Re: turning off auto-logon for KfW

2008-04-30 Thread Jeffrey Altman

David Bear wrote:

> We have a very mobile user and starting KfW causes logon times to be very
> long.

What do you mean by "starting kfw"?

> How do we disable KfW from trying to authenticate at logon? Since we use KfW
> in order to authenticate and get tokens for OpenAFS we would like to disable
> both from starting at logon

Both OpenAFS and KFW install network providers.  If you want to remove
them from the system you need to edit

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

However, neither should be introducing delays due to mobility.  I doubt
there is anyone much more mobile than I am.


Jeffrey Altman
Secure Endpoints Inc.






Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


turning off auto-logon for KfW

2008-04-30 Thread David Bear
We have a very mobile user and starting KfW causes logon times to be very
long.

How do we disable KfW from trying to authenticate at logon? Since we use KfW
in order to authenticate and get tokens for OpenAFS we would like to disable
both from starting at logon.

-- 
David Bear
College of Public Programs at ASU
602-464-0424



Re: Two enctype questions

2008-04-30 Thread Mike Friedman

On Wed, 30 Apr 2008 at 14:36 (-0400), Ken Hornstein wrote:

>> 1.  I notice that on 1.6.3, getprinc shows 'no salt' for all keys, even 
>> though the enctypes in kdc.conf's supported-enctypes all specify a salt 
>> type of ':normal', which I thought meant salt with principal name and 
>> realm.  Why is this?
>
> "No salt" means "normal" in this case.  Yes, that doesn't make any 
> sense; I only report the news, not make it.
>
>> 2.  Is there any way to change the enctype of the master database key?
>
> "no" (unless you're willing to write a fair amount of database-fiddling 
> code, and probably lose your password history in the process).

Ken,

Thanks for the definitive answers.  I may not like the answer to (2), but 
at least now I know where I stand.  As for (1), I figured as much, but had 
to ask, given how non-intuitive it is.

Mike

Mike Friedman                  Information Services & Technology
[EMAIL PROTECTED]              2484 Shattuck Avenue
1-510-642-1410                 University of California at Berkeley
http://mikef.berkeley.edu      http://ist.berkeley.edu


Re: Two enctype questions

2008-04-30 Thread Ken Hornstein
>1.  I notice that on 1.6.3, getprinc shows 'no salt' for all keys, even 
>though the enctypes in kdc.conf's supported-enctypes all specify a salt 
>type of ':normal', which I thought meant salt with principal name and 
>realm.  Why is this?

"No salt" means "normal" in this case.  Yes, that doesn't make any sense;
I only report the news, not make it.

>2.  Is there any way to change the enctype of the master database key?

"no" (unless you're willing to write a fair amount of database-fiddling
code, and probably lose your password history in the process).

--Ken



Two enctype questions

2008-04-30 Thread Mike Friedman

I have a couple of questions related to KDC enctypes, one of which I sent 
to the list last week but received no reply:

1.  I notice that on 1.6.3, getprinc shows 'no salt' for all keys, even 
though the enctypes in kdc.conf's supported-enctypes all specify a salt 
type of ':normal', which I thought meant salt with principal name and 
realm.  Why is this?

For example, in my kdc.conf, I have this:

supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal

  And here's an extract of a principal's entry as shown by getprinc:

 Number of keys: 2
 Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
 Key: vno 3, DES cbc mode with CRC-32, no salt

  Whereas, on my 1.4.2 system, kdc.conf looks like this:

   supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:v4

  and I get this principal key information:

 Number of keys: 5
 Key: vno 1, DES cbc mode with CRC-32, no salt
 Key: vno 1, DES cbc mode with RSA-MD5, Version 4
 Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
 Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
 Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3

  So, why the 'no salt' in all the key descriptions for 1.6.3?

2.  Is there any way to change the enctype of the master database key?  I 
will be kprop'ing the db from my 1.4.2 system to 1.6.3 and I'd like to 
rekey the db with an enctype of aes256-cts:normal.  But I don't see how to 
do this, since the 'master-key-type' entry in kdc.conf can't agree with 
both the old db and the rekeyed db.  Am I missing something?

Thanks.

Mike

Mike Friedman                  Information Services & Technology
[EMAIL PROTECTED]              2484 Shattuck Avenue
1-510-642-1410                 University of California at Berkeley
http://mikef.berkeley.edu      http://ist.berkeley.edu


Encryption Type wrong

2008-04-30 Thread Jan Sanders
Hello,

I am having a little problem here. I am running a KDC on Solaris and a 
number of clients on GNU/Linux. For both the KDC and the 
Kerberos-Clients I have configured them to use only the 
dec-crc-cbc:default encryption type.
When creating a principal on the server using addprinc wo/-e 
des-cbc-crc:default the principal is created with 4  keys. getprinc reveals:

Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt

If I use addprinc -e des-cbc-crc:normal then I get the desired
Key: vno 22, DES cbc mode with CRC-32, no salt

The same goes for cpw.

This I could live with since the group of users having admin privileges 
is very small.

But the ordinary user once in a while wants to change the password and 
will use kpasswd. kpasswd does not have the ability to choose the 
encryption type and then a user ends up not having a key with 
des-cbc-crc:normal. Unfortunately GNU/Linux kinit breaks if the KDC does 
not have a key with the des-cbc-crc:normal encryption type in store.


Any help appreciated

cheers

Jan Sanders

The config files follow.

The krb5.conf on the GNU/Linux client:
[libdefaults]
    default_realm = MY.DOMAIN

    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.

    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc

    # The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    MY.DOMAIN = {
        kdc = kdc.my.domain
        admin_server = kdc.my.domain
    }

[domain_realm]
    my.domain = MY.DOMAIN
    .my.domain = MY.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false




The kdc.conf on the Solaris machine:

[libdefaults]
    default_realm = MY.DOMAIN
    default_keytab_name = /etc/krb5/krb5.keytab

[kdcdefaults]
    kdc_ports = 88,750

[realms]
    MY.DOMAIN = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
        supported_enctypes = des-cbc-crc:normal
    }
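
Added example, not part of any poster's message: a small Python check that parses the getprinc key lines quoted in the two enctype threads above, maps "no salt" back to the normal salt type, and reports which keys of the newest kvno match the client's permitted_enctypes. The names parse_keys and matching_enctypes are hypothetical, and the strict name comparison is a simplification of this example.

```python
import re

# getprinc descriptions -> enctype names as written in krb5.conf / kdc.conf
ENCTYPES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
}
# getprinc salt descriptions -> salt types; "no salt" is how :normal is displayed
SALTS = {
    "no salt": "normal",
    "Version 4": "v4",
    "Version 5 - No Realm": "norealm",
    "Version 5 - Realm Only": "onlyrealm",
    "AFS version 3": "afs3",
}
KEY_LINE = re.compile(r"^\s*Key: vno (\d+), (.+), ([^,]+?)\s*$")

# Key lines quoted from the post: addprinc without -e, then with -e des-cbc-crc:normal
WITHOUT_E = """\
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""
WITH_E = "Key: vno 22, DES cbc mode with CRC-32, no salt\n"

def parse_keys(text):
    """Return (kvno, enctype, salt) tuples; unrecognised descriptions pass through verbatim."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            enc, salt = m.group(2).strip(), m.group(3).strip()
            keys.append((int(m.group(1)), ENCTYPES.get(enc, enc), SALTS.get(salt, salt)))
    return keys

def matching_enctypes(keys, permitted):
    """Enctypes of the newest kvno that appear in the client's permitted_enctypes.
    Strict name match only (a simplification of this example)."""
    newest = max((k[0] for k in keys), default=None)
    return [enc for kvno, enc, _ in keys if kvno == newest and enc in permitted]

if __name__ == "__main__":
    permitted = {"des-cbc-crc"}  # permitted_enctypes from the posted krb5.conf
    for label, text in (("without -e", WITHOUT_E), ("with -e", WITH_E)):
        print(label, parse_keys(text), "->", matching_enctypes(parse_keys(text), permitted))
```

An empty result for a principal means its current keys include none of the enctypes the client is restricted to, which is the state the post describes after a password change.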





krb5 packages available for Maemo OS2008 (Nokia N800/N810)

2008-04-30 Thread Jason Edgecombe
Hi everyone,

I have uploaded a krb5 package for the Nokia N810 and Nokia N800
(running OS2008) to the Maemo extras repository.

I welcome anyone who would like to test it out. The package is small and
only includes kinit and libkrb5. Feedback is welcome.

If you can't find it in the repository, then try this:
http://repository.maemo.org/extras/dists/chinook/install/ (click on
krb5.install)

Next, I'll work on the openafs packages.

Sincerely,
Jason
