Re: using Kerberos V5 with network address translation firewall?

2001-07-12 Thread Jeffrey Altman
able/DSL Router # to retrieve the IP address for use with Kerberos 5 authentication # when Network Address Translation (NAT) is enabled. # # by Frank da Cruz and Jeffrey Altman # # Version 1.0 if < \v(version) 800200 { end 99 This script requires C-Kermit or Kermit 95 version 800200 or higher

Re: using Kerberos V5 with network address translation firewall?

2001-07-12 Thread Jeffrey Altman
In article <[EMAIL PROTECTED]>, Russ Allbery <[EMAIL PROTECTED]> wrote: : Jeffrey Altman <[EMAIL PROTECTED]> writes: : : > If you can describe a good way to write the rule that says, replace : > address FOO with address NAT we can certainly make the change in the : >

Re: using Kerberos V5 with network address translation firewall?

2001-07-12 Thread Jeffrey Altman
PI-KRB5 does not require Channel Bindings. Any server that requires Channel Bindings is out of spec. Versions of MIT Kerberos FTPd had this bug. The current release does not. Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available The Kermit Project @ Columbia University in

Re: Configuring Leash32 to use memory credentials

2001-07-12 Thread Jeffrey Altman
rent builds only store the credentials in memory. Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMAIL PROTECTED]

Re: using Kerberos V5 with network address translation firewall?

2001-07-12 Thread Jeffrey Altman
In article <[EMAIL PROTECTED]>, Michael Thomas <[EMAIL PROTECTED]> wrote: : [EMAIL PROTECTED] (Jeffrey Altman) writes: : > Now this wraps the forwarded credentials in an auth context which : > is bound to the local address/port and remote address/port. There is : > no meth

Re: using Kerberos V5 with network address translation firewall?

2001-07-13 Thread Jeffrey Altman
> [EMAIL PROTECTED] (Jeffrey Altman) writes: > > > If you can describe a good way to write the rule that says, replace > > address FOO with address NAT we can certainly make the change in the code. > > The problem in most cases is that there is no good way to know wha

Re: using Kerberos V5 with network address translation firewall?

2001-07-13 Thread Jeffrey Altman
n authenticating the client. There should be no need to use GSS_C_NO_CHANNEL_BINDINGS, because now you are saying that the client must not send bindings either. Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available The Kermit Project @ Columbia University includes

Re: using Kerberos V5 with network address translation firewall?

2001-07-14 Thread Jeffrey Altman
t. Obviously, it was not pulled into the 1.2.2 distribution. Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMAIL PROTECTED]

Re: using Kerberos V5 with network address translation firewall?

2001-07-16 Thread Jeffrey Altman
In article <[EMAIL PROTECTED]>, Johan Danielsson <[EMAIL PROTECTED]> wrote: : Jeffrey Altman <[EMAIL PROTECTED]> writes: : : It will work just as well if the kdc and the service is on different : sides of the nat, that is not at all. : : In the other configurations it

Re: Using MITs Kerborised telnet with Windows 2000

2001-07-17 Thread Jeffrey Altman
ption type : in the krb5.conf file is des-cbc-md5. Has anyone got a suggestion as : to what I could do to get this working?? : : Thanks : : Hakan The MIT Telnet client may have a buffer that is too small to hold the Service Ticket issued by the Windows KDC. Jeffrey Altman * Sr.Software Desi

Re: testing kerberos with telnet

2001-07-19 Thread Jeffrey Altman
edentials on the telnet client end and therefore kerberos negotiation is not taking place, or . you are not using the kerberos telnet client. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet a

Re: Kerberos telnet and today's telnet vulnerability announcement

2001-07-24 Thread Jeffrey Altman
the hole it seems that it would be very difficult to exploit this hole. The overflow that occurs is produced with data generated by the telnet daemon and not the client. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes

Re: Kerberos telnet and today's telnet vulnerability announcement

2001-07-26 Thread Jeffrey Altman
problems: . it doesn't handle the transmission of urgent data properly . it has the potential for stack overflows because of recursive calls between netflush() and output_data() Give MIT a few days to do this right. You can use the FreeBSD patch in the meantime if you feel there

Re: Kerberos telnet and today's telnet vulnerability announcement

2001-07-27 Thread Jeffrey Altman
> > Give MIT a few days to do this right. You can use the FreeBSD patch > > in the meantime if you feel there is a significant need. > > Will do. > There are some other things we are doing as well such as adding in support for X Windows Forwarding and perhaps START_TL

Re: Is this a job for Kerberos?

