I'm surprised you need a mapping at all. The default mapping should simply
strip any instance component. What happens if you kinit manually with
username/cron using a password?
On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke krie...@uni-koblenz.de
wrote:
Hello,
I am setting up a
On Fri, Nov 28, 2014 at 12:29 AM, Rick van Rein r...@openfortress.nl
wrote:
Here is a detailed discussion of how to configure FreeRADIUS to use
Kerberos with 802.1x authentication:
http://freeradius.1045715.n5.nabble.com/802-1x-amp-kerberos-td2765708.html
That discussion is how to setup a
On Fri, Nov 28, 2014 at 12:54 AM, Rick van Rein r...@openfortress.nl
wrote:
Hi Frank,
I didn't read the document, but from the name of it the EAP-GSS method I
noted earlier would be a true Kerberos authentication -- the client has to
pass on a kerberos token, not a password. It sounded
On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein r...@openfortress.nl wrote:
Hey,
There were numerous advantages to this approach for our environment,
however we never deployed it. I should have written a brief paper at the
time.
You still may ;-)
It would require a new SRV record, and
https://tools.ietf.org/html/draft-aboba-pppext-eapgss-12 maybe
On Wed, Nov 26, 2014 at 12:34 PM, Hugh Cole-Baker sigma...@gmail.com
wrote:
On 26 Nov 2014, at 17:18, kerberos-requ...@mit.edu wrote:
Hello,
I was surprised to find Kerberos authentication for both PPTP and L2TP
on Mac OS
There's a so-called 'upcall' mechanism in the filesystem. rpc.gssd gets
requests from the nfs client through that and sends the answers through the
same mechanism. It's very patchwork IMHO.
/sbin/mount and mounts_nfs per se have no knowledge of this authentication
backdoor.
On Fri, Sep 12,
Windows clients will handle this automatically by giving the user the
kerberos password prompt. In that case it's done in the kerb library. For
unix (and mac) clients this doesn't happen. The easiest solution is to
wrap the ssh binary with an expiration checker tool. Another route is to
deploy
KRB5CCNAME
On Wed, Oct 31, 2012 at 12:41 PM, Jim Shi hanmao_...@apple.com wrote:
Hi, I have a question.
When you start ssh, ssh will use TGT ticket in the cache that matches the
current unix login account.
Is my understanding correct? Is there way you can override this to use a
different
On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery r...@stanford.edu wrote:
We were quite concerned when we first looked at putting Kerberos KDCs
behind a hardware firewall because of that session limit. Our firewalls
have a 100,000 UDP session limit and a fairly quick timeout.
Ideally you just
On Tue, Sep 25, 2012 at 2:02 PM, Jack Neely jjne...@ncsu.edu wrote:
My network engineers tell me that the firewall in one DC had 8000
concurrent connections from the offending IP address to the KDCs and
4000 in the second DC. (Oddly, the DC with only 1 slave.) The KDCs
weren't able to
On Tue, Sep 18, 2012 at 2:00 PM, Matt Garman matthew.gar...@gmail.com wrote:
=== SERVER MACHINE, ROOT TERMINAL ===
...
mech: krb5, hndl len: 4, ctx len 85, timeout: 1348001077 (116 from
now), clnt: *matt@cron*, uid: -1, gid: -1, num aux grps: 0:
That's interesting. I wonder if that's a
Does the server know it's in the realm MYDOMAIN.COM?
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Tue, Sep 18, 2012 at 12:43 PM, Matt Garman matthew.gar...@gmail.com wrote:
Isn't the above path stuff kind of pointless anyway, since I can use
-k -t file with kinit at the user level? Which I have to do anyway,
from within cron?
yeah, whoops. I was thinking keytab but actually rpc.gssd
On Tue, Sep 18, 2012 at 9:42 AM, Matt Garman matthew.gar...@gmail.com wrote:
On Sat, Sep 15, 2012 at 8:12 PM, Frank Cusack fr...@linetwo.net wrote:
man rpc.gssd.
At least on my distro (CentOS 5), that man page is extremely terse.
At least it should tell you where to drop keytabs and how
man rpc.gssd.
Another option is to allow the servers to mount via sys permission. Your
NFS server may or may not allow this kind of configuration.
It should be the default that foo and foo/cron are equivalent for NFS
purposes.
On Wed, Aug 15, 2012 at 8:10 AM, steve st...@steve-ss.com wrote:
Hi
openSUSE 12.1
Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
to be able to write to the share. I can do this by mounting it with:
no_root_squash,sec=sys
Is there any way I can do it with:
.
