> "Leland" == Leland Wallace <[EMAIL PROTECTED]> writes:
Leland> sounds reasonable, is there a way to have the kdc launched
Leland> on demand (not for every request, but for 5 min at a time
Leland> or so, or the replay cache ttl) possibly separating the
Why would you want to? I
[EMAIL PROTECTED] wrote on 02/25/2004 02:14:44 PM:
> I am defining a security approach involving use of delegatable
> service tickets using Microsoft Kerberos implementation. I heard
> from a colleague that this is ill-advised as the Microsoft
> implementation does not properly limit the ticke
>According to strace ...
>
>1.2.8 app server with named credential - opens an rcache.
>1.3.1 app server with no credential - no evidence of rcache being
>opened.
Hm, regarding my previous note
It looks like I was wrong, krb5_rd_req() will get a replay cache even if
the passed-in server is NU
According to strace ...
1.2.8 app server with named credential - opens an rcache.
1.3.1 app server with no credential - no evidence of rcache being
opened.
wrt to krb5_rd_req - it looks like rcache is obtained only if
auth_context_flags includes KRB5_AUTH_CONTEXT_DO_TIME.
accept_sec_context clea
On Feb 25, 2004, at 11:50 AM, Sam Hartman wrote:
"Leland" == Leland Wallace <[EMAIL PROTECTED]> writes:
The KDC does not support running out of inetd. Reasons adding this
support would be a bad idea include:
* Setting up the PRNG for key generation
* The lookaside cache for retransmitting rep
>I think that's false. I believe that krb5_rd_req will end up setting
>up a rcache later.
I think Cesar is right, actually. krb5_rd_req will only set up a replay
cache if you pass in the "server" argument, which is set from creds->princ,
which is NULL if you call the gss function with GSS_C_NO_C
Sam Hartman wrote:
>
> > "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:
>
> Douglas> That may be true. But just getting the OpenSSH people to
> Douglas> add the gssapi authentication to OpenSSH-3.8 was a
> Douglas> big step forward.
>
> Sure but when people want
> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:
Douglas> That may be true. But just getting the OpenSSH people to
Douglas> add the gssapi authentication to OpenSSH-3.8 was a
Douglas> big step forward.
Sure but when people want to go for the whole solution don't
di
> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes:
Cesar> wrt to gssapi and 1.3.1 ...
Cesar> Since we're pointing out lack of replay cache detection,
Cesar> note that if acquiring creds for GSS_C_NO_NAME, then no
Cesar> replay cache is used. (specifically looking at 1.3.1
Add suffix '/src': --with-kerberos5=/.../krb5-1.3.1/src
That works for us with OpenSSH 3.7.1p2 (haven't tried 3.8 yet).
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
And I would've gotten away with it, too, if it wasn't for those meddling
kids!
--
Steve Langasek
postmodern programmer
> "Leland" == Leland Wallace <[EMAIL PROTECTED]> writes:
Leland> The KDC launches just fine, but it does not complete the
Leland> request that triggered the launch. If I quit kinit & try
Leland> again, it all works as the kdc is running. Is there
Leland> something I'm doing wr
> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:
>> It is also worth noting, that, while Heimdal is not thread safe (at least there
>> are no guarantees), it has proven to be much more thread-robust than MIT.
>> OpenLDAP page and a couple of users have experienced problems with MIT and
Sam Hartman wrote:
>
> > "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:
>
> Douglas> OpenSSH-3.8 released yesterday contains the gssapi
> Douglas> patch. It also contains changes to use the krb5-config,
> Douglas> which looks like your problem.
>
> Doug, OpenSSH does
I am investigating the feasibility of launching krb5kdc out of xinetd.
Currently I am using the following config in /etc/xinetd.d/
service = kerberos
{
disable = no
socket_type = stream
server = /usr/sbin/krb5kdc
server_args = -n
I am defining a security approach involving use of delegatable service tickets using
Microsoft Kerberos implementation. I heard from a colleague that this is ill-advised
as the Microsoft implementation does not properly limit the ticket to delegation only
by the specific service it was issued f
Hi,
Does anyone have a link to RFC 1510bis? For some reason, I see references
to this RFC everywhere yet can't find the actual document. Thanks.
> "Inger," == Inger, Slav ( ) <[EMAIL PROTECTED]> writes:
Inger,> Hi, Does anyone have a link to RFC 1510bis? For some
Inger,> reason, I see references to this RFC everywhere yet can't
Inger,> find the actual document. Thanks.
Inger,> _
> "Lukas" == Lukas Kubin <[EMAIL PROTECTED]> writes:
Lukas> How complicated is it to move to Heimdal from MIT? I need
Lukas> a solution to enable users' authentication to LDAP in our
Lukas> network which uses MIT Kerberos 5. What do you use?
