Re: One Time Identification, a request for comments/testing.
Perhaps I'm completely wrong, but ... It seems to me that if you're talking about a simple dumb USB thumb drive/data stick, that you're not going to be able to do anything to prevent an adversary from copying that data to a local host, and then brute-forcing the data over time. So, essentially, the only advantage over just putting a non-protected keytab on a USB drive and any other dumb-data-stick process is some amount of time it takes to overcome whatever encryption you've done on the keytab. I think a more interesting approach would be a non- dumb data stick approach. It might start to sound like a variation of a smartcard, but why not think about a new USB device that's perhaps about the size of a USB data stick. It might present itself to the host computer as 2 devices: 1) a small storage area which contains a java application (not an applet: it shouldn't run in a protect environment that keeps it from reading and storing files on the host, etc.). (it doesn't have to be java, it could be a selection of java, perl, python, native-windows, native-mac, native-linux, native-freebsd, and native-solaris apps if you want; the point is, it should be some selection that allows the stick to be used pretty much anywhere) 2) an embedded computer with a thumb scanner like the ones we're starting to see on lots of laptops. The embedded computer should never present the actual thumb scanning data to the host computer. When the user plugs in the smartstick: a) The user runs the whichever app in device#1 is appropriate. b) The app asks the user for a principle, and tells them to scan their thumb. c) The app asks the KDC (indicated in the local host config?) for the encrypted tgt, just like it was kinit. d) The app sends the encrypted tgt to the embedded computer. e) The embedded computer tries to use the thumb print to decrypt the tgt. If it is successful, it hands the decrypted tgt back to the app. f) The app uses the host's config information to determine how and where to store the tgt, so that it is usable by the host's kerberos applications. Upside: The user doesn't need to remember a passphrase, nor a PIN. The process is no more vulnerable to an adversary than kinit is already (perhaps less, because the adversary can't run something akin to a keyboard-logger to intercept the passphrase/thumb-print). Downsides: It may require that a user has both passphrase based principles/keys and thumb print based principles/keys, and some mechanism to pick between them. And, obviously, it depends upon a device that, as far as I know, does not yet exist. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Mail.app with multiple accounts using Kerberos
Jeffrey Altman wrote: The reality is that in the current day you either need to use cross-realm or your applications have to maintain knowledge of which principal should be used to access the given resource. This is a non-trivial problem. That seems almost like an over-engineered type response. What is wrong with making the application maintain that knowledge? Afterall, that's exactly the purpose of preferences databases and rc-files. Using your email example: 1) Have the application record: a) A default principle for the application, b) A default principle for each mail personality (which may itself default to [EMAIL PROTECTED] and let the user change that manually), and c) A specific principle for each folder/resource. 2) If none of those preferences exist, ask the user which of the principles in their cache is the right one to use for that resource (and offer a none of these option; if they choose that, then invoke your kinit type program, and update your list of choices to offer when it returns). And give them a checkbox for remember this principle for this resource. If they end up with a lesser degree of access to a folder because they didn't specify 1c, then they need to specify 1c. For AFS, access to the local cell is presumably going to happen at a point where you only have 1 principle to choose from (assuming you're doing a kerberos PAM and then an afs PAM that leverages your kerberos ticket; otherwise, it should default to username@(an explicit realm setting for that AFS cell) ). Once you've got a home directory that you can read from, have a .afsrc file in your home directory which tells AFS which principle goes with which cell (or even which principle goes with directory within a volume within a cell). Same thing as for email, really, just a slightly different implementation. As for multiple principles in one cache: if the limitation is that there's only one KDC time-offset entry in the cache, then extend the cache format so that it can have a different time-offset for each KDC that it needs to deal with. (the idea that you would need to have a different cache file for each principle is rather repugnant) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
