Re: GSSAPI x Kerberos

2003-07-21 Thread Daniel Kouril
[EMAIL PROTECTED] wrote:
 Sam Hartman wrote:
 
Implement using GSSAPI unless there is something that you need that
cannot be provided by GSSAPI.
 
 
 Thanks :-) I was going to do that but I asked here to be sure...
 
 The SPNEGO draft on IETF (draft-brezak-spnego-http-04) explains how Microsoft 
 implemented the GSS over HTTP to IIS and IE, in the docs it says to use 
 WWW-Authenticate: Negotiate, but the patch to Mozilla looks a little different, it 
 uses GSS-Negotiate... Since I'm going to do both server and client 
 modification to support Kerberos in this application I could use anything, what 
 do you think would be better, the MS draft or the one that works on 
 Mozilla/Apache?

Sorry for the delay (the summer time :-). I think you're referring to the 
mozilla patch available from negotiateauth.mozdev.org, which I'm 
maintaining. The reason for the use of GSS-Negotiate instead of 
Negotiate is that I don't have any SPNEGO implementation I could use, so 
I suppose the patch will be linked with the GSSAPI libs provided by a 
krb5 implementation. That's why I used the GSS- prefix in order to avoid 
problems with MS products, which use SPNEGO protocol here.

I'm working on a SPNEGO implementation (I believe most of it could be 
based on the mechglue mechanism) but I don't have much time I could 
spend on it. Moreover, if I recall some discussion on the IETF krb 
mailing list, the Microsoft implementation of SPNEGO doesn't comply with 
the SPNEGO standard.

--
Dan


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi All,

Can anyone tell me what the AP and AS message size maximums would be and
what factors are to be considered?

I'm using PKINIT so I know my AS request will be rather large due to the
certificate.

Thanks!

Eric Naud
Software Development Engineer, Ottawa Design Center
Imedia Semiconductor
613.592.1052 x232
mailto:[EMAIL PROTECTED]





RE: Maximum AP and AS message sizes

2003-07-21 Thread Tim Alsop
Eric,

You also need to consider:

i) Whether IP addresses are stored in the tickets. In particular on a multi-homed 
system the number of addresses can be quite large.
ii) Whether the KDC is a Microsoft KDC because PAC data will be stored in tickets.

These, along with PKINIT requirements, are the major contributors to large tickets, and 
hence large request/response packets to/from the KDC.

Cheers, Tim. 



RE: Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi Tim,
 
Thanks for the quick response, but concerning the sizes are we talking 500
bytes, 1k, 2k? Statically allocating 4k on an embedded system is a little
heavy so I'd like to get a ballpark idea for the upper boundaries on the reply
messages.
 
What are the largest numbers you've seen?
 

Eric Naud
Software Development Engineer, Ottawa Design Center
Imedia Semiconductor
613.592.1052 x232
mailto:[EMAIL PROTECTED]



 



RE: Maximum AP and AS message sizes

2003-07-21 Thread Tim Alsop
Eric,
 
I have seen in excess of 4k, but in your particular requirements the buffer may not 
need to be anywhere near that large. If you can confirm the usage scenario (e.g. is 
this a PacketCable compliant MTA?) I can give you a better feel for size limits 
involved.
 
Tim.



RE: Maximum AP and AS message sizes

2003-07-21 Thread Tim Alsop
Eric,
 
I didn't mention before, but I understand the max size allowed for UDP communications 
is 65000 bytes, so this will be your upper limit.
 
Tim.



RE: Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi Tim,
 
This is for CableHome, it borrows much from the PacketCable spec. What are
the sizes you've seen for this context?
 
As for the UDP upper limit ;) I don't think it would be wise to grab that much
memory on this embedded device.
 

Eric Naud
Software Development Engineer, Ottawa Design Center
Imedia Semiconductor
613.592.1052 x232
mailto:[EMAIL PROTECTED]



 



HELP ME

2003-07-21 Thread SVI
HELLO, I WANT TO KNOW WHERE I CAN FIND MORE INFORMATION ABOUT THE HISTORY OF KERBEROS, 
AND MY OTHER QUESTION IS:

I HAVE TO IMPLEMENT THIS SOLUTION USING AN IBM RS/6000 (AIX) KDC, AND THE APPLICATION 
SERVERS ARE AN IBM AS/400 (OS/400) AND IBM NETFINITY (WINDOWS 2000). MY QUESTION IS:

DO I NEED SOME SPECIAL SOFTWARE ON MY PC CLIENT TO USE KERBEROS?


THANKS 

I HOPE FOR YOUR ANSWER SOON




RE: Maximum AP and AS message sizes

2003-07-21 Thread Tim Alsop
Eric,
 
I haven't been involved in any CableHome pilot deployments, but I understand that they 
exist. I think the best thing you can do is to test with a 4k limit and see if any 
problems occur. For PKINIT in this environment I would not expect the buffer size to 
be  4k. I suspect you are planning to use Jungo or IPFonix KDC - have you asked the 
developers of these products for guidelines?
 
Cheers, Tim.



Re: Maximum AP and AS message sizes

2003-07-21 Thread Ken Raeburn
Tim Alsop [EMAIL PROTECTED] writes:

 Eric,
  
 I didn't mention before, but I understand the max size allowed for
 UDP communications is 65000 bytes, so this will be your upper
 limit.
  
 Tim.

... unless the communication is done with TCP.

Ken



RE: Maximum AP and AS message sizes

2003-07-21 Thread Tim Alsop
Ken,

Thanks. This is correct. I didn't mention TCP because I know that CableHome and 
PacketCable are only supporting UDP based communications at the moment.

Take care,

Tim.
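
Added example, not written by anyone in this thread: a C check an embedded client could run on each received UDP datagram before parsing it, comparing the size declared in the message's outer ASN.1 header with the bytes actually received and with a fixed buffer, so an oversized KDC reply is detected instead of being parsed cut off. The 4096-byte cap, the function names and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KRB_BUF_CAP 4096u  /* assumed static receive buffer (the 4k figure above) */

enum krb_fit { KRB_OK, KRB_MALFORMED, KRB_TRUNCATED, KRB_TOO_BIG };

/* Read the outer ASN.1 header of a Kerberos message (definite length only)
 * and store header + contents size in *total. Returns 0 on success. */
static int krb_declared_size(const uint8_t *p, size_t n, size_t *total)
{
    if (n < 2) return -1;
    /* AS-REQ/AS-REP/AP-REQ/AP-REP/KRB-ERROR are constructed APPLICATION
     * types with tag numbers below 31, so the identifier is one octet. */
    if ((p[0] & 0xE0) != 0x60 || (p[0] & 0x1F) == 0x1F) return -1;
    size_t hdr = 2;
    uint32_t len = p[1];
    if (len & 0x80) {                 /* long form: next k octets hold the length */
        size_t k = len & 0x7F;
        if (k == 0 || k > 4 || n < 2 + k) return -1;  /* k == 0: indefinite length */
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | p[2 + i];
        hdr += k;
    }
    if (len > SIZE_MAX - hdr) return -1;  /* guard the addition on small size_t */
    *total = hdr + len;
    return 0;
}

/* got = byte count recvfrom() returned for a buffer of KRB_BUF_CAP bytes.
 * UDP drops whatever did not fit, so the declared size is the only way to
 * tell a complete message from a cut-off one. */
static enum krb_fit krb_check_datagram(const uint8_t *buf, size_t got)
{
    size_t total;
    if (got > KRB_BUF_CAP || krb_declared_size(buf, got, &total) != 0)
        return KRB_MALFORMED;
    if (total > KRB_BUF_CAP) return KRB_TOO_BIG;  /* can never fit this buffer */
    if (total > got) return KRB_TRUNCATED;        /* incomplete datagram */
    if (total < got) return KRB_MALFORMED;        /* trailing bytes after message */
    return KRB_OK;
}

int main(void)
{
    /* Constructed samples: tag 0x6B = AS-REP, followed by long-form length. */
    static uint8_t fits[304] = { 0x6B, 0x82, 0x01, 0x2C };        /* 300 content bytes */
    static uint8_t big[KRB_BUF_CAP] = { 0x6B, 0x82, 0x13, 0x88 }; /* declares 5000 */
    printf("fits: %d\n", krb_check_datagram(fits, sizeof fits));
    printf("cut:  %d\n", krb_check_datagram(fits, 200));
    printf("big:  %d\n", krb_check_datagram(big, sizeof big));
    return 0;
}
```

Counting how often KRB_TOO_BIG occurs during testing gives a measured basis for choosing the buffer size.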



Re: Windows 2000 Server as KDC

2003-07-21 Thread John Rudd
Mel Riser wrote:
 
 
 the Win2k KDC has to be the primary, 

That's annoying.

 but Linux boxes or other OS's running kerberos can be backups. Replication is the 
 problem though.

Any pointers on how to make that work?


 
 an easier solution would be to set up a windows realm for Win2k KDC and a cross realm 
 trust with a linux box in a different realm.
 

We were doing this (with Solaris, not Linux), but when the bug and fix
for the cross-realm security hole came out a few months ago, that caused
it all to break (we need krb4 cross-realm auth because AFS is in the
picture).  So, we're basically running an older un-patched krb524d in
order to keep things working ... but that doesn't make me comfortable in
the long run, so I'm looking for other solutions.



MIT Kerberos: is it Thread-Safe?

2003-07-21 Thread Nikola Milutinovic
Hi all.

As the subject says, is MIT Kerberos thread-safe and if it is, which version?

OpenLDAP FAQ warns that MIT Kerberos libraries are not thread safe and that one should 
either use --no-threads when building it or build with Heimdal implementation. Now, 
I have gotten quite used to MIT Kerberos, have built several packages linked with it. 
It would be a drag to switch to Heimdal now.

Nix.

