Re: Kerberos TCP retries

2024-08-04 Thread Ken Hornstein via Kerberos
>We discovered that kerberos clients retry to send the request after 10sec >and unfortunately it means that another MFA request is sent. Is there >any way how to extend this period (10sec to 60sec)? > >I have found one commit which can fix this issue, it is #9105 "Wait >indefinitely on KDC TCP

Kerberos TCP retries

2024-08-04 Thread Dejmek Pavel via Kerberos
Hello, We have been testing integration between Linux servers (RHEL) and Windows Active Directory + MFA solution from Silverfort. Linux servers (RHEL 9.4) are using sssd + Kerberos 1.21.1. When a user wants to log in to Linux, the Kerberos client running on Linux successfully opens a TCP session towards

Re: one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
Yes, a data gets a service ticket. > On Jul 31, 2024, at 4:55 PM, Ken Hornstein wrote: > > >> >> One surprise in doing all of this is that there seems to be no standard >> utility to let us see the auth indicator for the user's credentials. I'm >> probably going to use one of the test

Re: one time password integration

2024-07-31 Thread Ken Hornstein via Kerberos
>One surprise in doing all of this is that there seems to be no standard >utility to let us see the auth indicator for the user's credentials. I'm >probably going to use one of the test programs (adata). It seems to be >complicated by having the auth indicator in the encrypted part of the >ticket.

Re: one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
Since it will take years for all of our systems to get the new kerberos, we're going to add duo explicitly. We use ansible, so we can update the pam configuration of all our systems pretty easily. We'll just add a pam call to our own code after the normal authentication. To avoid having to set

Re: one time password integration

2024-07-31 Thread Ken Hornstein via Kerberos
>We're looking at one time password integration (DUO). A while ago >changes were made to allow a longer timeout, since users may take a >while to respond to DUO requests. Since this isn't in a release yet, and >it takes years for new versions to show up on all of our systems, we >can't depend upon

Re: one time password integration

2024-07-31 Thread Greg Hudson
On 7/31/24 14:22, Charles Hedrick via Kerberos wrote: The comments suggest that with TCP if there isn't an answer within 10 sec, it then tries all servers. This comment is outdated; I missed it when making the behavior changes. Starting in release 1.22, once a KDC accepts a connection, the

one time password integration

2024-07-31 Thread Charles Hedrick via Kerberos
We're looking at one time password integration (DUO). A while ago changes were made to allow a longer timeout, since users may take a while to respond to DUO requests. Since this isn't in a release yet, and it takes years for new versions to show up on all of our systems, we can't depend upon

Re: recent certificate failure for pkinit

2024-07-08 Thread Ken Hornstein via Kerberos
>> KDC: >> KDC_RETURN_PADATA:WELLKNOWN/anonym...@example.com for krbtgt/ >> example@example.com, Failed to verify own certificate (depth 0): unable >> to get local issuer certificate > >I've run into this error before. MIT's KDC, for some bizarre reason, >insists that its server cert

Re: recent certificate failure for pkinit

2024-07-08 Thread Carson Gaspar
On 7/8/2024 2:54 PM, Matt Zagrabelny via Kerberos wrote: Greetings Kerberos-users, I've been successfully using OTP and pkinit for the past year or so. Within the last week, or so, it has started to fail with: client: $ /usr/bin/kinit -n -c /tmp/.kerberos_cache kinit: Preauthentication

recent certificate failure for pkinit

2024-07-08 Thread Matt Zagrabelny via Kerberos
Greetings Kerberos-users, I've been successfully using OTP and pkinit for the past year or so. Within the last week, or so, it has started to fail with: client: $ /usr/bin/kinit -n -c /tmp/.kerberos_cache kinit: Preauthentication failed while getting initial credentials KDC: KDC_RETURN_PADATA:

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-06-27 Thread James Ralston
To wrap up this thread: after discussing this issue with our Windows admins over the past few months, we have concluded that the correct course of action here is to set the TRUSTED_FOR_DELEGATION flag in the userAccountControl attribute for all Linux host machine accounts that we control. This

krb5-1.21.3 is released

2024-06-26 Thread Greg Hudson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.21.3. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.

Re: Error - sudo: account validation failure, is your account locked?

2024-06-05 Thread Andrej Mikus
On Wed, 05.Jun.24 12:00:55 -0400, kerberos-requ...@mit.edu wrote: > > > On May 29, 2024, at 08:21, hareesh kumar > > wrote: > > > > Hi Team > > > > I am upgrading Kerberos to the latest version 1.21.2 from version 1.18 using a > > docker file. > > Basically I am installing Kerberos from the

Re: Error - sudo: account validation failure, is your account locked?

2024-06-04 Thread Dan Mahoney
> On May 29, 2024, at 08:21, hareesh kumar > wrote: > > Hi Team > > I am upgrading Kerberos to the latest version 1.21.2 from version 1.18 using a > docker file. > Basically I am installing Kerberos from the community page, unzipping it and > using it in our application. > > After I installed Kerberos

Re: How to get Kerberos token for proxy authentication

2024-06-04 Thread Simo Sorce
On Tue, 2024-06-04 at 12:31 +, m_a_n_j_u_...@yahoo.com wrote: > Hi again, > > I am looking at implementing this (getting Kerberos service > token) in C using the Heimdal Kerberos library. > > In Golang using this go package https://github.com/alexbrainman/sspi > it was simply two calls as

Re: How to get Kerberos token for proxy authentication

2024-06-04 Thread Ken Hornstein via Kerberos
> Hi again, I am looking at implementing this (getting Kerberos >service token) in C using the Heimdal Kerberos library. In Golang using >this go package https://github.com/alexbrainman/sspi it was simply two >calls as below: > >cred=negotiate.AcquireCurrentCredentials()token =

Re: How to get Kerberos token for proxy authentication

2024-06-04 Thread m_a_n_j_u_s_k--- via Kerberos
Hi again, I am looking at implementing this (getting Kerberos service token) in C using the Heimdal Kerberos library. In Golang using this go package https://github.com/alexbrainman/sspi it was simply two calls as below: cred=negotiate.AcquireCurrentCredentials()token =

Error - sudo: account validation failure, is your account locked?

2024-05-29 Thread hareesh kumar
Hi Team, I am upgrading Kerberos to the latest version 1.21.2 from version 1.18 using a docker file. Basically I am installing Kerberos from the community page, unzipping it and using it in our application. After I installed Kerberos and added a new user named kdcuser, gave all the root access to it in the

KRB_AP_ERR_MODIFIED w/ msDS-SupportedEncryptionTypes AES128 but not w/ AES256

2024-05-16 Thread Michael B Allen
Hi, I have Windows client / server progs that exercise AcceptSecurityContext / InitializeSecurityContext. I'm studying SSPI behavior by running through the many variations in package, enctype, mutual, qop, ... etc. I have all of this working in Java too (from scratch, not sun.security.kerberos)

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-30 Thread Ken Hornstein via Kerberos
>I looked at the Apple fork of Heimdal and didn't find any obvious code >change to honor ok-as-delegate by default. In fact, it doesn't even >implement enforce_ok_as_delegate. But both versions do implement a >ccache config setting called "realm-config" and enforce ok-as-delegate >if the 1

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-30 Thread Greg Hudson
On 4/30/24 12:49, Ken Hornstein via Kerberos wrote: First off, I would advise you to NOT look at upstream Heimdal, because that's not helpful because it's not actually the code in question. Instead maybe look at the actual Heimdal source code used on MacOS X? To expand on this: the Apple forks

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-30 Thread Ken Hornstein via Kerberos
>I think the core issue here is that RFC4120§2.8 was unclear in >defining the ok-as-delegate flag. I have to say that IMHO, the explanation in RFC 4120 is clear to me and the current implementations within the MacOS X Kerberos code fall squarely within the scope of the RFCs explanation. The

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-29 Thread James Ralston
On Tue, Apr 16, 2024 at 9:31 PM Ken Hornstein wrote: > Simo already explained the thinking there, but I think the thing > you're not considering is that not all services require delegated > credentials. Yes, in your environment (and ours) delegated > credentials for host principals is

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-29 Thread James Ralston
On Tue, Apr 16, 2024 at 1:46 PM Simo Sorce wrote: > The correct action is for you to ask the Domain Administrators to > mark the target hosts as ok for delegation, it is unclear why MIT > Kerberos should make it easy to override Realm policies. I think the core issue here is that RFC4120§2.8

Re: Force to change password for users

2024-04-19 Thread Ken Hornstein via Kerberos
>User acquires kerberos ticket and login session is authorized. This log >is for a ssh access ... I think you're missing some of the details that Greg is asking. When you say "ssh access", do you mean that you are using gssapi-with-mic or gssapi-keyex authentication with ssh, or does ssh ask for

Re: Force to change password for users

2024-04-19 Thread Carlos Lopez
User acquires kerberos ticket and login session is authorized. This log is for a ssh access ... Best regards, C. L. Martinez From: Greg Hudson Sent: 19 April 2024 18:27 To: Carlos Lopez; kerberos@mit.edu Subject: Re: Force to change password for users

Re: Force to change password for users

2024-04-19 Thread Greg Hudson
On 4/19/24 08:06, Carlos Lopez wrote: [...] AS_REQ [...] REQUIRED PWCHANGE: us...@mydom.org for krbtgt/mydom@mydom.org, Password has expired [...] AS_REQ [...] NEEDED_PREAUTH: us...@mydom.org for kadmin/chang...@mydom.org, Additional pre-authentication required [...] AS_REQ [...] ISSUE:

Force to change password for users

2024-04-19 Thread Carlos Lopez
Hi all, I have installed a new Kerberos server under RHEL9. All is working ok, except when I try to create users. All users are created with the "+needchange" flag enabled to force the user to change their own password. At first user login, the Kerberos server reports that the password has expired:

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-16 Thread Ken Hornstein via Kerberos
>> I'm a LITTLE confused as to what you're describing here. As I >> understand you, the TRUSTED_FOR_DELEGATION flag doesn't appear on >> the wire and only in the account properties. > >Yes. Apologies; I should have been more precise: when Microsoft AD is >acting as the KDC, whether AD sets the

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-16 Thread Simo Sorce
The correct action is for you to ask the Domain Administrators to mark the target hosts as ok for delegation, it is unclear why MIT Kerberos should make it easy to override Realm policies. Delegating a whole TGT is generally a bad idea, and often clients are misconfigured to broadly forward it

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-16 Thread James Ralston
On Mon, Apr 15, 2024 at 7:56 PM Ken Hornstein wrote: > I'm a LITTLE confused as to what you're describing here. As I > understand you, the TRUSTED_FOR_DELEGATION flag doesn't appear on > the wire and only in the account properties. Yes. Apologies; I should have been more precise: when Microsoft

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-15 Thread Stephen Frost
Greetings, * Ken Hornstein via Kerberos (kerberos@mit.edu) wrote: > >Has anyone else struggled with ssh clients being unable to delegate > >As far as we can tell, for reasons we still have been unable to > >fathom, Microsoft decided that simply permitting credential delegation > >based on whether

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-15 Thread Ken Hornstein via Kerberos
>Has anyone else struggled with ssh clients being unable to delegate >As far as we can tell, for reasons we still have been unable to >fathom, Microsoft decided that simply permitting credential delegation >based on whether the TGT has the forwardable flag set was >insufficient. Instead, Microsoft

honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-15 Thread James Ralston
Has anyone else struggled with ssh clients being unable to delegate Kerberos credentials to a remote host because the Kerberos library that the ssh client uses implements the MS-SFU Kerberos Protocol Extensions and therefore honors the TRUSTED_FOR_DELEGATION flag of the target host? More

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Simo Sorce
On Thu, 2024-04-11 at 08:24 -0400, Ken Hornstein via Kerberos wrote: > > - impersonate the user as, say, admin, with kinit; e.g. kinit > > - scan all HDFS directories and try to read or write > > > > Does anyone have suggestions? > > In general, your options are: > > - Have access to the user's

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Russ Allbery
Ken Hornstein via Kerberos writes: > - Have access to the user's key/password and generate a ticket for that > user using kinit. As someone else already noted, this isn't really > impersonating a user. > - Have access to the TGS key and generate a TGT for that user (or any user). > This is

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Ken Hornstein via Kerberos
>- impersonate the user as, say, admin, with kinit; e.g. kinit >- scan all HDFS directories and try to read or write > >Does anyone have suggestions? In general, your options are: - Have access to the user's key/password and generate a ticket for that user using kinit. As someone else already

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread ronnie sahlberg
On Thu, 11 Apr 2024 at 16:43, Philippe de Rochambeau wrote: > > Hello, > > Let's say a user has the following rights on HDFS (which are constrained by > Apache Ranger): > > /prd/a/b/c <- read right > /prd/a/b/d <- read/write right > > I would like to get a broad picture of his/her complete access

Impersonate Kerberos user on HDFS

2024-04-11 Thread Philippe de Rochambeau
Hello, Let's say a user has the following rights on HDFS (which are constrained by Apache Ranger): /prd/a/b/c <- read right /prd/a/b/d <- read/write right I would like to get a broad picture of his/her complete access rights. I could look at the general policies in Apache Ranger and try to

Re: How to get Kerberos token for proxy authentication

2024-03-24 Thread m_a_n_j_u_s_k--- via Kerberos
Thank you. Yes, as suggested here, I am looking into using either the MIT or the Heimdal Kerberos implementation. On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce wrote: On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote: > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via

Re: Kerberos token

2024-03-24 Thread m_a_n_j_u_s_k--- via Kerberos
Thanks Ken, I'm getting the token every time I communicate with the proxy. I was wondering if the token could be reused so that I could optimize code.  Thanks for the clarification . Yahoo Mail: Search, organise, conquer On Fri, 22 Mar 2024 at 7:27 pm, Ken Hornstein wrote: >Hi, I have

Re: Kerberos token

2024-03-22 Thread Ken Hornstein via Kerberos
>Hi, I have an application that authenticates against a Proxy server >which uses the Kerberos authentication scheme. My application is using the SSPI >library (github/alexbrainman/sspi Golang package to be exact) to generate >a Kerberos token and this token is passed to the Proxy server through

Kerberos token

2024-03-22 Thread m_a_n_j_u_s_k--- via Kerberos
Hi, I have an application that authenticates against a Proxy server which uses the Kerberos authentication scheme. My application is using the SSPI library (github/alexbrainman/sspi Golang package to be exact) to generate a Kerberos token and this token is passed to the Proxy server through

Re: How to get Kerberos token for proxy authentication

2024-03-22 Thread Simo Sorce
On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote: > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > > > Thanks again Ken. My application is written in Go. So I'm looking > > > for Kerberos implementation that can be easily integrated with my > > > application.

Re: How to get Kerberos token for proxy authentication

2024-03-21 Thread Ken Hornstein via Kerberos
>Are you familiar with https://github.com/jcmturner/gokrb5? I've used it >in the past with some experiments in some Go code I was working on, I >wasn't touching GSSAPI but there's at least some GSSAPI code in there. >Might be worth checking out as it's native Go code, no cgo wrapping. I would

Re: How to get Kerberos token for proxy authentication

2024-03-21 Thread Thomas Kula
On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote: > >Thanks again Ken. My application is written in Go. So I'm looking > >for a Kerberos implementation that can be easily integrated with my > >application. Hence I was considering MIT Kerberos and using C bindings > >to

Re: How to get Kerberos token for proxy authentication

2024-03-20 Thread Ken Hornstein via Kerberos
>Thanks again Ken. My application is written in Go. So I'm looking >for a Kerberos implementation that can be easily integrated with my >application. Hence I was considering MIT Kerberos and using C bindings >to call those APIs from my Go code. "MacOS X it might be easier to use >the native

Looking for a "Kerberos Router"?

2024-03-20 Thread Jonas via Kerberos
Thank you, I will put this on test. This is well tested: https://github.com/latchset/kdcproxy On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote: > > > Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > > > It does occur to me that maybe if you have different KDC hostnames but > > the

Re: How to get Kerberos token for proxy authentication

2024-03-20 Thread m_a_n_j_u_s_k--- via Kerberos
Thanks again Ken. My application is written in Go. So I'm looking for a Kerberos implementation that can be easily integrated with my application. Hence I was considering MIT Kerberos and using C bindings to call those APIs from my Go code. "MacOS X it might be easier to use the native GSSAPI

Re: How to get Kerberos token for proxy authentication

2024-03-19 Thread Ken Hornstein via Kerberos
>Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS >platforms. I was wondering if I can use MIT Kerberos GSSAPI for the >same. Does libcurl use MIT Kerberos gssapi? Yes, my proxy header would >look exactly like you mentioned. Thank-you. You should be able to use the MIT Kerberos

Re: query about a possible "KRB5KEYLOGFILE" feature, to log session keys

2024-03-19 Thread Greg Hudson
On 3/17/24 23:33, Richard E. Silverman wrote: I have a patch to libkrb5 which implements a feature similar to the SSLKEYLOGFILE environment variable that’s now in pretty wide use for TLS: it logs session keys to a keytab named by KRB5KEYLOGFILE. The main use for this, just as with the TLS

Re: How to get Kerberos token for proxy authentication

2024-03-19 Thread m_a_n_j_u_s_k--- via Kerberos
Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS platforms. I was wondering if I can use MIT Kerberos GSSAPI for the same. Does libcurl use MIT Kerberos gssapi? Yes, my proxy header would look exactly like you mentioned. Thank-you. Yahoo Mail: Search, organise, conquer On Mon,

Re: query about a possible "KRB5KEYLOGFILE" feature, to log session keys

2024-03-17 Thread Richard E. Silverman
2. A client may not have access to the session keys in its ccache, e.g. if it’s using gssproxy. Oops, sorry -- that’s a little off the mark. In that case of course session-key logging won’t help the client directly, since it doesn’t perform those operations or call libkrb5 itself at all;

query about a possible "KRB5KEYLOGFILE" feature, to log session keys

2024-03-17 Thread Richard E. Silverman
Hello, I have a patch to libkrb5 which implements a feature similar to the SSLKEYLOGFILE environment variable that’s now in pretty wide use for TLS: it logs session keys to a keytab named by KRB5KEYLOGFILE. The main use for this, just as with the TLS version, is to decrypt packet captures
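The patch discussed above writes session keys into an ordinary keytab, so whatever consumes the KRB5KEYLOGFILE output (a capture decoder, a one-off audit script) needs to read the MIT keytab record layout. The following is an added example, not code from MIT Kerberos or from the patch in this thread: a writer and reader for version-2 (0x0502) keytab files, plus a klist -k style summary. The principals, timestamps and key bytes are constructed for the demonstration and are not real keys; the 32-bit kvno trailer is written unconditionally here and read as optional, which is how MIT's reader treats it.

```python
"""Read and write MIT keytab (version 0x0502) files; added example, not MIT code."""
import struct

MAGIC = b"\x05\x02"
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
               23: "arcfour-hmac"}


def _cos(b):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cos(buf, i):
    (n,) = struct.unpack_from(">H", buf, i)
    i += 2
    if i + n > len(buf):
        raise ValueError("truncated counted string")
    return buf[i:i + n], i + n


def encode_entry(principal, enctype, key, kvno, timestamp, name_type=1):
    """One keytab record. Principal is the plain comp/comp@REALM form
    (backslash escaping in names is not handled by this example)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    rec = struct.pack(">H", len(comps)) + _cos(realm.encode())
    for c in comps:
        rec += _cos(c.encode())
    rec += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # 8-bit kvno
    rec += struct.pack(">H", enctype) + _cos(key)                   # keyblock
    rec += struct.pack(">I", kvno)                                  # 32-bit kvno trailer
    return struct.pack(">i", len(rec)) + rec                        # int32 record size


def mark_deleted(record):
    """A removed entry keeps its slot with a negative size; readers skip it."""
    (size,) = struct.unpack_from(">i", record, 0)
    return struct.pack(">i", -size) + record[4:]


def write_keytab(entries):
    return MAGIC + b"".join(encode_entry(*e) for e in entries)


def read_keytab(data):
    """Parse a keytab into dicts, skipping deleted slots."""
    if data[:2] != MAGIC:
        raise ValueError("not a version-2 keytab")
    i, entries = 2, []
    while i + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, i)
        i += 4
        if size < 0:
            i += -size
            continue
        rec, i = data[i:i + size], i + size
        if len(rec) != size:
            raise ValueError("truncated record")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, j = _read_cos(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, j = _read_cos(rec, j)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", rec, j)
        j += 9
        (etype,) = struct.unpack_from(">H", rec, j)
        key, j = _read_cos(rec, j + 2)
        if j + 4 <= len(rec):                      # optional 32-bit kvno wins
            (kvno,) = struct.unpack_from(">I", rec, j)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": kvno,
                        "enctype": etype, "key": key})
    return entries


def summarize(data):
    """klist -k style lines (kvno, principal, enctype) without the key bytes."""
    return ["%d %s (%s)" % (e["kvno"], e["principal"], ETYPE_NAMES.get(e["enctype"], e["enctype"]))
            for e in read_keytab(data)]


# Constructed sample records; the key bytes are placeholders, not real keys.
SAMPLE = [
    ("host/nfs.example.com@EXAMPLE.COM", 18, bytes(range(32)), 0, 1710720000),
    ("HTTP/www.example.com@EXAMPLE.COM", 17, bytes(range(16)), 0, 1710720060),
]

if __name__ == "__main__":
    print("\n".join(summarize(write_keytab(SAMPLE))))
```

Session keys logged this way carry kvno 0 and the ticket's server principal, so a reader has to key its lookup on principal and enctype rather than on kvno; a real key-log consumer should also treat the file as it would any keytab holding long-term keys and restrict its permissions accordingly.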

Re: How to get Kerberos token for proxy authentication

2024-03-17 Thread Ken Hornstein via Kerberos
>Hi, I have a requirement to authenticate my application >(Golang) against a proxy server which requires Kerberos >authentication. I have achieved this on Windows using the >github/alexbrainman/sspi Golang package. From that package I >basically call negotiate.AcquireCurrentUserCredentials() and

How to get Kerberos token for proxy authentication

2024-03-16 Thread manju k via Kerberos
Hi, I have a requirement to authenticate my application (Golang) against a proxy server which requires Kerberos authentication. I have achieved this on Windows using the github/alexbrainman/sspi Golang package. From that package I basically call negotiate.AcquireCurrentUserCredentials() and

Re: Stateless PKINIT?

2024-03-15 Thread Yoann Gini
> Le 15 mars 2024 à 17:17, Greg Hudson a écrit : > > On 3/15/24 06:15, Yoann Gini wrote: >> Information about the principal (name and everything) could be extracted >> from the certificate. Principal and certificate contain the same >> information. > > To issue a ticket, the KDC doesn't

Re: Stateless PKINIT?

2024-03-15 Thread Greg Hudson
On 3/15/24 06:15, Yoann Gini wrote: Information about the principal (name and everything) could be extracted from the certificate. Principal and certificate contain the same information. To issue a ticket, the KDC doesn't need to know directory-type information such as real names, but it

Re: Stateless PKINIT?

2024-03-15 Thread Yoann Gini
Hi > Le 14 mars 2024 à 21:56, Greg Hudson a écrit : > > On 3/14/24 15:27, Ken Hornstein via Kerberos wrote: >>> Is there a way when using PKINIT to not need any internal list of >>> principals but to rely on the validity of the certificate to proxy the >>> certificate identity into the Kerberos

Re: Stateless PKINIT?

2024-03-14 Thread Greg Hudson
On 3/14/24 15:27, Ken Hornstein via Kerberos wrote: Is there a way when using PKINIT to not need any internal list of principals but to rely on the validity of the certificate to proxy the certificate identity into the Kerberos ticket? I know what all of those words are, but I'm unclear what

Re: Stateless PKINIT?

2024-03-14 Thread Ken Hornstein via Kerberos
>Is there a way when using PKINIT to not need any internal list of >principals but to rely on the validity of the certificate to proxy the >certificate identity into the Kerberos ticket? I know what all of those words are, but I'm unclear what they mean all together. I think you mean _this_

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
The site philosophy can be expressed as fail open / fail closed /fail safe / fail deadly... From: Brent Kimberley Sent: Wednesday, March 13, 2024 5:41:58 PM To: Simo Sorce ; Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: RE: Looking for a "Kerberos

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
To the best of my knowledge, all IPV6 ports should be closed by design and only opened if/when approved. -Original Message- From: Kerberos On Behalf Of Simo Sorce Sent: Wednesday, March 13, 2024 4:48 PM To: Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: Re: Looking for a

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Simo Sorce
This is well tested: https://github.com/latchset/kdcproxy On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote: > > > Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > > > It does occur to me that maybe if you have different KDC hostnames but > > the same IP address you could use TLS SNI or

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Paul Cayley via Kerberos
See RFC 4559 and related. MS support keep via https. Quest Vintela and others field kit that supports this. IBM and SiteMinder have guidance and support. On Wednesday, March 13, 2024, 9:56 AM, Brent Kimberley via Kerberos wrote: [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protoco

Stateless PKINIT?

2024-03-13 Thread Yoann Gini
Hello, I'm trying to achieve a deployment of Kerberos and PKINIT as some sort of authentication proxy. I'm working for an IDP startup. Is there a way when using PKINIT to not need any internal list of principals but to rely on the validity of the certificate to proxy the certificate identity

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38?source=recommendations 1 Introduction The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) is used by an

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 17:21, Ken Hornstein a écrit : > > It does occur to me that maybe if you have different KDC hostnames but > the same IP address you could use TLS SNI or hostname routing which > you indicated you already use and maybe that would be simpler? That > presumes the client

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Looking at Apple documentation I see the support for something I had >never heard of: Kerberos Key Distribution Center Proxy. > >Looks like a solution to encapsulate Kerberos requests into an HTTPS. > >Any experience on this here? I personally have not used that, but I know that MIT Kerberos

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Looking at Apple documentation I see the support for something I had never heard of: Kerberos Key Distribution Center Proxy. Looks like a solution to encapsulate Kerberos requests into an HTTPS. Any experience on this here? Kerberos mailing list

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> A long time ago we had developed a small Kerberos proxy that forwarded >> on Kerberos messages by prepending the source IP address/port to the >> UDP message (our KDC at the time was modified to recognize this and >> sent the prepended bytes back to the proxy so it could send it to the >>

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 15:52, Ken Hornstein a écrit : > >>> One thing that leaps out at me is that by default a lot of Kerberos >>> messages default to UDP transport so that might be a bit trickier to >>> proxy them (but not impossible). >> >> Yes, that's another aspect of the issue, our

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> Le 13 mars 2024 à 15:44, Marco Rebhan a écrit : > >> On 13. Mar 2024, at 12:48, Yoann Gini > > wrote: >> >> Which allow us to have end to end TLS communication between our customers >> and their tenant. Which is mandatory for our mTLS. But without consuming one

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> One thing that leaps out at me is that by default a lot of Kerberos >> messages default to UDP transport so that might be a bit trickier to >> proxy them (but not impossible). > >Yes, that's another aspect of the issue, our expectations so far are on >support for TCP only clients. Since it's

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Marco Rebhan via Kerberos
> On 13. Mar 2024, at 12:48, Yoann Gini wrote: > > Which allow us to have end to end TLS communication between our customers and > their tenant. Which is mandatory for our mTLS. But without consuming one > public IP per tenant to keep cost under control. > > Here with Kerberos, I'm wondering

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, > Le 13 mars 2024 à 15:16, Ken Hornstein a écrit : > >> Here with Kerberos, I'm wondering how we can achieve something >> equivalent, using a shared IP for multiple Kerberos realms and having >> the incoming requests routed to the appropriate backend by some kind of >> inspection. > > I

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Here with Kerberos, I'm wondering how we can achieve something >equivalent, using a shared IP for multiple Kerberos realms and having >the incoming requests routed to the appropriate backend by some kind of >inspection. I think that is certainly _possible_, but I don't believe there is anything

Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, I'm looking for a way to "route" Kerberos requests incoming to a single IP to different backends depending on the requested realms. The issue I'm trying to solve is related to the scalability of automated deployment for new Kerberos realms on a cloud infrastructure. My company is an
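The thread above asks how a front-end on a shared IP could dispatch KDC traffic to per-realm backends by inspection. The one field such a router has to read is the realm inside the req-body of the AS-REQ or TGS-REQ (RFC 4120 section 5.4.1), and over TCP it first has to strip the 4-byte length prefix (RFC 4120 section 7.2.2) that UDP does not carry. The following is an added example and is not code from MIT Kerberos or from anyone in the thread: a small DER walker that pulls the realm out of a KDC-REQ, a dispatcher that maps it to a backend, and a minimal AS-REQ builder used only to construct test input. The tenant realms, backend addresses, client name and nonce are assumptions.

```python
"""Realm-based dispatch of Kerberos KDC requests; added example, not MIT code."""
import struct


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def ctx(n, body):
    """[n] EXPLICIT context tag, as RFC 4120 uses for every KDC-REQ field."""
    return tlv(0xA0 | n, body)


def read_tlv(buf, i=0):
    """Return (tag, value, index after the element) for the TLV at buf[i]."""
    if i + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[i:i + nbytes], "big")
        i += nbytes
    value = buf[i:i + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, i + length


def children(body):
    """Iterate (tag, value) over the elements of a constructed body."""
    i = 0
    while i < len(body):
        tag, value, i = read_tlv(body, i)
        yield tag, value


APP_TAGS = {0x6A: "AS-REQ", 0x6C: "TGS-REQ"}   # [APPLICATION 10] / [APPLICATION 12]


def realm_of_kdc_req(msg):
    """Return (message type, realm) for a raw AS-REQ or TGS-REQ."""
    tag, kdc_req, _ = read_tlv(msg)
    if tag not in APP_TAGS:
        raise ValueError("not a KDC-REQ: application tag 0x%02x" % tag)
    seq, fields, _ = read_tlv(kdc_req)
    if seq != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    for ftag, fval in children(fields):
        if ftag != 0xA4:                          # req-body [4]
            continue
        _, body, _ = read_tlv(fval)
        for btag, bval in children(body):
            if btag == 0xA2:                      # realm [2]
                stag, realm, _ = read_tlv(bval)
                if stag != 0x1B:
                    raise ValueError("realm is not a GeneralString")
                return APP_TAGS[tag], realm.decode("ascii")
    raise ValueError("no realm in req-body")


def unframe(datagram, tcp):
    """Strip the TCP length prefix; a UDP datagram is the bare message."""
    if not tcp:
        return datagram
    (n,) = struct.unpack(">I", datagram[:4])
    if n & 0x80000000 or len(datagram) != 4 + n:   # high bit is reserved
        raise ValueError("bad TCP length prefix")
    return datagram[4:]


def route(datagram, backends, tcp=True):
    """Backend (host, port) for the realm in the request, or None if unknown."""
    _, realm = realm_of_kdc_req(unframe(datagram, tcp))
    return backends.get(realm)                    # realms are case-sensitive


def build_as_req(realm, client="alice", nonce=0x11223344):
    """Constructed minimal AS-REQ used as test input (assumed client and nonce)."""
    principal = ctx(0, tlv(0x02, b"\x01")) + ctx(1, tlv(0x30, tlv(0x1B, client.encode())))
    body = (ctx(0, tlv(0x03, b"\x00\x40\x00\x00\x00"))     # kdc-options: forwardable
            + ctx(1, tlv(0x30, principal))                  # cname
            + ctx(2, tlv(0x1B, realm.encode()))             # realm
            + ctx(5, tlv(0x18, b"19700101000000Z"))         # till
            + ctx(7, tlv(0x02, struct.pack(">I", nonce)))   # nonce
            + ctx(8, tlv(0x30, tlv(0x02, b"\x12"))))        # etype: aes256-cts (18)
    kdc_req = ctx(1, tlv(0x02, b"\x05")) + ctx(2, tlv(0x02, b"\x0A")) + ctx(4, tlv(0x30, body))
    return tlv(0x6A, tlv(0x30, kdc_req))


def frame_tcp(msg):
    return struct.pack(">I", len(msg)) + msg


BACKENDS = {                                      # assumed tenant-to-backend map
    "TENANT-A.EXAMPLE": ("10.0.1.10", 88),
    "TENANT-B.EXAMPLE": ("10.0.2.10", 88),
}

if __name__ == "__main__":
    req = frame_tcp(build_as_req("TENANT-B.EXAMPLE"))
    print(realm_of_kdc_req(req[4:]), "->", route(req, BACKENDS))
```

Because the router never decrypts anything, it only sees the realm the client claims; that is enough for dispatch, and any malformed or truncated message raises rather than being forwarded, which is the fail-closed behaviour one wants in front of several tenants' KDCs.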

Re: Applying policy results in Bad encryption type

2024-03-12 Thread BuzzSaw Code
You nailed it - we dropped DES and switched to AES keys everywhere else a long time ago but somehow missed that. Thank you! On Tue, Mar 12, 2024 at 4:12 PM Ken Hornstein wrote: > > >We did a server replacement of our master KDC that had been on RHEL7 > >for years to finally upgrade to RHEL8.

Re: Applying policy results in Bad encryption type

2024-03-12 Thread Ken Hornstein via Kerberos
>We did a server replacement of our master KDC that had been on RHEL7 >for years to finally upgrade to RHEL8. We did a dump of the database >prior to the swap, we still have the old server sitting around as >well. Principal database is on disk in old db2 style. Kerberos >version is 1.18 for

Applying policy results in Bad encryption type

2024-03-12 Thread BuzzSaw Code
We did a server replacement of our master KDC that had been on RHEL7 for years to finally upgrade to RHEL8. We did a dump of the database prior to the swap, we still have the old server sitting around as well. Principal database is on disk in old db2 style. Kerberos version is 1.18 for RHEL8,

Re: How to generate TGT using java GSS API

2024-03-04 Thread Ken Hornstein via Kerberos
>Hi, We can generate a TGS with GSS API in Java. >But is there a way to get TGT in java, assuming I have account/password? With the pure, standards based GSS, the answer is "no". There is this, but I do not know if all Java implementations support it:

How to generate TGT using java GSS API

2024-03-04 Thread Jim Shi via Kerberos
Hi, We can generate a TGS with GSS API in Java. But is there a way to get TGT in java, assuming I have account/password? Thanks Jim

RE: kdb5_util-1.15.1: Invalid argument while making newly loaded database live

2024-03-04 Thread Brent Kimberley via Kerberos
A message queue is typically a better way to synchronize a cluster. The bonus is that you can track adds, deletes, and modifies via historian. Anchors in Relative Time!? -Original Message- From: Kerberos On Behalf Of Ken Hornstein via Kerberos Sent: Monday, March 4, 2024 10:56

Re: kdb5_util-1.15.1: Invalid argument while making newly loaded database live

2024-03-04 Thread Ken Hornstein via Kerberos
>We have a setup where the kerberos database (db2) is hosted on an NFS >server. There are multiple KDC servers each mounting the NFS share and >serving traffic. I have to say up front that it is generally agreed that putting any database file on a NFS filesystem is a bad idea. Also, it kind of

kdb5_util-1.15.1: Invalid argument while making newly loaded database live

2024-03-04 Thread rachit chokshi
Hello, We have a setup where the kerberos database (db2) is hosted on an NFS server. There are multiple KDC servers each mounting the NFS share and serving traffic. For replicating data into the NFS hosted database from an external master KDC. We have a sync job setup that runs "kdb5_util load"

Re: 3 kerberos security issues

2024-03-01 Thread Greg Hudson
On 3/1/24 07:13, Alexander Bergmann via Kerberos wrote: We got notified via NVD about 3 new security issues. Right now there seems to be no upstream reference. Could someone please comment on this? CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c CVE-2024-26461: Memory leak at

3 kerberos security issues

2024-03-01 Thread Alexander Bergmann via Kerberos
Hi everyone, We got notified via NVD about 3 new security issues. Right now there seems to be no upstream reference. Could someone please comment on this? CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c

Re: Protocol benchmarking / auditing inquiry

2024-02-29 Thread pyllyukko
Ehlo. On Wed, Feb 14, 2024 at 05:43:47PM +, Brent Kimberley via Kerberos wrote: > Can anyone point me to some methods to benchmark and/or audit Kerberos v5? A short while ago I submitted a PR[1] for the Lynis project that does something like that. I also started documenting some of my own

Re: Using PKINIT with ECC

2024-02-23 Thread Greg Hudson
> So is there a way to submit a feature request for ECDSA support in MIT > Kerberos ? I've filed a PR for this at https://github.com/krb5/krb5/pull/1328 . If you're in a position to test it, that would be helpful, as the internal softpkcs11 (which we use for testing) didn't previously have ECDSA

RE: Protocol benchmarking / auditing inquiry

2024-02-16 Thread Brent Kimberley via Kerberos
Correction: - Physical systems tend to wear out + fail spectacularly. - Cyber systems tend to fail silently + inconveniently - CPS systems tend to wear out + fail spectacularly + fail silently + inconveniently (case in point colonial pipeline) The purpose of said tools is to evaluate & maintain

RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
The purpose of non-destructive testing is to validate form/fit/function - across the entire operational mission/ asset lifecycle/ whatever - contrasted with the STIG/CIS benchmark which throws the real problems "over the wall" to Ken H. Using the outputs, the lifecycle manager constructs their

Re: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Ken Hornstein via Kerberos
>This approach is taught in first year engineering. Geez dude, no need to drag me; I'll be the first one to admit that I'm old and don't know everything! Back in my day our curriculums didn't cover any computer security topics at all. But I stand by my original statements: I, personally, have

RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
At higher levels it falls under "Non Destructive testing". -Original Message- From: Brent Kimberley Sent: Thursday, February 15, 2024 12:12 PM To: 'kerberos@mit.edu' ; 'k...@cmf.nrl.navy.mil' Subject: RE: Protocol benchmarking / auditing inquiry This approach is taught in first year

RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
This approach is taught in first year engineering. -Original Message- From: Brent Kimberley Sent: Thursday, February 15, 2024 12:10 PM To: kerberos@mit.edu; k...@cmf.nrl.navy.mil Subject: RE: Protocol benchmarking / auditing inquiry Ken. The term Frame of Reference is a Cyber Physical

RE: Protocol benchmarking / auditing inquiry

2024-02-15 Thread Brent Kimberley via Kerberos
Ken. The term Frame of Reference is a Cyber Physical system (CPS) term. For those who work in the cyber subset, the term is "interface". Regardless of what you call it. You take the system diagram and evaluate using each major interface or Frame of Reference. The STIG or CIS benchmark is just

Re: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Ken Hornstein via Kerberos
>Minor comment the CIS Benchmark appears to have been written from the >system administrator's frame of reference - not the network frame of >reference (FoR). Typically, each frame of reference (FoR) needs to be >audited. Hence the need for automation. I can only say this: - I've been doing

RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
Minor comment the CIS Benchmark appears to have been written from the system administrator's frame of reference - not the network frame of reference (FoR). Typically, each frame of reference (FoR) needs to be audited. Hence the need for automation. -Original Message- From: Christopher

RE: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Brent Kimberley via Kerberos
To the best of my knowledge, "Krb5i provides integrity whereas Krb5p provides confidentiality, integrity, and replay protection." "Walk tool" finding could map to a radar chart. In other news, Matthew Palko plans to modernize authentication.