On Saturday, January 21, 2012, Russ Allbery r...@stanford.edu wrote:
Frank Cusack fr...@linetwo.net writes:
They don't need to be. The screen saver itself can be run in an
unprivileged context.
Only with an internal architecture that screen savers often don't bother
to implement any more
On Sat, Jan 21, 2012 at 11:46 AM, Stefan Skoglund
stefan.skogl...@agj.net wrote:
I had a bit of problems unlocking the X session and after reading
other people's descriptions of the same symptom I did find the trigger for
it in my /etc/krb5.conf:
---
verify_ap_req_nofail = true
---
I dropped
Thanks for your continued work on this.
On Mon, Jan 9, 2012 at 1:42 AM, g...@hurderos.org wrote:
Good morning, hope the day is starting out well for everyone.
I'd like to announce the availability of a major upgrade to the Hurdo
package. The update is available at the following URL:
How can I learn the enctype of the TGS key? That is, the long lived krbtgt
key. Without having kadmin privileges.
'klist -e' reports Etype (skey, tkt), where I take it that skey = the
enctype of the session key and tkt = the enctype of the ??? opaque ticket I
guess?
I question if this is the
Oh wait. As always, just after sending the email is when you find the
answer.
I think the answer is that the enc-part isn't just an opaque blob, it's
etype
kvno
cipher
So that's where the enctype comes from. Can someone confirm my
understanding?
On Wed, Jan 4, 2012 at 3:17 PM, Frank
will segfault.
In my world that means that rpc.gssd reads the pkinit-option in some way,
but I’m not sure.
Best regards,
Patrik Martinsson, Sweden.
*From:* Frank Cusack [mailto:fr...@tenpedal.com]
*Sent:* the 14
On Wed, Jul 6, 2011 at 10:27 AM, ghud...@mit.edu wrote:
Does anyone on this list intentionally rely on PTR lookups for
Kerberos hostname canonicalization?
Yes, for ssh host. In our case, the canonicalization is done by the ssh
client itself though, not by the krb5 library. Now that I'm
On Fri, May 13, 2011 at 12:08 AM, g...@hurderos.org wrote:
The next release will have a PAM module which handles the
authentication of the forwarded AP-REQ packet. That will eliminate
the need for the sudo patch and provide a general mechanism for any
application to leverage this system.
On Wed, Dec 22, 2010 at 10:31 AM, g...@hurderos.org wrote:
ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz
Revisiting this.
In my followup idea on having the server initiate the request for the fresh
credential, any thoughts on how to present a secure UI to the user so that
he knows this
That's terrible! You've enabled anyone to sudo without having to know the
real password. The whole point of sudo requiring a password is to make sure
that the actual user is present (e.g. didn't walk away from an open
terminal). By disabling tgt_verify, anyone can spoof a KDC response that
will
On Thu, Mar 31, 2011 at 6:42 AM, Guilherme Nery guilherm...@gmail.com wrote:
How can I get the realm of a hostname,
Consult local configuration (krb5.conf), or DNS SRV records if DNS is being
used.
and get the hostname of realm?
That question doesn't make sense. There is no mapping of
On 3/5/11 5:17 PM +0800 Lee Eric wrote:
I'm just thinking why SSL must be enabled when using mod_auth_kerb in
httpd. Because the password will be transferred encrypted by Kerberos.
So is SSL used to protect the tickets or anything else?
You should never send authentication credentials to an
On 2/10/11 6:33 PM -0500 mikhail_tete...@timeinc.com wrote:
On 10.02.2011 18:28, Frank Cusack wrote:
Patch attached.
Great! Thank you very much, Frank! What is the status of it, though? Is
it in the OpenSSH tree already -- to be included in the next release, for
example? Yours,
It's
Patch attached.diff -uNrp openssh-5.8p1.orig/gss-serv-krb5.c openssh-5.8p1/gss-serv-krb5.c
--- openssh-5.8p1.orig/gss-serv-krb5.c 2006-08-31 22:38:36.0 -0700
+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-10 15:03:29.0 -0800
@@ -32,7 +32,9 @@
#include sys/types.h
#include
I recently added this support and will release it shortly.
On 1/31/11 3:37 PM -0500 Mikhail T. wrote:
Hello!
We are using Kerberos throughout, but one feature of ssh
authorized_keys feels missing...
We'd like to be able to limit principals to only be able to execute
certain commands.
It
On 1/31/11 4:20 PM -0500 mikhail_tete...@timeinc.com wrote:
On 31.01.2011 15:57, Frank Cusack wrote:
I recently added this support and will release it shortly.
