Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-06-26 Thread James Ralston
To wrap up this thread: after discussing this issue with our Windows admins over the past few months, we have concluded that the correct course of action here is to set the TRUSTED_FOR_DELEGATION flag in the userAccountControl attribute for all Linux host machine accounts that we control. This wil

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-29 Thread James Ralston
On Tue, Apr 16, 2024 at 9:31 PM Ken Hornstein wrote: > Simo already explained the thinking there, but I think the thing > you're not considering is that not all services require delegated > credentials. Yes, in your environment (and ours) delegated > credentials for host principals is essential,

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-29 Thread James Ralston
On Tue, Apr 16, 2024 at 1:46 PM Simo Sorce wrote: > The correct action is for you to ask the Domain Administrators to > mark the target hosts as ok for delegation, it is unclear why MIT > Kerberos should make it easy to override Realm policies. I think the core issue here is that RFC4120§2.8 was

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-16 Thread James Ralston
On Mon, Apr 15, 2024 at 7:56 PM Ken Hornstein wrote: > I'm a LITTLE confused as to what you're describing here. As I > understand you, the TRUSTED_FOR_DELEGATION flag doesn't appear on > the wire and only in the account properties. Yes. Apologies; I should have been more precise: when Microsoft

honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

2024-04-15 Thread James Ralston
Has anyone else struggled with ssh clients being unable to delegate Kerberos credentials to a remote host because the Kerberos library that the ssh client uses implements the MS-SFU Kerberos Protocol Extensions and therefore honors the TRUSTED_FOR_DELEGATION flag of the target host? More generally

Re: kerberos credential cache filename with sshd causing problems for long running jobs

2021-07-07 Thread James Ralston
On Wed, Jul 7, 2021 at 8:20 PM Jason Keltz wrote: > I assume that the reason that SSHd creates the sshd credential cache > in /tmp/krb5cc__ is so that an ssh session will > not share the same credential cache with say, a local workstation > login. The reason why sshd creates the Kerberos file cr

Re: Is there a "batchable" way to do ktutil list

2021-05-02 Thread James Ralston
On Wed, Apr 21, 2021 at 6:42 AM Ken Hornstein wrote: > > Is there another command that is more script-friendly? If not, > > can someone share a good way to pass args to the MIT ktutil? > > I think "klist -k" does what you want. You can pass arguments to > ktutil in a script via stdin and parse

Re: CVE-2020-17049

2020-11-17 Thread James Ralston
On Mon, Nov 16, 2020 at 10:48 AM Luke Hebert wrote: > We've just started encountering problems at customer sites with > Kerberos enabled clients as a result of how Microsoft appears to be > approaching CVE-2020-17049 > . The > details

Re: krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-12 Thread James Croall
d with the lack of good error reporting... Whew, panic time! Appear to be all good now. Cheers, - James James Croall | Senior Product Manager Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA 94107 Office: 415.694.5354 | Mobile: 202.246.6613 | jcro...@coverity.com The

Re: krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-11 Thread James Croall
month rather than a year. Approximate times line up. Reasonable user error. Very poor error reporting though! - James

Re: krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-11 Thread James Croall
Kerberos clients have been up for 80 days now with no patches/updates! I will try and capture the transaction/packets. - James

Re: krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-11 Thread James Croall
16 23}) 10.0.0.252: KDC_RETURN_PADATA: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Cannot allocate memory Any suggestions appreciated. Thanks, - James

Re: krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-11 Thread James Croall
I should add, this error occurs when running kinit -n. I can still kinit as a user on an already setup host and get a TGT. - James

krb5 with anonymous kinit, "Cannot allocate memory"

2013-10-11 Thread James Croall
. Googling around I see strange reports of this error coming and then going and I don't know what to make of it. Any ideas? - James

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-07 Thread James Croall
(Follow up to my own email) Nevermind - I am a little rusty at this, I see the documentation is clear about ktadd randomizing the key and it's coming back to me now. Thanks again! - James

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-07 Thread James Croall
capability, I wasn't too keen on setting up an ssh back-channel into my hosts. - James

Re: Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread James Croall
cenarios. Puzzled. Wondering if I'm going about this anonymous flow the right way at all! - James On 9/6/13 5:20 PM, "Russ Allbery" wrote: >James Croall writes: > >> Kadmin just won't let me in. When using the WELLKNOWN principal, it >> cannot

Anonymous kerberos and bootstrapping new hosts - how to?

