elf for whatever reason, you may
want to add a PID field for each line of debug output. It had me
speechless for a while with what seemed like all error tables were
getting removed multiple times, until I realized it was an NSS module
that was fo
On Sun, 2006-12-17 at 00:43 -0500, Theodore Tso wrote:
> On Fri, Dec 15, 2006 at 02:55:02AM +0100, Fredrik Tolf wrote:
> > However, this does seem like a bug, right? As I see it, the fault can be
> > considered to lie with the Kerberos library, in which case it should be
> >
On Fri, 2006-12-15 at 00:32 +0100, Fredrik Tolf wrote:
> On Thu, 2006-12-14 at 17:36 -0500, Ken Raeburn wrote:
> > If
> > the PAM library does dlopen and dlclose on loaded modules, there may
> > also be some kind of problem in that area.
>
> Indeed, that may be t
On Thu, 2006-12-14 at 17:36 -0500, Ken Raeburn wrote:
> On Dec 14, 2006, at 14:25, Fredrik Tolf wrote:
> > great fandango all over libkrb5's core, they all occur in the Kerberos
> > library, in incidents seemingly related to the error tables. The usual
> >
Kerberos V 1.4.3 and a system-supplied com_err library,
version 1.39. The system is Gentoo Linux.
For reference, the program in question is the daemon in Dolda Connect,
at <http://www.dolda2000.com/~fredrik/doldaconnect/>
I would be very gl
le, or is there any other solution that I
haven't thought of.
Similarly, what about HTTPS connections where the client has a client
certificate? Obviously, there *is* a private key involved, but is there
any way the HTTP server can ask the client to decrypt a TGT key for it?
Thank you for
client application, apart from
reimplementing Kerberos 5 in Java?
Fredrik Tolf
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Mon, 2006-08-21 at 18:29 -0400, Michael B Allen wrote:
> On Mon, 21 Aug 2006 21:48:30 +0200
> Fredrik Tolf <[EMAIL PROTECTED]> wrote:
>
> > So, I'm wondering, are the messages created by JGSS compatible with the
> > ones used by the native MIT API?
>
>
I want to authenticate to)?
Fredrik Tolf
On Thu, 2005-12-01 at 09:16 +1100, Jeremy Hunt wrote:
> Fredrik Tolf wrote:
> > I checked the code you mention, but as far as I am able to tell, the
> > first one only runs in case no log specifications have been loaded
> > (if(log_control.log_nentries == 0)). Therefore, I
ng now on library routines to set/get the credentials
> to be used. The keyring ccache code is basically complete, with a few
> details to work out.
If there aren't any great problems, would you mind sending me the code?
I would be more than happy to betatest it, at t
such work going on, can anyone give a pointer to any
information on it? If not, I should give it a try myself.
Fredrik Tolf
On Sat, 2006-01-21 at 02:16 +0100, Fredrik Tolf wrote:
> I'll attach the files (they are rather small anyway) if you want them.
It seems the files didn't get attached. Does this mailing list filter
attachments?
In any event, I have also written another small program for automatic
t
y ugly, but it works until the Linux keyring ccache scheme
works and becomes the standard.
I'll attach the files (they are rather small anyway) if you want them.
Fredrik Tolf
get a TGT with
kinit -kt ...), it increased the principal's kvno and put a random key
on that principal, which meant that it wasn't possible to decrypt the
TGT using a password anymore.
Fredrik Tolf
On Wed, 2005-12-28 at 15:25 +0200, Amir Saad wrote:
> can anyone tell me what are the differences between MIT kerberos and Heimdal
> kerberos?
Do you mean the political and social differences, or the technical
differences?
Fredrik Tolf
nged to
user1/[EMAIL PROTECTED], since that part of the principal format
has changed from Kerberos 4 to 5.
Fredrik Tolf
ires a base64 encoding program. The one I used comes from
Perl's MIME-Base64 module.
I don't know if there might be anything wrong with this way of doing it,
but in that case, I can't think of any.
Hope it helps.
