Re: Hi All,
Thanks for your great suggestion, it solves my problem! On Wed, May 27, 2020 at 6:01 AM Greg Hudson wrote: > On 5/26/20 2:54 AM, Ming Zhi wrote: > > But with GSSAPI, I cannot find an official way to set the hook between > the > > `context' creation and the start of kdc traffic, as is done in a single > > function `gss_init_sec_context'. The worst situation is that I need to > get > > hands dirty to change the source code. > > Unfortunately I don't think we have a good solution here. We have a > "locate" pluggable interface [1] which might work (basically, have it > always return a local service, which then parses out the realm name from > the request). > > I am personally fond of the idea of having a krb5 interface to control > the per-thread krb5_context object used by the GSS mech, for situations > like these. But other people have disliked the idea, so I haven't > implemented it. > > [1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html > Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi All,
On 5/26/20 2:54 AM, Ming Zhi wrote: > But with GSSAPI, I cannot find an official way to set the hook between the > `context' creation and the start of kdc traffic, as is done in a single > function `gss_init_sec_context'. The worst situation is that I need to get > hands dirty to change the source code. Unfortunately I don't think we have a good solution here. We have a "locate" pluggable interface [1] which might work (basically, have it always return a local service, which then parses out the realm name from the request). I am personally fond of the idea of having a krb5 interface to control the per-thread krb5_context object used by the GSS mech, for situations like these. But other people have disliked the idea, so I haven't implemented it. [1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Hi All,
I have met a development issue about the kerberos's GSSAPI. The krb5 library has a `send hook' support as is done in `krb5_set_kdc_send_hook'. This is very useful for me, in a project where the network traffic is restricted to a single TCP connection, which is shared between different clients by multiplexing. And a dedicated KDC communication channel is not available. The hook provides a perfect way for the KDC messages to its destination over the shared tcp connection. On the other hand, GSSAPI is cool to have a uniformed interface to different authentication mechanisms as well as the kerberos, and it saves a lot of effort compared to using the native krb API. And I would like to use it for the kerberos development. But with GSSAPI, I cannot find an official way to set the hook between the `context' creation and the start of kdc traffic, as is done in a single function `gss_init_sec_context'. The worst situation is that I need to get hands dirty to change the source code. Does any of you have some suggestions on this issue ? looking forward to your comments. woodhead99 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
hi,how can i add a client to KDS? kadmin: Incorrect password while initializing kadmin interface
hi,maillist: i do the following action but seems not work # yum install krb5-workstation copy krb5.conf from KDS host and here is my krb5.conf content [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] BENCHMARK.COM = { kdc = kerberos.benchmark.com:88 admin_server = kerberos.benchmark.com:749 default_domain = benchmark.com } [domain_realm] .benchmark.com = BENCHMARK.COM benchmark.com = BENCHMARK.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } also, client can find KDS # nslookup 192.168.10.124 Server: 192.168.10.124 Address:192.168.10.124#53 124.10.168.192.in-addr.arpa name = kerberos.benchmark.com. # ping kerberos.benchmark.com PING kerberos.benchmark.com (192.168.10.124) 56(84) bytes of data. 64 bytes from CH124 (192.168.10.124): icmp_seq=1 ttl=64 time=0.109 ms 64 bytes from CH124 (192.168.10.124): icmp_seq=2 ttl=64 time=0.166 ms when i do this from client ,it not work # kadmin -r BENCHMARK.COM -p host/monitor.benchmark@benchmark.com -w root -q ktadd -k /etc/krb5.keytab host/monitor.benchmark@benchmark.com Authenticating as principal host/monitor.benchmark@benchmark.com with password. kadmin: Incorrect password while initializing kadmin interface but i can do on KDS with same password,i do not know why? anyone can help? # kadmin -r BENCHMARK.COM Authenticating as principal root/ad...@benchmark.com with password. Password for root/ad...@benchmark.com: kadmin: Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: hi,how can i add a client to KDS? kadmin: Incorrect password while initializing kadmin interface