2013-09-06 Thread James Croall
zing kadmin interface When running kadmin under strace, it seems to be looking for the server in DNS! Is this approach viable? Can anybody help? Thanks, - James Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos, DNS and AAAA records

2009-05-21 Thread james bardin
me TCP.)  There are also > asynchronous name-lookup techniques, but I think the most portable versions > require multithreading support and creation of threads, which capabilities > we're not requiring of the OS and application at present. > This is what I suspected. Thanks for all the info! -jim -- James Bardin Systems Analyst / Administrator Boston University

Kerberos, DNS and AAAA records

2009-05-21 Thread james bardin
with Centos 5, so our krb5 libs are version 1.6.1 Thanks, -jim

Multiple realms in one krb5.conf

2008-12-15 Thread James Chavez
on a station so that kerberos can service login requests for each of the 3 domains? Is this as simple as adding an entry for each realm in the realms section of the krb5.conf file? Thank you James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the

RE: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

2008-09-10 Thread Chavez, James R.
I did not know because I was stuck on the DNS issue. The info you posted about the sshd stuff below is invaluable and I do not know how I missed that! I read the man page for sshd_config but did not consider sshd for some reason. Thank you James -Original Message- From: Douglas E. Enge

RE: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

2008-09-10 Thread Chavez, James R.
to see some debug though. Perhaps I can reinstall or freshen the pam_krb5 on my Solaris box? I will have to look into that. Thank you James -Original Message- From: Douglas E. Engert [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2008 7:28 AM To: Chavez, James R. Cc: kerberos@mit

Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3

2008-09-09 Thread Chavez, James R.
version of Kerberos change the way pam_krb5 logs debug output? Perhaps in the app_defaults section in the krb5.conf file? Thanks James pam.conf --- #login login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth

Kerberos authentication; krb5.keytab significance.

2008-07-29 Thread Chavez, James R.
create and populate krb5.keytab? While I wait for a response I will do some more reading. Thank You James

Re: SSO Fails on XP SP2

2007-07-30 Thread James Turner
Hi, I know some people have been tripped up with compatible cryptographic algorithms when connecting Linux-kerberos to Windows-kerberos. It's not that MIT doesn't support Windows crypto algorithms. It seems like I remember that you have to modify the default algorithm, but this may not be

Small leak in kadm5_get_init_creds

2007-03-04 Thread Jerry James
;context, client); error: if (ccache != NULL && init_type != INIT_CREDS) krb5_cc_close(handle->context, ccache); Regards, -- Jerry James, Assistant Professor[EMAIL PROTECTED] Computer Science Department http://www.cs.usu.edu/~jerry/ Utah State University

Re: What version next?

2007-03-01 Thread James Turner
Hi Ken, I haven't read anything on the site about 1.6, but I was curious about PKINIT support. Is this in 1.6 and if not, where does capability reside on the roadmap? Thanks! Randy -Original Message- From: Ken Raeburn [mailto:[EMAIL PROTECTED] Sent: Thursday, March 1, 2007 09:59 AM To:

Re: Password Expiration notifications

2006-04-04 Thread James J. Barlow

Kerberos authentication does not seem to work when auditing is enabled on Solaris 9

2005-10-28 Thread Daniels, James (Contractor) (J6B)
I am running Solaris 9 with auditing turned on (etc/security/bsmconv). The problem I am having is that I can not logon with dtlogin via Kerberos authentication as long as auditing is enabled. If I disable auditing I have no problem logging in with my Kerberos account. I am up to the latest patch

Re: Commercial use of MIT Kerberos

2005-05-26 Thread 吳建東 (James Wu)
Thank you very much. Best Regard, James WU - Original Message - From: "Rachel Elizabeth Dillon" <[EMAIL PROTECTED]> To: "吳建東 (James Wu)" <[EMAIL PROTECTED]> Cc: Sent: Thursday, May 26, 2005 3:20 AM Subject: Re: Commercial use of MIT Kerberos The

Commercial use of MIT Kerberos

2005-05-25 Thread 吳建東 (James Wu)
Dear Sir : Would you please tell me how to get the written permission of MIT before I use Kerberos for commercial use. Best Regard, James Wu ARES International Corp. A Taiwan base company

RE: Kerberos5 FTP not working. Neep Help!

2004-11-17 Thread James Chen
I removed the key on the client, run kinit again and now FTP is working properly!!! Thank you very much for your help, Ken and Douglas! Warmest Regards, James -Original Message- From: Ken Raeburn [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 4:22 PM To: James Chen Cc: Ken

RE: Kerberos5 FTP not working. Neep Help!

