On Tue, Jul 1, 2014 at 4:11 PM, Rick van Rein wrote:
>> I've an Internet-Draft on the subject. I intend to update it soon.
>
> Excellent! Bookmarked it on http://realm-xover.arpa2.net/kerberos.html
> and am printing it for review.
Great! That'd be very welcome.
> > If all goes well I might find myself implementing a few months from
> > now, or if not maybe we can con someone else into doing it.
>
> Hero!
+1
Hi Nico,
> I've an Internet-Draft on the subject. I intend to update it soon.
Excellent! Bookmarked it on http://realm-xover.arpa2.net/kerberos.html
and am printing it for review.
> If all goes well I might find myself implementing a
> few months from now, or if not maybe we can con someone els
I'll add that it's really shocking that we don't yet have PKCROSS.
Lack of PKCROSS greatly hurts Kerberos' scalability.
Also, Kerberos w/ PKCROSS is much closer to something like what PKI
should have been: short-lived credentials, no need for revocation
protocols (CRLs, OCSP).
Nico
> Hello Bryce,
>
> I'm not sure what status postings on the FreeIPA wiki have - is this like an
> official project, or is it a place where you develop your thoughts and maybe
> someday propose an enhancement?
I'm an interloper. The associated enhancement request page has to do with
support for ex
On Tue, Jul 1, 2014 at 1:01 PM, Rick van Rein wrote:
> I’ve been thinking about realm-crossing lately, specifically between hitherto
> unknown parties — that is, for use across the general Internet.
I have too. I've an Internet-Draft on the subject. I intend to
update it soon. If all goes wel
Hi all,
I have a Kerberos server and Apache running on Linux and am trying to
access the Apache from a Windows 7 box with Firefox. I'm using Heimdal
1.6.2.0 and netidmgr 2.0.102.907 and have configured
network.negotiat-auth.trusted-uris and network.negotiat-auth.trusted-uris
to my Apache and hostna
Hello Bryce,
I’m not sure what status postings on the FreeIPA wiki have — is this like an
official project, or is it a place where you develop your thoughts and maybe
someday propose an enhancement?
> I've spent a bit of time pecking away at this over the last six months or so.
> Current thoug
Hi Rick,
I've spent a bit of time pecking away at this over the last six months or so.
Current thoughts are here:
http://www.freeipa.org/page/Collaboration_with_Kerberos please feel free to
edit/criticize/improve. I really haven't looked at DANE.
First thing is that Kerberos for desktops will
Hello,
I’ve been thinking about realm-crossing lately, specifically between hitherto
unknown parties — that is, for use across the general Internet.
With DANE installed as an RFC, I can see ways of placing public keys and/or
X.509 certificates in signed DNS, thus enabling strong security for a
On 07/01/2014 12:34 PM, Matt Garman wrote:
> Nothing unusual or surprising so far. Now, let’s say that particular
> slave server is rebuilt (OS wiped, re-installed, re-configured). Note
> that the rebuilding process involves re-generating the host keytab
[...]
This is the "destructive service re
On Tue, Jul 1, 2014 at 9:34 AM, Matt Garman
wrote:
> As far as I can tell, re-creating the keytab
> file causes the key version number (“KVNO”) to be incremented.
>
>
The "standard" way to deal with this problem is to keep both key version
numbers in the keytab file on the machine. The KDC only
We use an internally developed job-dispatching system, which is
implicitly built on Kerberos. Jobs are basically dispatched via “ssh
servername command”. Furthermore, the jobs need to access NFSv4
shares mounted with the “sec=krb5p” option. To facilitate this, the
ssh client and daemon need to b
Hi,
I have installed Kerberos 5. But I am facing an error while adding users to
Kerberos like this:
[cid:image002.png@01CF9528.50BE4130]
Following is the error which I am facing:
[cid:image004.png@01CF9528.50BE4130]
Here is how my kadm5.acl looks like:
[cid:image006.png@01CF9