and here is log output from KDS Dec 19 14:49:48 CH124 krb5kdc[16324](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.10.126: SERVER_NOT_FOUND: host/monitor.benchmark@benchmark.com for kadmin/kerberos.benchmark@benchmark.com, Server not found in Kerberos database Dec 19 14:49:48 CH124 krb5kdc[16324](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.10.126: ISSUE: authtime 1387435788, etypes {rep=18 tkt=18 ses=18}, host/monitor.benchmark@benchmark.com for kadmin/ad...@benchmark.com On Thu, Dec 19, 2013 at 2:57 PM, ch huang justlo...@gmail.com wrote: hi,maillist: i do the following action but seems not work # yum install krb5-workstation copy krb5.conf from KDS host and here is my krb5.conf content [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM http://example.com/ dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] BENCHMARK.COM http://benchmark.com/ = { kdc = kerberos.benchmark.com:88 admin_server = kerberos.benchmark.com:749 default_domain = benchmark.com } [domain_realm] .benchmark.com = BENCHMARK.COM http://benchmark.com/ benchmark.com = BENCHMARK.COM http://benchmark.com/ [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } also, client can find KDS # nslookup 192.168.10.124 Server: 192.168.10.124 Address:192.168.10.124#53 124.10.168.192.in-addr.arpa name = kerberos.benchmark.com. # ping kerberos.benchmark.com PING kerberos.benchmark.com (192.168.10.124) 56(84) bytes of data. 64 bytes from CH124 (192.168.10.124): icmp_seq=1 ttl=64 time=0.109 ms 64 bytes from CH124 (192.168.10.124): icmp_seq=2 ttl=64 time=0.166 ms when i do this from client ,it not work # kadmin -r BENCHMARK.COM http://benchmark.com/ -p host/monitor.benchmark@benchmark.com -w root -q ktadd -k /etc/krb5.keytab host/monitor.benchmark@benchmark.com Authenticating as principal host/monitor.benchmark@benchmark.com with password. kadmin: Incorrect password while initializing kadmin interface but i can do on KDS with same password,i do not know why? anyone can help? # kadmin -r BENCHMARK.COM http://benchmark.com/ Authenticating as principal root/ad...@benchmark.com with password. Password for root/ad...@benchmark.com: kadmin: Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi
Deepak, Actually if your sites are for internal users only you might as well just protect the entire site with kerberos authentication, using Apache's mod_krb5 When your entire site is protected you don't need any special login code in your application. Just get the user identity from REMOTE_USER variable. If you are on IIS, all you need to do is to click the checkbox that says 'Enable Integrated Windows Authentication' If you have a hybrid site that is accessible to both internal and external users, you have to go with the Ken's suggestion. Good thing about having the entire site proctected is that every browser request will be protected by unique token. This way you will get extra protection against people who try to steal authenitcation cookies Don't worry about the performance, kerberos authentication is ligthningly fast. However, if your traffic goes outside of your corporate network you have to use encrypted channels either through VPN or HTTPS. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi
On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia toreachdeep...@gmail.com wrote: Hi Ken, Thanks for your mail. Yes, we are using Apache as the web server. Also we are using ldap_bind to authenticate a user from active directory. Do you think if we replace ldap_bind by mod_authnz_ldap and then use modauthkerb, it will solve our problem ? Regards Deepak Bhatia Hi Deepak, In order to use single-sign-on in a web application like this, you should extend the web application to have a special HTTP login URL. For example, let's say that currently your web application has a username/password web form, and that form posts to something like auth.php. Your auth.php file gets the username and password from $_POST, and then submits those via the PHP ldap_bind() function. To add Kerberos support, you'd want to create a parallel authentication URL, say, auth-http.php. In terms of a GUI, for your login form page, you can have users click a link that says sign in with Kerberos. You'll use mod_auth_kerb to protect that URL. You don't have to protect the entire web app, just that single /auth-http.php page. This will allow you to still support LDAP authentication, or even no authentication for some parts. This auth-http.php page should check if the is set. If it is set, then you know that Apache successfully authenticated the user, and you can pass them through to your application, setting the appropriate session cookies, etc. Depending on your use case, you may want to then look this user up in LDAP to get more attributes, like a UID, email, or full name. If the $_SERVER['REMOTE_USER'] variable is not set, then either the user did not have proper Kerberos credentials, or the user's browser is misconfigured. You can even show a