Re: Kerberos keytab

2008-11-10 Thread Da Rock

On Mon, 2008-11-10 at 07:18 -0500, Ansar Mohammed wrote:
> Does anyone know what is the actual purpose of the Kerberos krb5.keytab
> file?
>
> I have a freebsd 7 configured to authenticate users via Kerberos (both
> apache and ssh).
>
> Although the authentication between apache and browser is still basic and
> between the ssh client and server is still keyboard interactive. FreeBSD
> validates the account in the background using Kerberos to AD.

Actually, from my understanding (which may very well be basic, but I have
done some very extensive research) browser auth with Kerberos and Apache
may be possible on Firefox 2 and IE6. The older browsers are a dead
loss, but it will fall back gracefully, I've read. One thing that makes
this possible is navigating to about:config in Firefox and updating the
negotiate URIs. In IE6 you don't need to do anything, but that does
increase the security risk (ergo the Firefox method of negotiate).

The keytab file (again, only from my understanding) contains the current
keys in use mapped to the users. These change as per the kerberos ttl
settings for tickets.

Check the kerberos site for further, more accurate info, and run a
google search for browser kerberos auth with apache. You do need the
right module for apache to achieve this though- mod_auth_kerb. Some only
offer a link between apache and kdc with base64 encryption.

I'm pretty sure of my facts here, but I'll appreciate a correction of my
comments.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
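
Added example, not part of the thread: a minimal reader for the MIT keytab file format (version 0x0502) that lists what each entry in a krb5.keytab holds (principal, key version number, encryption type, key length) without returning the key bytes. The function names, the EXAMPLE.COM principals and the all-zero keys are constructed for illustration.

```python
import struct

# Enctype numbers from the Kerberos registry; DES and RC4 are deprecated.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def _counted(rec, off):
    """Read a uint16-length-prefixed string; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """List the entries of a version 0x0502 keytab without returning key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:                      # negative length marks a deleted slot
            continue
        rec = data[pos - size:pos]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            text, off = _counted(rec, off)
            comps.append(text)
        _nt, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                   # skip header fields and the key itself
        if off > len(rec):
            raise ValueError("truncated entry")
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "key_bytes": klen, "weak": enctype in WEAK})
    return entries

# Constructed sample input: sample_entry() encodes one entry with a placeholder key.
def sample_entry(realm, comps, kvno, enctype, key):
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
SAMPLE = (b"\x05\x02" + sample_entry("EXAMPLE.COM", ["HTTP", "www.example.com"], 3, 18, bytes(32))
          + sample_entry("EXAMPLE.COM", ["host", "www.example.com"], 300, 23, bytes(16)))
```
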


Re: Kerberos keytab

2008-11-10 Thread Mel
On Monday 10 November 2008 13:53:41 Da Rock wrote:


> Check the kerberos site for further, more accurate info, and run a
> google search for browser kerberos auth with apache. You do need the
> right module for apache to achieve this though- mod_auth_kerb. Some only
> offer a link between apache and kdc with base64 encryption.

Non-related to the OP's problem, but base64 is a transport encoding and not
encryption. It is used as 7-bit transport for 8-bit (or more) data, like
attachments (email) and form uploads (web).

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Kerberos keytab

2008-11-10 Thread Ansar Mohammed
Does anyone know what is the actual purpose of the Kerberos krb5.keytab
file?

I have a freebsd 7 configured to authenticate users via Kerberos (both
apache and ssh).

Although the authentication between apache and browser is still basic and
between the ssh client and server is still keyboard interactive. FreeBSD
validates the account in the background using Kerberos to AD.



Re: Kerberos keytab

2008-11-10 Thread Da Rock

On Mon, 2008-11-10 at 14:17 +0100, Mel wrote:
> On Monday 10 November 2008 13:53:41 Da Rock wrote:
>
> > Check the kerberos site for further, more accurate info, and run a
> > google search for browser kerberos auth with apache. You do need the
> > right module for apache to achieve this though- mod_auth_kerb. Some only
> > offer a link between apache and kdc with base64 encryption.
>
> Non-related to the OP's problem, but base64 is a transport encoding and not
> encryption. It is used as 7-bit transport for 8bit (or more) data, like
> attachments (email) and form uploads (web).

Good to know the difference, but that still seems very poor against the
kerberos security available. Good to know that the newer browsers are
addressing this issue...
