Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Greg Hudson
On 09/06/2013 07:22 PM, James Croall wrote:
> What I can't figure out how to do is automatically bootstrap a keytab for a
> new host using anonymous Kerberos. The documentation is a bit fuzzy, and most
> forum posts I read on the topic suggest using custom scripts and
> back-channels to accompl

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Russ Allbery
Russ Allbery writes:
> Try also explicitly specifying the realm with -r, and possibly also the
> host with -a.

Sorry, that should be -s. Too much switching back and forth between different Kerberos implementations.

-- 
Russ Allbery (r...@stanford.edu)

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Nico Williams
Make sure you're using the right kadmin. Maybe kadmin(1) lacks support for this? In that case use kinit(1) -S then kadmin -c .

Nico

-- 
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Russ Allbery
James Croall writes:
> Thanks for the suggestion! Unfortunately that's not the problem - I gave
> that a try, and it's not even communicating with the KDC. There are zero
> packets being sent to the server, and per the error message:
> Authenticating as principal WELLKNOWN/ANONYMOUS@WELLKNOWN:AN

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Nico Williams
Roland Dowdeswell's krb5_admin and krb5_keytab tool suite support bootstrapping and changing host keys using N-way Diffie-Hellman key exchanges (which includes support for race-free clustered host key updates). Bootstrapping keys requires a locally-defined (site-specific) process for verifying hos

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread James Croall
Hi Russ,

Thanks for the suggestion! Unfortunately that's not the problem - I gave that a try, and it's not even communicating with the KDC. There are zero packets being sent to the server, and per the error message:

Authenticating as principal WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS with password

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread Russ Allbery
James Croall writes:
> Kadmin just won't let me in. When using the WELLKNOWN principal, it
> cannot find the KDC/Kadmin server:
>> kinit -n
>> kadmin -n @TRIAL.COVERITY.COM
> Authenticating as principal WELLKNOWN/admin@WELLKNOWN:ANONYMOUS with
> password; anonymous requested.

kadmin is "helpfu

Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread James Croall
Hi All,

I have been scratching my head on this for days. I have set up Kerberos with PKINIT, and everything works nicely. Kerberos works as expected, I can generate X.509 certificates that can authenticate as a principal, all good.

What I can't figure out how to do is automatically bootstrap a