custom 401 HTTP error to the user, indicating that he or she should check their Kerberos ticket and browser settings. I'm simplifying a lot, but hopefully you get the idea. It would be a good idea to look at some existing open source web applications that already implement this in order to understand it. Fedora's Koji (Python) and Gitorious (Ruby) are the web apps I know that do this already. I think Cacti has support for general HTTP authentication as well, but I'm pretty sure that they assume you'll restrict the entire web app (/cacti/) with Apache. When you restrict only a sub-URL (such as /auth-http.php), then you have the ability to support Kerberos without making it a requirement to use your web app at all. - Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi
Thanks a lot Ken, I will get back to you soon after analyzing your detailed mail below. On Mon, Jan 28, 2013 at 10:02 PM, Ken Dreyer ktdre...@ktdreyer.com wrote: On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia toreachdeep...@gmail.com wrote: Hi Ken, Thanks for your mail. Yes, we are using Apache as the web server. Also we are using ldap_bind to authenticate a user from active directory. Do you think if we replace ldap_bind by mod_authnz_ldap and then use modauthkerb, it will solve our problem ? Regards Deepak Bhatia Hi Deepak, In order to use single-sign-on in a web application like this, you should extend the web application to have a special HTTP login URL. For example, let's say that currently your web application has a username/password web form, and that form posts to something like auth.php. Your auth.php file gets the username and password from $_POST, and then submits those via the PHP ldap_bind() function. To add Kerberos support, you'd want to create a parallel authentication URL, say, auth-http.php. In terms of a GUI, for your login form page, you can have users click a link that says sign in with Kerberos. You'll use mod_auth_kerb to protect that URL. You don't have to protect the entire web app, just that single /auth-http.php page. This will allow you to still support LDAP authentication, or even no authentication for some parts. This auth-http.php page should check if the is set. If it is set, then you know that Apache successfully authenticated the user, and you can pass them through to your application, setting the appropriate session cookies, etc. Depending on your use case, you may want to then look this user up in LDAP to get more attributes, like a UID, email, or full name. If the $_SERVER['REMOTE_USER'] variable is not set, then either the user did not have proper Kerberos credentials, or the user's browser is misconfigured. You can even show a custom 401 HTTP error to the user, indicating that he or she should check their Kerberos ticket and browser settings. I'm simplifying a lot, but hopefully you get the idea. It would be a good idea to look at some existing open source web applications that already implement this in order to understand it. Fedora's Koji (Python) and Gitorious (Ruby) are the web apps I know that do this already. I think Cacti has support for general HTTP authentication as well, but I'm pretty sure that they assume you'll restrict the entire web app (/cacti/) with Apache. When you restrict only a sub-URL (such as /auth-http.php), then you have the ability to support Kerberos without making it a requirement to use your web app at all. - Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi
Hi, Can you please help in setting up the kerberos ? Actually we already have a active directory and kerberos setup in our organization ? Only thing we need to do is to kerberize the Web Server. We have lot of internal web sites on a web server in which users authenticate against active directory and log into the web site. But they have to do it for every web site they access in our company. The websites are PHP Sites. Thanks Deepak On Friday, May 25, 2012 12:08:57 AM UTC+5:30, Neelam Shah wrote: Hi, I have implemented Kerberos authentication in my organization. I have implemented it in around 15 servers.. Its working fine for almost 4 months..but recently I am facing some issues and need your help.. 1st issue - When I type okinit command, I am getting OSD error.. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi
