Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Russ Allbery
Srinivas Kakde <[EMAIL PROTECTED]> writes: > Is this right? How does it not fail mutual authentication? > > Does not mutual authentication require exchange of AP-REQ and AP-REP. > How would a malicious service (a service that is pretending to be another > service in the realm) acquire the session k

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Srinivas Kakde
Russ, Thank you for responding. Russ Allbery wrote: > If the client trusts the server's assertion of what Kerberos service it > is, a server with any service principal in either the client's realm or a > realm with which it has cross-realm trust can then pretend to be any > service withou

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Jeffrey Altman
Srinivas Kakde wrote: Jeffrey Altman wrote: The security of the authentication is based upon the name. By asking you to authenticate to a name selected by the attacker, you can be tricked into using a KDC that is in fact under the control of the attacker. Are you sure this is right? I th

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Srinivas Kakde
Jeffrey, Thank you for your response. Now I have more questions: Jeffrey Altman wrote: > It would be like walking down the street looking > for an undercover police officer and instead finding a drug dealer. You > decide to authenticate the undercover officer by calling the police > prec

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Jeffrey Altman
Srinivas Kakde wrote: This message says: From a security standpoint, allowing the server to specify its service principal is a "bad idea". Why is it a bad idea? It is a bad idea because it permits an untrusted party, the server you want to communicate with, to decide who it is that the clien

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Todd Stecher
Once you go down that route (e.g. allowing SPNEGO to specify service principal), you no longer have mutual auth, because you no longer are connecting to precisely the server the client / client application specified. You could be talking w/ whoever intercepted that traffic, and returned t

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Ken Raeburn
On Jan 14, 2008, at 16:57, Srinivas Kakde wrote: > Hello, > > There is an old posting to samba-technical > > http://lists.samba.org/archive/samba-technical/2007-July/054354.html > > This message says: From a security standpoint, allowing the server > to specify its > service principal is a "bad i

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Russ Allbery
Srinivas Kakde <[EMAIL PROTECTED]> writes: > There is an old posting to samba-technical > > http://lists.samba.org/archive/samba-technical/2007-July/054354.html > > This message says: From a security standpoint, allowing the server to > specify its service principal is a "bad idea". > > Why is it a b

Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-14 Thread Srinivas Kakde
Hello, There is an old posting to samba-technical http://lists.samba.org/archive/samba-technical/2007-July/054354.html This message says: From a security standpoint, allowing the server to specify its service principal is a "bad idea". Why is it a bad idea? I am writing to the Kerber

Re: Provisioning and administrative tools for MIT KDC

2008-01-14 Thread Russ Allbery
"Greg Wallace" <[EMAIL PROTECTED]> writes: > At the Fedora Users and Developer Conference yesterday they announced a > new remote management project that might be interesting to people > following this thread. > > You can find out more about it here: https://fedorahosted.org/func func a lot like

Re: Provisioning and administrative tools for MIT KDC

2008-01-14 Thread Greg Wallace
that's not a bad comparison, but I think (and this is how the guys presenting the project at FUDcon explained the difference) func is like puppet-lite (or, better, puppet really really really lite) for example - with puppet, you get revision control, not so with func, and this is just one example

Re: Provisioning and administrative tools for MIT KDC

2008-01-14 Thread Jos Backus
On Sun, Jan 13, 2008 at 05:59:07PM -0500, Greg Wallace wrote: > Hi All, > > At the Fedora Users and Developer Conference yesterday they announced a > new remote management project that might be interesting to people following > this thread. > > You can find out more about it here: https://fedorah

Re: Automating creation of service principals (new hosts, etc)

2008-01-14 Thread Simon Wilkinson
On 14 Jan 2008, at 16:17, Jeff Blaine wrote: > How are people approaching the creation of host/host.foo.com > without human intervention? There have been a couple of talks on this subject at recent AFS & Kerberos Best Practices Workshops: http://workshop.openafs.org/afsbpw05/talks/kerb-auto.htm

Automating creation of service principals (new hosts, etc)

2008-01-14 Thread Jeff Blaine
You've got a new UNIX box to stand up for users (or, more appropriate for the topic, you've got 50 new UNIX boxes...). How are people approaching the creation of host/host.foo.com without human intervention?

Re: Heimdal KDC, Windows XP and local users

2008-01-14 Thread Javier Palacios
> > You don't need two databases. Both heimdal and MIT current versions > > allow LDAP as "database" for credentials so you have a single > > database. I've not used MIT, but I've been using heimdal-ldap for a > > long time without problems. > > This is true. I'm doing the same with heimdal as you.

Re: Heimdal KDC, Windows XP and local users

2008-01-14 Thread Volkmar Glauche
Am Montag, den 14.01.2008, 12:27 +0100 schrieb Javier Palacios: > On Jan 14, 2008 12:06 PM, Volkmar Glauche > <[EMAIL PROTECTED]> wrote: > > > Sure. But this again means the toil of maintaining two databases: the > > > NIS map and the KDC database. > > > > I think you will need two databases: one

Re: Heimdal KDC, Windows XP and local users

2008-01-14 Thread Javier Palacios
On Jan 14, 2008 12:06 PM, Volkmar Glauche <[EMAIL PROTECTED]> wrote: > > Sure. But this again means the toil of maintaining two databases: the > > NIS map and the KDC database. > > I think you will need two databases: one for kerberos credentials and > another one for account information. Kerberos

Re: Heimdal KDC, Windows XP and local users

2008-01-14 Thread Volkmar Glauche
Am Freitag, den 11.01.2008, 17:29 + schrieb Victor Sudakov: > Javier Palacios wrote: > > > BTW what about Unix? Is there a way to automatically create a local > > > user if a Kerberos principal successfully authenticates on the box? > > > Oh well, it is not very useful after all, who in the wo