kinit to more than one realm

2010-07-01 Thread Ken Dreyer
Hello,

I am trying to get TGTs from two realms into my cache at the same
time. After reading
http://mailman.mit.edu/pipermail/kerberos/2003-July/003541.html, I see
that this isn't possible with MIT's kinit (I'm trying to do this in
Linux, if it matters). I am curious why kinit is designed this way? I
was able to do it through MIT's Kerberos for Windows GUI.

- Ken

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Using ksu/sudo with Kerberos

2010-10-04 Thread Ken Dreyer
On Mon, Oct 4, 2010 at 3:38 PM, Russ Allbery  wrote:
>
> Yup.  You may want to also disable public key authentication.

We're enabling kerberos for several services at my organization, and
we were just having this same discussion. Can you elaborate on why you
would disable pubkey?

- Ken



Re: trouble deciding which kerberos flavor

2010-10-25 Thread Ken Dreyer
On Thu, Oct 21, 2010 at 1:10 PM, eric  wrote:
> I just want to know any differences that MIT and Heimdal have with each
> other:

I think someone at the 2010 Kerberos Conference summarized it this way:

 MIT is likely to be what your OS vendor ships. Heimdal has more features.

- Ken



PKINIT and cross-signed certs

2011-03-22 Thread Ken Dreyer
I've recently been testing PKINIT with the FBCA (Federal Bridge
Certificate Authority) certs. I've got it working with my agency's
Active Directory servers with a minor adjustment. I'm using Fedora 13,
krb5-pkinit-openssl-1.7.1-17.fc13.1.

cms_signeddata_create() has a parameter "include_certchain". When set
to 1, the function is supposed to automatically construct a
certificate chain based on the user's SSL certificate, and send that
in the AS-REQ. When include_certchain is 0, the code appears to just
bundle up everything in the "pkinit_anchors" configuration and send
it.

In src/plugins/preauth/pkinit/pkinit_clnt.c , cms_signeddata_create()
is called with include_certchain parameter of 1.

OpenSSL does not seem to handle the circular signing among the various
Federal Bridge CAs. In short, if "CA1" is issued by "CA2", and "CA2"
is also issued by "CA1", the OpenSSL chain functions will just spin
around until they hit the maximum verification depth. The error
returned is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (an unfortunate
misnomer; I wonder why OpenSSL doesn't use
X509_V_ERR_CERT_CHAIN_TOO_LONG ...)

I was able to solve this by patching the MIT client PKINIT plugin to
set include_certchain to 0, so OpenSSL wouldn't trip up. This doesn't
seem to be a great solution.

Does anyone have any opinion on the best way to handle this situation?
Maybe someone had had a similar idea once upon a time, if there is an
"include_certchain" parameter in the code ...

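
The problem described above is a path-building one: cross-certification between the bridge CAs turns the "issued by" relation into a cycle, and a walker that only ever follows the next issuer, with no memory of what it has already visited and no notion of a trust anchor, bounces between the two CAs until it hits its depth limit. The following is an added example, not code from MIT krb5 or OpenSSL. It models certificates as (subject, issuer) name pairs only (no signatures are checked), uses a constructed topology in the shape of the bridge, and contrasts the memoryless walk with an anchor-aware search that skips already-visited certificates. All names in it are made up.

```python
from typing import List, Optional, Set, Tuple

# A certificate reduced to the two names path building looks at:
# (subject, issuer). Signatures are not verified here; this shows only the
# path-building step where the circular cross-signing bites. Names are constructed.
Cert = Tuple[str, str]

# Constructed topology in the shape of the cross-signed bridge: the agency
# issuing CA is certified by Bridge CA1, and CA1 and CA2 have cross-certified
# each other, so "issued by" links form the cycle CA1 -> CA2 -> CA1.
CERT_POOL: List[Cert] = [
    ("CN=Agency Issuing CA", "CN=Bridge CA1"),
    ("CN=Bridge CA1", "CN=Bridge CA2"),  # CA1 as certified by CA2 (cross-cert)
    ("CN=Bridge CA2", "CN=Bridge CA1"),  # CA2 as certified by CA1 (cross-cert)
    ("CN=Bridge CA1", "CN=Bridge CA1"),  # CA1's own self-signed root
]
USER_CERT: Cert = ("CN=Some User", "CN=Agency Issuing CA")
ANCHORS: Set[str] = {"CN=Bridge CA1"}  # the subjects pkinit_anchors would point at


class ChainError(Exception):
    pass


def issuers_of(name: str, pool: List[Cert]) -> List[Cert]:
    """All certificates in the pool whose subject is `name`."""
    return [c for c in pool if c[0] == name]


def naive_chain(leaf: Cert, pool: List[Cert], max_depth: int = 10) -> List[Cert]:
    """Follow 'issued by' links with no memory of where it has been, stopping
    only at a self-signed certificate. With the cross-certified pair it
    alternates between CA1 and CA2 until the depth limit: the spin the post
    describes (which it says OpenSSL reports as a missing-issuer error)."""
    chain = [leaf]
    current = leaf
    while len(chain) <= max_depth:
        if current[0] == current[1]:
            return chain
        candidates = issuers_of(current[1], pool)
        if not candidates:
            raise ChainError("unable to get issuer certificate for " + current[0])
        current = candidates[0]  # first match wins and is never reconsidered
        chain.append(current)
    raise ChainError("certificate chain too long")


def build_chain(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> Optional[List[Cert]]:
    """Depth-first search over issuer links that stops as soon as the current
    certificate is issued by a trust anchor and never revisits a certificate,
    so the CA1 <-> CA2 cycle is simply skipped. Returns the chain from the
    leaf up to the certificate issued by the anchor, or None if there is none."""
    def dfs(cert: Cert, path: List[Cert], seen: Set[Cert]) -> Optional[List[Cert]]:
        if cert[1] in anchors:
            return path
        for cand in issuers_of(cert[1], pool):
            if cand in seen:
                continue
            found = dfs(cand, path + [cand], seen | {cand})
            if found:
                return found
        return None
    return dfs(leaf, [leaf], {leaf})


if __name__ == "__main__":
    try:
        naive_chain(USER_CERT, CERT_POOL)
    except ChainError as e:
        print("naive walk:", e)
    print("anchor-aware:", build_chain(USER_CERT, CERT_POOL, ANCHORS))
```

Setting include_certchain to 0, as the post does, sidesteps the problem by not building a chain on the client at all; the search above is what a client would need if it kept building the chain itself. Note that the anchor-aware version also changes the result when a different anchor is configured: with only Bridge CA2 trusted it returns the path through the CA1-as-certified-by-CA2 cross-certificate, which is the cross-signing working as intended.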


Re: IIS, Tomcat & Kerberos

2011-04-20 Thread Ken Dreyer
On Wed, Apr 20, 2011 at 5:03 AM, dirweis  wrote:
>
> I'm trying to use the Kerberos authentication on IIS for reading out the
> user's name.

What is the specific error you're getting?

Is your problem that you cannot authenticate to the web server, or
that your Java app doesn't see the username, or ?



Re: when would you not want +requires_preauth?

2011-07-19 Thread Ken Dreyer
On Tue, Jul 19, 2011 at 12:39 PM, Greg Hudson  wrote:
> The best practice is to set +requires-preauth (and probably
> -allow_tgs_req) on principals with password-derived keys and leave it
> unset on principals with random keys.

I thought the "best practice" would be to set requires-preauth on
every principal? I don't want to give someone the ability to offline
attack any of my principals...

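
The rule Greg states above (pre-authentication required on principals with password-derived keys, optional on principals with random keys) can be audited from kadmin output. The following is an added example, not code from the thread or from MIT krb5. It parses the text that `kadmin.local -q "getprinc NAME"` prints, lists principals whose Attributes line lacks REQUIRES_PRE_AUTH, and emits the modprinc commands for the ones that look password-keyed. The sample output below is constructed (the field layout follows kadmin, the values are made up), and the "no instance component means a password-derived key" heuristic is an assumption about naming conventions, not something kadmin tells you.

```python
from typing import Dict, List, Set

# Constructed sample of `kadmin.local -q "getprinc NAME"` output for three
# principals. Field names follow MIT kadmin; the values are made up.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: default

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes:
Policy: default

Principal: host/kdc1.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Attributes: DISALLOW_TGS_REQ
Policy: [none]
"""


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each principal name to the set of flags on its Attributes: line."""
    principals: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line[len("Principal: "):].strip()
            principals[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            principals[current] = set(line[len("Attributes:"):].split())
    return principals


def likely_password_key(principal: str) -> bool:
    """Heuristic (an assumption for this example): user principals have no
    instance component and are normally keyed from a password; host/ and
    service/ instances are usually created with -randkey. Adjust to taste."""
    name = principal.split("@", 1)[0]
    return "/" not in name


def missing_preauth(text: str) -> List[str]:
    """Principals whose Attributes line lacks REQUIRES_PRE_AUTH, in kadmin order."""
    return [p for p, flags in parse_getprinc(text).items()
            if "REQUIRES_PRE_AUTH" not in flags]


def remediation_commands(text: str) -> List[str]:
    """kadmin commands applying the rule: only password-keyed principals
    without pre-auth are touched; random-key principals are left alone."""
    return [f"modprinc +requires_preauth {p}"
            for p in missing_preauth(text) if likely_password_key(p)]


if __name__ == "__main__":
    for p in missing_preauth(SAMPLE_GETPRINC):
        kind = "password-derived key?" if likely_password_key(p) else "random key?"
        print(f"{p}: no REQUIRES_PRE_AUTH ({kind})")
    for cmd in remediation_commands(SAMPLE_GETPRINC):
        print(cmd)
```

Feed it the concatenated output of `getprinc` over `listprincs` and review the random-key side by hand: a principal whose key was really set from a password but named like a service is exactly the case the heuristic will miss.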


msktutil and upstream

2011-10-03 Thread Ken Dreyer
(This seemed to be the most appropriate list, please redirect me if not.)

I'm attempting to get msktutil into Fedora
(https://bugzilla.redhat.com/713313), and I've got a few patches ready
to go upstream. The author (James Knight, f...@fuhm.net) hasn't
responded to my emails. I'd prefer to avoid forking and to keep this
all in one place, but it has been several months, and I'm ready to
start a fork at this point.

If anyone knows James, or alternate ways to get in touch with him,
please do let him know.

Thank you to each of the previous authors of msktutil. If anyone is
carrying patches that you want to go into msktutil, please get in
touch with me.

- Ken



Re: Re: MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2

2011-12-12 Thread Ken Dreyer
On Tue, Nov 15, 2011 at 7:32 AM, Mark R Bannister wrote:
>> I am guessing that this version of AD is implementing the behavior
>> described in appendix A of the referrals draft.  It wants to change the
>> client-visible server name, and the way it does so is by returning a
>> TGTto the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted
>> padata.
>> This should be easy enough to fix, since I have a test case in a local
>> AD realm.  If you are in a position to test a patch, I can furnish one;
>> otherwise it should hit a 1.9 patch release at some point.
>
> Yes please Greg, happy to test a patch.

I have a user at my site who has reported an identical error today,
using msktutil on CentOS 6. Is there a patch available?




Re: Convert ldap user principal

2012-02-08 Thread Ken Dreyer
On Thu, Jan 26, 2012 at 12:43 PM, Raffael Sahli  wrote:
> Hi
>
> How can I convert a principal which was created with -x
> dn="cn=myuser,dc=exam,dc=com" on a ldap backend
> into a normal principal located under
> krbPrincipalName=myu...@myrealm.com,cn=MYREALM.COM,dc=exam,dc=com.
> I have to convert all my user principals to "normal" principals.

I'm a newbie to using LDAP as the krb5 backend... but I am thinking
that this may not be possible. From what I've seen you must have two
LDAP DNs for each user. I'd be happy to be corrected, because it would
certainly make things simpler.

- Ken



find the authorized principal

2012-02-22 Thread Ken Dreyer
I have a local system account "git" on my server. In git's home
directory, several usernames are present in ~/.k5login. These accounts
can use GSSAPI to log in with SSH.

I'm interested to keep closer tabs on who is logging into this
account, and maybe doing something with the information using git
hooks. I know that my server's authentication log will contain the
username of the principal that authenticated to the git account:

  Authorized to git, krb5 principal kdre...@example.com (krb5_kuserok)

Is there any way for the git user account itself to find this
information? I was hoping for an environment variable like $KRB5_USER
or something.

- Ken

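
Short of a variable exported into the session, the authentication log line quoted above is the record to mine. The following is an added example, not code from the thread: it correlates sshd's "Authorized to ..., krb5 principal ..." line with the "Accepted ..." line from the same sshd process (matched on the PID in brackets) to produce one event per login with the principal, and separately lists logins that reached the account without Kerberos at all, which is the case the earlier thread about disabling public-key authentication worries about. The log lines are constructed for the example in the format the post quotes, and reading the auth log typically needs more privilege than the git account has, so in practice this runs from a log shipper or a root-owned hook, which is an assumption here.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sshd syslog lines. The "Authorized to ..." line follows the format
# quoted in the post; the "Accepted ..." line is sshd's usual success record.
SAMPLE_AUTH_LOG = """\
Feb 22 09:14:02 git01 sshd[4112]: Authorized to git, krb5 principal alice@EXAMPLE.COM (krb5_kuserok)
Feb 22 09:14:02 git01 sshd[4112]: Accepted gssapi-with-mic for git from 192.0.2.10 port 51234 ssh2
Feb 22 09:20:45 git01 sshd[4190]: Authorized to git, krb5 principal bob@EXAMPLE.COM (krb5_kuserok)
Feb 22 09:20:45 git01 sshd[4190]: Accepted gssapi-with-mic for git from 192.0.2.11 port 51300 ssh2
Feb 22 09:31:07 git01 sshd[4250]: Accepted publickey for git from 198.51.100.7 port 40000 ssh2
Feb 22 09:40:00 git01 sshd[4301]: Authorized to git, krb5 principal alice@EXAMPLE.COM (krb5_kuserok)
Feb 22 09:40:00 git01 sshd[4301]: Accepted gssapi-with-mic for git from 192.0.2.10 port 51240 ssh2
"""

AUTHORIZED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Authorized to (?P<user>\S+), "
    r"krb5 principal (?P<principal>\S+) \(krb5_kuserok\)")
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")


def logins(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each 'Accepted' record with the krb5 principal the same sshd
    process authorized just before it (keyed on the sshd PID). Logins that
    never went through krb5_kuserok come out with principal None."""
    principal_by_pid: Dict[str, str] = {}
    events: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = AUTHORIZED.search(line)
        if m:
            principal_by_pid[m["pid"]] = m["principal"]
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append({
                "user": m["user"],
                "method": m["method"],
                "source": m["ip"],
                "principal": principal_by_pid.pop(m["pid"], None),
            })
    return events


def logins_per_principal(events: List[Dict[str, Optional[str]]]) -> Counter:
    """How often each .k5login principal used the shared account."""
    return Counter(e["principal"] for e in events if e["principal"])


def non_kerberos_logins(events: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Logins that bypassed .k5login entirely (publickey, password, ...).
    If only GSSAPI is meant to reach this account, this list should be empty."""
    return [e for e in events if e["principal"] is None]


if __name__ == "__main__":
    ev = logins(SAMPLE_AUTH_LOG)
    print(logins_per_principal(ev))
    for e in non_kerberos_logins(ev):
        print("non-Kerberos login:", e)
```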


new msktutil release (v0.4.1)

2012-03-01 Thread Ken Dreyer
I'm pleased to announce release 0.4.1 of msktutil.

msktutil is a program for interoperability with Active Directory. It
can create a computer account in Active Directory, create a system
Kerberos keytab, add and remove principals to and from that keytab,
and change the computer account's password automatically.

Changes from previous release:

   User-visible changes:
   Fix an LDAP SASL error to be non-fatal. (Thanks to James Knight and
   Thomas Bodenmann). James pushed this fix to Git, but it was not in
   any released version.

   Fix --enctypes when used with Win2K3. Win2k3 doesn't support the
   msDS-supportedEncryptionTypes ldap field, and in such a case, the
   local variable holding what encryption types to use didn't get
   properly updated.  (Thanks to James Knight and Thomas Bodenmann).
   James pushed this fix to Git, but it was not in any released version.

   Other build-related changes:
   The compiler steps in the Makefile are now more verbose to give
   greater visibility into the build process.

   Rely on autoconf to find the proper Kerberos and LDAP $LIBS flags.

   Add a --with-krb5-config option to determine the appropriate
   compilation flags. (With help from Russ Allbery.)

For the present the Git repository remains at:

   

You can download tarballs from:

   

I'm working on getting the package submitted into Fedora and EPEL, at

   

James Knight was the most recent in a long line of maintainers for the
msktutil project, and I want to say thank you to him and the other
maintainers recognized in the README (Dan Perry, Brian Elliott Finley,
Doug Engert). I welcome any patches or help with maintenance.



Re: Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

2012-03-08 Thread Ken Dreyer
On Wed, Mar 7, 2012 at 9:38 PM, Simon Dwyer  wrote:
> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
> requested realm)
> Error: set_password failed

Hi Simon,

It looks like msktutil was able to successfully create the computer
object in AD. This error message means that your computer could not
contact your domain controller in order to set the computer object's
password after it's created.

I recommend firing up tcpdump or Wireshark to confirm that the
Kerberos password change is getting through to your DC. Kerberos does
use a different port for password changes (port 464) than normal
traffic (port 88), so it's possible a firewall is involved. You could
also test it out by changing your own AD password on this box using
the kpasswd command.

- Ken

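
The two-port split above (88 for ordinary Kerberos traffic, 464 for password changes) is what makes "object created, password set failed" possible, and a quick probe from the affected host narrows it down before reaching for tcpdump. The following is an added example, not msktutil code: it tries a TCP connection to each port on a domain controller and turns the result into the conclusion a practitioner wants. The host name is an assumption. The kpasswd protocol is also carried over UDP, so a successful TCP probe does not prove that 464/udp is open; the packet capture the post recommends remains the definitive check.

```python
import socket
from typing import Dict

# The two ports the post contrasts.
KRB_PORTS = {"kdc": 88, "kpasswd": 464}

# tcpdump/Wireshark filter that isolates both flows in one capture.
CAPTURE_FILTER = "port 88 or port 464"


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.
    Refused, filtered (timeout) and unresolvable all come back False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host: str, timeout: float = 2.0) -> Dict[str, bool]:
    """Probe the KDC and kpasswd ports on one domain controller over TCP."""
    return {name: tcp_port_open(host, port, timeout) for name, port in KRB_PORTS.items()}


def diagnose(results: Dict[str, bool]) -> str:
    """Map the probe results onto the failure the post describes."""
    if not results["kdc"]:
        return "port 88 unreachable: this DC is not usable as a KDC from here"
    if not results["kpasswd"]:
        return ("port 88 reachable but 464 is not: the account can be created "
                "while the password set fails; check the firewall for 464/tcp and 464/udp")
    return ("both ports reachable over TCP; capture with tcpdump '" + CAPTURE_FILTER
            + "' to see whether the kpasswd exchange actually completes (UDP too)")


if __name__ == "__main__":
    dc = "dc1.example.com"  # assumption: replace with a real domain controller
    results = check_dc(dc)
    print(dc, results)
    print(diagnose(results))
```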


Re: Will pam_mkhomedir work for non-existing unix accounts

2012-03-22 Thread Ken Dreyer
On Thu, Mar 22, 2012 at 11:01 AM, Tiago Elvas  wrote:
>
> Can I make pam to work so that I don't need to create a unix account for
> each new kerberos user?

You don't mention which platform you're on, so I'm guessing Linux...

Kerberos provides authentication, but not identity information. PAM is
a framework for handling authentication, whereas NSS is the framework
for handling identification on Linux. Your best option for a
centralized identity solution is probably LDAP. You'll want to look at
something like nss_ldap, nss-pam-ldapd, or sssd.

pam_mkhomedir is really just the equivalent of running "mkdir $HOME"
when a user first logs in; it doesn't actually set $HOME to begin
with.

- Ken



Re: Will pam_mkhomedir work for non-existing unix accounts

2012-03-22 Thread Ken Dreyer
On Thu, Mar 22, 2012 at 11:19 AM, Ken Dreyer  wrote:
> You don't mention which platform you're on, so I'm guessing Linux...

Er, yes you said Linux, sorry about that :)

- Ken



Re: cannot get msktutil

2012-04-05 Thread Ken Dreyer
On Thu, Apr 5, 2012 at 8:20 AM, Douglas E. Engert  wrote:
>
> On 4/4/2012 4:36 PM, Simon Dwyer wrote:
>> Hi All,
>>
>> I have been banging my head against this for a few weeks now.
>>
>> I am trying to use squid with kerberos and so i need to get my machine
>> into the Active Directory domain.
>>
>> My config follows: http://pastebin.com/PNTwGKLf
>>
>> The output for when i run msktutil: http://pastebin.com/aQQavMJd
>
> It looks like it can not change the password in AD.
> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for 
> requested realm)

The error text is sort of misleading. There was a bug in MIT Kerberos
1.9 that causes this function to fail in certain AD scenarios. The
client sends a TGS-REQ for "kadmin/changepw", but AD responds with
a TGT. It's fixed by
https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a,
but this patch is not in RHEL 6.2's kerberos libraries.

If you have a support contract with Red Hat and you are experiencing
this issue in your environment, I encourage you to file a support
request with them to get this patch into RHEL 6's krb5 package.

- Ken



Re: cannot get msktutil

2012-04-05 Thread Ken Dreyer
On Thu, Apr 5, 2012 at 10:41 AM, Douglas E. Engert  wrote:
> I was responding to the original message, as one of the early
> developers of msktutil, I did not see that you had found the bug
> yesterday.
>
> But good to know there is a fix.

Whoops, I didn't mean to imply you yourself should file a ticket with
RH. I should have phrased "if you are experiencing this in your
environment" to be "if anyone is experiencing this in his or her
environment".

And thanks for your work on msktutil :)

- Ken



remctl endpoints

2012-08-09 Thread Ken Dreyer
In the course of setting up remctl for our AFS infrastructure, I was
wondering how other sites expose remctld servers to their users. Do
you have a hostname that's dedicated to this service, such as
remctl.example.edu ?

In our environment we're going to run remctld on our AFS VLDB servers
and our Kerberos KDCs. I was brainstorming about how useful and
feasible it would be to have remctl look up SRV records for a domain,
and then contact those hosts, like Kerberos or AFS does? One of the
problems I foresee is that sometimes you want a task to run on an AFS
VLDB server, and sometimes you want it to run on a Kerberos KDC. If
your cell name matches your realm name, having a generic
"_remctl._tcp.cell.example.com" SRV entry would not allow you to
distinguish between server types.

Does anyone else have ideas for remctl routing and high availability?
I guess each remctl application could do a SRV lookup on
_kerberos._udp, or _afs3-vlserver._udp, and then contact those servers
individually.

- Ken



Re: remctl endpoints

2012-08-13 Thread Ken Dreyer
On Fri, Aug 10, 2012 at 8:34 AM, Andy Cobaugh  wrote:
> On 2012-08-09 at 15:15, Ken Dreyer ( ktdre...@ktdreyer.com ) said:
>>
>> In the course of setting up remctl for our AFS infrastructure, I was
>> wondering how other sites expose remctld servers to their users. Do
>> you have a hostname that's dedicated to this service, such as
>> remctl.example.edu ?
>
>
> I wrote a little wrapper script for remctl for afs purposes:
>
> http://www.personal.psu.edu/~atc135/afs-control
>
> In theory you could have several remctld servers that can be used for afs
> operations (in my case, calling afs-backend with some hacks to make it use
> LDAP for access control). The afs-control wrapper would randomize over a
> list of hostnames in $AFS_BACKEND_SERVERS, and continue trying until it
> found one that worked.

Thank you to everyone who replied! It sounds like the best option is
to treat remctl only as a network protocol for talking to individual
servers, and build HA at a higher layer, depending on the application.

- Ken

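
The conclusion of the thread, remctl as a plain per-server protocol with availability handled by the caller, still leaves the caller needing two things: an ordered list of candidates and a retry loop. The following is an added example, not remctl's own code or Andy's wrapper. It implements the SRV ordering the first post wondered about (RFC 2782: lowest priority first, weighted random choice within a priority) over constructed records, as if a lookup of `_remctl._tcp.example.com` had returned them, and then a failover loop that tries candidates in that order. The record contents and the `attempt` callback are assumptions; 4373 is remctl's registered port.

```python
import random
from typing import Callable, List, Tuple

# (priority, weight, port, target), the four SRV fields. Constructed records,
# standing in for an answer to _remctl._tcp.example.com.
SrvRecord = Tuple[int, int, int, str]
REMCTL_SRV: List[SrvRecord] = [
    (10, 60, 4373, "remctl1.example.com."),
    (10, 40, 4373, "remctl2.example.com."),
    (20, 0, 4373, "remctl-dr.example.com."),  # only used when priority 10 is down
]


def _weighted_pick(group: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """Pick one record from a same-priority group, proportionally to weight."""
    total = sum(r[1] for r in group)
    if total == 0:
        return rng.choice(group)
    roll = rng.randrange(total)
    acc = 0
    for r in group:
        acc += r[1]
        if roll < acc:
            return r
    return group[-1]


def order_srv(records: List[SrvRecord], rng: random.Random = random) -> List[Tuple[str, int]]:
    """RFC 2782 selection order: ascending priority; within a priority, repeated
    weighted draws without replacement. Returns (host, port) pairs."""
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = _weighted_pick(group, rng)
            group.remove(pick)
            ordered.append((pick[3].rstrip("."), pick[2]))
    return ordered


def call_with_failover(candidates: List[Tuple[str, int]],
                       attempt: Callable[[str, int], object]) -> object:
    """Try each (host, port) in order until one succeeds. `attempt` wraps the
    real remctl call and raises OSError on connection failure. This is the
    'HA at a higher layer' the thread settles on."""
    errors = []
    for host, port in candidates:
        try:
            return attempt(host, port)
        except OSError as e:
            errors.append(f"{host}:{port}: {e}")
    raise RuntimeError("all remctl endpoints failed: " + "; ".join(errors))


if __name__ == "__main__":
    def attempt(host: str, port: int) -> str:
        # Stand-in for the real client call; assumption for the demo.
        if host.startswith("remctl1"):
            raise OSError("connection refused")
        return f"ran command on {host}:{port}"

    print(call_with_failover(order_srv(REMCTL_SRV), attempt))
```

Note that failover is only safe for commands that are idempotent or that fail before doing anything: retrying a "create volume" on a second server after the first timed out mid-operation is how you get two volumes.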


Re: Solaris 10 & Windows 2008R2 KDC's

2012-11-14 Thread Ken Dreyer
On Wed, Nov 14, 2012 at 9:42 AM, Douglas E. Engert  wrote:
> msktutil   can be used to create keytabs and add serveros accounts in AD.
> One version can be found here:
> https://fuhm.net/software/msktutil/
> I believe RedHat also has a version. Msktutil has a --enctype n
> option where n is the decimal value used to set the
> msDs-supportedEncryptionTypes

Side note on this: Red Hat itself doesn't provide binaries for
msktutil, but EPEL does.

https://code.google.com/p/msktutil/

Please file bugs if you find problems building on Solaris! I'd like to
support that platform, particularly since I still manage several
Solaris servers at work. I just haven't had time to test it out,
personally.

- Ken



determining rdns capability

2012-11-15 Thread Ken Dreyer
For msktutil, I recently received a patch to optionally set "rdns =
false". In older versions of MIT (eg. on RHEL 5), this parameter has
no effect. I'd like to display a warning message if msktutil is built
against a version of MIT that does not support toggling rdns, so users
don't get confused.

What is the best way to determine MIT's rdns capability?

I initially thought I could check if KRB5_CONF_RDNS was defined, but
that header (src/include/k5-int.h) seems to be private.

- Ken



Re: determining rdns capability

2012-11-15 Thread Ken Dreyer
On Thu, Nov 15, 2012 at 10:18 AM, Greg Hudson  wrote:
> On 11/15/2012 11:46 AM, Ken Dreyer wrote:
>> For msktutil, I recently received a patch to optionally set "rdns =
>> false".
> [...]
>> What is the best way to determine MIT's rdns capability?
>
> I don't believe there is one, because that knob was never envisioned as
> being application-controllable.

That's too bad. Is there any sort of version number I could check at
least, just to offer some sort of warning in the interface?

> I'm kind of curious how such a patch
> could even work, and I'd question whether it's a good idea for some
> applications to turn off rdns while others don't.

msktutil writes out a temporary krb5.conf file and then does the
kerberos operations with those settings. The msktutil feature
optionally writes "rdns = false" into the temporary krb5.conf file.

To give a bit of background on my own situation, in my environment at
work, the main intranet DNS servers are unable to reverse-resolve the
domain controllers. Possible workarounds we've considered:
- Add the PTRs on the name servers
- Use AD for DNS
- Add IP addresses in /etc/hosts

None of these options are optimal for technical or political reasons.
It's best to just disable rdns for this particular application.

> Whether "rdns = false" will work is complicated by the odd, probably
> buggy behavior of getaddrinfo in some (maybe all) versions of glibc.
> glibc does a PTR lookup for AI_CANONNAME if AI_ADDRCONFIG or
> hints.ai_family is also used.  We worked around this behavior in 1.10.2
> by changing how we call getaddrinfo().

Yes, a couple users on Ubuntu hit this bug too. At this point we're
just waiting for the patches to trickle down to the distros.

- Ken

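
The mechanism described above, a throwaway krb5.conf that scopes `rdns = false` to one program instead of the whole host, is easy to reproduce for any Kerberos-using command. The following is an added example, not msktutil's code: it renders a minimal krb5.conf for one realm, runs a command with `KRB5_CONFIG` pointing at it, and adds the version check the post asked for, based on Greg's remark that the getaddrinfo workaround arrived in 1.10.2 (parsed from `krb5-config --version`, whose "Kerberos 5 release X.Y.Z" output is assumed here). Realm and KDC names are made up. Keep in mind what the knob does: with rdns off the client names the service principal after the host name it was given (after forward resolution) rather than after a PTR record, which is also why leaving it on lets anyone who can spoof reverse DNS steer which `host/` principal the client asks for.

```python
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple


def render_krb5_conf(realm: str, kdcs: List[str], rdns: bool,
                     extra_libdefaults: Optional[Dict[str, str]] = None) -> str:
    """Render a minimal krb5.conf for one realm. The first KDC doubles as
    admin_server and kpasswd_server (an assumption; AD DCs serve both)."""
    lines = ["[libdefaults]",
             f"    default_realm = {realm}",
             f"    rdns = {'true' if rdns else 'false'}"]
    for key, value in (extra_libdefaults or {}).items():
        lines.append(f"    {key} = {value}")
    lines += ["", "[realms]", f"    {realm} = {{"]
    for kdc in kdcs:
        lines.append(f"        kdc = {kdc}")
    lines += [f"        admin_server = {kdcs[0]}",
              f"        kpasswd_server = {kdcs[0]}",
              "    }"]
    return "\n".join(lines) + "\n"


def run_with_private_krb5_conf(argv: List[str], realm: str, kdcs: List[str],
                               rdns: bool = False) -> subprocess.CompletedProcess:
    """Run argv with KRB5_CONFIG pointing at a temporary krb5.conf, so the
    rdns setting affects only this process and never the system-wide file."""
    with tempfile.NamedTemporaryFile("w", prefix="krb5conf.", suffix=".conf",
                                     delete=False) as f:
        f.write(render_krb5_conf(realm, kdcs, rdns))
        path = f.name
    try:
        env = dict(os.environ, KRB5_CONFIG=path)
        return subprocess.run(argv, env=env, capture_output=True, text=True)
    finally:
        os.unlink(path)


def krb5_version(version_output: str) -> Tuple[int, ...]:
    """Parse 'Kerberos 5 release 1.10.2' (krb5-config --version) into (1, 10, 2)."""
    m = re.search(r"(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("unrecognized krb5-config output: " + version_output.strip())
    return tuple(int(x) for x in m.group(1).split("."))


def rdns_false_reliable(version: Tuple[int, ...]) -> bool:
    """Per Greg's note above: before 1.10.2 the library's getaddrinfo usage
    made rdns = false ineffective on glibc systems, so warn the user."""
    return version >= (1, 10, 2)


if __name__ == "__main__":
    out = subprocess.run(["krb5-config", "--version"], capture_output=True, text=True).stdout
    ver = krb5_version(out)
    if not rdns_false_reliable(ver):
        print(f"warning: krb5 {'.'.join(map(str, ver))} may ignore rdns = false")
    # Assumption: realm and KDC names; the command just shows the generated file.
    r = run_with_private_krb5_conf(["sh", "-c", 'cat "$KRB5_CONFIG"'],
                                   "EXAMPLE.COM", ["dc1.example.com", "dc2.example.com"])
    print(r.stdout)
```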


new msktutil release (v0.4.2)

2012-11-23 Thread Ken Dreyer
I'm pleased to announce release 0.4.2 of msktutil.

msktutil is a program for interoperability with Active Directory. It
can create a computer account in Active Directory, create a system
Kerberos keytab, add and remove principals to and from that keytab,
and change the computer account's password automatically.

Changes from previous release:

   User-visible changes:

   Increase computer name character limit from 18 to 19 characters,
   matching AD's own limits.

   Add option ("-N") to disable reverse lookups on DCs.

   Add option ("--old-account-password") to use the old computer account
   password to create a new keytab on a host.

   Return the proper error code when krb5_change_password fails.

   Update man page documentation for single-DES and AFS.

   Other build-related changes:

   Improve krb5-config detection and handling.

   Compatibility with autoconf >= 2.68.

   Build fixes for Red Hat and Ubuntu.

The Git repository is available at:

   <http://repo.or.cz/w/msktutil.git>

You can download tarballs from:

   <https://code.google.com/p/msktutil/>

Please report any bugs in the Google Code issue tracker.

I now have a new co-maintainer for msktutil, Mark Pröhl. Welcome, and
thank you, Mark!

Also, thank you to the other people who contributed to 0.4.2 (bug
reports, fixes, or patches):

   Jaroslaw Polok
   Jurjen Bokma
   Olaf Flebbe
   Michael Weiser
   Vladimir V Kanischev

(If I've accidentally missed your name, please let me know, and I will
credit you in the next release.)

- Ken Dreyer




Re: Problems with SSH-GSSAPI ticket authentication and NAT

2013-01-02 Thread Ken Dreyer
On Wed, Jan 2, 2013 at 1:56 PM, Greg Hudson  wrote:
> On 01/02/2013 12:33 PM, nomike wrote:
>> I strace'd the call to ssh and I could clearly see it doing a forward
>> and a reverse lookup after reading "krb5.conf".
>
> For some versions of krb5 (anything prior to 1.10.2) on most Linux
> systems, rdns=false does not work due to a glibc bug, unfortunately.

Yeah, I have to set entries in /etc/hosts for this reason (Fedora 17).

- Ken



Re: Hi

2013-01-08 Thread Ken Dreyer
On Tue, Jan 8, 2013 at 3:02 AM,   wrote:
> Hi,
>
> Can you please help in setting up the kerberos ? Actually we already
> have a active directory and kerberos setup in our organization ? Only
> thing we need to do is to kerberize the Web Server.

What software does your web server run? Apache, or IIS?

If it's Apache, you should look into
http://modauthkerb.sourceforge.net/ . I recommend getting "Basic" auth
working first, then moving on and setting up "Negotiate" auth.

> We have lot of internal web sites on a web server in which users
> authenticate against active directory and log into the web site. But
> they have to do it for every web site they access in our company.

What specific software does this AD authentication? Is it Apache's
mod_authnz_ldap, or is it in PHP code?

If it's Apache's mod_authnz_ldap, it will probably be easier to drop
in mod_auth_kerb as an authentication replacement. If it's PHP code
that uses ldap_bind(), it will probably be trickier to implement
single sign-on.

- Ken



Re: Hi

2013-01-28 Thread Ken Dreyer
On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia  wrote:
> Hi Ken,
>
> Thanks for your mail.
>
> Yes, we are using Apache as the web server.
>
> Also we are using ldap_bind to authenticate a user from active directory.
>
> Do you think if we replace ldap_bind by mod_authnz_ldap and then use
> modauthkerb, it will solve our problem ?
>
> Regards
>
> Deepak Bhatia


Hi Deepak,

In order to use single-sign-on in a web application like this, you
should extend the web application to have a special "HTTP login" URL.
For example, let's say that currently your web application has a
username/password web form, and that form posts to something like
auth.php. Your auth.php file gets the username and password from
$_POST, and then submits those via the PHP ldap_bind() function.

To add Kerberos support, you'd want to create a parallel
"authentication" URL, say, "auth-http.php". In terms of a GUI, for
your login form page, you can have users click a link that says "sign
in with Kerberos".

You'll use mod_auth_kerb to protect that URL. You don't have to
protect the entire web app, just that single /auth-http.php page. This
will allow you to still support LDAP authentication, or even no
authentication for some parts.

This auth-http.php page should check if the $_SERVER['REMOTE_USER'] variable is set. If it is set,
then you know that Apache successfully authenticated the user, and you
can pass them through to your application, setting the appropriate
session cookies, etc. Depending on your use case, you may want to then
look this user up in LDAP to get more attributes, like a UID, email,
or full name.

If the $_SERVER['REMOTE_USER'] variable is not set, then either the
user did not have proper Kerberos credentials, or the user's browser
is misconfigured. You can even show a custom 401 HTTP error to the
user, indicating that he or she should check their Kerberos ticket and
browser settings.

I'm simplifying a lot, but hopefully you get the idea. It would be a
good idea to look at some existing open source web applications that
already implement this in order to understand it. Fedora's Koji
(Python) and Gitorious (Ruby) are the web apps I know that do this
already. I think Cacti has support for general "HTTP" authentication
as well, but I'm pretty sure that they assume you'll restrict the
entire web app ("/cacti/") with Apache. When you restrict only a
sub-URL (such as "/auth-http.php"), then you have the ability to
support Kerberos without making it a requirement to use your web app
at all.

- Ken



Re: Help: Clear Kerberos Logins Information

2013-03-10 Thread Ken Dreyer
Hi Lee,

The way that I do this is I combine PHP's sessions with mod_auth_kerb.
I use mod_auth_kerb to protect only a single "login" or "session" URL,
say, "/session/http". When the user successfully does Kerberos auth to
Apache, I grab the REMOTE_USER variable as the user's login name, and
store that in a PHP session.

The rest of the web application is not protected by mod_auth_kerb. I
just rely on the PHP session to determine whether a user is logged in
or not.

To cause the user to log out, I just have to discard the PHP session
in the application's code.

This method also has the added bonus of loosely coupling Kerberos from
your application. Kerberos can be just one of several available login
mechanisms that you present to the user.

The downside is that instead of simply checking REMOTE_USER
everywhere, you now need to use PHP's session handling. Ideally, if
you're using some sort of web application framework, the intricacies
of session handling are abstracted away for you, and it's simple to
register new sessions, "login" or "logout" a user, etc.

- Ken


On Tue, Mar 5, 2013 at 9:53 AM, Lee Eric  wrote:
> Hi,
>
> My site(Apache httpd + mod_auth_kerb) is using Kerberos as
> authentication method and written in PHP. Is it possible that I can
> use PHP code like Logout to "clear" Kerberos login credentials? Then
> after page refresh user can input username/password again.
>
> I noticed that Firefox and Chrome can do this to clean active logins.
> Just don't know how to do that.
>
> Here's my Kerberos configs in httpd.
>
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   require valid-user
>   KrbMethodNegotiate On
>   KrbAuthRealms GARFIELD.INTERNAL
>   Krb5Keytab "/etc/httpd/httpd.keytab"
>
> Thanks.
>
> Eric

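
The design laid out in the two replies above (one login URL protected by the web server's Kerberos module, the application's own session everywhere else, logout as discarding that session) is the same whatever the application language. The following is an added example, not code from the thread and written in Python rather than PHP: a small WSGI application in which `/session/http` is the URL that mod_auth_kerb would protect, so REMOTE_USER is trusted only there; the application mints an HMAC-signed, expiring session cookie and every other URL consults only that cookie; `/logout` clears it. The secret, cookie name, lifetime and signing scheme are assumptions standing in for what a framework would provide. As the replies note, logging out of the application does not touch the user's Kerberos ticket: a client with a valid ticket can immediately re-authenticate at the login URL, which is why that URL is reached by an explicit "sign in with Kerberos" link rather than automatically.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SECRET = b"rotate-me-and-load-from-config"   # assumption: never hard-coded in production
COOKIE = "appsession"
SESSION_TTL = 8 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(principal: str, now: Optional[float] = None) -> str:
    """Signed token: base64(json) '.' base64(HMAC-SHA256 over the json)."""
    body = json.dumps({"user": principal, "exp": int((now or time.time()) + SESSION_TTL)}).encode()
    return _b64(body) + "." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())


def read_session(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the principal if the token's MAC verifies and it has not expired."""
    if not token or "." not in token:
        return None
    body_b64, mac_b64 = token.rsplit(".", 1)
    try:
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except Exception:
        return None
    if not hmac.compare_digest(mac, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return None
    data = json.loads(body)
    if data["exp"] < (now or time.time()):
        return None
    return data["user"]


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookies[COOKIE].value if COOKIE in cookies else None

    if path == "/session/http":
        # Only here is REMOTE_USER trustworthy: it is set by mod_auth_kerb after
        # a successful Negotiate (or Basic) exchange for this protected URL.
        principal = environ.get("REMOTE_USER")
        if not principal:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"Kerberos login failed: check your ticket (klist) and browser settings\n"]
        cookie = f"{COOKIE}={mint_session(principal)}; Path=/; HttpOnly; Secure; SameSite=Lax"
        start_response("303 See Other", [("Location", "/"), ("Set-Cookie", cookie)])
        return [b""]

    if path == "/logout":
        # Logout is purely an application-session matter; the Kerberos ticket is untouched.
        expired = f"{COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure"
        start_response("303 See Other", [("Location", "/"), ("Set-Cookie", expired)])
        return [b""]

    user = read_session(token)   # the rest of the app trusts only the cookie
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [(f"hello {user}\n" if user else "anonymous\n").encode()]


def call(path: str, **environ) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke app() with a constructed WSGI environ; returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET", **environ}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = call("/session/http", REMOTE_USER="alice@EXAMPLE.COM")
    token = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(status, call("/", HTTP_COOKIE=f"{COOKIE}={token}")[2].decode().strip())
```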


Re: Leverage Kerberos/Wallet for non-interactive SSH and script execution

2013-05-22 Thread Ken Dreyer
On Wed, May 22, 2013 at 1:20 PM, Russ Allbery  wrote:
> Then, use wallet to create that keytab on the build server, and then have
> your Jenkins server end its tasks by running:
>
> k5start -qUf /path/to/keytab/file -- /path/to/upload/script

I recently set up something just like this to do Jenkins deploys out
of an SCM into AFS (instead of SSH or SCP). k5start works like a charm
and I'd highly recommend it.

Also, I'd second Russ's point about separate keytabs per build
"server". Out of the box, Jenkins doesn't do privilege separation well
at all. I worked around this by using separate Jenkins shell accounts
on the build servers, one account per project, with separate keytabs
for each shell account/project. They are all prefixed by "jenkins/",
so the keytab that can deploy to an Apache virtualhost in AFS is named
"jenkins/vhost.example.com". It's a pain to manage all these extra
pieces at scale, although Puppet helps a bit.

- Ken



new msktutil release (v0.5)

2013-07-01 Thread Ken Dreyer
I'm pleased to announce release 0.5 of msktutil.

msktutil is a program for interoperability with Active Directory. It can
create computer and user accounts in Active Directory, create a Kerberos
keytab, add and remove principals to and from that keytab, and change
the computer or user account's password automatically.

A major new feature in version 0.5 is that msktutil can now manage user
accounts in addition to computer accounts. Big thanks to Mark Pröhl for
implementing this feature.

Other changes from the previous release:

   Add option to set the samba secret password

   Add option ("--realm") to specify a custom realm

   Various build fixes

   Add support for clients behind a NAT firewall

The Git repository is available at:

   

You can download the tarball from:

   

Please report any bugs in the Google Code issue tracker.

Mark Pröhl and I now have an additional co-maintainer for msktutil, Olaf
Flebbe. Welcome, and thank you, Olaf!

Thank you to everyone who contributed to 0.5 (bug reports, fixes, or
patches):

   Austin Murphy
   Jaroslaw Polok
   Mark Pröhl
   Michael Weiser
   Olaf Flebbe

(If I've accidentally missed your name, please let me know, and I will
credit you in the next release.)




new msktutil release (v0.5.1)

2013-10-24 Thread Ken Dreyer
I'm pleased to announce release 0.5.1 of msktutil.

msktutil is a program for interoperability with Active Directory. It
can create computer and user accounts in Active Directory, create a
Kerberos keytab, add and remove principals to and from that keytab,
and change the computer or user account's password automatically.

A major new feature in version 0.5.1 is the --keytab-auth-as and
--allow-weak-crypto options. With these options, OpenAFS cells using
Active Directory for authentication can use msktutil to migrate away
from the original AFS rxkad encryption onto stronger encryption types
(rxkad-k5 and rxkad-kdf). Thanks to Andrew Deason and Mark Pröhl for
implementing this feature.

This release also fixes the bug with uninitialized boolean variables
leading to the wrong values used in some cases. Thanks Jaroslaw Polok
and Mark Pröhl.

Other changes from the previous release:

   Add support for clients behind a NAT firewall

   If servicePrincipalName begins with "HOST/", rewrite to "host/" (thanks
   Boleslaw Tokarski for the report)

   msktutil manual page fixes (thanks Andrew Deason and Mark Pröhl)

   Adjust --precreate to match ADUC's behavior with long account names
   (thanks Erik de Vries)

   Build fixes for HPUX and NetBSD

   Fix issue with private glibc function on RHEL5 (thanks Daniel Kobras)

   Incorporate hardening patches from Debian (thanks Tony Mancill)

The Git repository is available at:

   

You can download the 0.5.1 tarball from:

   

The tarballs are also available from the older location at Google
Code, but Google will be discontinuing their tarball download service
in 2014, so we are moving the tarball hosting to Sourceforge.

Please report any bugs in the Google Code issue tracker.

Thank you to everyone who contributed to 0.5.1 (bug reports, fixes, or patches):

   Andrew Deason
   Boleslaw Tokarski
   Daniel Kobras
   Erik de Vries
   Jaroslaw Polok
   Mark Pröhl
   Olaf Flebbe
   Tony Mancill

(If I've accidentally missed your name, please let me know, and I will
credit you in the next release.)




Re: k5start -K and ticket renewals

2014-01-16 Thread Ken Dreyer
On Wed, Jan 15, 2014 at 7:51 PM, Russ Allbery  wrote:
> I think this would be more straightforward, would prevent the above
> issues, and would mean that I wouldn't have to merge various patches
> people have sent me to work around this or configure this in other ways.
> The only drawback I can think of is that it may mean somewhat more
> Kerberos KDC traffic, since I suspect a lot of people have set -K values
> to be fairly short, but the minimum time is one minute anyway.  An
> authentication every minute isn't a huge amount, and people can adjust
> their -K arguments after this release.
>
> Does anyone think this is a bad idea?  Am I missing any problem with this?

For what it's worth, I checked what we're using at work to
authenticate our Apache systems, and it's "-K 30", so I don't
anticipate that such a change would noticeably impact us.

- Ken



Re: Fwd: Kerberos5 ticket auto renewal

2014-03-19 Thread Ken Dreyer
On Tue, Mar 18, 2014 at 11:56 AM, Russ Allbery  wrote:
> Other options are sssd, as mentioned, and I believe there's a GNOME ticket
> management program that will do automatic ticket renewal as well (although
> I don't recall what it's called).

krb5-auth-dialog is the one I use with GNOME and Xfce:
https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/

It works great with FILE: based caches, though it is a bit buggy with
DIR: caches.

One of the features I like is that it integrates with aklog to
automatically get AFS tokens after the TGT is acquired.

- Ken



Re: Problems parsing old krbPrincipalKey attributes from LDAP backend

2014-10-01 Thread Ken Dreyer
On Mon, May 26, 2014 at 4:45 AM, Frank Steinberg
 wrote:
> Am 25.05.2014 um 05:14 schrieb Greg Hudson :
>> If you decide to go with patching the KDC, the candidate fixes are here:
>>
>> https://github.com/krb5/krb5/pull/129
>>
>> These changes should get pushed to master within a week or so, and
>> will eventually make their way into 1.12 and probably 1.11 patch releases.
>
> I took some time to find a python ASN.1 decoder/encoder and came up with
> the following python script. It should be able to convert the key data,
> so that a KrbSalt with only a type == 0 will be added where it's missing.
> With two test cases it seemed to work for me. However I did not yet apply
> it to our whole user database. If you have any comments, please let me know.
>

Hi Frank,

I converted my MIT KDC from CentOS 6 to CentOS 7 today, and your
kdb_ldap_fixkeys Python script was invaluable for repairing some
entries. Thanks!

(Looks like the -b option and the filter options are not documented in
usage() :-)

I was using krb5-server-1.11.3-49.el7. It looks like
https://github.com/krb5/krb5/pull/129 did get cherry-picked to the
krb5-1.12 branch, but not to krb5-1.11 yet.

- Ken

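Frank's kdb_ldap_fixkeys script is not reproduced in this thread, so here is an added example (my own code, not Frank's script and not part of krb5) of the same repair applied to a single DER-encoded krbPrincipalKey value: it walks the KrbKeySet structure as documented in the krb5 LDAP KDB plugin (explicit context tags, KrbSalt optional inside each KrbKey) and prepends a KrbSalt with type 0 to every KrbKey that has none. The sample key set, its zero-filled key bytes and the helper names (build_keyset, describe, fix_keyset) are all constructed for this example; reading the attribute from LDAP and writing it back is left out.

```python
"""Added example: give every KrbKey in a DER KrbKeySet an empty KrbSalt (type 0).

Layout assumed (krb5 LDAP plugin, explicit context tags):
  KrbKeySet ::= SEQUENCE { [0] major, [1] minor, [2] kvno, [3] mkvno OPTIONAL,
                           [4] SEQUENCE OF KrbKey }
  KrbKey    ::= SEQUENCE { [0] KrbSalt OPTIONAL, [1] EncryptionKey, [2] s2kparams OPTIONAL }
  KrbSalt   ::= SEQUENCE { [0] INTEGER type, [1] OCTET STRING salt OPTIONAL }
  EncryptionKey ::= SEQUENCE { [0] INTEGER keytype, [1] OCTET STRING keyvalue }
"""

SEQ, INT, OCTETS = 0x30, 0x02, 0x04


def ctx(n):
    """Explicit context-specific constructed tag [n]."""
    return 0xA0 | n


def _read_tlv(buf, pos=0):
    """Parse one definite-length DER TLV; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode a DER TLV with the shortest definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _der_int(n):
    """DER INTEGER for n >= 0; keeps the leading 0x00 when the top bit is set."""
    return _tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _int_of(tlv):
    return int.from_bytes(_read_tlv(tlv)[1], "big", signed=True)


# [0] KrbSalt { type 0 } -- salt type 0 is KRB5_KDB_SALTTYPE_NORMAL
EMPTY_SALT = _tlv(ctx(0), _tlv(SEQ, _tlv(ctx(0), _der_int(0))))


def fix_keyset(der):
    """Return (repaired_der, number_of_keys_that_received_a_salt)."""
    tag, body, end = _read_tlv(der)
    if tag != SEQ or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    repaired, new_body = 0, b""
    for ftag, fval in _children(body):
        if ftag == ctx(4):                          # [4] SEQUENCE OF KrbKey
            keys = b""
            for ktag, kval in _children(_read_tlv(fval)[1]):
                if _children(kval)[0][0] != ctx(0):  # first field is not [0] salt
                    kval, repaired = EMPTY_SALT + kval, repaired + 1
                keys += _tlv(ktag, kval)
            fval = _tlv(SEQ, keys)
        new_body += _tlv(ftag, fval)                # other fields pass through
    return _tlv(SEQ, new_body), repaired


def describe(der):
    """List (keytype, salt_type or None) per key; handy before/after a repair."""
    out = []
    for ftag, fval in _children(_read_tlv(der)[1]):
        if ftag != ctx(4):
            continue
        for _, kval in _children(_read_tlv(fval)[1]):
            keytype = salt_type = None
            for tag, val in _children(kval):
                if tag == ctx(0):
                    salt_type = _int_of(_children(_read_tlv(val)[1])[0][1])
                elif tag == ctx(1):
                    keytype = _int_of(_children(_read_tlv(val)[1])[0][1])
            out.append((keytype, salt_type))
    return out


def build_keyset(keys, kvno=2, mkvno=1):
    """Constructed sample input: keys is a list of (keytype, keyvalue, salt_type|None)."""
    key_tlvs = b""
    for keytype, keyvalue, salt_type in keys:
        body = b""
        if salt_type is not None:
            body += _tlv(ctx(0), _tlv(SEQ, _tlv(ctx(0), _der_int(salt_type))))
        enc = _tlv(ctx(0), _der_int(keytype)) + _tlv(ctx(1), _tlv(OCTETS, keyvalue))
        body += _tlv(ctx(1), _tlv(SEQ, enc))
        key_tlvs += _tlv(SEQ, body)
    body = (_tlv(ctx(0), _der_int(1)) + _tlv(ctx(1), _der_int(1))
            + _tlv(ctx(2), _der_int(kvno)) + _tlv(ctx(3), _der_int(mkvno))
            + _tlv(ctx(4), _tlv(SEQ, key_tlvs)))
    return _tlv(SEQ, body)
```

A constructed key set such as `build_keyset([(18, bytes(32), 0), (17, bytes(16), None)])` describes as `[(18, 0), (17, None)]` before and `[(18, 0), (17, 0)]` after `fix_keyset`, and running the repair a second time changes nothing. Fields other than the key list are re-encoded untouched, so a key set that already has salts everywhere round-trips byte for byte; compare `describe()` output for every entry before writing anything back to the directory.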


msktutil under new management

2014-10-29 Thread Ken Dreyer
Hi all,

I've accepted a new job at Red Hat working with the Ceph engineering
team, and I'll be leaving USGS on October 31. Since my work on msktutil
was related to my job at USGS, I'm stepping down as a maintainer on the
project. (This isn't a request from my new employer - it's just that my
wife and I had a new baby this summer, and I can't commit the time that
I once could when I was on staff at USGS.)

Mark Pröhl and Olaf Flebbe have been essentially carrying on the
msktutil project for the past year or two, so they are going to be the
official maintainers going forward. Mark and Olaf have full
administrator access to the Git repository, SourceForge, and Google
Code.

Previous releases of msktutil were signed by my personal GPG key; since
Mark doesn't have that key, please note that future releases won't be
signed with it :)

msktutil comes from a long line of previous maintainers and I thank each
of you for allowing me to add a tiny bit to your work. Thanks also to
Mark and Olaf for the work they've done over the past years - I'm sure
you will do a great job going forward.

I currently maintain the msktutil packages for Fedora and EPEL, and I'm
tentatively planning to continue to do so, at least for the immediate
future. I definitely welcome co-maintainers, and please get in touch if
you'd like to take over this part of msktutil.

- Ken





Re: KEYRING:persistent and ssh

2020-04-12 Thread Ken Dreyer
On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick  wrote:
>
> we use a pam module that normalizes the credential cache. If krb5.conf
> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
> into KEYRING and updates KRB5CCNAME.

Is this pam module open-source? It sounds like you've implemented what
Russ described earlier in this thread.

> However there’s a gotcha. Kerberized NFS uses (by default) the
> currently selected principal. So for a collection to be useful, we
> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
> always gets the right principal from the collection.

I'm interested in this as well, if it's open-source!

- Ken




rdns, past and future

2020-05-26 Thread Ken Dreyer
Hi folks,

In public cloud environments or Kubernetes environments, PTR records
are difficult or impossible for administrators to set. We increasingly
have to tell users to set "rdns = fallback" or "rdns = false".

I'm wondering what the original purpose of Kerberos' rdns feature was.
Why would a client want or need to do hostname canonicalization?

I'm also wondering if we will ever be able to default MIT Kerberos'
rdns setting to "fallback" or "false" in a future version. IMHO this
would make it easier to deploy Kerberos applications in modern hosting
environments.

- Ken



Re: rdns, past and future

2020-05-26 Thread Ken Dreyer
On Tue, May 26, 2020 at 3:56 PM Greg Hudson  wrote:
> On 5/26/20 5:09 PM, Ken Dreyer wrote:
> > In public cloud environments or Kubernetes environments, PTR records
> > are difficult or impossible for administrators to set. We increasingly
> > have to tell users to set "rdns = fallback" or "rdns = false".
>
> Note that dns_canonicalize_hostname and rdns are separate settings.
> dns_canonicalize_hostname supports "fallback", but rdns only supports
> true or false (and only takes effect when DNS canonicalization happens).

My bad, you're right. I meant dns_canonicalize_hostname=fallback.

I've found some public cloud providers with some very weird PTR
records for IP addresses that they hand out. These records are worse
than NXDOMAIN, and I was confused to see these in my logs.

- Ken

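To make the distinction Greg draws concrete (dns_canonicalize_hostname is true/false/fallback, rdns is only true/false and only matters once canonicalization happens), here is an added example, not code from krb5 or from anyone in the thread. It is a simplified model of how those two [libdefaults] settings decide which host name ends up in the service principal the client asks the KDC for; real libkrb5 calls getaddrinfo/getnameinfo, while this block uses constructed forward and reverse lookup tables so it runs offline. The names, addresses and the "generic provider PTR" in the tables are invented for the example.

```python
"""Added example: model of dns_canonicalize_hostname / rdns on the client side."""

# Constructed forward DNS: name -> (canonical name after CNAME chasing, address)
FORWARD = {
    "web.example.com": ("web-01.example.com", "198.51.100.10"),
    "web-01.example.com": ("web-01.example.com", "198.51.100.10"),
    "api.example.com": ("api-pod-7.cluster.example.com", "203.0.113.5"),
}
# Constructed reverse DNS. 203.0.113.5 carries the kind of generic provider
# PTR the thread complains about: valid DNS, but nobody holds a key for it.
PTR = {
    "198.51.100.10": "web-01.example.com",
    "203.0.113.5": "ip-203-0-113-5.cloud.example",
}


def canonicalize(hostname, rdns, forward=FORWARD, ptr=PTR):
    """Host name that dns_canonicalize_hostname=true would produce."""
    canon, addr = forward.get(hostname, (hostname, None))
    if rdns and addr in ptr:
        canon = ptr[addr]          # rdns only takes effect inside canonicalization
    return canon.lower()


def candidate_hosts(hostname, dns_canonicalize_hostname, rdns, **dns):
    """Host names the client will try, in order.

    False      -> the name exactly as the application passed it
    True       -> only the canonicalized name
    "fallback" -> the name as given first; if the KDC answers "server not
                  found", the canonicalized name (same rules as True)
    """
    given = hostname.lower()       # libkrb5 also lowercases the host component
    if dns_canonicalize_hostname is False:
        return [given]
    canon = canonicalize(hostname, rdns, **dns)
    if dns_canonicalize_hostname is True:
        return [canon]
    if dns_canonicalize_hostname == "fallback":
        return [given] if canon == given else [given, canon]
    raise ValueError(f"bad dns_canonicalize_hostname: {dns_canonicalize_hostname!r}")


def pick_service_principal(service, hostname, kdc_principals,
                           dns_canonicalize_hostname, rdns, **dns):
    """Simulate the lookup: the first candidate the KDC has a key for wins.

    None means every attempt ended in "Server not found in Kerberos database",
    which is the symptom an unexpected PTR record produces in client logs.
    """
    for host in candidate_hosts(hostname, dns_canonicalize_hostname, rdns, **dns):
        princ = f"{service}/{host}"
        if princ in kdc_principals:
            return princ
    return None
```

With a KDC that knows `host/web-01.example.com` and `host/api.example.com`, the CNAME case works under every setting, but `api.example.com` with `dns_canonicalize_hostname = true` fails whether rdns is on (the provider PTR name) or off (the pod name): neither name has a key. Only `fallback` or `false` lets the client ask for the name the administrator actually keyed, which is why those are the settings the thread ends up recommending for cloud and Kubernetes hosts.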


Re: rdns, past and future

2020-05-26 Thread Ken Dreyer
On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
 wrote:
>
>  2. Before the existence of DNS SRV records, CNAME records were the
> only method of offering a service on multiple hosts.  However,
> it's a poor idea to share the same key across all of the hosts.

I'm curious about this. What makes it a poor idea?

It seems like a very convenient way to scale a service up and down
dynamically quickly when you share a key among all instances.

> Again, disabling "rdns" by default will break an unknown number
> of application clients.

Sure. My point is that it breaks the other way for modern
architectures where PTR records will never be under an application
developer's control. With Kubernetes a service can appear to clients
to move IPs very quickly. I'm not defending Kubernetes or anything
here, I'm wildly speculating that maybe breaking with the past is a
good idea as more applications and developers move in this direction.

- Ken



Re: rdns, past and future

2020-05-27 Thread Ken Dreyer
On Tue, May 26, 2020 at 4:59 PM Jeffrey Altman
 wrote:
>
> On 5/26/2020 6:31 PM, Ken Dreyer wrote:
> > On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
> >  wrote:
> >>
> >>  2. Before the existence of DNS SRV records, CNAME records were the
> >> only method of offering a service on multiple hosts.  However,
> >> it's a poor idea to share the same key across all of the hosts.
> >
> > I'm curious about this. What makes it a poor idea?
> >
> > It seems like a very convenient way to scale a service up and down
> > dynamically quickly when you share a key among all instances.
>
> Because if you hack into one of the hosts you now have the key for all
> of the hosts.  The holder of the key can forge tickets for any user.

This is true only if the administrator has enabled constrained
delegation for that key (e.g. ok_to_auth_as_delegate), right? Is there
some other scenario I'm missing?

> Since the key isn't unique the entire distributed service has to be
> shut down to address the vulnerability.

OK, that makes sense. I was thinking of a homogeneous environment
where each app server runs the exact same versions of code, so an
attacker entry through a vulnerability on one system means that all
systems almost certainly have the same vulnerability.

> It is also much harder to trace where the key was stolen from.

Yeah, that's fair.

- Ken
