On Friday, December 19, 2003 14:12:52 -0600 Steve Langasek <[EMAIL PROTECTED]> wrote:
On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:On Friday, December 19, 2003 08:47:27 -0600 dave schrader <[EMAIL PROTECTED]> wrote:
> Are there any modules available that will allow freeradius to do > kerberos authentication under netbsd ? Dave Schrader
Freeradius includes a 'rlm_krb5' module which will verify passwords against your krb5 KDC. Note that this is not the same as using Kerberos to authenticate the RADIUS protocol spoken between the NAS and RADIUS server.
I have attached a patch against freeradius-0.3 which makes some improvements to the rlm_krb5 module, including actually validating the tickets it obtains in the process of verifying a password. We've been running this for a couple of years with good results. It won't be exactly what you need, but it should serve as a good starting point. Notably...
freeradius 0.3 is substantially out of date, and probably has remotely exploitable vulnerabilities (or then again, maybe it's too old for them...). The current version of the rlm_krb5 module (0.9+) includes the enhancements you describe, including improved portability between MIT KRB5 and Heimdal (though I recently made some changes to CVS HEAD that I haven't tested on Heimdal, so I may have ruined that again ;).
Yeah; that doesn't surprise me. We don't actually use it much, and keeping it up to date hasn't been a high priority for me...
I'm glad to hear that work has been done on improving the rlm_krb5 module; I seem to recall last I looked that it was still broken, but that was quite some time ago.
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