2004-11-17 Thread James Chen
with HMAC/sha1, no salt Key: vno 7, DES with HMAC/sha1, no salt Key: vno 7, DES cbc mode with RSA-MD5, no salt Attributes: Policy: [none] kadmin: Thanks a lot! James -Original Message- From: Ken Raeburn [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 3:34 PM To: James C

RE: Kerberos5 FTP not working. Neep Help!

2004-11-16 Thread James Chen
ork functionality will fail. 127.0.0.1 localhost.localdomain localhost 192.168.1.1 server.james.com server 10.150.41.73 client.james.com client Thanks! James -Original Message- From: James Chen Sent: Tuesday, November 16, 2004 10:23 AM To: 'Ken Raeburn

RE: Kerberos5 FTP not working. Neep Help!

2004-11-16 Thread James Chen
"hostname" returns "localhost.localdomain". Is it the problem? Should I change the hostname to "server.james.com" or "server"? Thanks! James -Original Message- From: Ken Raeburn [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 7:17 AM T

Kerberos5 FTP not working. Neep Help!

2004-11-16 Thread James Chen
rver below. Could anyone help to see if anything is missing? I also attached all the Kerberos related config on client and server below(/etc/hosts, klist -e -k, listprincs, krb5.conf, kdc.conf). Thanks a million!! James [EMAIL PROTECTED] bin]# ./ftp -d -v server.james.com Connected to server.jame

Re: Problem with cross realm trust and udp between AD and MIT

2004-06-23 Thread James
Hey Russ! It *may* be sufficient to set: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\MYREALM This is a dword, and the bit you need set is 0x02 See: http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/rege

Kerberos + LDAP + Cyrus-SASL woes

2004-05-26 Thread James Hunt
only requirement is that the working implementation / configuration be well-documented for future reference. Any help / direction / guidance is greatly appreciated. James Hunt, Senior Programmer OIC Group, Inc. http://www.oicgroup.net/ Kerberos

Default Kerberos database format

2004-05-10 Thread James F. Hranicky
When I set up my realm, I followed the instructions at http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.3/doc/krb5-install.html#Propagate%20the%20Database%20to%20Each%20Slave%20KDC (minus the -R to kdb5_util, which doesn't seem to be supported), using a script similar to the one presented t

RE: Dual Login enabled using kerberos

2004-03-19 Thread James Walthall
what you provided, except jwaltha was Administrator instead. That too, did not work ( I didn't expect it to) Do you have any other suggestions? I really don't want to remove root local access. I've done that before and it really isn't fun. Thank you :) --- James

Dual Login enabled using kerberos

2004-03-18 Thread James Walthall
When I configure my redhat machine to login using kerberos, I have noticed that I can login using both the local password that was established on the machine, and the password that I establish using the kdc-db. Is there a way to configure the machine such that it only logs in using the kerberos

Root Authentication

2004-03-04 Thread James Walthall
! --- James Walthall Jr IBM Host Integration Server Test / HATS Outside: (919) 254-8869 Tieline: 444-8869 Research Triangle Park Raleigh, North Carolina

Red Hat Login

2004-02-19 Thread James Walthall
authentication) What needs to be done to get Red Hat authenticating Administrator through kerberos correctly??? --- James Walthall Jr

RedHat Login

2004-02-13 Thread James Walthall
What principal do I need to add for me to be able to login from the redhat 8 login console (the GUI) using user name Administrator and password ? Assume the following: REALM: RALEIGH.IBM.COM HOST: MYHOST USER NAME: Administrator I have Kerberos installed and auth

Re: Authentication In Redhat

2004-02-12 Thread James Walthall
I would go about doing this? I'm learning linux, but coming from a windows background. The simpler this can be explained, the better. Thanks in advance... Regards, James Walthall Jr IBM - Host Integration Server Test IDD and BETA Outside: (919) 254-8869 Tieline: 444-8869 Research Triangle

Authentication In Redhat

2004-02-12 Thread James Walthall
a way, please be specific as to how I can go about setting that up. Regards, James Walthall Jr

kadmin

2004-02-10 Thread James Walthall
nyone have a similar problem? Any suggestions? Regards, James Walthall Jr

Kerberos 5 slave installation

2004-02-10 Thread James Walthall
point for the slave KDC. If I was, then what was I supposed to do? If I was not, then what should I do? Regards, James Walthall Jr

