Re: kerberos and freeradius
On Fri, Dec 19, 2003 at 08:47:27AM -0600, dave schrader wrote: Are there any modules available that will allow freeradius to do kerberos authentication under netbsd ? Dave Schrader There is an rlm_krb5 module included in the freeradius source. I believe one of the developers who've worked on it uses NetBSD. -- Steve Langasek postmodern programmer Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kerberos and freeradius
On Friday, December 19, 2003 08:47:27 -0600 dave schrader [EMAIL PROTECTED] wrote: Are there any modules available that will allow freeradius to do kerberos authentication under netbsd ? Dave Schrader Freeradius includes a 'rlm_krb5' module which will verify passwords against your krb5 KDC. Note that this is not the same as using Kerberos to authenticate the RADIUS protocol spoken between the NAS and RADIUS server. I have attached a patch against freeradius-0.3 which makes some improvements to the rlm_krb5 module, including actually validating the tickets it obtains in the process of verifying a password. We've been running this for a couple of years with good results. It won't be exactly what you need, but it should serve as a good starting point. Notably... - We've run this on Linux, but not any of the BSD's - I've made no attempt to port to newer versions of freeradius - We build against Heimdal, and there are some API differences. I can't promise this will build as-is against MIT krb5. If you have an AFS client (see www.openafs.org), you can find our full source tree in /afs/cs.cmu.edu/misc/nettools/src/freeradius-0.3 (and patches in ../Patches), and our configuration (minus the actual keys) in /afs/cs.cmu.edu/data/domain/config/raddb Good luck... -- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED] Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA freeradius-krb5.patch Description: Binary data Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kerberos and freeradius
On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote: On Friday, December 19, 2003 08:47:27 -0600 dave schrader [EMAIL PROTECTED] wrote: Are there any modules available that will allow freeradius to do kerberos authentication under netbsd ? Dave Schrader Freeradius includes a 'rlm_krb5' module which will verify passwords against your krb5 KDC. Note that this is not the same as using Kerberos to authenticate the RADIUS protocol spoken between the NAS and RADIUS server. I have attached a patch against freeradius-0.3 which makes some improvements to the rlm_krb5 module, including actually validating the tickets it obtains in the process of verifying a password. We've been running this for a couple of years with good results. It won't be exactly what you need, but it should serve as a good starting point. Notably... freeradius 0.3 is substantially out of date, and probably has remotely exploitable vulnerabilities (or then again, maybe it's too old for them...). The current version of the rlm_krb5 module (0.9+) includes the enhancements you describe, including improved portability between MIT KRB5 and Heimdal (though I recently made some changes to CVS HEAD that I haven't tested on Heimdal, so I may have ruined that again ;). -- Steve Langasek postmodern programmer Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kerberos and freeradius
On Friday, December 19, 2003 14:12:52 -0600 Steve Langasek [EMAIL PROTECTED] wrote: On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote: On Friday, December 19, 2003 08:47:27 -0600 dave schrader [EMAIL PROTECTED] wrote: Are there any modules available that will allow freeradius to do kerberos authentication under netbsd ? Dave Schrader Freeradius includes a 'rlm_krb5' module which will verify passwords against your krb5 KDC. Note that this is not the same as using Kerberos to authenticate the RADIUS protocol spoken between the NAS and RADIUS server. I have attached a patch against freeradius-0.3 which makes some improvements to the rlm_krb5 module, including actually validating the tickets it obtains in the process of verifying a password. We've been running this for a couple of years with good results. It won't be exactly what you need, but it should serve as a good starting point. Notably... freeradius 0.3 is substantially out of date, and probably has remotely exploitable vulnerabilities (or then again, maybe it's too old for them...). The current version of the rlm_krb5 module (0.9+) includes the enhancements you describe, including improved portability between MIT KRB5 and Heimdal (though I recently made some changes to CVS HEAD that I haven't tested on Heimdal, so I may have ruined that again ;). Yeah; that doesn't surprise me. We don't actually use it much, and keeping it up to date hasn't been a high priority for me... I'm glad to hear that work has been done on improving the rlm_krb5 module; I seem to recall last I looked that it was still broken, but that was quite some time ago. -- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED] Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