1.4.x and perl modules
I'm sorry if this is overly vague, I'll try to follow up with details if my question is only met with confusion. I have been developing a local module for managing our kerberos accounts that makes use of Authen::Krb5, Authen::Krb5::Admin, and Authen::Krb5::Simple. This module would replace some existing modules (that make direct command-line calls to kadmin, and/or use Authen::Krb5::Simple). When I tried to upgrade my development machine to krb5 1.4.1, that all fell apart (so I downgraded). It looks like the API change in 1.4.x makes Authen::Krb5 stop working. But I'm not actually sure that the problem is within Authen::Krb5 and not Authen::Krb5::Admin (nor if Authen:Krb5::Simple is immune to this problem). Does anyone know what problem I'm talking about, and which Module is the problem? Does anyone know when the affected modules will get fixed? I can't really upgrade my systems to krb5 1.4.x until the perl modules are up to speed. Thanks. (I'm bcc'ing (to protect their email addresses from usenet bots) the maintainers of each module, according to the most recent READMEs at CPAN) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Six Kerberos/OS X/SSH observations and questions
Russ Allbery wrote: In comp.protocols.kerberos, Yeechang Lee [EMAIL PROTECTED] writes: 3) I've had public key SSH logins working well between all three boxes for some time. Given that fact, I wonder if I should even bother to switch to Kerberized SSH logins in the first place on any of my boxes. Put another way, is there any reason to believe that using a Kerberos ticket to authenticate myself in OpenSSH is better than a public key? Or vice versa? Kerberos has the following advantages, which may or may not be of interest in your situation: * No need to copy keypairs around to different systems. Any system that uses Kerberos and has the right SSH installed can be used to authenticate to any other system that uses Kerberos authentication without requiring any additional key exchange. If you're the only user, the amount of required configuration may be roughly equivalent; if there are a lot of users, Kerberos becomes easier. * Central management. If you want to revoke the access of someone who has been using public key pairs for authentication, you have to remove their authorized key or their account from every individual system. With Kerberos, you can deactivate their account centrally and know that all access will be shut off within the ticket expiration lifetime. * SSH public key authentication only works for SSH. If you have other Kerberized services, you may need to obtain a Kerberos credential anyway, in which case using that for SSH as well simplifies matters considerably. * Ticket forwarding. Kerberos can allow you to authenticate only once and then pass your credentials to other systems and then use those to log on to other systems, as well as use those same Kerberos credentials to access other Kerberos-protected services. And these build together to help you put together a single-sign-on environment. You authenticate once on your laptop, and then you can use that one authentication event to access email, access remote servers, get an AFS token (if you use AFS) for accessing files, etc. As far as I know, SSH keys can't do that for you. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Building Krb5 1.3.6 on Mac OS X
John Rudd wrote: When I try to build on Mac OS X (10.3.7), everything is fine until lib/rpc/unit-test: making all in lib/rpc/unit-test... gcc -L../../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o client client.o rpc_test_clnt.o \ -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_gss_dbg_client_expcreds _gss_mech_krb5 _gss_mech_krb5_old But all I really want is rlogin, klogind, rsh, rcp, and krshd. So, if I go to the appl/bsd dir and do a make, I get: gcc -L../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o rsh krsh.o kcmd.o forward.o -lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_net_read _krb5_random_confounder _krb5_write_message _krb_net_read Anyone know what's going on and how to fix/avoid it? I did a configure with --with-krb4 as its only argument. It's a pretty vanilla Mac OS X install, with the apple developer tools (which are what I'm building with). If you need more information, just ask. No one has thoughts, comments, suggestions, commiserations? Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Building Krb5 1.3.6 on Mac OS X
