Can it be done at all? Or am I just confused (not impossible)?
My current code uses the MIT Kerberos source code and talks directly
to the Kerberos servers in question (multiple domains) and while that
works I figured I'd have a look and see if I could do it using Sun's
own interfaces - which is the GSSAPI stuff...
I've Googled around a bit but I've failed to find something that
fits my needs right away. And I've tried reading the documentation.
Think: Modem pool server that talks (sends usernames and passwords) to
a RADIUS server which then somehow should give an OK or REFUSE a user
logging in. And that modem pool server sends the username and password
in cleartext...
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
Peter, 3/2/2006 4:35:03 PM
Peter Eriksson wrote:
> Can it be done at all? Or am I just confused (not impossible)?
The Kerberos V5 GSS mechanism doesn't take clear text passwords.
It assumes you've done a kinit, or its equivalent, or set up your
creds in the krb5.keytab file.
>
> My current code uses the MIT Kerberos source code and talks directly
> to the Kerberos servers in question (multiple domains) and while that
> works I figured I'd have a look and see if I could do it using Sun's
> own interfaces - which is the GSSAPI stuff...
>
> I've Googled around a bit but I've failed to find something that
> fits my needs right away. And I've tried reading the documentation.
>
> Think: Modem pool server that talks (sends usernames and passwords) to
> a RADIUS server which then somehow should give an OK or REFUSE a user
> logging in. And that modem pool server sends the username and password
> in cleartext...
So do you want to send a password to your modem pool server, and
have it then send it to RADIUS for authentication? If so, what
do you need Kerberos for?
>
> - Peter
>
> --
> Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
> Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
> Physics Department, Linköping University Room: Building F, F203
Mike, 3/5/2006 5:49:42 AM
"Mike Eisler" <spamisevi1@yahoo.com> writes:
>So do you want to send a password to your modem pool server, and
>have it then send it to RADIUS for authentication? If so, what
>do you need Kerberos for?
The RADIUS server talks to the Kerberos server(s) to validate that
password... I.e., the RADIUS server itself has no own knowledge of the
usernames/passwords.
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
Peter, 3/6/2006 9:19:58 AM
Peter Eriksson wrote:
> "Mike Eisler" <spamisevi1@yahoo.com> writes:
>
> >So do you want to send a password to your modem pool server, and
> >have it then send it to RADIUS for authentication? If so, what
> >do you need Kerberos for?
>
> The RADIUS server talks to the Kerberos server(s) to validate that
> password... I.e., the RADIUS server itself has no own knowledge of the
> usernames/passwords.
OK. You can't use Kerberos V5 to authenticate users to RADIUS because
RADIUS wants passwords, and Kerberos V5 wants service tickets.
Mike, 3/6/2006 9:46:15 PM
"Mike Eisler" <spamisevi1@yahoo.com> writes:
>Peter Eriksson wrote:
>> "Mike Eisler" <spamisevi1@yahoo.com> writes:
>>
>> >So do you want to send a password to your modem pool server, and
>> >have it then send it to RADIUS for authentication? If so, what
>> >do you need Kerberos for?
>>
>> The RADIUS server talks to the Kerberos server(s) to validate that
>> password... I.e., the RADIUS server itself has no own knowledge of the
>> usernames/passwords.
>OK. You can't use Kerberos V5 to authenticate users to RADIUS because
>RADIUS wants passwords, and Kerberos V5 wants service tickets.
Eh? I can't? That's pretty big news for me and my RADIUS server that has
been happily doing just that for half a year or so now...