Re: [OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

2004-01-27 Thread James F.Hranicky
On Tue, 27 Jan 2004 18:58:36 -0500 (EST) Dean Anderson <[EMAIL PROTECTED]> wrote: > Nope. OpenSSH 3.7.1p1 works for me with privsep turned off. When privsep > is turned off, there is no subprocess. 3.7.1p1 has some additional > breakage, in that if your ssh client doesn't support 'interactive/pam

Migrating from b6 to 1.3.1 (without the a master key phrase)

2003-11-12 Thread James
Hi! We will shortly be addressing an upgrade issue similar to that raised a year ago by Art Freeman on comp.protocols.kerberos: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=ldv7kj618mg.fsf%40saint-elmos-fire.mit.edu&rnum=9&prev=/groups%3Fq%3Dkerberos%2Bstash%2Bfile%26ie%3DUT

Public Key

2003-10-06 Thread Lockhart, James H, ALABS
Where do I get the public key to verify the source code?

aklog:Key table entry not found while getting AFS tickets

2003-09-25 Thread James C.
and successfully access my AFS space. However, if I login with kerberos and try to execute "aklog", I receive the following messages: aklog: Couldn't get asu.edu AFS tickets: aklog:Key table entry not found while getting AFS tickets Any ideas on how to resolve this problem?

Re: Win2000 PAC-Credentials Implementation

2003-09-04 Thread James F.Hranicky
On Thu, 4 Sep 2003 15:49:44 -0500 [EMAIL PROTECTED] (Dr. Greg Wettstein) wrote: [...] > A federated identity structure means that organizations are going to > take responsibility for managing their own user identities. These > three fundamental identities thus exist within the context of an > ent

PAM modules clearing pwexpire field without prompting for new PW

2003-03-26 Thread James F.Hranicky
I tracked down the source of the pwexpire "clearing" problem when a PAM module allows a user with an expired password to log in without prompting them for the new one: the module was simply re-using the original password to effect the password change, leaving the user with the same password and

Re: Password changing for xdm

2003-03-24 Thread James F.Hranicky
On Fri, 21 Mar 2003 13:53:42 -0500 "James F.Hranicky" <[EMAIL PROTECTED]> wrote: > Ok, I may be able to swing that :-> I'm just glad I have a prompter as a > skeleton to go on, thanks. On second thought, calling a function to get the return value from an Xt widg

Re: Password changing for xdm

2003-03-21 Thread James F.Hranicky
On Fri, 21 Mar 2003 13:44:45 -0500 Ken Hornstein <[EMAIL PROTECTED]> wrote: > >> xlockmore; if you go to the xlockmore site and download the latest snapshot, > >> they should be in there. > > > >You may be interested to know that a hamfisted attempt to put your prompter > >code into the Kerberized

Re: Password changing for xdm

2003-03-21 Thread James F.Hranicky
On Fri, 21 Mar 2003 10:11:38 -0500 Ken Hornstein <[EMAIL PROTECTED]> wrote: > >> Heh. You see why I choose to make xlock use the Kerberos call directly? > > > >Yep -- were these patches submitted to the XFree86 xlock or xlockmore? > >Where could I find them? > > xlockmore; if you go to the xlock

Re: Password changing for xdm

2003-03-21 Thread James F.Hranicky
On Fri, 21 Mar 2003 11:32:06 -0600 [EMAIL PROTECTED] (Dr. Greg Wettstein) wrote: > It might be something that could save you a few steps although it > needs some more additional work. > > > Thanks, > > Let me know and I would be happy to ship you a tarball of sources. > > Have a good weekend.

Re: Password changing for xdm

2003-03-21 Thread James F.Hranicky
On Fri, 21 Mar 2003 09:58:35 -0500 Ken Hornstein <[EMAIL PROTECTED]> wrote: > Heh. You see why I choose to make xlock use the Kerberos call directly? Yep -- were these patches submitted to the XFree86 xlock or xlockmore? Where could I find them? > >I'm thinking about trying to set up a prompter

Password changing for xdm

2003-03-21 Thread James F.Hranicky
Well, I'm beginning to think the PAM route should be used strictly for password authentication and not worry about doing password expiration with it, due to continued segfaults, and the difficulty in debugging them in a dynamically loaded shared lib (plus no debugging symbols in Sol8's libpam, etc)

