SSH windows 2003 AD: TGS vs TGT

2005-07-31 Thread abc

We are exploring possibilities for integrating Windows AD / Unix hosts.

My two-week-old boot camp setup:

KDC: Windows 2003 AD
SSH: HP-UX SSH 4.x (openssh 4.x)
SSH Clients: PuTTY / F-Secure (which is not working at this time under
GSSAPI)


I got my setup working; however, I am wondering which option to pick for my
environment.

Option 1:

In this option we create a Keytab file from the Windows 2003 AD server with
the respective host principal and copy it to the SSH server.
We update the SSHD config file for GSSAPI and the KRB client files.

This welcomes everyone who has a TGS for my host and a valid PASSWD file
entry.

Option 2:

In this option we update the KRB client files (krb5.conf) and enable
Kerberos authentication in the SSHD config file or through PAM.

In this method, there is no Keytab file involved. The user enters his
credentials and, if they are OK, he/she gets a TGT and access to the system.



Now, which option is right when you look at the following?


1. User account lockups (at KDC or UNIX level).

2. Can I restrict a user even if he/she has the right TGS
(AllowGroups/DenyGroups based on auth type)?

3. Can I restrict a user even if he/she has the right TGT/PASSWD
(AllowGroups/DenyGroups based on auth type)?

4. Keytab file update whenever the password is changed.

5. Which option is right for the future?

6. Which option is right for VPN users?

7. Do I need to update the SSH client software (PuTTY/??)?

8. Most accepted and implemented.

9. Security patches for SSH server / SSH client in future. (KDC: MS will
take care!)

10. Which option is nice while you are in transition?

11. Just have both options?

12. Any other way one can implement this?

13. Which option do managers like?

14. Which option do clients/users like (and sys. admins; I guess they should
be with the users)?

Any pointers in the right direction are welcome.

regards
satya


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Problem building an API program against 1.4.1

2005-07-31 Thread Buck Huppmann
On Sun, Jul 31, 2005 at 01:44:09PM -0700, Mike Friedman wrote:

> >Mike Friedman <[EMAIL PROTECTED]> writes:
> >
> >>Thanks, that fixed it!  I must say, I didn't even know about the -R 
> >>option to gcc and can't find it in the gcc man page.  What does -R do 
> >>anyway?
> >
> >>I had just assumed that the '-L/usr/local/kerberos/lib' would be 
> >>sufficient to tell the linker where to find the libraries.  Why did 
> >>only libk5crypto have a problem and not, for example, libkrb5?

> Actually, it's a bit scarier than that.  When I first had the problem, I 
> used ldd to see which shared libraries were needed or expected by my 
> module.  And only libk5crypto showed as 'not found'.  There was an entry 
> for libkrb5.  However, what I didn't notice was that the latter was the 
> version in /usr/lib, which comes installed with FreeBSD and is not the MIT 
> version.  That's why I say 'scary', because if not for the missing 
> libk5crypto, I might never have noticed that I wasn't using the correct 
> libkrb5 either.  Whether or not this would have caused more subtle 
> problems later I can't really say.
> 
> Anyway, thanks for the pointer to info about -R.  I now see that -R 
> appears in the Makefiles used in the MIT K5 build as well.

i won't comment on how capable your system's runtime linker is in using
your vendor's libkrb5.so.${version} in lieu of your newly installed
version (i would sorta winsomely hope that it's doing the right thing,
given the versioning info built into the libraries and their $(version)
extensions and so forth, but that's why my-administered machines
aren't launching rockets and stuff, and i guess maybe API compatibility
is a completely different fruit from feature compatibility, anyway),
but couldn't all the problems have been avoided by building with

gcc -c ${source} `${newly_installed_krb5}/bin/krb5-config --cflags`
...
gcc -o ${target} ${objects} \
`${newly_installed_krb5}/bin/krb5-config --libs`

? or (to possibly uncover a bone of contention) does krb5-config not
emit -R options?

i didn't know that FreeBSD exhibited the Solaris-ish non-infection-of-
runtime-linking-path-without--R-option, so thanks for cluing me in to that
anyway, and i'll be watching whom my dynamic executables are runtime-linking
with like a hawk from now on


Re: Problem building an API program against 1.4.1

2005-07-31 Thread Mike Friedman

On Sun, 31 Jul 2005 at 12:40 (-0700), Russ Allbery wrote:

> Mike Friedman <[EMAIL PROTECTED]> writes:
>
> > Thanks, that fixed it!  I must say, I didn't even know about the -R
> > option to gcc and can't find it in the gcc man page.  What does -R do
> > anyway?
>
> > I had just assumed that the '-L/usr/local/kerberos/lib' would be
> > sufficient to tell the linker where to find the libraries.  Why did
> > only libk5crypto have a problem and not, for example, libkrb5?
>
>  tries to explain all
> this. I'm pretty sure it was complaining specifically about k5crypto
> just because it was first and would have had trouble with the others as
> well.


Russ,

Actually, it's a bit scarier than that.  When I first had the problem, I 
used ldd to see which shared libraries were needed or expected by my 
module.  And only libk5crypto showed as 'not found'.  There was an entry 
for libkrb5.  However, what I didn't notice was that the latter was the 
version in /usr/lib, which comes installed with FreeBSD and is not the MIT 
version.  That's why I say 'scary', because if not for the missing 
libk5crypto, I might never have noticed that I wasn't using the correct 
libkrb5 either.  Whether or not this would have caused more subtle 
problems later I can't really say.


Anyway, thanks for the pointer to info about -R.  I now see that -R 
appears in the Makefiles used in the MIT K5 build as well.


Mike

_
Mike Friedman   System and Network Security
[EMAIL PROTECTED]  2484 Shattuck Avenue
1-510-642-1410  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_


Re: Kerberos ticket access to MS Exchange

2005-07-31 Thread Simon Wilkinson
Nikola Milutinovic wrote:
> How about IMAP kerberized client in general?

I'm working with David Bienvenu and others on GSSAPI support for
Thunderbird. It should support both MIT Kerberos for Windows, and
Microsoft's SSPI.

Simon.


Re: Kerberos ticket access to MS Exchange

2005-07-31 Thread Rodney M Dyer

At 02:31 PM 7/31/2005, Nikola Milutinovic wrote:

> How about IMAP kerberized client in general? I'm using Cyrus IMAP 2.2.10
> on Tru64 UNIX and it lives in a MS ADS environment. Will both MS Outlook
> Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard
> that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free.


Sure, you can find several Kerberized IMAP servers and clients.  And you
can use Microsoft's Active Directory for your Kerberos KDC, no
problem.  You just can't use Outlook, or Microsoft Exchange IMAP, with
anyone else's KDC.  Microsoft has made sure that in setting up a Kerberized
network environment you should always use "their" server products as your
KDCs.  Use anything else and you will not be forgiven.  You want to use MIT
KDC, or Hesiod, forget it.  You will expend too much time and effort on
something that will eventually not work anyway.  The funny thing is, if you
are going to store passwords on your Microsoft AD server acting as a KDC,
then what is the point of having a KDC in the first place...in terms of
Microsoft authentication?  This is why I say that Microsoft uses Kerberos
just to appease the 'nix natives.  It certainly has little use in their own
products.


Rodney 




Re: Problem building an API program against 1.4.1

2005-07-31 Thread Russ Allbery
Mike Friedman <[EMAIL PROTECTED]> writes:

> Thanks, that fixed it!  I must say, I didn't even know about the -R
> option to gcc and can't find it in the gcc man page.  What does -R do
> anyway?

> I had just assumed that the '-L/usr/local/kerberos/lib' would be
> sufficient to tell the linker where to find the libraries.  Why did only
> libk5crypto have a problem and not, for example, libkrb5?

 tries to explain all this.
I'm pretty sure it was complaining specifically about k5crypto just
because it was first and would have had trouble with the others as well.

-- 
Russ Allbery ([EMAIL PROTECTED]) 


Re: Problem building an API program against 1.4.1

2005-07-31 Thread Mike Friedman

On Sun, 31 Jul 2005 at 11:35 (-0700), Russ Allbery wrote:

> > Here's the Makefile I use to build my program:
>
> > krb5ver:
> > 	gcc -Wall -c -I/usr/local/kerberos/include krb5ver.c
> > 	gcc -o krb5ver krb5ver.o -L/usr/local/kerberos/lib -lk5crypto -lkrb5 -lcom_err
>
> If you install libraries in a non-standard location that the dynamic
> linker doesn't know about, you have to encode the path to the libraries
> into the binary.  Adding -R/usr/local/kerberos/lib will probably fix the
> problem.


Russ,

Thanks, that fixed it!  I must say, I didn't even know about the -R option 
to gcc and can't find it in the gcc man page.  What does -R do anyway?


I had just assumed that the '-L/usr/local/kerberos/lib' would be 
sufficient to tell the linker where to find the libraries.  Why did only 
libk5crypto have a problem and not, for example, libkrb5?


(My knowledge about linking is clearly inadequate).

Thanks again.

Mike

_
Mike Friedman   System and Network Security
[EMAIL PROTECTED]  2484 Shattuck Avenue
1-510-642-1410  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_


Re: Kerberos ticket access to MS Exchange

2005-07-31 Thread Nikola Milutinovic

Rodney M Dyer wrote:

> At 12:41 PM 7/29/2005, Nebergall, Christopher wrote:
>
> > Are there ANY mail client programs besides MS Outlook on any OS which
> > support kerberos ticket authentication to Microsoft exchange?

How about IMAP kerberized client in general? I'm using Cyrus IMAP 2.2.10
on Tru64 UNIX and it lives in a MS ADS environment. Will both MS Outlook
Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard
that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free.


(sigh) I wish Mozilla had GSSAPI.

Nix.


Re: Problem building an API program against 1.4.1

2005-07-31 Thread Russ Allbery
Mike Friedman <[EMAIL PROTECTED]> writes:

> As far as I can tell, the MIT Kerberos stuff works.  However, after
> compiling one of my own programs that uses the MIT K5 API (and which
> I've been running, mostly on Solaris systems, for years), I get this
> message at runtime (the program is called krb5ver):

> /libexec/ld-elf.so.1: Shared object "libk5crypto.so" not found,
> required by "krb5ver"

> But when I look in /usr/local/kerberos/lib, I do see libk5crypto.so as a
> symlink to libk5crypto.so.3, which does exist in the same directory.

> Here's the Makefile I use to build my program:

> krb5ver:
> 	gcc -Wall -c -I/usr/local/kerberos/include krb5ver.c
> 	gcc -o krb5ver krb5ver.o -L/usr/local/kerberos/lib -lk5crypto -lkrb5 -lcom_err

If you install libraries in a non-standard location that the dynamic
linker doesn't know about, you have to encode the path to the libraries
into the binary.  Adding -R/usr/local/kerberos/lib will probably fix the
problem.

-- 
Russ Allbery ([EMAIL PROTECTED]) 

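An added example, not code from this thread: a POSIX sh function that does mechanically what Mike did by hand with ldd, and catches the case he found scary. It reads ldd(1) output and flags any Kerberos library that is either not found or resolved from a directory other than the one the binary was built against (the directory you would pass to -R). The function names `check_ldd` and `sample_ldd` are mine, and the ldd lines in `sample_ldd` are constructed to mirror the thread, not captured from a real system.

```shell
#!/bin/sh
# check_ldd: audit which shared objects a dynamically linked binary will
# actually load at runtime. Reads ldd(1) output on stdin and prints one
# line per audited library that is missing or resolved from a directory
# other than the expected one.
#   $1  directory the libraries must come from (e.g. the -R/rpath dir)
#   $2  extended regex matching the basenames of the libraries to audit
# Exit status: 0 = every audited library comes from $1, 1 = problems found.
# Typical use:  ldd ./krb5ver | check_ldd /usr/local/kerberos/lib 'libkrb5|libk5crypto|libcom_err'
check_ldd() {
    awk -v dir="$1" -v re="$2" '
        # ldd lines look like:  libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x2808c000)
        #                  or:  libk5crypto.so => not found (0x0)
        $2 == "=>" && $1 ~ re {
            if ($3 == "not" && $4 == "found") {
                printf "MISSING  %s\n", $1; bad = 1; next
            }
            libdir = $3
            sub("/[^/]*$", "", libdir)      # drop the file name, keep the directory
            if (libdir != dir) {
                printf "WRONGDIR %s -> %s (expected %s)\n", $1, $3, dir; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample (not real ldd output) modelled on the thread:
# libk5crypto reported missing, libkrb5 quietly taken from the vendor
# copy in /usr/lib instead of the MIT build, libcom_err resolved correctly.
sample_ldd() {
    cat <<'EOF'
	libk5crypto.so => not found (0x0)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x2808c000)
	libcom_err.so.3 => /usr/local/kerberos/lib/libcom_err.so.3 (0x280f1000)
	libc.so.5 => /lib/libc.so.5 (0x28100000)
EOF
}

# Run the audit against the constructed sample when invoked as: sh check_ldd.sh --demo
if [ "${1-}" = "--demo" ]; then
    sample_ldd | check_ldd /usr/local/kerberos/lib 'libkrb5|libk5crypto|libcom_err'
fi
```

Against the sample it reports the missing libk5crypto and the libkrb5 taken from /usr/lib, and exits 1; a binary whose audited libraries all come from the expected directory produces no output and exits 0.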

Cannot start the krb5kdc

2005-07-31 Thread Daniel Savard
I think I sent it directly to Sensei instead of to the list. I apologize.

Also, I am running mit-kerberos version 1.4.1. I think the previous
version was 1.3.6. I just read I was supposed to back up my database
before upgrading and the Gentoo procedure didn't take this into
account. So, I guess the database is not in a proper format for 1.4.1.
Is there a way to recover from this kind of error? Any tool to perform the
conversion?

-- Forwarded message --
From: Daniel Savard <[EMAIL PROTECTED]>
Date: 30 Jul 2005 20:04
Subject: Re: Cannot start the krb5kdc
To: Sensei <[EMAIL PROTECTED]>


Here is my krb5.conf:

[libdefaults]
    ticket_lifetime = 600
    default_realm = CIDS.CA
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    CIDS.CA = {
        kdc = kerberos.cids.ca:88
        kdc = kerberos-1.cids.ca:88
        admin_server = kerberos.cids.ca:749
    }

[domain_realm]
    .cids.ca = CIDS.CA
    cids.ca = CIDS.CA

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log



Then my kdc.conf which is in /etc/krb5kdc as in the profile stanza
above is stating:

[kdcdefaults]
    kdc_ports = 88,750

[realms]
    CIDS.CA = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/.k5.CIDS.CA
        dict_file = /etc/krb5kdc/kadm5.dict
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

--

And as you can see, my database is in /etc/krb5kdc/principal. All the
files exist, except the dict_file, which is no harm I think. Anyway,
even if I remove this stanza it doesn't change anything.

When trying to start up the KDC, I am getting the messages already
mentioned in my previous post. Not much more detail than that.
Unless you can tell me a way to increase the debugging level.

Regards,

--
-
Daniel Savard


-- 
-
Daniel Savard



Problem building an API program against 1.4.1

2005-07-31 Thread Mike Friedman

I just installed krb5-1.4.1 on my FreeBSD machine.  (I had to turn off 
pthread support, otherwise kinit and kadmin fail).


As far as I can tell, the MIT Kerberos stuff works.  However, after 
compiling one of my own programs that uses the MIT K5 API (and which I've 
been running, mostly on Solaris systems, for years), I get this message at 
runtime (the program is called krb5ver):


   /libexec/ld-elf.so.1: Shared object "libk5crypto.so" not found,
   required by "krb5ver"

But when I look in /usr/local/kerberos/lib, I do see libk5crypto.so as a 
symlink to libk5crypto.so.3, which does exist in the same directory.


Here's the Makefile I use to build my program:

---
krb5ver:
	gcc -Wall -c -I/usr/local/kerberos/include krb5ver.c
	gcc -o krb5ver krb5ver.o -L/usr/local/kerberos/lib -lk5crypto -lkrb5 -lcom_err
---

I don't know if this problem represents a difference just for FreeBSD (vs 
Solaris), because I haven't yet tried compiling 1.4.1 on Solaris.  Or 
whether it has something to do with the fact that the default for 1.4.1 is 
to build with shared libraries (I've always done static builds on Solaris 
with prior releases).  If it's the latter, does this mean I need to do 
something different in the Makefile (shown above) that I'm using to build 
my own program?


More likely, I suspect, it's something else I'm overlooking completely.

I'd appreciate any suggestions.

Mike

_
Mike Friedman   System and Network Security
[EMAIL PROTECTED]  2484 Shattuck Avenue
1-510-642-1410  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_