Thanks for the info, I greatly appreciate it. I'm guessing my choices are: 1) use that configure option, and have my command-line tools not work with the tickets that the GUI apps use (which means I'll have 2 different kinit's and kdestroy's, as well, right? because the stock ones that come with Panther do work with those same tickets) 2) figure out what all of the things I to do in order to link with KfM instead of static linking; which includes making copies of certain BSD networking functions, and figuring out what configure options go with the KfM libs (are those the default ones?) I'd rather they all use one set of tickets, but I don't know how much time I have to throw at this process. On Jan 21, 2005, at 14:52, Alexandra Ellwood wrote: To build stock krb5 on Mac OS X, try building with LDFLAGS=-Wl,-search_paths_first as an option to configure. See http://mailman.mit.edu/pipermail/krbdev/2003/001714.html for more information. Note that if you build the appl/bsd utilities statically linked against your own stock krb5 libraries, you won't be able to share tickets with Kerberos for Macintosh (the Kerberos in Mac OS X) because KfM uses an in-memory ccache to store tickets which the stock krb5 currently doesn't support. However, you should be able to work around the undefined symbols in the appl/bsd programs and link with KfM. krb5_net_read/write and many of the other symbols are just simple BSD networking functions which you can copy into the sources of utilities you want to build. I'm not sure about krb5_random_confounder(), though. You'd have to look at it. John Rudd wrote: When I try to build on Mac OS X (10.3.7), everything is fine until lib/rpc/unit-test: making all in lib/rpc/unit-test... gcc -L../../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o client client.o rpc_test_clnt.o \ -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_gss_dbg_client_expcreds _gss_mech_krb5 _gss_mech_krb5_old But all I really want is rlogin, klogind, rsh, rcp, and krshd. So, if I go to the appl/bsd dir and do a make, I get: gcc -L../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o rsh krsh.o kcmd.o forward.o -lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_net_read _krb5_random_confounder _krb5_write_message _krb_net_read Anyone know what's going on and how to fix/avoid it? I did a configure with --with-krb4 as its only argument. It's a pretty vanilla Mac OS X install, with the apple developer tools (which are what I'm building with). If you need more information, just ask. No one has thoughts, comments, suggestions, commiserations? Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Hope this helps, -- --lxs Alexandra Ellwood [EMAIL PROTECTED] MIT Kerberos Development Team http://mit.edu/lxs/www/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Building Krb5 1.3.6 on Mac OS X
When I try to build on Mac OS X (10.3.7), everything is fine until lib/rpc/unit-test: making all in lib/rpc/unit-test... gcc -L../../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o client client.o rpc_test_clnt.o \ -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_gss_dbg_client_expcreds _gss_mech_krb5 _gss_mech_krb5_old But all I really want is rlogin, klogind, rsh, rcp, and krshd. So, if I go to the appl/bsd dir and do a make, I get: gcc -L../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic -o rsh krsh.o kcmd.o forward.o -lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err ld: Undefined symbols: _krb5_net_read _krb5_random_confounder _krb5_write_message _krb_net_read Anyone know what's going on and how to fix/avoid it? I did a configure with --with-krb4 as its only argument. It's a pretty vanilla Mac OS X install, with the apple developer tools (which are what I'm building with). If you need more information, just ask. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Prioritizing KDC's
I have a question about the ordering of KDC's in the krb5.conf file. Do clients use the order listed in the file as the order to try for queries (sort of like the way resolv.conf works), or is the order determined in another fashion? My specific reason for asking is that we're considering setting up a secondary KDC or two that will be dedicated to a specific application group. We want machines within that group to query those KDC's first, and only reach out to the the main KDC's when the local KDC's are down. I've never toyed with this type of arrangement, so I'm curious about what the right way to tackle it might be. And now a word from our sponsor - For a secure high performance FTP using SSL/TLS encryption upgrade to SurgeFTP See http://netwinsite.com/sponsor/sponsor_surgeftp.htm Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Mozilla and GSSAPI (Was: Re: Apache modules compatible with kerberos in 1.7b)