Kerberos and InterMapper

2003-03-17 Thread James Reynolds
that would test if the server is functional. Do any of you know? -- Thanks, James Reynolds University of Utah Student Computing Labs [EMAIL PROTECTED] 801-585-9811 At 10:25 PM -0500 3/2/03, [EMAIL PROTECTED] wrote: Thanks for your note re: the Kerberos probe. It appears that you can use either T

Re: Password expiration

2003-03-08 Thread James F.Hranicky
On Fri, 7 Mar 2003 21:56:40 -0600 Steve Langasek <[EMAIL PROTECTED]> wrote: > If the application in question is one that the user must type their > password into directly, there's no particular advantage to making it > Kerberos-aware instead of just making it PAM-aware, really (this is the > niche

Re: Password expiration

2003-03-07 Thread James F.Hranicky
On Fri, 07 Mar 2003 13:51:41 -0500 Ken Hornstein <[EMAIL PROTECTED]> wrote: > I believe the _client_ support for this has been cleaned up and should > be better in MIT Kerberos 1.3, when it comes out (I don't know when that > will be). So that is at least one important piece of the puzzle. Ok --

Re: Password expiration

2003-03-07 Thread James F.Hranicky
On Fri, 7 Mar 2003 11:26:13 -0600 "Jacques A. Vidrine" <[EMAIL PROTECTED]> wrote: > On Fri, Mar 07, 2003 at 11:31:34AM -0500, James F.Hranicky wrote: > > Is anyone actually using the password expiration features of > > Kerberos? > > For what it's wort

Password expiration

2003-03-07 Thread James F.Hranicky
Is anyone actually using the password expiration features of Kerberos? I've been trying to make sure it works properly with the pam_krb5-1.0.3 package, but I've run into so many problems I'm wondering about the feasibility of doing so: - I can only apparently get the pw_expiration info wh

Seg fault in pam_krb-1.0.3

2003-03-05 Thread James F.Hranicky
I found a pointer bug that causes a segfault in pam_krb5-1.0.3: In pam_krb5_prompter.c the following variables are defined: const struct pam_message **conv_arg; struct pam_message *msg, **p; further down in the file, the following assignment is made: conv_arg = (const struct pam_me

Access to client.pw_expiration

2003-03-05 Thread James F.Hranicky
I've patched my krb5 libraries and my kdc so that I can notify users of impending password expiration as detailed in these messages: http://mailman.mit.edu/pipermail/krb5-bugs/2002-February/12.html http://mailman.mit.edu/pipermail/kerberos/2002-August/001418.html However, it seems that

Security hole in pam_krb5-1.0.3

2003-02-10 Thread James F.Hranicky
It appears I've stumbled across a security hole in pam_krb5-1.0.3 . This occurs in the latest cvs found at pserver:[EMAIL PROTECTED]:/cvsroot/pam When I use the module above on a Solaris 8 machine, I get the following behavior: 1876 : su - jfhmtest Password for [EMAIL PROTECTED]:

problem in installing postgresql with kerberos in HP-UX

2002-08-29 Thread James Camaron
g for com_err in -lcom_err... yes checking for krb5_encrypt in -lcrypto... no checking for krb5_encrypt in -lk5crypto... yes checking for krb5_sendauth in -lkrb5... no configure: error: library 'krb5' is required for Kerberos 5 please help me in this problem.

Re: Keytab problems

2002-06-21 Thread James Craig
On Fri, 21 Jun 2002, Sam Hartman wrote: > When you add a key to a keytab file, that key is randomized by the > server before being added. You do not want to put user principals in > keytab files. Instead, you want to create a principal for the > explicit purpose of living in a keytab. >

Keytab problems

2002-06-21 Thread James M Craig
I have started running some experiments on a few machines in hopes of deploying Kerberos throughout our department. We are running Solaris 8, and I am using SEAM 1.0.1 on the test systems. Since I am learning this on my own, some things are not as obvious to me as I think they should be. My cu

suid problems

2002-02-15 Thread James M Craig
Our department is planning on implementing kerberos v5 soon, and I have to assess what changes will be needed in our department for this to work. We are running Solaris 8, and I am installing SEAM 1.0.1 The first problem that I am faced with is dealing with scripts that are suid

V4 -> v5 question

2001-12-18 Thread Lindsey, James
initial credentials thanks _ James Lindsey System Programmer III IBM Certified Specialist RS6000/SP System Administration Blue Cross Blue Shield of Florida [EMAIL PROTECTED] (904)905-7138 > ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ > "Darkness is