Re: decrypting the user password
Hello.

On 02/13/2013 05:53 AM, Asmaa Ahmed wrote:
> I am having kerberos MIT integrated to LDAP as a backend which is good so far. The problem that I have some applications doesn't support Kerberos to restore the user credentials.

Do they support authentication with LDAP? If so, you can configure your LDAP server to use SASL to check the user passwords against Kerberos. See this article: http://thomas.dereyck.eu/wiki/Setting%20up%20an%20LDAP%20server#Enabling_pass-through_authentication_to_Kerberos

> I wonder if I can decrypt the password from Kerberos server manually to have it in a plaintext,

As Chris said, that's a big security risk and completely defeats Kerberos' purpose.

If the applications don't allow any external authentication, you might be able to find a plug-in that sits between the application and the DB that intercepts the auth requests and services them with SASL or Kerberos directly.

Sincerely,
Sean M. Pappalardo
Sr. Networks Engineer
Renegade Technologies
spappala...@renegadetech.com
Office: (630) 631-6188
http://www.renegadetech.com

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
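The pass-through arrangement suggested in the message above, sketched as an added example that is not part of the original post or the linked article. It assumes OpenLDAP built with `--enable-spasswd` and Cyrus saslauthd; the realm `EXAMPLE.COM`, the entry `uid=alice,...` and the file paths are hypothetical.

```ldif
# Added example. Realm, DN, user name and file paths are assumptions.
#
# 1. Cyrus SASL settings read by slapd. The file location varies by
#    distribution (for example /etc/sasl2/slapd.conf):
#
#        pwcheck_method: saslauthd
#        saslauthd_path: /var/run/saslauthd/mux
#
# 2. saslauthd running with the Kerberos 5 mechanism, on the LDAP host:
#
#        saslauthd -a kerberos5
#
#    It checks a password by requesting a ticket for the principal from
#    the KDC, so no password or key is ever copied out of the KDC database.
#
# 3. Check saslauthd on its own before involving slapd:
#
#        testsaslauthd -u alice -r EXAMPLE.COM -p '<password>'
#
# 4. Per user entry, replace the locally stored hash with a pointer to
#    the Kerberos principal. slapd hands simple-bind passwords for this
#    entry to saslauthd instead of comparing them itself.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}alice@EXAMPLE.COM
```

With this in place an application that only knows LDAP simple bind is still verified against Kerberos. The bind carries the password to slapd, so the LDAP connection needs TLS.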
Re: decrypting the user password
It's one-way hashed. You don't want to store plaintext passwords anywhere, or even passwords encrypted with a two-way algorithm, because people tend to use the same passwords in multiple places, so in addition to compromising your site, you also hose all your users elsewhere.

Chris

On 2013-02-12 20:53, Asmaa Ahmed wrote:
> Hello,
> I am having kerberos MIT integrated to LDAP as a backend which is good so far. The problem that I have some applications doesn't support Kerberos to restore the user credentials. I wonder if I can decrypt the password from Kerberos server manually to have it in a plaintext, so I can do some password sync between Kerberos/ldap server and the application DB!!! My target is having a script or so to get all the original kerberos principals passwords.
> Thanks.
decrypting the user password
Hello,

I am having kerberos MIT integrated to LDAP as a backend which is good so far. The problem that I have some applications doesn't support Kerberos to restore the user credentials. I wonder if I can decrypt the password from Kerberos server manually to have it in a plaintext, so I can do some password sync between Kerberos/ldap server and the application DB!!! My target is having a script or so to get all the original kerberos principals passwords.

Thanks.
Re: Strange behavior with kadmind and incremental propagation in 1.8.3
Re-reading more closely, it seems that krb5_put_principal() failed because of the locking issue but nonetheless still created the iprop ulog entry and marked it as committed. That would be a nasty bug I was not aware of, but I believe it's fixed in master, and likely fixed in 1.11.

Nico