[EMAIL PROTECTED] (Wyllys Ingersoll) wrote in message news:[EMAIL PROTECTED]... Travis Crawford wrote: The negotiateauth extension in Mozilla 1.7b uses GSSAPI for authentication in the same manner that Microsoft IE and IIS use it. Any idea when Mozilla might roll their GSSAPI support into supporting GSSAPI SASL in their mail clients? (anyone know of any similar plans from MS for Entourage and Outlook?) I'm trying to convince Stalker to add Kerberos support to CommuniGate Pro (SMTP/IMAP/POP/LDAP?WebMail server, which can also do some bits of regular web service), and they're being wishy-washy on me. They keep going back to no windows clients support kerberized protocols. In the past I pointed out Eudora. Today I pointed out Eudora and Mulberry, as well as pointing out servers that support GSSAPI SASL. I'm hoping to find more ammunition. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Interoperability with windows 2003 KDC and MIT kerberos V
Forgive me for being a little dense here, as I've never directly used an MS KDC, but does this mean MS didn't impliment the standard kadmin protocol so that you could just use the MIT kadmin for these types of things? Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Interoperability with windows 2003 KDC and MIT kerberos V
What product? Frank van Rijt wrote: Take a look at this product, as it may fill in your needs (create keytab files for *nix systems on the fly) Regrads, Frank mings heo [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I've tested interoperability with windows 2003 KDC and MIT kerberos V. when I create linux's service/host account on Windows 2k3, manually I have to make the keytab file on windows and send it to linux. I'd like to make generating keytab file on linux automatically without making the keytab file manually. please tell me how to do. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Windows 2000 Server as KDC
On Tuesday, Jul 22, 2003, at 07:52 US/Pacific, Ken Hornstein wrote: an easier solution would be to setup a windows realm for Win2k KDC and a cross re alm trust with a linux box in a different realm. We were doing this (with Solaris, not Linux), but when the bug and fix for the cross-realm security hole came out a few months ago, that caused it all to break (we need krb4 cross-realm auth because AFS is in the picture). So, we're basically running an older un-patched krb524d in order to keep things working ... but that doesn't make me comfortable in the long run, so I'm looking for other solutions. So why haven't you switched to a V5 solution for AFS? Lots of people have done this, and it works just fine, even with cross-realm. This is assuming you're running a new enough version of OpenAFS, of course. We're not running OpenAFS. Still Transarc AFS. I hadn't heard that there's a pure krb5 solution for AFS, though ... even with OpenAFS. John Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Windows 2000 Server as KDC
Mel Riser wrote: the Win2k KDC has to be the primary, That's annoying. but Linux boxes or other OS's running kerberos can be backups. Replication is the problem though. Any pointers on how to make that work? an easier solution would be to setup a windows realm for Win2k KDC and a cross realm trust with a linux box in a different realm. We were doing this (with Solaris, not Linux), but when the bug and fix for the cross-realm security hole came out a few months ago, that caused it all to break (we need krb4 cross-realm auth because AFS is in the picture). So, we're basically running an older un-patched krb524d in order to keep things working ... but that doesn't make me comfortable in the long run, so I'm looking for other solutions. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Windows 2000 Server as KDC
Wayne Rasmussen wrote: A few questions: 1) Does Windows 2000 server have a kerberos administrator server installed? Doesn't appear to have one as posts 749/750 are not open. Is there supposed to be one and at what port. 2) Is there a way on the Windows 2000 Server to test the TGT and TST say via command prompt in cmd.exe? Not sure that I have everything setup on my solaris 9 client side krb.conf and kdc.conf files. As a sort of side question to this... Is it possible to use an MS Active Directory machine as a secondary KDC in realm where the primary is an MIT KDC (running on Solaris)? Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: [Fwd: Re: krb5 ticket cache]