Fredrik Tolf
Unlike what some people seem to think, HTTP is not the solution
to all the problems in the world.
Fredrik Tolf
patched my
Kerberos library with a little snippet that eliminates recurring file
names when resolving the profile files to read.
I'm attaching the patch if the Kerberos team wants it.
Fredrik Tolf
--- src/lib/krb5/os/init_os_ctx.c~ 2004-07-15 19:42:07.0 +0200
+++ src/lib/krb5/os/in
sages. It also doesn't explain why the ordinary
logfile receives double messages. Unless I've missed something, that is?
I guess I'll recompile the KDC with debug support and see what I can
find.
Fredrik Tolf
> I have a patch which works for kerberos 1.4.x, which I think resolve
u think that
could be related?
Fredrik Tolf
ly read once,
and it contains only one logging directive. kdc.conf is read twice for
some reason, but it doesn't contain any logging directives.
Thanks for the ideas, but I can't seem to get any further on that. Do
you have any more ideas?
Fredrik Tolf
> On 11/27/05, Fredrik Tolf <[
> getent passwd
>
> Any help?
Did you add "winbind" to the "passwd" line in your /etc/nsswitch.conf?
Fredrik Tolf
ne, but an open standard. I
don't think Windows supports it, but I'm fairly sure that it would work
when talking to *BSD machines.
Fredrik Tolf
E:/var/log/kadmin.log
admin_server = SYSLOG:INFO:DAEMON
default = FILE:/var/log/krb5lib.log
The logs from the kadmin daemon appear twice, as well. Does someone know
why this happens?
Fredrik Tolf
ry easy. On Linux, just mount a tmpfs anywhere you
want to store the files, and they will be stored in RAM.
Hope it helps!
Fredrik Tolf
cks a DoS flaw?
Fredrik Tolf
ugh, yum
does have a search function. Try, for example:
yum list '*firefox*'
yum list '*krb5*'
Or, if you're so inclined, even:
yum list '*'
Be prepared for a rather long list in the last case, however. :)
Fredrik Tolf
> "Fredrik Tolf" <[EMAIL PRO
u, by any chance, selected it to not be installed, try the
following:
yum install krb5-workstation pam_krb5
And, if you need it:
yum install krb5-server
Hope it helps,
Fredrik Tolf
n
option (either by default or by specifying the -x switch to the Kerberos
telnet client), it's in the same class of security as SSH.
HTH,
Fredrik Tolf
rik/patches/>.
They are all released under the GNU GPL2, so use or abuse them however
you will or won't.
Also, I'd be very glad if someone could try and see if they work with
Heimdal. I've only tested them with MIT Kerberos.
Fredrik Tolf
ed hosts and 2) it will make reverse lookups
really slow on hosts that aren't responding.
If someone has a better idea, please tell me.
Fredrik Tolf
ht?
I've let myself understand that Microsoft has somehow patented this PAC
field. Now, I'm wondering if anyone in this newsgroup would happen to
know what patent this is and if there's any way I can have a look at it
(mostly for curiosi
manpage for more info).
>
> do you mean the normal rwxrwxrwx permissions
Yeah.
Fredrik Tolf
authenticate
users, and you already have pam_krb5 installed and then want to store
the credentials locally, then it is the pam_setcred function you want to
look at.
If none of those match your scenario, I'll have to ask you to clarify
your ques
inux system,
controlled via file modes (see the chmod manpage for more info).
> and change the root dir
> of ftp ...
The ftpd that comes with MIT Kerberos automatically chroots anonymous
access to the home directory of the "ftp" user.
Hope it helps,
Fredrik Tolf
> Also,
> GSSAPI supports many mechanisms.
Is that so? I've only ever seen Kerberos being carried out over GSSAPI.
What others are there?
> Frank
>
>
>
>
>
> Fredrik Tolf <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/18/2005
On Mon, 2005-01-17 at 16:49 -0500, Rachel Elizabeth Dillon wrote:
> On Mon, Jan 17, 2005 at 04:40:59AM +0100, Fredrik Tolf wrote:
> > I was thinking about adding local hints to our own reverse zones to our
> > Bind configs to make reverse lookups work just between our own network
, but from what I know, this hasn't
happened so far, so that doesn't really seem to be a very great
advantage of using GSSAPI.
