Re: kinit: Key table entry not found while getting initial credentials

2006-11-01 Thread Douglas E. Engert
scoco wrote: > Hi Kerberos experts, > > could anyone help me in addressing this issue since I am a T-O-T-A-L > newbie in Kerberos. > > I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1) > using a windows2003 Active Directory as KDC, and I am compelled to use > the credential of

RC4 weakness ?

2006-11-01 Thread Tim Alsop
Hi, I have heard recently that with RC4 there appears to be a generic weakness with the standard implementation of the algorithm. Research by Fluhrer, Mantin and Shamir demonstrated that all RC4 keys are vulnerable to brute-forcing attacks as the first few bytes of output keystream are non-rando

IANA port assignments

2006-11-01 Thread Markus Moeller
Are the kftp, kftp-data, ktelnet port assignments 6621,6620 and 6623 referenced in any rfc ? Thanks Markus Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: IANA port assignments

2006-11-01 Thread Ken Hornstein
>Are the kftp, kftp-data, ktelnet port assignments 6621,6620 and 6623 >referenced in any rfc ? AFAIK, the answer to that is "no". Why are they there? Well, the short answer is: firewall administrators are stupid. --Ken

Re: IANA port assignments

2006-11-01 Thread Ken Raeburn
On Nov 1, 2006, at 12:53, Markus Moeller wrote: > Are the kftp, kftp-data, ktelnet port assignments 6621,6620 and 6623 > referenced in any rfc ? I see them in the IANA assignments, but I think this is the first I've heard of them. It looks like they were registered by Robert Scott a bit over a

Re: IANA port assignments

2006-11-01 Thread Markus Moeller
OK. So it seems I am not the only one who is puzzled about it. Thanks Markus "Ken Raeburn" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > On Nov 1, 2006, at 12:53, Markus Moeller wrote: >> Are the kftp, kftp-data, ktelnet port assignments 6621,6620 and 6623 >> referenced in any rfc

What happens if key in keytable file is compromised?

2006-11-01 Thread Nali Miah
Hi, I have a query which I hope someone can enlighten me on. As I understand it, a random session key is issued by the KDC when the TGS-REQ is sent back to the client and this same session key is also stored inside the service ticket. The service ticket is sent to the server where it is decrypted

Migrating a Kerberos Realm

2006-11-01 Thread Edward Murrell
I'd like to know if anyone has any practical experience in migrating a Kerberos realm. Back in the day, when I was learning about Kerberos, I set up the local realm with the name 'OFFICE'. Since we had a local domain of the same name, this was fine, and I propagated information via DNS and everyt

Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Daniel Kahn Gillmor
Hi kerberos folks-- Could anyone point me to information about the security concerns involved with opening a krb5 realm to the Internet (or any other untrusted WAN)? I've looked in several places, but could only find a couple of remarks on this list from last year: http://mailman.mit.edu/piper

Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Tom Yu
> "Daniel" == Daniel Kahn Gillmor <[EMAIL PROTECTED]> writes: Daniel> Hi kerberos folks-- Daniel> Could anyone point me to information about the security concerns Daniel> involved with opening a krb5 realm to the Internet (or any other Daniel> untrusted WAN)? Authentication over an untrusted

Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Christopher D. Clausen
Daniel Kahn Gillmor <[EMAIL PROTECTED]> wrote: > I think i understand the basic K5 protocol, but i don't have my head > wrapped around the different possible attack vectors well enough to > know if opening up a KDC to the internet is really asking for trouble > (e.g. how much krb5 traffic needs to

Re: What happens if key in keytable file is compromised?

2006-11-01 Thread Michael B Allen
On Wed, 1 Nov 2006 17:14:17 + "Nali Miah" <[EMAIL PROTECTED]> wrote: > Hi, > > I have a query which I hope someone can enlighten me on. > > As I understand it, a random session key is issued by the KDC when the > TGS-REQ is sent back to the client and this same session key is also stored > i

Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Ken Raeburn
As Tom says, Kerberos was designed to be used on open networks. With the exception of the old DES-based types (a bad idea to use nowadays, but supported for backwards compatibility for places that haven't updated yet), the encryption schemes should be reasonably solid, and all of the data

Re: What happens if key in keytable file is compromised?

2006-11-01 Thread Ken Raeburn
On Nov 1, 2006, at 12:14, Nali Miah wrote: > So, with this in mind, if somebody manages to get a copy of the key > in the > key table file (it's not important how, but imagine if they did), > they could > use this key to decrypt a service ticket as it is transmitted > across the > network ins

Re: Migrating a Kerberos Realm

2006-11-01 Thread Ken Raeburn
On Nov 1, 2006, at 17:38, Edward Murrell wrote: > I'd like to know if anyone has any practical experience in migrating a > Kerberos realm. > > Back in the day, when I was learning about Kerberos, I set up the > local > realm with the name 'OFFICE'. Since we had a local domain of the same > name,

Re: Migrating a Kerberos Realm

2006-11-01 Thread Edward Murrell
Ken Raeburn wrote: > You can, but you have to write the config files to specify different > port numbers for them. (The code doesn't currently support using only > some of a machine's IP addresses, if you wanted to put one on one > address and one on another.) The code theoretically supports servin

Re: Migrating a Kerberos Realm

2006-11-01 Thread Ken Raeburn
On Nov 1, 2006, at 20:55, Edward Murrell wrote: > Given the size of the company (eight people, twice that many > machines), > I won't be able to justify the work of writing code to reconstruct > database records, and re-entering passwords isn't too big a deal. > So it > looks like I'll be runni

Re: Migrating a Kerberos Realm

2006-11-01 Thread John Hascall
> But the database can store a special > salt string for a principal's key, so you'd modify some (most?) > entries for users to have the salt string computed based on the old > realm name. If anyone is thinking of going down this road, be aware that th

Re: Migrating a Kerberos Realm

2006-11-01 Thread Ken Raeburn
On Nov 1, 2006, at 22:04, John Hascall wrote: >If anyone is thinking of going down this road, be aware that >there are some crappy client implementations out there >(* looks in the direction of WebCT Vista and coughs *) >that don't handle a non-default salt correctly... And here I