Donn Cave schrieb: Yes! Try this: $ KRB5CCNAME=MEMORY:0 kinit Hm. So, how would I put that into the krb5.conf? (before you ask why the heck would you want to do THAT? ... our pop server uses PAM for authenticating non-kpop users against their kerberos password, and in doing so it leaves behind a TON of key caches ... I'm wondering if this might be one way to get rid of them) (and, before you suggest specific alternatives to handle this goal, it's solaris 8, and we're using the solaris 8 pam_krb5 module) Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: [Fwd: Re: krb5 ticket cache]
Ken Hornstein wrote: You don't need to put it in the krb5.conf; just make sure it's in the POP server's environment. Heh. I should have thought of that. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: [Fwd: Re: krb5 ticket cache]
Steve Langasek wrote: On Thu, Feb 06, 2003 at 11:36:36AM -0800, John Rudd wrote: (before you ask why the heck would you want to do THAT? ... our pop server uses PAM for authenticating non-kpop users against their kerberos password, and in doing so it leaves behind a TON of key caches ... I'm wondering if this might be one way to get rid of them) (and, before you suggest specific alternatives to handle this goal, it's solaris 8, and we're using the solaris 8 pam_krb5 module) :) Just to comment, it sounds like your pop server has buggy PAM support. It's calling the PAM function that's writing out the ccache, but not calling the corresponding function to remove it (I'm assuming Solaris's pam_krb5 *does* implement this) when the session is over. I have no idea. I don't claim to be a PAM expert (nor, really, a kerberos expert ... I just sort of wound up in that role at this job because I _used_ to work around a bunch of kerberos experts, back when I was at Cygnus). I'd be happy to share the pam.conf for that machine if people would like to make suggestions (and give me the reasons for them and stuff, so that I learn from it). Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Books on kerberos
I don't know if this one was mentioned yet, but there's also Kerberos: A Network Authentication System by Brian Tung (addison wesley) It's more of a booklet than a book, and it doens't go in to deep detail, but it does a good job as an intro to kerberos. Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
Re: Books on kerberos
I disagree that it's a POS. It's lacks depth, and it's certainly not the document that you should use to administrate your KDC, but it's not a bad intro to kerberos for people who have little to no experience with it, and are approaching it mostly from a user's perspective. On the otherhand, if you WERE expecting to be a definitive reference, the blame for your disappointment should be more internal than external. I certainly didn't find any more mistakes in it than I found in the actual MIT docs. From: Steve Freed [EMAIL PROTECTED] Yes, this is the 60 page POS that the original posting was about. On Mon, 23 Sep 2002, John Rudd wrote: I don't know if this one was mentioned yet, but there's also Kerberos: A Network Authentication System by Brian Tung (addison wesley) It's more of a booklet than a book, and it doens't go in to deep detail, but it does a good job as an intro to kerberos. Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
Re: -x not working with rlogin.
Sandeep Gopal Nijsure wrote: Hi all, I am running a klogind with the options -e5c. I am trying to run Kerberos version of rlogin to connect to it. If I use -x option with rlogin, then it does not work. Shows me the message Connection refused. I am running Debian Linux 3.0 with 2.4.6 kernel, and Kerberos 1.2.3. What could be the reason? In inetd.conf, which service/port are you using? Are you using the klogin service/port (543/tcp), or the eklogin service/port (2105/tcp)? I think rlogin -x expects to connect to the eklogin port, not the klogin port. So, even if you have the klogind set to use encryption, if it's running on the klogin port instead of the eklogin port, it might not work. But I could be wrong :-} Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
Re: kpop?
David Stern wrote: I have a pop client that I'd like to speak kerberos to our DCE/DFS kerberos unix Solaris2.7/8 servers. I found a client package (fetchmail) that handles kerberos. I found instructions on the appropriate entries for /etc/services (kpop 1109/tcp) and inetd.conf on the mail server but can't find the kpop binary (or source) anywhere. We're using kerberos5-1.2.1 TIA The qualcomm popper supports kpop (if you build it against kerb libs). Cygnus used to include a kpop server in their kerb distribution, I think ... but I don't think MIT ever did. -- John kzin Rudd http://people.ucsc.edu/~jrudd Truth decays into beauty, while beauty soon becomes merely charm. Charm ends up as strangeness, and even that doesn't last. (Physics of Quarks) -= Kein Mitleid Fu:r MicroSoft (www.kmfms.com) ==-