Can someone enlighten me on this issue, please?
Fredrik Tolf
by any chance, another way of letting Kerberos
canonicalize service principal names?
Thank you for your time!
Fredrik Tolf
ite packet analyzer should give you more answers than I can provide
in hours.
Good luck,
Fredrik Tolf
't have to type their passwords), and thus I need some
extra principals to do that job. Likewise with cron.
Thanks for replying!
Fredrik Tolf
ake the MIT KDC allow users to do this?
Thanks for your time!
Fredrik Tolf
MU_CURRENT_DIR/usr/local/lib to LD_LIBRARY_PATH
(don't forget to export LD_LIBRARY_PATH if it's not already defined).
Fredrik Tolf
On Wed, 2004-09-29 at 21:59 +, Sam Hartman wrote:
> >>>>> "Fredrik" == Fredrik Tolf <[EMAIL PROTECTED]> writes:
>
> Fredrik> See, I don't understand how this can be a security issue
> Fredrik> at all. I mean, I realize of course
, and from what I know of Kerberos authorization, I cannot see how
that could be wrong. Since this doesn't seem to be the general
consensus, I'm assuming that I'm wrong somewhere, but could someone be
as kind as to enlighten me i
On Wed, 2004-09-22 at 20:12 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 19:58, Fredrik Tolf wrote:
> >> Shouldn't be hard. I think you need to dig up the code in the krb5
> >> library (or include directory, or a copy in the KDC code? I forget
> >> where 1.3
On Wed, 2004-09-22 at 19:43 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 18:50, Fredrik Tolf wrote:
> > On Wed, 2004-09-22 at 22:37 +, Sam Hartman wrote:
> >>>>>>> "Fredrik" == Fredrik Tolf <[EMAIL PROTECTED]> writes:
> >>
> &
On Wed, 2004-09-22 at 22:37 +, Sam Hartman wrote:
> >>>>> "Fredrik" == Fredrik Tolf <[EMAIL PROTECTED]> writes:
>
> Fredrik> Does anyone know if the KDC is configurable to just
> Fredrik> listen to 0.0.0.0, or will I have to take the
Does anyone know if the KDC is configurable to just listen to 0.0.0.0,
or will I have to take the time to patch it?
Fredrik Tolf
fixing the bug that made it
crash in the first place, I accidentally overwrote its configuration
file, and that is what somehow caused the error.
On a side note, I had already tried deleting the replay cache, but since
that wasn't it, it obviously didn't help.
T
've linked against the MIT Krb5 libraries, version 1.2.7.
Can someone be as kind as to shed some light on this problem for me?
Fredrik Tolf
ath/to/the/users/keytab user/autologin"
Then, to initialize the ccache, run kinit like this:
kinit -k -t /path/to/the/users/keytab user/autologin
That way, you won't have to save the user's password in plaintext.
Admittedly, this is how it would be done on Linux/UNIX with the MIT
imple
On Mon, 2004-08-30 at 18:52 +, Sam Hartman wrote:
> >>>>> "Fredrik" == Fredrik Tolf <[EMAIL PROTECTED]> writes:
>
> Fredrik> I'm developing an application that has Krb5
> Fredrik> authentication (native, not GSS-API), and I foun
ket forwarding, you'll also need
"GSSAPIDelegateCredentials yes".
Hope it helps.
Fredrik Tolf
erberos mistakes in the code,
such as credential cleanup. Even in the case of the latter, though, I
don't know how to fix it, since I haven't been programming with GSS-API.
Sorry for the long post.
Fredrik Tolf
I've read, it seems that the client actually sends an
encrypted version of the user's password over the network, which seems
to cancel out the beneficial effects of transferring an encrypted TGT.
I'm guessing that I'm wrong about this somehow, considering how mature
Kerberos is,