
I read the man page for rlogin, and it is both the old rlogin, and the
new (or something like that). Seems that you just have to give it the
correct switches, and it Kerberizes the command. So, I did:
rlogin -AF <sol8server>
and it works!
Thank you to Wyllys for all of your help.
Now I'm going to try installing from scratch, and make sure I do the
build properly.
One question left for Wyllys before I do, though. Since ksu doesn't
exist in the Solaris SEAM product, is our only option su?
Rainer
RE: MIT Kerberos and Solaris 10 Kerberos
<laugh> Yup, I learned (the hard way!) to always stay logged in to a
console session as root.
R
> Make sure you have a root window open before testing PAM. I
> stumbled on
> this when I tried to su and my test pam exit failed!
...
RE: MIT Kerberos and Solaris 10 Kerberos
> possibly 'su' with pam_krb5 for the authentication. Its not quite
> the same as 'ksu', though.
Douglas says the same. The su man page indicates something about this,
but not a lot of details there. I'll look into this further. As far as a
co-worker is concerned (and in our environment, I can see his point),
this would be a show stopper. We use ksu for all sorts of things,
including giving DBA's access to Oracle ID's.
Thanks again for all of the help. I'll go through the su and pam.conf
man pages, and see if I can figure it out.
Rainer
FTP and Kerberos
Hi,
I get the following Kerberos related error
when I do FTP from another machine (redhat 9.0)
to my machine (redhat 9.0).
How do I solve this problem?
Do I need to start/stop some daemons?
Here is what happens when I do FTP:
Connected to 107.108.89.173.
220 localhost.localdomain FTP server (Version 5.60)
ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: in...
migration from Kerberos 4 to Kerberos 5
Hello,
I have a few questions about migration to a new Kerberos version. In
fact, the goal is to migrate a network with Kerberos 4 to Kerberos
5 (under Linux):
1) Do I have to reinstall Kerberos from scratch or are there
packages that allow updating the version?
2) What about the users that I created, are they still valid or will
user information be lost? Part of the network already uses an LDAP
directory; I suppose this will not be a problem for this part, but
in general, how can I migrate my user accounts to the new version?
3) What about the clients, do I have to re-install th...
MIT Kerberos KDC & W2K Client: Changing expired password issue
Hi,
I also experienced the same problem as William
G.Zereneh
(http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html).
I'm able to change the password using ctrl-alt-del,
but when the password is expired and windows asks me
to change the password, I encountered "Domain
MIT.REALM.COM is not available" error.
As I sniffed the packets, I noticed that it sent a CLDAP
query message with filter: (&(DnsDomain =
MIT.REALM.COM)(Host = myhostname)(NtVer=\006)
which returned NULL from my
_ldap._tcp.dc._msdcs.REALM.MIT.COM
How to resolve this problem ? maybe there's a missin...
Kerberos?
Who's using Kerberos authentication? Any pointers to procedure
or documentation will be appreciated!
Hi James,
Not Me!
But have a look at Doc 317141. That explains it in some more detail
than the normal manual.
Martin Bowes
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
> _______________________________________________
> Info-ingres mailing list
> Info-ingres@cariboulake.com
> http://mailman.cariboulake.com/mailman/listinfo.py/info-ingres
>
James Latimer wrote:
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
me neither, but this Chapter 13 may be of use:
http://downloads.ingres.com/download/connect.pdf
...
kerberos
Hi,
I have kerberos server setup, and it works fine with
iseries navigator, I have to create a AS400 object now
using Java and kerberos ticket, has any one done it
successfully, does anyone have any code sample
"polilop" <fmatosicSKINI@inet.hr> burped up warm pablum in
news:fr3i5a$sn6$1@ss408.t-com.hr:
> Hi
> I have kerberos server setup, and it works fine with
> iseries navigator, I have to create a AS400 object now
> using Java and kerberos ticket, has any one done it
> successfully, does anyone have any code sample
You should read: http://publib.boulder...