On Tue, Jan 8, 2013 at 3:02 AM, toreachdeep...@gmail.com wrote: Hi, Can you please help in setting up the kerberos ? Actually we already have a active directory and kerberos setup in our organization ? Only thing we need to do is to kerberize the Web Server. What software does your web server run? Apache, or IIS? If it's Apache, you should look into http://modauthkerb.sourceforge.net/ . I recommend getting Basic auth working first, then moving on and setting up Negotiate auth. We have lot of internal web sites on a web server in which users authenticate against active directory and log into the web site. But they have to do it for every web site they access in our company. What specific software does this AD authentication? Is it Apache's mod_authnz_ldap, or is it in PHP code? If it's Apache's mod_authnz_ldap, it will probably be easier to drop in mod_auth_kerb as an authentication replacement. If it's PHP code that uses ldap_bind(), it will probably be trickier to implement single sign-on. - Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Hi
Hi, I have implemented Kerberos authentication in my organization. I have implemented it in around 15 servers.. Its working fine for almost 4 months..but recently I am facing some issues and need your help.. 1st issue - When I type okinit command, I am getting OSD error.. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
HI
HI all Nice to meet you here. I have a question. Below is it. [EMAIL PROTECTED] sbin]# krlogin 172.26.26.77 -k EXAMPLE.COM -l stevezhang error getting credentials: Server not found in Kerberos database Trying krb4 rlogin... krb_sendauth failed: You have no tickets cached [EMAIL PROTECTED] sbin]# If you know about how to resolve it as to login by using krlogin with Kerberos ,please let me know. Thks. Best regards Steve zhang Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
hi
hi is kerberos uesd for LAN , how instulation for windows xp ? __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
hi
i need requires authorization for kerberos name and password for ues leash kerberos for windows __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
hi
Hi, I am facing an issue with Kerberos authentication using Java GSS API. Following is the scenario. I have a web application running on a solaris box. The KDC is running on a Win2K server which is also a domain controller. Whenever a user logs into the domain and tries to access teh web app running on the solaris box, he should be authenticated using Kerberos. To make this happen an account is created for the Unix Server(HTTP service) on the KDC. The account was tested from UNIX using kinit and it works fine. To do the Kerberos authentication, the Kerberos token is requested from IE. This was achieved by making the Webapplication running on Solaris set a WWW-Authenticate header in the response and the status code as 401. On receiving this, the client (IE) contacts the KDC and fetches the Kerberos service ticket for the server. IE sends the Kerberos Token wrapped as a SPNEGO token and send back this data in the Authorization header. I am using a C library to parse out the Kerberos token and validate it. The token I receive passes through the validation successfully. This was verified by accessing the webapp without logging into domain, during which the parsing and validation failed. Now I have a valid Kerberos token which contains the client authentication infomation. From the server application I am verifying the authenticity of client using JAVA GSS API. I am logging into the KDC using the account created for the server and create a GSSContext (part of GSS API spec) . The next step to do is to pass in the Kerberos token to the acceptSecContext method of GSSCotext. This method will check the client info and returns a token back. The returned token will contain information whether the client was authenticated correctly, or the server requires more information (for further exchanges between client and server) or whether the client authentication faled etc. Now I am facing an issue with the acceptSecurityContext call. When I pass in the token which was already verified as a valid Kerberos 5 token, I am getting error. Following is the error. GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!) at sun.security.jgss.krb5.InitSecContextToken.init(InitSecContextToken.java:7 2) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:719) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246) at com.iormyx.webapp.security.GSSCallImpl.run(GSSCallImpl.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:320) at com.iormyx.webapp.security.GSSCallImpl.startServer(GSSCallImpl.java:59) at com.iormyx.webapp.security.Authenticate.verifyCredential(Authenticate.java:5 0) at com.iormyx.webapp.actions.LoginAction.execute(LoginAction.java:67) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProces sor.java:484) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507) at javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:157) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:214) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContext Valve.java:198) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:152) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:102) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :109) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160
