Re: Question about TGT forwarding
Hi Jeffrey,

All of the Windows 10 and RHEL7/CentOS7 machines are domain joined. All user accounts are domain accounts. The ssh client on Windows is PuTTY 0.70. GSSAPI authentication and credential delegation are enabled in the PuTTY settings and the GSSAPI library order preference is MIT, Microsoft, then user-specified (none). No 3rd-party Kerberos libraries or tools are installed on the Win10 machines. It's purely the Microsoft native Kerberos implementation. MIT Kerberos and Heimdal are not in the mix at all.

Running "klist" when logged on to Windows 10 with my domain account shows the following flags for my krbtgt/DOMAIN entry:

    Ticket Flags 0x60a1 -> forwardable forwarded renewable pre_authent name_canonicalize

As an extra data point, this might have started changing behavior after the Linux machines were upgraded from CentOS/RHEL 7.4 to 7.5.

I'm going to play around with the credential delegation settings on the machine account in AD and see how well that works.

Thanks,
Jason

-------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedg...@uncc.edu | http://engr.uncc.edu | Facebook
---
If you are not the intended recipient of this transmission or a person responsible for delivering it to the intended recipient, any disclosure, copying, distribution, or other use of any of the information in this transmission is strictly prohibited. If you have received this transmission in error, please notify me immediately by reply e-mail or by telephone at 704-687-1943. Thank you.

On Fri, Jun 1, 2018 at 4:30 PM, Jeffrey Altman wrote:
> On 5/31/2018 4:50 PM, Jason Edgecombe wrote:
> > Hi everyone,
> >
> > We're noticing some odd behavior on our Windows clients where the Windows clients are not forwarding the TGT to our Linux servers. People can log in to the Linux servers from Windows clients, but "klist" shows no tickets after login. Linux clients forward the TGT just fine. In case it matters, we just moved our Linux home directories from a NAS with Kerberized SMB to a Linux NFS server with Kerberized NFS.
>
> There are aspects of this post that make no sense to me.
>
> You say that everything worked fine a few weeks ago and you imply that the only change that was made was a transition from SMB to NFS for home directories.
>
> You also imply but do not explicitly state that the Windows clients are Active Directory domain joined machines and the end users logged into those systems using a domain account with either a password or smart card.
>
> There is no obvious connection between the replacement of the home directory file system storage mounted by the linux workstation and the failure of SSH GSS-API + Credential Delegation between the windows client and the linux workstation.
>
>     windows  ->  linux        ->  home directory
>     client       workstation      storage
>
> Clearly there is more to this story that you are failing to describe.
>
> > I've had to disable GSSAPI authentication in openssh so that windows users can still get tickets on the remote end.
>
> Without GSSAPI authentication there is no possibility of delegation but you did not specify that the OpenSSH server was configured to request delegation.
>
> Nor was it specified what SSH client is being used on Windows and how it is configured. Is it even attempting to delegate?
>
> Does the SSH client use the Windows Kerberos SSP or does it rely upon MIT Kerberos or Heimdal for GSS-API support?
>
> Nor were any details provided about the ticket flags on the client's TGT.
>
> > I have a disagreement with our AD guru on whether or not TGTs are expected to be forwarded and if that is a security risk.
>
> TGT forwarding is a security risk. The question is under which circumstances the practice is an acceptable risk.
>
> As has been pointed out by another list member, the Windows domain provides finer grained control over credential delegation than is supported by MIT Kerberos or Heimdal. The domain administrator can whitelist service principals to which the Windows client is permitted to delegate.
>
> Jeffrey Altman

Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
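The klist line quoted in this thread is the first thing to check when delegation fails: the TGT must carry the forwardable flag before any client can forward it. The decoder below is an added example (not code from the thread or from Windows); it maps the hex value Windows klist prints onto the RFC 4120 TicketFlags names, treating a 16-bit value such as 0x60a1 as the upper half of the 32-bit word Windows normally shows (an assumption about the quoted output).

```python
"""Decode the Ticket Flags value printed by Windows klist.

Added example for this thread; not code from the thread or from Windows.
Windows klist prints TicketFlags as a 32-bit word in which RFC 4120 bit 0 is
the most significant bit (the KERB_TICKET_FLAGS_* constants). The quoted
"0x60a1" is the upper 16 bits of that word, so a value that fits in 16 bits
is treated here as that upper half (an assumption about the quoted output).
"""
from typing import List

# RFC 4120 TicketFlags bit numbers (bit 0 = MSB of the 32-bit word).
# Bit 15 is shown as name_canonicalize by Windows klist.
_FLAG_BITS = {
    1: "forwardable",
    2: "forwarded",
    3: "proxiable",
    4: "proxy",
    5: "may_postdate",
    6: "postdated",
    7: "invalid",
    8: "renewable",
    9: "initial",
    10: "pre_authent",
    11: "hw_authent",
    12: "transited_policy_checked",
    13: "ok_as_delegate",
    14: "anonymous",
    15: "name_canonicalize",
}


def _mask(bit: int) -> int:
    """32-bit mask for RFC 4120 TicketFlags bit `bit` (bit 0 is the MSB)."""
    return 1 << (31 - bit)


def normalize_flags(value: int) -> int:
    """Widen a 16-bit klist prefix such as 0x60a1 to the 32-bit word 0x60a10000.

    The low 16 bits of the word are reserved, so a value that fits in
    16 bits can only be the upper half.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ticket flags must fit in 32 bits")
    return value << 16 if value <= 0xFFFF else value


def decode_ticket_flags(value: int) -> List[str]:
    """Return the names of the set flags, in RFC 4120 bit order."""
    word = normalize_flags(value)
    return [name for bit, name in sorted(_FLAG_BITS.items()) if word & _mask(bit)]


def can_delegate(value: int) -> bool:
    """Client-side precondition for GSS-API credential delegation: the TGT
    must be forwardable. KDC and service policy (e.g. ok_as_delegate)
    still apply on top of this."""
    return "forwardable" in decode_ticket_flags(value)


def parse_klist_flags_line(line: str) -> int:
    """Pull the hex value out of a line like
    'Ticket Flags 0x60a10000 -> forwardable forwarded renewable ...'."""
    for token in line.split():
        if token.lower().startswith("0x"):
            return int(token, 16)
    raise ValueError("no hex ticket flags value in: %r" % line)


if __name__ == "__main__":
    # Constructed sample mirroring the klist line quoted in the thread.
    sample = ("Ticket Flags 0x60a1 -> forwardable forwarded renewable "
              "pre_authent name_canonicalize")
    flags = parse_klist_flags_line(sample)
    print(hex(normalize_flags(flags)), decode_ticket_flags(flags),
          "delegation possible:", can_delegate(flags))
```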
Question about TGT forwarding
Hi everyone,

We're noticing some odd behaviour on our Windows clients where the Windows clients are not forwarding the TGT to our Linux servers. People can log in to the Linux servers from Windows clients, but "klist" shows no tickets after login. Linux clients forward the TGT just fine. In case it matters, we just moved our Linux home directories from a NAS with Kerberized SMB to a Linux NFS server with Kerberized NFS.

I've had to disable GSSAPI authentication in openssh so that Windows users can still get tickets on the remote end.

I have a disagreement with our AD guru on whether or not TGTs are expected to be forwarded and if that is a security risk.

Everything worked fine a few weeks ago.

Any help is appreciated.

Thanks,
Jason
Potential Kerberos PKINIT integration with puppet
Hi everyone,

Michael Weisner has submitted a pull request for puppet to add Kerberos PKINIT support for puppet, which allows puppet certificates to be used for bootstrapping Kerberos services and authentication. Puppetlabs is kind enough to consider this request, and is debating whether or not to include it because the use cases aren't entirely clear.

If you are a puppet user that would like to see this merged, then please visit the ticket page and offer your support and use cases. This request is tracked at https://tickets.puppetlabs.com/browse/PUP-4014

Sincerely,
Jason
Re: kerberos testing server/realm
On 09/02/2014 12:53 PM, Greg Hudson wrote:
> On 09/02/2014 04:20 AM, bodik wrote:
> > But I was thinking, if there would be something like static_kdc.c? Some very small implementation without all fancy features like PA, crossrealming, heavy encryption, something which would just send out session keys to everybody having some static secrets for anyone ...? Is there anything like that, or could this even be possible? Or am I completely out of line?
>
> It's possible in theory, but I don't think it would decrease the administrative burden of deploying it by much, so it wouldn't warrant the development burden of maintaining an additional KDC implementation. I understand that having a simpler dev/test environment is desirable, but a test environment is most valuable when it matches the production environment.
Re: Proposition for new remctl ACL scheme / group support
On 04/05/2014 11:02 AM, Remi FERRAND wrote:
> Hi everyone,
>
> Sorry for the spam if this list isn't the one I should use to discuss remctl (http://www.eyrie.org/~eagle/software/remctl/).
>
> At IN2P3 Computing Centre, we're starting to use remctl for everything that requires privilege delegation (till now, this software seems perfect for what we want).
>
> Anyway, the more we use it, the more we believe its default ACL bundle (file, princ, deny, pcre, regex from the EPEL version) is missing something related to *groups*.
>
> For instance, we'd like to be able to allow every member of team A to execute one command on a particular host. This way, we could allow all members of a particular physics experiment to release their AFS volumes, for instance.
>
> We were unable to find a simple way to do this with the current remctl ACL methods; that's why we've submitted a first patch (https://github.com/rra/remctl/pull/1). This patch introduces a new ACL method named unxgrp and is still not merged in master. It was an easy (and fast to write) answer to our problem.
>
> For now, the default EPEL remctl package comes with a remctl server local-only ACL scheme (ACLs that only involve local remctl server resources). What we're trying to do here is to introduce ACL schemes (PTS or unxgrp) that could use network based providers (and thus allow centralization and factorization of ACLs).
>
> As we were writing this piece of code we thought that at CC-IN2P3 we are using OpenAFS. AFS brings a PTS DB that could be used as a convenient way to distribute groups. For instance with the PTS group above:
>
>     % pts mem remctl:testgrp -expand
>     Expanded Members of remctl:testgrp (id: -6556) are:
>       user1
>       user2
>
> we could be able to use the following ACL in the remctl configuration file:
>
>     pts_group:remctl:testgrp
>
> to allow user1 and user2 to execute a command.
>
> Before any further development, we'd like to know if someone could be interested in that feature? Does someone think that we absolutely shouldn't do that? If so, we'll talk later of the implementation.
>
> More important for us, we'd like to know what Russ Allbery thinks about that as he is the main developer of remctl.
>
> Thank you in advance for your answer.
>
> Thanks all for your answers and comments.
>
> Cheers

At our site, we made similar functionality by writing a script to generate a part of our remctl config based on the members of a PTS group. I look forward to being able to use this and removing one more script.

Jason
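The workaround mentioned above (generating part of the remctl configuration from a PTS group) can be done along these lines. This is an added example, not code from the thread or from remctl; it parses `pts membership -expand` output of the form quoted above into explicit princ: ACL entries, and the realm EXAMPLE.EDU and the use of argv-style subprocess calls are assumptions.

```python
"""Generate a remctl ACL file from the expanded membership of an AFS PTS group.

Added example, not part of the thread or of remctl. It implements the
workaround described in the thread (a script that derives part of the
remctl configuration from a PTS group) by parsing the output of
`pts membership <group> -expand` and writing one `princ:` entry per member,
one per line, which is the entry form remctl ACL files accept.
The realm EXAMPLE.EDU is an assumption.
"""
import re
import subprocess
from typing import List

REALM = "EXAMPLE.EDU"  # assumed realm

# PTS user names that may become Kerberos principals. Deliberately strict:
# whitespace, '@' or ':' in a name would change the meaning of an ACL line,
# and PTS group names (which contain ':') are never valid user principals.
_USER_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def parse_pts_expand(output: str) -> List[str]:
    """Return the member names from `pts membership -expand` output.

    The first line is the 'Expanded Members of <group> (id: <n>) are:'
    header; every following non-empty line names one member.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Expanded Members of"):
        raise ValueError("unexpected pts output: %r" % output[:60])
    return lines[1:]


def members_to_acl(group: str, members: List[str], realm: str = REALM) -> str:
    """Render ACL entries; names that are not safe principal names are
    recorded as comments instead of silently dropped."""
    out = ["# generated from PTS group %s; do not edit by hand" % group]
    for name in sorted(set(members)):
        if not _USER_RE.match(name):
            out.append("# skipped unsafe PTS entry: %r" % name)
            continue
        out.append("princ:%s@%s" % (name, realm))
    return "\n".join(out) + "\n"


def fetch_pts_expand(group: str) -> str:
    """Run the real pts command (argv form, no shell involved)."""
    proc = subprocess.run(["pts", "membership", group, "-expand"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed sample mirroring the output quoted in the thread.
SAMPLE_PTS_OUTPUT = """Expanded Members of remctl:testgrp (id: -6556) are:
  user1
  user2
"""

if __name__ == "__main__":
    members = parse_pts_expand(SAMPLE_PTS_OUTPUT)
    print(members_to_acl("remctl:testgrp", members), end="")
```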
Re: Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
On 03/07/2014 06:16 PM, Greg Hudson wrote:
> On 03/07/2014 05:17 PM, Edgecombe, Jason wrote:
> > I don't see how anyone can object to rejecting requests for expired or deleted principals.
>
> I don't think anyone has. In the past I have mentioned performance as a possible issue, but it turns out we have been looking up the client entry for most TGS requests since 1.7, so that's not a concern.
>
> The change may not be a trivial one to make safely, because there are so many edge cases in modern TGS request processing. Be aware that:
>
> * We cannot generally do these checks for cross-realm TGS requests.
> * The KDC cannot revoke already-issued service tickets.

I accept your bullet points, but the current situation is much worse. In the current MIT implementation, TGTs are good for the entire *renewable* lifetime, and you can't block that TGT from getting new service tickets or renewing the TGT so long as the renewable deadline has not been reached and the normal lifetime has not expired. Even if I have tickets with an 8 hour lifetime and a 7 day renewable lifetime, MIT krb will happily keep issuing service tickets and renewing the TGT until the 7 days have passed. This is not desirable when a user leaves the organization on unhappy terms.

I understand that you can't block service tickets that were already issued, but I can limit the damage by having short lifetimes and longer renewable lifetimes. As it stands right now, I can only maintain a short time window by keeping the renewable lifetime short.

Jason
installing auks with torque
Hi everyone,

We're trying to set up a Linux compute cluster using torque. I would like the jobs to be able to access each user's AFS space by caching the user's Kerberos tickets/access. One solution is auks:

http://workshop.openafs.org/afsbpw10/talks/wed_3/hautreux_kerberos_hpc.pdf
https://github.com/hautreux/auks

According to https://twiki.ppe.gla.ac.uk/bin/view/Main/TorqueAuks , auks needs to be installed on the KDC, but I don't see any need for this based on my limited understanding of auks and a cursory glance at some of the auks code. As far as I can tell, auks is like multiple hosts sharing a ticket cache with k5start.

Can anyone clarify if the auks daemon really needs to be on the KDC? I'm resistant to installing extra services on the KDCs.

If anyone has any other ideas to pull off a job scheduler with Kerberos AFS access, then I'm open to that as well.

Thanks,
Jason
Re: Options for enforcing password policies
On 05/22/2013 01:15 PM, Russ Allbery wrote:
> Dagobert Michelsen <d...@opencsw.org> writes:
> > On 22.05.2013 at 15:41, Edgecombe, Jason <jwedg...@uncc.edu> wrote:
> > > * passwords may not contain certain characters, like unicode or some ASCII characters
> >
> > To my knowledge this is not possible, but I also don't see a reason to limit it.
>
> If users try to use Unicode characters, they potentially get into Unicode normalization problems, which can leave them unable to type their password in the form that the Kerberos KDC expects it even if the password they're typing looks the same on their entry device. I don't think Kerberos has defined a standard normalization that would affect the kpasswd / string-to-key layer yet, although some protocols that can use Kerberos for password verification define a normalization at a higher level.
>
> Some control characters can create problems because they can be entered on some devices and not on others.
>
> In both cases, this is a user support issue. There's no real security issue from choosing such passwords, but the user may be unable to enter it again later, which prompts calls to the Help Desk, help in resetting passwords, etc.

Can I set which character classes must be used?

On Linux and Windows, how are users notified that their password is about to expire? How can you do this on Windows when the passwords are in a different realm with cross-realm trust? (i.e. Windows is part of an AD domain that trusts our MIT KDC).

Thanks,
Jason
Re: MIT Kerberos production realm = mirror/copy to a test/dev realm?
(replying back to list)

Propagation wouldn't be any different than a dump and reload. Just point your clients at the test server for testing. This also helps to test how well the old principals will migrate to the new version.

Jason

On 05/11/2012 07:04 PM, Tareq Alrashid wrote:
> Thank you, Jason. I forgot to mention that the PRODKRB.REALM.EDU production realm is at v5-1.6.3. Need to set up a new KRBDEV.REALM.EDU to test and upgrade everything to v5.1.10.1. And also upgrade away from DES to the latest/strongest enctypes. I have done a manual simple dump/load into the new dev realm, and of course all principals are added with a...@prodkrb.realm.edu into the KRBDEV.REALM.EDU. So not sure how propagation would be any different.
>
> Thanks,
> Tareq
>
> On May 11, 2012, at 6:26 PM, Jason Edgecombe wrote:
> > On 05/11/2012 01:44 PM, Tareq Alrashid wrote:
> > > Greetings,
> > >
> > > The production Kerberos realm is decades old. Never had a “real” test/development realm until now. Don’t ask! How to best create or mirror an existing realm of all principals and all their information, except it's under a new realm for testing of all that is to be implemented in the future? My thinking with what I know is that it's not possible considering how everything is meshed in a combination of realm/passwords/salts… etc. But I ask just in case I am missing something. Insights?
> >
> > Set up a test server as a slave of the prod server, then enable kadmin so that it acts like a master. You can trigger kprop by hand to sync prod to dev when you want.
> >
> > You might not want an entire test realm, just a devel/test copy of the production realm. I deploy changes to my slave KDCs and point clients at it for testing. After I'm satisfied, I roll out to production.
> >
> > Jason
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
On 03/01/2012 06:43 PM, Russ Allbery wrote:
> Edgecombe, Jason <jwedg...@uncc.edu> writes:
> > I have Russ Allbery's pam_krb5 and pam_afs_session modules working for console logins, but they fail for ssh logins (both password and kerberized). I can get ssh logins to work with RedHat's pam_krb5 module, but RedHat's module causes problems with AFS tokens and Gnome (gconfd). Disabling ssh privilege separation doesn't make a difference. Any help is appreciated.
> >
> > Platform: RHEL 5.6 x86_64
> >
> > Here is the log from the password login:
> >
> >     Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> >     Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): skipping non-Kerberos login
> >     Mar 1 16:39:08 myhost sshd[22409]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
> >     Mar 1 16:39:08 myhost sshd[22409]: fatal: Access denied for user jwedgeco by PAM account configuration
>
> The first thing that jumps out here is that apparently the auth functionality of pam-krb5 never ran. Either that, or debug wasn't enabled for auth, but the account group is also saying that the user didn't log on with Kerberos.
>
> > Contents of /etc/pam.d/system-auth-ac:
> >
> >     #%PAM-1.0
> >     # This file is auto-generated.
> >     # User changes will be destroyed the next time authconfig is run.
> >     auth        optional      pam_group.so
> >     auth        required      pam_env.so
> >     auth        sufficient    pam_unix.so nullok try_first_pass
> >     auth        requisite     pam_succeed_if.so uid >= 104 quiet
> >     auth        sufficient    /usr/local/lib/security/pam_krb5.so use_first_pass
> >     auth        required      pam_deny.so
>
> Does the user's UNIX password match their Kerberos password? If so, then pam_unix will succeed and nothing subsequent to that will run, so no Kerberos authentication was ever performed.

No, the local users are locked in the shadow file. The users have a * in the password field for the /etc/shadow file. I'm using nssdb for passwd and shadow file if that matters.

> > Here is the log from the kerberized login:
>
> This is a different problem.
>
> >     Mar 1 16:39:15 myhost sshd[22412]: Authorized to jwedgeco, krb5 principal jwedgeco@MYREALM (krb5_kuserok)
> >     Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry
> >     Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): skipping non-Kerberos login
> >     Mar 1 16:39:15 myhost sshd[22412]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (ignore)
>
> This part is expected, I think. The account group for pam-krb5 only makes sense in combination with a password authentication. If you authenticate via GSS-API, sshd is responsible for doing the authorization check and there isn't anything for PAM to do.
>
> >     Mar 1 16:39:15 myhost sshd[22412]: fatal: Access denied for user jwedgeco by PAM account configuration
> >
> >     account     required      pam_unix.so broken_shadow
> >     account     sufficient    pam_succeed_if.so uid < 104 quiet
> >     account     [default=bad success=ok user_unknown=ignore] /usr/local/lib/security/pam_krb5.so
> >     account     required      pam_permit.so
>
> default=bad is mapping ignore to fail. You need to add ignore=ignore to your configuration for the pam_krb5 line. (You don't need user_unknown=ignore for my PAM module; it won't return user_unknown unless validation of a Kerberos login actually fails.)
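To see why the account stack quoted in this message denies a GSS-API login and why adding ignore=ignore fixes it, here is a small simulator of the Linux-PAM control actions involved. It is an added example, not code from the thread or from pam-krb5; the module return values are those implied by the quoted log, and the user's uid being above the pam_succeed_if threshold is an assumption.

```python
"""Replay the account stack quoted above for a GSS-API ssh login.

Added example, not code from the thread or from pam-krb5. It implements the
Linux-PAM control actions the stack uses (ok, done, bad, die, ignore and the
required/sufficient/requisite/optional keywords) but not jump actions, and
takes each module's return value for this login from the quoted log:
pam_krb5 returns PAM_IGNORE ("skipping non-Kerberos login"). The user's uid
being above the pam_succeed_if threshold (uid >= 104) is an assumption.
"""
from typing import Dict, List, Optional, Tuple

PAM_SUCCESS = "success"
PAM_IGNORE = "ignore"
PAM_AUTH_ERR = "auth_err"
PAM_USER_UNKNOWN = "user_unknown"
PAM_PERM_DENIED = "perm_denied"   # Linux-PAM's catch-all failure code

# Keyword controls expanded to action maps, as in pam.conf(5).
KEYWORD_CONTROLS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[default=bad success=ok ...]' into an action map."""
    if control in KEYWORD_CONTROLS:
        return dict(KEYWORD_CONTROLS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("bad control field: %r" % control)
    return dict(item.split("=", 1) for item in control[1:-1].split())


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Evaluate (control, module) entries; `results` maps module -> return value.

    Returns PAM_SUCCESS, the first failure recorded by a bad/die action, or
    PAM_PERM_DENIED when no module contributed a value at all.
    """
    status: Optional[str] = None
    for control, module in stack:
        actions = parse_control(control)
        ret = results[module]
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue                      # module does not contribute
        if action in ("ok", "done"):
            if status is None or status == PAM_SUCCESS:
                status = ret              # only overrides a non-failing state
            if action == "done" and status == PAM_SUCCESS:
                break                     # 'sufficient' after a failure does not end the stack
        elif action in ("bad", "die"):
            if status is None or status == PAM_SUCCESS:
                # A return treated as failure becomes the stack's result; PAM_IGNORE
                # carries no error code of its own, so it surfaces as PAM_PERM_DENIED.
                status = ret if ret != PAM_IGNORE else PAM_PERM_DENIED
            if action == "die":
                break
        else:
            raise ValueError("unsupported action %r" % action)
    return PAM_PERM_DENIED if status is None else status


# The pam_krb5 control field as quoted, and with the suggested ignore=ignore.
ORIGINAL_CONTROL = "[default=bad success=ok user_unknown=ignore]"
FIXED_CONTROL = "[default=bad success=ok ignore=ignore user_unknown=ignore]"

# Module results for a GSS-API ssh login by an ordinary user (uid >= 104).
GSSAPI_LOGIN: Dict[str, str] = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_succeed_if.so": PAM_AUTH_ERR,   # 'uid < 104' is false for this user
    "pam_krb5.so": PAM_IGNORE,           # "skipping non-Kerberos login"
    "pam_permit.so": PAM_SUCCESS,
}


def account_result(krb5_control: str, results: Dict[str, str] = GSSAPI_LOGIN) -> str:
    """Outcome of the quoted account stack with the given pam_krb5 control."""
    stack = [
        ("required", "pam_unix.so"),
        ("sufficient", "pam_succeed_if.so"),
        (krb5_control, "pam_krb5.so"),
        ("required", "pam_permit.so"),
    ]
    return run_stack(stack, results)


if __name__ == "__main__":
    print("original:", account_result(ORIGINAL_CONTROL))   # perm_denied
    print("fixed:   ", account_result(FIXED_CONTROL))      # success
```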
Re: Can't get Russ' pam_krb5 module to work with ssh on RHEL5
On 03/01/2012 07:38 PM, Russ Allbery wrote:
> Jason Edgecombe <ja...@rampaginggeek.com> writes:
> > No, the local users are locked in the shadow file. The users have a * in the password field for the /etc/shadow file. I'm using nssdb for passwd and shadow file if that matters.
>
> If you lock users in /etc/shadow, pam_unix will reject all logins via whatever mechanism for those users. So you either have to arrange to bypass pam_unix entirely in PAM, or you need to not lock users and instead just give them invalid password entries. However, * isn't locking the account; ! is locking the account. At least on Debian; maybe pam_unix works differently on Red Hat?

Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM logins work; only ssh is broken. I don't think that the password entries are a problem.
Re: Help: Can OpenSSH get OpenAFS token after the client login?
On 06/11/2011 08:31 AM, Lee Eric wrote:
> Hi,
>
> The systems are using Fedora 14 and the systems can log in to each other by using Kerberos. But it seems after OpenSSH login the client side cannot get the OpenAFS token. So is there any way to let the client side get the OpenAFS token after login? Just a guess, could I use pam_afs_session in /etc/pam.d/sshd to do this?
>
>     [root@client1 ~]# kinit huli
>     Password for huli@HERDINGCAT.INTERNAL:
>     [root@client1 ~]# ssh huli@submit.herdingcat.internal
>     Last login: Sat Jun 11 08:30:24 2011 from client1.herdingcat.internal
>     Could not chdir to home directory /afs/herdingcat.internal/home/huli: Permission denied
>     -bash: /afs/herdingcat.internal/home/huli/.bash_profile: Permission denied
>     -bash-4.1$

Yes, pam_afs_session can do that.

In addition, for single sign-on to work, the remote machine must have a host keytab installed, and you put the following in your local ssh config (/etc/ssh/ssh_config or ~/.ssh/config):

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Jason
SpywareTerminator is flagging MIT kerberos as Malware
Has anyone else seen this?

Thanks,
Jason

From: Andrew Stein [mailto:andrew1st...@gmail.com]
Sent: Wednesday, July 14, 2010 12:07 AM
To: Stein, Jack; Edgecombe, Jason
Subject: MIT Kerberos -- spyware? No way

http://www.spywareterminator.com/item/5472/details.html

I scanned my computer for spyware and it is saying that the MIT Kerberos install I have on my machine (from the UNCC website) is the CrystalysMedia spyware. It has to be a false positive, but look at the description for this spyware --

"Adware Software that is displaying pop-up/pop-under windows containing advertisements when the primary user interface is not visible or displayed advertisements are not related to the product."
remctld on windows XP
Hi Everyone,

Looking at the remctl web site, it says that the remctl server is not supported on Windows. We would like to use remctld on Windows XP. What would be involved in making that work? Is that possible?

Thanks,
Jason
Re: remctld on windows
Jeffrey Altman wrote:
> On 2/25/2010 9:52 PM, Russ Allbery wrote:
> > Jason Edgecombe <ja...@rampaginggeek.com> writes:
> > > Dang. Thanks.
> >
> > The drawback to the Java server implementation is that it doesn't actually run anything, just provides a Java class that handles the protocol and lets you get the command to do with what you want. But with that said, if you have any Java developers on staff, you may want to try that approach and see if that gives you what you want. I expect to have some resources allocated to do additional work on the Java code (both client and server) within the next six months if there's anything anyone would particularly like to see.
>
> The important question is what commands do you want to execute on Windows using remctld?
>
> I want to add a remctl interface to Network Identity Manager for the client side and create a native remctld that adds commands via a dll based plugin interface for the server side.
>
> Jeffrey Altman

We want to have a tool for our help desk students to list and kill processes for other users on workstations along with being able to trigger a remote shutdown or reboot.

Sincerely,
Jason
Re: remctld on windows
Christopher D. Clausen wrote:
> Jason Edgecombe <ja...@rampaginggeek.com> wrote:
> > We want to have a tool for our help desk students to list and kill processes for other users on workstations along with being able to trigger a remote shutdown or reboot.
>
> Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows systems and already do this, assuming you have the proper admin share access enabled on the remote system.
>
> The more generic psexec.exe is available from sysinternals:
> http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
> and the Linux version of it at:
> http://eol.ovh.org/winexe/
>
> There is also the wmic.exe command and its associated options:
> http://technet.microsoft.com/en-us/library/bb742610.aspx

Can this be run by a non-privileged user without needing the admin password? I need a kind of remote sudo to do the task list and such, preferably cross-platform. We have an in-house system that I would like to replace for various reasons.

Jason
remctld on windows
Hi Everyone,

I noticed that remctld is not supported on Windows. Is it possible to run on Windows XP? It would be ideal for some in-house programs that are needed. What issues are involved when running remctld on Windows?

Thanks,
Jason
Re: URG: Details abt Kerberos
vinay kumar wrote:
> Hi,
>
> I am new to Kerberos. I have been asked to set up a KDC, Kerberos client and application server. Using these I have to capture AP_REQ, AP_REP, AS_REQ and AS_REP in Wireshark. I have two systems, both working on Red Hat Linux. I downloaded Kerberos from MIT, version 5. I went through the installation and user guide of Kerberos. I successfully constructed a KDC server and am able to capture AS_REQ and AS_REP, but I was not able to set up the Kerberos client and application server.
>
> I have a few doubts, like: can the application server and client be on the same system? How does the client machine differ from the application server? Is the client recognized by IP address or by principal by the KDC? For configuration settings we need to modify /etc/inetd.conf but this file is not there in Red Hat, so which file do we edit? What exactly does client mean (I have understood it as a system on which you can get a ticket for any principal in that realm)? What exactly does application server mean (I have confusion like ftp, telnet ... etc are available on the client system only, then what is the function of the application server)? What is the difference between host and usernames?
>
> Please help me by showing how to configure the client and application server. Kindly help me out.
>
> Waiting for your reply.
>
> Regards,
> Vinay

It's time to read the fine manual.

Kerberos comes with RedHat Enterprise Linux; although it's not the latest version, it is kept patched for security vulnerabilities. Read this:
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/ch-kerberos.html

The next link explains some of the Kerberos terms.

Kerberos is normally run as its own service, not through inetd. Redhat uses xinetd instead of inetd. Please read the manual page if you aren't familiar with xinetd, especially the part about the HUP signal.

What's the difference between hosts and usernames, seriously?

Jason
Re: URG: Details abt Kerberos
Max (Weijun) Wang wrote:
> > What's the difference between hosts and usernames, seriously?
>
> I guess Vinay is talking about the different types of principal names. A username, say, du...@example.com, is used on the client side. The client gets an initial TGT for it at kinit time. A host, prepended with a service name, say, ftp/me.example@example.com, is used on the server side. Normally, you create a keytab file holding secret keys for this name and it's readable by the server process. Both names are created using the kadmin tool.
>
> --Max
>
> On Jan 19, 2010, at 4:28 AM, Jason Edgecombe wrote:
> > vinay kumar wrote:
> > > Hi,
> > >
> > > I am new to Kerberos. I have been asked to set up a KDC, Kerberos client and application server. Using these I have to capture AP_REQ, AP_REP, AS_REQ and AS_REP in Wireshark. I have two systems, both working on Red Hat Linux. I downloaded Kerberos from MIT, version 5. I went through the installation and user guide of Kerberos. I successfully constructed a KDC server and am able to capture AS_REQ and AS_REP, but I was not able to set up the Kerberos client and application server.
> > >
> > > I have a few doubts, like: can the application server and client be on the same system? How does the client machine differ from the application server? Is the client recognized by IP address or by principal by the KDC? For configuration settings we need to modify /etc/inetd.conf but this file is not there in Red Hat, so which file do we edit? What exactly does client mean (I have understood it as a system on which you can get a ticket for any principal in that realm)? What exactly does application server mean (I have confusion like ftp, telnet ... etc are available on the client system only, then what is the function of the application server)? What is the difference between host and usernames?
> > >
> > > Please help me by showing how to configure the client and application server. Kindly help me out.
> > >
> > > Waiting for your reply.
> > >
> > > Regards,
> > > Vinay
> >
> > It's time to read the fine manual.
> >
> > Kerberos comes with RedHat Enterprise Linux; although it's not the latest version, it is kept patched for security vulnerabilities. Read this:
> > http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/ch-kerberos.html
> >
> > The next link explains some of the Kerberos terms.
> >
> > Kerberos is normally run as its own service, not through inetd. Redhat uses xinetd instead of inetd. Please read the manual page if you aren't familiar with xinetd, especially the part about the HUP signal.
> >
> > What's the difference between hosts and usernames, seriously?

Hello Vinay and everyone,

I'm sorry for my grumpy response. I'm not normally that grouchy.

Sorry,
Jason
Re: Kerberos LDAP
Prasad (普拉萨德) wrote:
> I am ok that we normally use Kerberos to keep the password and LDAP is just for authorization. But then if my DNS goes down, then no one can log in to the system because Kerberos is highly dependent on DNS and NTP. That's why I am thinking of having the username and password in LDAP too. I am not allowing my DNS to crash but just in case. So preparing backup for disaster before it comes to me. And for that I am looking for something so that I can sync OpenLDAP and Kerberos username and password.
>
> Thanks,

If you use IP addresses in your Kerberos and NTP files, then you're less dependent on DNS.

Jason
Re: Adding users with a script
Jaap Winius wrote:
> Hi all,
>
> If you have 1,000 user names and passwords to add to an MIT Kerberos V database on a Linux system, you could add them all manually with kadmin, but that would be a terrible waste of time. The proper way would be to automate this process with a script, but I have no idea how.

ssh to your master kdc and run the following as root:

    kadmin.local -q "addprinc -randkey username"

for each user to create a user with a random password. With a few lines of scripting, you can automate that.

If you have a keytab for an admin account, then you don't have to ssh to the kdc, and you can use normal kadmin instead of kadmin.local.

Jason
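Driving kadmin from a script as suggested above, written in Python rather than the shell. This is an added example, not code from the thread or from MIT Kerberos; the admin principal, keytab path and realm are assumptions, and every name is validated before it reaches kadmin so that a stray '/' or '@' in the input file cannot turn one line into a service or foreign-realm principal.

```python
"""Bulk-create Kerberos principals with `kadmin -q "addprinc -randkey ..."`.

Added example, not code from the thread or from MIT Kerberos. It follows
the thread's advice: one addprinc -randkey per user, authenticated with an
admin keytab so plain kadmin works from any host instead of kadmin.local
on the master KDC. Admin principal, keytab path and realm are assumptions.
"""
import re
import subprocess
import sys
from typing import Iterable, List

ADMIN_PRINC = "admin/admin"               # assumed admin principal
ADMIN_KEYTAB = "/etc/krb5/admin.keytab"   # assumed keytab path
REALM = "EXAMPLE.EDU"                     # assumed realm

# Plain user names only. '/' would make a service principal, '@' a foreign
# realm, and whitespace would add extra words to the kadmin query string.
_USER_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def validate_users(names: Iterable[str]) -> List[str]:
    """Return de-duplicated, validated user names; blank and '#' lines are
    skipped, anything else that fails the pattern raises."""
    accepted: List[str] = []
    for raw in names:
        name = raw.strip()
        if not name or name.startswith("#"):
            continue
        if not _USER_RE.match(name):
            raise ValueError("refusing to create principal for %r" % raw)
        if name not in accepted:
            accepted.append(name)
    return accepted


def kadmin_argv(user: str, realm: str = REALM) -> List[str]:
    """argv for one creation; -randkey keeps passwords off the command line."""
    return ["kadmin", "-k", "-t", ADMIN_KEYTAB, "-p", ADMIN_PRINC,
            "-q", "addprinc -randkey %s@%s" % (user, realm)]


def create_principals(users: Iterable[str], dry_run: bool = True) -> List[List[str]]:
    """Build, and unless dry_run execute, one kadmin call per validated user."""
    commands = [kadmin_argv(u) for u in validate_users(users)]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)   # argv list, no shell involved
    return commands


if __name__ == "__main__":
    # Constructed sample input; a real run would read the users file.
    sample = ["alice", "bob", "# carol left", "alice"]
    for argv in create_principals(sample, dry_run="--run" not in sys.argv[1:]):
        print(" ".join(argv))
```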
Re: Long-running jobs with renewal of krb5 tickets and AFS tokens
Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
> > I guess setting things for renewable tickets longer than 7 days or running the jobs in local disk will be easiest. We have a 7 day normal/renewable lifetime. What length do other sites have?
>
> I have seen sites use on the order of months for the renewable ticket lifetime, but still hours for normal ticket lifetime.
>
> If you already use seven days for renew life you might as well double it -- whatever your threat model is, if you can accept seven days then chances are you can accept fourteen.

Doubling it wouldn't really help. It would probably need to be on the order of a month.

If I were to change the renewable lifetime, I need to change all principals, the client krb5.conf and the server kdc.conf. Is that correct?

Thanks,
Jason
Long-running jobs with renewal of krb5 tickets and AFS tokens
We have users who need to run long-running jobs and store their files in AFS during the run. I've read the k5start and k5renew man pages, but I don't see how I can have users type in their password when they start a job and have the tickets and tokens keep being renewed. How can I do this?

Thanks,
Jason
Re: Long-running jobs with renewal of krb5 tickets and AFS tokens
Russ Allbery wrote:
> Jason Edgecombe ja...@rampaginggeek.com writes:
> > We have users who need to run long-running jobs and store their files in AFS during the run. I've read the k5start and k5renew man pages, but I don't see how I can have users type in their password when they start a job and have the tickets and tokens keep being renewed. How can I do this?
>
> If you're not dealing with a batch environment, where the execution happens some time after the user authenticates, then krenew is what you want. It just doesn't do the initial ticket acquisition. You configure your PAM module and krb5.conf to get renewable tickets by default, so that the user already has renewable tickets when they start the job. Then run the job under krenew. It will make a private copy of the existing ticket cache and then keep renewing tickets and tokens until either it can't any more or the job ends.
>
> If you *are* dealing with a batch environment, you want Kula's approach.

Sigh, I guess setting things for renewable tickets longer than 7 days or running the jobs on local disk will be easiest. We have a 7 day normal/renewable lifetime. What length do other sites have?

I might need to use the job scheduler approach, but that's a pain. I would guess 10-20 people would want that ability. I either need to modify our account maintenance processes or do it all manually. Has anyone automated the management of user.cron principals?

Unfortunately, I have had to tell people that they can't have an infinite ticket lifetime. :P

Thanks for the help!

Thanks,
Jason
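A wrapper for the non-batch case Russ describes, as an added example that is not part of the thread. krenew can only extend what the KDC already granted, so the wrapper first checks `klist -f` for a "renew until" line on the krbtgt entry and refuses to start otherwise (the usual cause is a kinit or PAM configuration that did not request renewable tickets). It assumes MIT klist and Russ Allbery's krenew are installed; the job name is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example (not from the original thread): run a long job under krenew,
# but only if the calling user actually holds a renewable TGT.
#
# Usage: sh run_renewed.sh ./my_long_job --arg

# Read `klist -f` output on stdin; succeed if the krbtgt entry is renewable.
# MIT klist prints a "renew until ..., Flags: ..." continuation line under a
# renewable ticket and only "Flags: ..." under a non-renewable one.
tgt_is_renewable() {
    awk '
        $NF ~ /^krbtgt\// { in_tgt = 1; next }
        in_tgt && /renew until/ { found = 1 }
        { in_tgt = 0 }
        END { exit found ? 0 : 1 }
    '
}

run_renewed() {
    if ! klist -f 2>/dev/null | tgt_is_renewable; then
        echo "no renewable TGT in the ticket cache; get one first, e.g. kinit -r 7d" >&2
        return 1
    fi
    # -K 60: wake up every 60 minutes and renew when needed.
    # -t: run aklog after each renewal so the AFS token is refreshed as well.
    # krenew works on a private copy of the cache, so the job keeps its tickets
    # even if the interactive session that started it logs out.
    krenew -K 60 -t -- "$@"
}

if [ $# -ge 1 ]; then run_renewed "$@"; fi
```

The check does not help once the renewable lifetime itself is exhausted: when the KDC stops renewing, krenew exits and the job loses its tokens, which is exactly the seven-day wall the thread is discussing.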
How do I change the ticket lifetime in the default policy?
Hi everyone,

We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that

    modprinc -maxlife 7day u...@realm.com

will extend the ticket lifetime for an existing user, but how do I make it the default for new users?

To handle our existing users, I plan to script the modprinc command for all of our users. The users have a mix of ticket lifetimes from 1 day to 7 days. Is there a more elegant way than to run modprinc on everybody?

Thanks,
Jason
Re: How do I change the ticket lifetime in the default policy?
Russ Allbery wrote:
> Jason Edgecombe ja...@rampaginggeek.com writes:
> > We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that modprinc -maxlife 7day u...@realm.com will extend the ticket lifetime for an existing user, but how do I make it the default for new users?
>
> I believe the default for new users is taken from the max_life setting in kdc.conf.

Hmm, my kdc.conf already has

    max_life = 7d 0h 0m 0s

and the users don't get 7 day tickets by default. Am I missing something?

Thanks,
Jason
Re: How do I change the ticket lifetime in the default policy?
Kevin Coffman wrote:
> On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe ja...@rampaginggeek.com wrote:
> > Russ Allbery wrote:
> > > Jason Edgecombe ja...@rampaginggeek.com writes:
> > > > We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that modprinc -maxlife 7day u...@realm.com will extend the ticket lifetime for an existing user, but how do I make it the default for new users?
> > >
> > > I believe the default for new users is taken from the max_life setting in kdc.conf.
> >
> > Hmm, my kdc.conf already has max_life = 7d 0h 0m 0s and the users don't get 7 day tickets by default. Am I missing something?
>
> The ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> Sounds like you have changed 1) and 3). You'll also need to modify the maxlife for principal krbtgt/REALM@REALM to get TGTs with a longer lifetime. (You will have to alter other service principals if you want to issue service tickets with longer lifetimes for those services.) I believe there is a default (requested) lifetime in kinit as well, so you may need to specify a longer requested lifetime there (kinit -l 7d).

I can already get a 7 day ticket length when I kinit because my principal is set for 7 days lifetime. That works. I'm just wondering how I can run addprinc user -maxlife 7day without having to specify -maxlife 7day or modprinc user -maxlife 7day after the addprinc.

Thanks,
Jason
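The "run modprinc on everybody" step from the two lifetime threads above (the renewable-lifetime question and the 1-day-to-7-day question), as an added example rather than anything posted in them. It takes the principal list from `kadmin.local -q listprincs`, emits one modprinc per principal, and refuses to run if krbtgt/REALM@REALM is not in the list, since Kevin's point is that the TGT lifetime is capped by that principal as well as by the user's. The realm, the durations and the admin keytab path are arguments or placeholders. The other two values in Kevin's list are config, not principal attributes: max_life and max_renewable_life in the [realms] section of kdc.conf on the KDC, and ticket_lifetime and renew_lifetime in [libdefaults] of the clients' krb5.conf (or kinit -l / -r) for the requested values.

```shell
#!/bin/sh
# Added example (not from the original thread): set -maxlife and -maxrenewlife
# on every principal in an MIT realm, including krbtgt/REALM@REALM.
#
# Usage: sh set_lifetimes.sh EXAMPLE.COM 7d 30d        (dry run: print commands)
#        sh set_lifetimes.sh EXAMPLE.COM 7d 30d apply  (pipe them into kadmin.local)
# KADMIN may be overridden, e.g. KADMIN="kadmin -p admin/admin -k -t /etc/krb5.admin.keytab".

# Use the compact "7d"/"30d" duration syntax: "7d 0h 0m 0s" would be split by
# kadmin's whitespace tokenizer unless quoted, so whitespace is rejected here.
check_duration() {
    case "$1" in ''|*[!0-9dhms]*) echo "bad duration: $1" >&2; return 1 ;; esac
}

# Read `listprincs` output on stdin and emit one modprinc per principal.
# Lines with whitespace are kadmin chatter ("Authenticating as ..."), K/M is the
# master key; everything else, service principals included, gets the new limits.
gen_modprinc_cmds() {
    maxlife="$1"; maxrenew="$2"
    while read -r princ; do
        case "$princ" in
            *[[:space:]]*|'') continue ;;
            K/M@*) continue ;;
            *@*) printf 'modprinc -maxlife %s -maxrenewlife %s %s\n' "$maxlife" "$maxrenew" "$princ" ;;
        esac
    done
}

# Exact-match check that the TGS principal is in the list (stdin).
has_krbtgt() {
    grep -qFx "krbtgt/$1@$1"
}

set_lifetimes() {
    realm="$1"; maxlife="$2"; maxrenew="$3"; mode="$4"
    check_duration "$maxlife" && check_duration "$maxrenew" || return 1
    kadmin="${KADMIN:-kadmin.local}"
    princs="$($kadmin -q listprincs)" || return 1
    printf '%s\n' "$princs" | has_krbtgt "$realm" || {
        echo "krbtgt/$realm@$realm not in listprincs output; wrong realm or wrong KDC?" >&2
        return 1
    }
    if [ "$mode" = apply ]; then
        printf '%s\n' "$princs" | gen_modprinc_cmds "$maxlife" "$maxrenew" | $kadmin
    else
        printf '%s\n' "$princs" | gen_modprinc_cmds "$maxlife" "$maxrenew"
    fi
}

if [ $# -ge 3 ]; then set_lifetimes "$@"; fi
```

Existing tickets keep their old limits; users see the new lifetime on their next kinit, and only if the client also requests it.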
Re: ktutil get
Victor Sudakov wrote:
> Victor Sudakov wrote:
> > There is a very useful command "ktutil get" in Heimdal. It allows you to conveniently join a host into a Kerberos domain, without bothering about transferring the keytab. What is the analogous command in the Solaris Kerberos implementation?
>
> No Solaris Kerberos experts here? Well, what is the analogous command in MIT Kerberos? Am I asking something stupid? How do you securely transfer a keytab for the host principal to the host? "ktutil get" does just that.

Is 'kadmin -q "ktadd -k /tmp/keytab principal"' what you're looking for?

Jason
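The MIT equivalent of joining a host without copying a keytab, spelled out as an added example (not from the thread): run kadmin on the host itself with an admin principal, so ktadd writes the keytab locally over the kadmin protocol. It assumes the host principal already exists (create it with `addprinc -randkey host/FQDN` first if not) and that the admin principal is a placeholder. Two things a first attempt usually gets wrong are handled: the keytab is created with umask 077 and moved into place atomically, and the script verifies with `klist -k` that the expected principal actually landed in the file. Note that ktadd randomizes the key and bumps the kvno, so any older keytab for the same principal elsewhere stops working.

```shell
#!/bin/sh
# Added example (not from the original thread): enrol this host into an MIT
# realm by running ktadd locally, so the keytab never crosses the network.
#
# Usage: sh join_host.sh EXAMPLE.COM admin/admin [fqdn]

# host/FQDN@REALM, lowercased so it matches what clients will ask for.
host_princ() {
    printf 'host/%s@%s\n' "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" "$1"
}

# Read `klist -k` output on stdin; succeed if the principal appears in it.
# Entry lines look like "   2 host/srv.example.com@EXAMPLE.COM".
keytab_has_princ() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

join_host() {
    realm="$1"; admin="$2"; fqdn="${3:-$(hostname -f)}"
    princ="$(host_princ "$realm" "$fqdn")"
    umask 077                                   # keytab must never be group/world readable
    tmp="$(mktemp /etc/krb5.keytab.XXXXXX)" || return 1
    # kadmin prompts for the admin password on the terminal; it never touches argv.
    if ! kadmin -p "$admin" -q "ktadd -k $tmp $princ"; then
        rm -f "$tmp"; return 1
    fi
    if ! klist -k "$tmp" | keytab_has_princ "$princ"; then
        echo "ktadd returned success but $princ is not in $tmp" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" /etc/krb5.keytab                  # atomic replace of the live keytab
}

if [ $# -ge 2 ]; then join_host "$@"; fi
```

Because the admin's credentials are what authorize the ktadd, the kadm5.acl entry for that admin is the thing to scope: it needs change-password rights on host/* and nothing more for this job.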
Where should the source for the maemo krb5 packages be hosted?
Hi everyone,

I have successfully packaged MIT krb5 for Maemo, the OS for the Nokia N8X0 tablets. I removed the appl folder from the package, though. Where should the Debian source package be hosted? Should it be in the MIT krb5 CVS or hosted separately?

Thanks,
Jason
Re: cross compilation problem with krb5_1.6.3
Ken Raeburn wrote:
> On May 6, 2008, at 15:36, Mahmudul Haque wrote:
> > I am stuck in cross compiling krb5-1.6.3 for my MIPS board. I am getting the following error whenever I try to compile it:
> >
> >     checking for constructor/destructor attribute support... configure: error: Cannot test for constructor/destructor support when cross compiling
> >
> > Any suggestion would be highly appreciated. Thanks
>
> Unfortunately, cross-compilation hasn't been a priority for us in the past; we've heard some interest in that area, but haven't yet begun to really explore it.

Hi there,

I have successfully cross-compiled MIT Kerberos 5 1.6.3 for the ARMEL platform using scratchbox. Perhaps that would work.

Sincerely,
Jason
krb5 packages available for Maemo OS2008 (Nokia N800/N810)
Hi everyone,

I have uploaded a krb5 package for the Nokia N810 and Nokia N800 (running OS2008) to the Maemo extras repository. I welcome anyone who would like to test it out. The package is small and only includes kinit and libkrb5. Feedback is welcome. If you can't find it in the repository, then try this: http://repository.maemo.org/extras/dists/chinook/install/ (click on krb5.install)

Next, I'll work on the OpenAFS packages.

Sincerely,
Jason
Re: delegating principal creation to a web process
Simon Wilkinson wrote:
> On 21 Mar 2008, at 01:36, Jason Edgecombe wrote:
> > The script will check that the user is in the /etc/passwd file. The keytab will only have privileges to add accounts, so existing accounts like admin/root are safe.
>
> Bear in mind that if you have wildcards anywhere in your ACLs, you don't just care about existing accounts, but also about creating new accounts that may match existing wildcards.
>
> > How would remctl give me more security in this arrangement?
>
> It lets you protect the access to your kadmind better, by allowing you to do all of the sanity checking at the point of privilege escalation. In your current model, anyone who has access to the keytab on your web server machine (which probably means anyone who can execute scripts on your web server) can bypass the sanity checking that your script performs. If you use remctl, then the web server machine purely has a keytab that lets it talk to remctl, which then performs sanity checking before passing the request on to the kadmind. In that way, you can guarantee that any request _must_ have been sanity checked in order to reach kadmind.
>
> Simon.

Is this shifting the script that does the actual work from the web server to the KDC (or some other better-trusted host)? How would remctl verify that the request came from the trusted PHP page? Perhaps the user-supplied hashed username from the HTTP request must be passed to remctl? Hmmm.

Should I use the host keytab or a service-specific keytab so that I don't have to use a suid root program?

My rules for creating the new principal are as follows:
1. The principal must not exist.
2. The username must be in the /etc/passwd file (users have an entry in /etc/passwd before their principal is created).

Thanks,
Jason
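What Simon's arrangement looks like on the trusted side, as an added example that is not from the thread: a remctl backend that enforces Jason's two rules (principal must not exist; username must be in /etc/passwd) plus a strict username check before it touches kadmin. The web server's keytab then only needs to be allowed to call this one remctl command; the kadmin privilege lives on the host running the backend, and the remctl ACL, not the PHP page, is what vouches for the request. remctl sets REMOTE_USER to the authenticated caller. The realm, the backend's admin principal and keytab, and the remctl.conf line are placeholders; the kadm5.acl entry for that principal should grant only add and inquire rights on single-component principals (for example `web/create@EXAMPLE.COM ai *@EXAMPLE.COM`), which is the wildcard Simon warns you to keep narrow.

```shell
#!/bin/sh
# Added example (not from the original thread): remctl backend that creates a
# user principal only after the sanity checks pass on the trusted host.
#
# remctl.conf (hypothetical):
#   newprinc create /usr/local/sbin/newprinc.sh /etc/remctl/acl/newprinc
# Called from the web host as:
#   remctl kdc.example.com newprinc create "$username"

REALM="${REALM:-EXAMPLE.COM}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
# Left unquoted where used so it may carry options (placeholder principal/keytab).
KADMIN="${KADMIN:-kadmin -p web/create -k -t /etc/krb5.web-create.keytab}"

# Rule 0: a plain local username only. No "/" (so no admin/root-style
# instances), no "@", no leading "-" (kadmin option), nothing kadmin could parse.
valid_username() {
    case "$1" in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

# Rule 2: the username must already be in the passwd file (exact first field).
in_passwd_file() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Rule 1: the principal must not already exist (getprinc needs "i" in kadm5.acl).
princ_exists() {
    $KADMIN -q "getprinc $1@$REALM" >/dev/null 2>&1
}

create_principal() {
    user="$1"
    valid_username "$user"                || { echo "invalid username" >&2; return 2; }
    in_passwd_file "$user" "$PASSWD_FILE" || { echo "no such local user" >&2; return 3; }
    if princ_exists "$user"; then echo "principal already exists" >&2; return 4; fi
    # -randkey: no password ever crosses the web tier; the user sets one with
    # kpasswd (or through a separate, equally guarded, remctl command).
    $KADMIN -q "addprinc -randkey $user@$REALM" || return 5
    logger -t newprinc "created $user@$REALM on behalf of ${REMOTE_USER:-unknown}" 2>/dev/null || true
}

case "$1" in
    create) create_principal "$2" ;;
esac
```

The exit codes are deliberately distinct so the web tier can tell "bad input" from "already exists" without being told anything about kadmin itself.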
Re: Problem compiling kerberos for maemo: cannot find add_error_table in com_err library
[EMAIL PROTECTED] wrote:
> Jason, I just successfully compiled Kerberos and installed it on my N810 (so it can be done!). I am using vanilla krb5-1.6.3 downloaded from the MIT website. I unpack it into my home area in scratchbox. When I run configure in scratchbox (using the CHINOOK_ARMEL target), during the configure step I get the message:
>
>     checking which version of com_err to use... krb5
>
> so I am picking up a different version from you. After compiling and installing, I was able to compile Kerberos support into ssh and have that working as well.

Thanks! I got Kerberos to compile as well. I also used the internal comerr library, but I had to skip compiling the applications because libcurses was too old. I did get kinit, which was the major thing that I needed.

Sincerely,
Jason
Re: HELP!!! I am also having the kpropd problem
[EMAIL PROTECTED] wrote:
> Hello All, I am having the problem with database propagation that so many before me have apparently had. I have read and tried so many suggestions in various posts that I've lost count. I can't seem to find anyone who actually reported that they had solved the problem. Is this function broken? Is there some secret solution to the problem? I like many others also wrote a script so that I could respin the config more easily. I could sure use some help on this. I guess the next step is to dive into the code ;(

Would you please be more specific? Without more info, I can only suggest manually copying the krb5kdc folder from the master to the slave before running kprop.

Jason
Re: HELP!!! I am also having the kpropd problem
[EMAIL PROTECTED] wrote:
> Hi, I tried copying the krb5kdc directory to the slave. I get the same result (Decrypt integrity check failed while getting initial ticket). Is there something else I could try? Thanks, -G

"Decrypt integrity check failed" usually means that the password is wrong.

Jason
Problem compiling kerberos for maemo: cannot find add_error_table in com_err library
Hi There,

I'm trying to compile Kerberos for the Nokia N800/810 running Maemo. I'm using scratchbox to compile and I get the following configure messages:

    checking which version of com_err to use... system
    checking for add_error_table in -lcom_err... no
    configure: error: cannot find add_error_table in com_err library

ls shows

    lrwxrwxrwx 1 maemo maemo   17 Feb 28 22:07 /lib/libcom_err.so.2 -> libcom_err.so.2.1
    -rw-r--r-- 1 maemo maemo 5728 May 26  2006 /lib/libcom_err.so.2.1

I saw several other mailing list messages about libcom_err, but I don't know what to do. My eventual goal is to get OpenAFS with krb5 support on the N800, but right now, I need to get Kerberos working.

dpkg -l | grep err gives:

    ii  comerr-dev  2.1-1.37-2sarge1  common error description library - headers a
    ii  libcomerr2  1.37-2sarge1      common error description library

I'm trying to recompile the Debian kerberos 1.4.4 source packages for the N800/N810. Any help is appreciated.

Thanks,
Jason