The RADIUS server contains a function that is called with the username
and cleartext password that then basically does this (abbreviated):
#include <krb5.h>

int
validate_user_krb5(char *username, char *password)
{
    krb5_context context;
    krb5_principal princ;
    krb5_creds creds;
    krb5_get_init_creds_opt opts;
    krb5_error_code rv;

    rv = krb5_init_context(&context);
    if (rv) return rv;
    rv = krb5_parse_name(context, username, &princ);
    if (rv) { krb5_free_context(context); return rv; }
    krb5_get_init_creds_opt_init(&opts);
    krb5_get_init_creds_opt_set_tkt_life(&opts, 60);
    krb5_get_init_creds_opt_set_renew_life(&opts, 0);
    krb5_get_init_creds_opt_set_forwardable(&opts, 0);
    krb5_get_init_creds_opt_set_proxiable(&opts, 0);
    /* 0 means the KDC accepted the password and issued a TGT */
    rv = krb5_get_init_creds_password(context, &creds, princ, password,
                                      NULL, NULL, 0, NULL, &opts);
    if (rv == 0)
        krb5_free_cred_contents(context, &creds);
    krb5_free_principal(context, princ);
    krb5_free_context(context);
    return rv;
}
But since Solaris doesn't ship with the Kerberos V5 header files and libraries
I have to build and link this code against the stock MIT Kerberos instead
of Sun's own Kerberos code.
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
Peter, 3/7/2006 1:33:06 PM
Peter Eriksson wrote:
> "Mike Eisler" <spamisevi1@yahoo.com> writes:
>
>
> >Peter Eriksson wrote:
> >> "Mike Eisler" <spamisevi1@yahoo.com> writes:
> >>
> >> >So do you want to send a password to your modem pool server, and
> >> >have it then send it to RADIUS for authentication? If so, what
> >> >do you need Kerberos for?
> >>
> >> The RADIUS server talks to the Kerberos server(s) to validate that
> >> password... I.e., the RADIUS server itself has no own knowledge of the
> >> usernames/passwords.
>
> >OK. You can't use Kerberos V5 to authenticate users to RADIUS because
> >RADIUS wants passwords, and Kerberos V5 wants service tickets.
>
> Eh? I can't? That's pretty big news for me and my RADIUS server that has
> been happily doing just that for half a year or so now...
What I meant was that you can't use the Kerberos V5 GSS-API mechanisms
to authenticate users to RADIUS because RADIUS wants passwords, and
Kerberos V5 wants service tickets.
>
> The RADIUS server contains a function that is called with the username
> and cleartext password that then basically does this (abbreviated):
What you are doing is using passwords to authenticate to RADIUS and
Kerberos to authenticate to RADIUS. You aren't using Kerberos V5 to
authenticate users to RADIUS. Kerberos doesn't send passwords in the
clear, ever. Actually it never sends passwords not in the clear either.
The Kerberos V5 mechanism defined for GSS uses tickets, not passwords.
I think what you want to look at is using PAM and the Kerberos V5 PAM
plug in.
http://cvs.opensolaris.org/source/xref/on/usr/src/cmd/login/login.c is
an example.
You would want to call pam_start() with say "radius" as the first
argument, and configure pam.conf to use Kerberos V5. This way you can
produce a RADIUS server that uses pluggable authentication modules, and
not have to change it if you later decide to add another password
repository.
Mike, 3/7/2006 5:06:15 PM
"Mike Eisler" <spamisevi1@yahoo.com> writes:
>I think what you want to look at is using PAM and the Kerberos V5 PAM
>plug in.
>http://cvs.opensolaris.org/source/xref/on/usr/src/cmd/login/login.c is
>an example.
>You would want to call pam_start() with say "radius" as the first
>argument,
>and configure pam.conf to use Kerberos V5. This way you can produce
>a RADIUS server that uses pluggable authentication modules, and
>not have to change it if you later decide to add another password
>repository.
Yeah, I've been thinking about that and that should be doable. I only
need to figure out a way for the PAM system to be able to handle multiple
Kerberos domains. I guess I'll have to create my own pam_krb5 modules since
the default one only works against the "default" Kerberos domain of the
server it runs on... (The RADIUS server handles authentication for users
from multiple, separately managed, departments with their own Kerberos
systems/domains).
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
Peter, 3/7/2006 9:59:22 PM
6 Replies
551 Views