Hi,I got an Error 70
Hi, I downloaded the kerberos for windows from the url: http://web.mit.edu/kerberos/www/dist/index.html#KFW2.6.4 .After I installed it , I run the Leash Kerberos ticket manager. I can get a ticket from my kdc, it has no problem. But when I select the Action menu and click the change password button, and type my new password, It report an error 70. It says that the remote server has closed the current connection. I am sure my kdc doesn't have a problem. Because I can change password, add new principals on it. And Actually what I want to do with leash is that I found it has a dll, and the dll has a interface to change password remotely. I want to integrate this function to my Login program. Because I used JAAS to authenticate user, It only can verfiy user, cannot change password or add new user. But the customer wants a GUI for admin kerberos principal. So I found leash. I have also searched Error 70 on google, and Found some messages below. But I have tried that, It doesn't help. Please give me some advices. Q: Kerberos Error 70 (get_intkt) A: The system has lost its TEMP variable. Unless instructed otherwise, ticket files are created in the TEMP directory. If the temp variable disappears, then Kerberos 4 has no idea what to do and it quits with the Kerberos error 70. Solution: Edit autoexec.bat (in Windows 3.1 or 95) or the environment pane in the System control of NT to SET TEMP=C:\TEMP or the equivalent. Then restart the system. === Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Hi,I got an Error 70
Error 70 is a Kerberos 4 error. Does your KDC not support Kerberos 5? You should not be receiving any Kerberos IV error messages for change password unless your KDC does not speak Kerberos 5; or you have deleted the krb5_32.dll file Jeffrey Altman jiangsukid wrote: Hi, I downloaded the kerberos for windows from the url: http://web.mit.edu/kerberos/www/dist/index.html#KFW2.6.4 ..After I installed it , I run the Leash Kerberos ticket manager. I can get a ticket from my kdc, it has no problem. But when I select the Action menu and click the change password button, and type my new password, It report an error 70. It says that the remote server has closed the current connection. I am sure my kdc doesn't have a problem. Because I can change password, add new principals on it. And Actually what I want to do with leash is that I found it has a dll, and the dll has a interface to change password remotely. I want to integrate this function to my Login program. Because I used JAAS to authenticate user, It only can verfiy user, cannot change password or add new user. But the customer wants a GUI for admin kerberos principal. So I found leash. I have also searched Error 70 on google, and Found some messages below. But I have tried that, It doesn't help. Please give me some advices. Q: Kerberos Error 70 (get_intkt) A: The system has lost its TEMP variable. Unless instructed otherwise, ticket files are created in the TEMP directory. If the temp variable disappears, then Kerberos 4 has no idea what to do and it quits with the Kerberos error 70. Solution: Edit autoexec.bat (in Windows 3.1 or 95) or the environment pane in the System control of NT to SET TEMP=C:\TEMP or the equivalent. Then restart the system. === Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: hi
hey its me again.. did you see this site? Every day thousands of Americans are saving money, don't be one of the few who miss out! I personally couldnt have got out of the mess I was in without this site http://btrack.iwon.com/r.pl?redir=http://[EMAIL PROTECTED]/viewso65/index.asp?RefID=198478 Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Hi there
¿Â¶óÀÎ »ó´ãÀÌ µé¾î¿Ô½À´Ï´Ù. ([EMAIL PROTECTED]) on Thursday, January 17, 2002 at 12:45:58 --- message: Hello, Sir. We have got something that will interest you. Three great books to help you master and WIN in the game of love. The information offerred at our website will help you pick up the hottest woman, and educate you to exactly what their deepest needs arebrbr a href=http://www.joinfreee.com;Pornstar's Guide to All Natural Penis Enlargement/a-brThe best online guide to a bigger cock, naturally!brbr a href=http://www.joinfreee.com;How to Pickup Woman 2000/a-brThe ultimate guide to survival in the deadly world of modern datingbrbr a href=http://www.joinfreee.com;How to give your Woman a Screaming Orgasm/a-brShe will be forever grateful, and your sex life will be awesome.brbrClick below or on any of the other links to enterbr a href=http://www.joinfreee.com;http://www.joinfreee.combrbr/aNote: For mature viewers only (18 ). You will get full access to all three online books instantly for a whole year after you joi! n.br ---