Thank you, Frank! Will this be an extension to the .k5login syntax, or
something else? Yours,
It uses .k5users, exactly like ksu(1
On 1/5/11 2:53 PM +0530 krbmit siso wrote:
*Server Principal Names in TGS-REQ.*
Padata field - Contents in the TICKET which is visible
Tkt-vno: 5
Realm: realm1.com
Server Name (Principal):
I'm thinking of having users being able to optionally do an OTP hwauth
to obtain their TGT. Assuming that the require-hwauth flag on a
service principal would mean that the TGT has to have the H flag set in
order to obtain a service ticket, this would require hwauth in order
to use NFS, eg to a
On February 2, 2007 5:46:55 PM -0500 Peter Iannarelli
[EMAIL PROTECTED] wrote:
I don't believe I've seen anyone with a token strapped to their
notebook and their PIN etched on the case.
I know a few thousand such users. Not with the PIN etched :-) but with
a credit card form factor token
On Wed, 6 Oct 2004 19:31:19 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote:
I guess the problem that everyone is having with our deployment is the
term load-balancer. We don't actually want to ease the load off of our
...
Good, because:
You'll say that DNS is the answer. I would agree.
On Wed, 6 Oct 2004 19:21:19 + (UTC) [EMAIL PROTECTED] (Gary LaVoy) wrote:
The load balancer is simply another failure point.
As is everything else.
However load balancers are complicated devices and more prone to
failure.
WHOA! - Yes load balancers can be complicated if you want to use
On Wed, 6 Oct 2004 03:59:35 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote:
Sam,
Actually, a load balancer simplifies client deployment in our case (we
can't utilize DNS load balancing on our campus). We can, with a load
Don't need DNS load balancing (and it's broken anyway).
balancer,
On Mon, 04 Oct 2004 10:55:49 +0800 sam [EMAIL PROTECTED] wrote:
Hi,
I'm not sure which kerberos I should use. With Heimdal, it is a
thread-safe implementation, while MIT's kerberos is not.
Please correct me if I'm wrong, it appears that there are more
applications that support MIT kerberos than
On 12 Jul 2004 05:16:00 -0700 [EMAIL PROTECTED] (mdj_kerberos) wrote:
hi all,
Is it possible to make kerberos work without having a krb5.conf file
and keytab file? Is it possible to include the contents of the
conf file and keytab file in the code itself?
clients don't need keytabs,
On Wed, 2 Jun 2004 14:11:52 -0400 bart.w.jenkins [EMAIL PROTECTED] wrote:
All,
I would love to use MIT's Kerberos, but it looks as though it can NOT do
Role Based Access Control (RBAC) out of the box.
That's not the job of an authentication system. RBAC is authorization.
/fc
On 28 Jan 2004 07:32:46 -0800 [EMAIL PROTECTED] wrote:
Anyone have any pointers to information about the relative merits
of using Kerberos or LDAP for authentication in a large heterogeneous
environment?
I think other responses are missing the bigger picture.
You are almost certainly (I'd bet
On Tue, 5 Aug 2003 16:40:22 + (UTC) [EMAIL PROTECTED] (Sam Hartman) wrote:
It seems kind of unfortunate that you're combining these two modules.
It seems that I'd really rather use PAM or pubcookie for my password
auth and then GSS-based stuff for native Kerberos.
At the risk of just doing
That's not Kerberos authentication. If you had read the first two sentences
on that page you'd see it doesn't meet the requestor's needs.
/fc
On Fri, 1 Aug 2003 15:10:50 + (UTC) [EMAIL PROTECTED] (Subu Ayyagari) wrote:
Kerberos authentication for apache:
On Tue, 17 Jun 2003 13:26:47 + (UTC) [EMAIL PROTECTED] (Parag Godkar) wrote:
1. Do I have to compile openssh on all the linux servers after
applying Simon Wilkinson's gss-api patch from -
http://www.sxw.org.uk/computing/patches/openssh.html
Yes, if you want to use protocol 2.
On Thu, 19 Jun 2003 10:22:50 -0700 Donn Cave [EMAIL PROTECTED] wrote:
unfortunately it doesn't interoperate with the ssh.com approach to
Kerberos 5 for protocol 2.
Which, AIUI, was rejected in the ietf for being deficient. Regardless
of any deficiencies (or not) in the ssh.com approach, the
On Tue, 17 Jun 2003 10:27:20 + (UTC) [EMAIL PROTECTED] (Parag Godkar) wrote:
1. Do I have to compile openssh on all the linux servers after
applying Simon Wilkinson's gss-api patch from -
http://www.sxw.org.uk/computing/patches/openssh.html
Yes, if you want to use protocol 2. If