On a Debian system using the native LD
> "Sensei" == Sensei <[EMAIL PROTECTED]> writes:
Sensei> On AIX we have a really different thing:
Sensei> 1. AS-REQ Client name:host type:Principal name:host
Sensei> name:aix realm:MYREALM Server name:kadmin type:Principal
Sensei> name:kadmin name:admin end time:1970-01-01 00:
> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:
>> It is also worth noting, that, while Heimdal is not thread safe
>> (at least there are no guarantees), it has proven to be much
>> more thread-robust than MIT. OpenLDAP page and a couple of
>> users have experienced probl
i lost that
> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:
Douglas> OpenSSH-3.8 released yesterday contains the gssapi
Douglas> patch. It also contains changes to use the krb5-config,
Douglas> which looks like your problem.
Doug, OpenSSH does not contain support for gss-keyex, whi
> "John" == John Hayes <[EMAIL PROTECTED]> writes:
John> I know this does not make much sense, however it is how it
John> must be approached in the implementation environment.
You're right about that. I couldn't understand what you were asking
well enough to respond;)
Can you more c
Doug:
KfW requires Aug 2001. There is nothing in the newer SDKs that is
required. Using newer SDKs is advised but not required.
- Jeff
Douglas E. Engert wrote:
> Have seen this before. You need the Microsoft SDK.
> See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
>
___
Scott Ehrlich wrote:
>
> On Wed, 25 Feb 2004, Douglas E. Engert wrote:
>
> > Date: Wed, 25 Feb 2004 09:56:53 -0600
> > From: Douglas E. Engert <[EMAIL PROTECTED]>
> > To: Scott Ehrlich <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Need help with compiling gss-api into patched o
On Wed, 25 Feb 2004, Douglas E. Engert wrote:
> Date: Wed, 25 Feb 2004 09:56:53 -0600
> From: Douglas E. Engert <[EMAIL PROTECTED]>
> To: Scott Ehrlich <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Need help with compiling gss-api into patched openssh
>
> OpenSSH-3.8 released yesterda
>It is also worth noting, that, while Heimdal is not thread safe (at least there
>are no guarantees), it has proven to be much more thread-robust than MIT.
>OpenLDAP page and a couple of users have experienced problems with MIT and
>threaded OpenLDAP server, while Heimdal performed flawlessly.
>
Marcel wrote:
> hey together,
>
> can anyone tell me the differences between kerberos v5 sources 1.3.1 for linux and
> windows.
the windows sources are enhanced with support for Windows.
> is it possible to compile and use the original unix sources on a windows machine.
as documented in th
OpenSSH-3.8 released yesterday contains the gssapi patch. It also contains
changes to use the krb5-config, which looks like your problem.
Scott Ehrlich wrote:
>
> I just upgraded my Cygwin installation on my XP laptop, downloaded the
> gssapi patch from www.sxw.org.uk, obtained the correspondi
Have seen this before. You need the Microsoft SDK.
See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
Marcel wrote:
>
> hello, can anybody help me out. i'm trying to compile kfw-2.5-src on a windows XP
> machine
> with visual studio 6 c++. but when I try to compile the source
I just upgraded my Cygwin installation on my XP laptop, downloaded the
gssapi patch from www.sxw.org.uk, obtained the corresponding
openssh/portable from ftp.openbsd.org, patched without error, downloaded
the Krb5 source and compiled, pointing to the kerb5 source directory, and,
towards the end of
hey together,
can anyone tell me the differences between kerberos v5 sources 1.3.1 for linux and
windows.
is it possible to compile and use the original unix sources on a windows machine.
and last but not least. is there an "in memory credential" cache in linux sources,
which I can
use, if i
To anybody who may know if this is possible and how to do it.
I want to proxy a kerberos 5 server. I would like to configure a kerberos 5
server to consult a kerberos 4 server for authentication and if it gets a
ticket from the 4 server for a given user, to generate a ticket of its own
to return
Hi. Sorry for the cross-post but it involves all the two fields.
We abandoned the idea of making aix the authentication server and we
built a linux kerberos server, with MIT kerberos V5.
Our realm is MYREALM, the linux client is ``linux'' and the aix client
is ``aix''. We use no preauthorizatio
Well... I'm looking for a new solution: enabling login from SOME users
based on some requisites.
The project has changed to this: every student will belong to one or more
groups, the group name is the lab they're authorized to use.
The kerberos authorization we have can be so... handful?
--
Sens
hello, can anybody help me out. i'm trying to compile kfw-2.5-src on a windows XP
machine
with visual studio 6 c++. but when I try to compile the source I always got the
following
message. I already looked in google but didn't find any solution.
--
Microsoft (R) Program Maintenance Utili
How complicated is it to move to Heimdal from MIT?
I need a solution to enable users' authentication to LDAP in our network
which uses MIT Kerberos 5. What do you use?
Originally I (after I've found I can't use MIT's kerberos with OpenLDAP)
wished to try to use the krb5kdc LDAP schema and let LDA