2001-08-01 Thread Jeffrey Altman
le to perform step : 2. : : Can kerberos can accomplish this? : : Thanks : -Ken Faber : : P.S. Does anyone know if a CISCO router can act as a KDC host? : Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and

Re: krb5_rd_req failed with error: Permission denied

2001-08-01 Thread Jeffrey Altman
ng as a user that does not have permission to read the keytab file. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMA

Re: Are the MIT daemons (telnetd etc) PAM aware ?

2001-08-01 Thread Jeffrey Altman
get MIT's telnetd (out of the box) to call a pam module ? : : Or when people talk about PAM support for kerberos do they just mean that it : is possible to get the standard (NON MIT) daemons to call a MIT kerberos PAM module. : : Hope i explained that OK ! : : regards : : richJ Jeffre

Re: Tickets in XML

2001-08-06 Thread Jeffrey Altman
In article <[EMAIL PROTECTED]>, Lindy Carter <[EMAIL PROTECTED]> wrote: : I was wondering if anyone knows where I can find descriptions of Kerberos : tickets and message exchanges done in XML. : : Lindy Kerberos exchanges are encoded in ASN.1 not XML. Jeffrey Altman *

Re: Leash32 problem on Windows32

2001-08-08 Thread Jeffrey Altman
og report on the AIX box? : Kerberos 4 Cannot contact the kerberos server for the selected realm : (Kerberos error 56) Your KDC most likely was not built with Kerberos 4 support. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia Universit

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-22 Thread Jeffrey Altman
part of the OS as well : as the ones from MIT Kerberos 1.2.2 and Heimdal 0.3f. : : It _does_ work when authenticating against an MIT Kerberos server. : : Any ideas about where I should be looking? : : Paul : : -- : Paul Haldane : Unix Systems, Computing Service University of Newcastle : :

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-23 Thread Jeffrey Altman
ing without regard for character-set. There is a serious discussion taking place about ways to handle this problem. But for the time being until a universal approach is determined I would seriously recommend restricting all user and host names to ASCII. Jeffrey Altman * Sr.Software Designer C

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-23 Thread Jeffrey Altman
ASCII, then the salt will have to change. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. SSH soon to follow.

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-23 Thread Jeffrey Altman
ime, only Windows 2000 realms support TCP connections and all Windows 2000 REALMS will publish this SRV record in DNS. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-23 Thread Jeffrey Altman
that anyone released everyone was wrong. When the GeneralString is treated as an octet string the Microsoft solution to the internationalization problem makes sense. This is especially true since an MIT KDC run in a Latin 1 locale cannot communicate with a client in a Latin 2 locale. Jeffrey Alt

Re: kerberos auth against w2k server with 8 bit chars in password

2001-08-23 Thread Jeffrey Altman
and you can't log in. The rule is: the administrator must use the same locale (or character set) as the client is going to use (at all times.) Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure

Re: telnet - encryption

2001-12-02 Thread Jeffrey Altman
onsider this combination of TLS using ADH-AES256-SHA and Kerberos 5 to be as strong as anything that can be provided. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/

Re: Telnet Encryption Options vs. Kerberos V5

2001-12-05 Thread Jeffrey Altman
2946 - shows the : >>>>>following encryption types: : >>>>> : >>>>>NULL 0 : >>>>>DES_CFB641 : >>>>>DES_OFB64 2 : >>>>>DES3_CFB64 3 : >>>>>DES3_OFB64 4 : &

Re: Telnet Encryption Options vs. Kerberos V5

2001-12-05 Thread Jeffrey Altman
And of course C-Kermit 8.0 supports Kerberos 5, Kerberos 4, SRP, SSL/TLS for securing Telnet, FTP, HTTP, RLOGIN, KERMIT, ... See http://www.kermit-project.org/ck80.html http://www.kermit-project.org/security80.html -- Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta

Re: forward slashes in k5 principals vs UNIX cache files

2001-12-08 Thread Jeffrey Altman
More than likely the check for '\' is to ensure that escapes are not processed in calls to sprintf() or related functions. -- Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kerm

Re: Telnet Encryption Options vs. Kerberos V5

2001-12-08 Thread Jeffrey Altman
In article <9urro9$12mp$[EMAIL PROTECTED]>, Salil Dangi <[EMAIL PROTECTED]> wrote: : > "Jeffrey Altman" <[EMAIL PROTECTED]> wrote in message : > 9umtg9$lej$[EMAIL PROTECTED]">news:9umtg9$lej$[EMAIL PROTECTED]... : > : > However, the Telnet Encryptio

Re: Telnet Encryption Options vs. Kerberos V5

2001-12-10 Thread Jeffrey Altman
In article <9v2rfb$rbk$[EMAIL PROTECTED]>, Salil Dangi <[EMAIL PROTECTED]> wrote: : > Just wondering: : > . where did you get the Telnet Encryption Option ENCTYPE number from? : > Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available : : RFC 2946 defines availa

Re: Telnet Encryption Options vs. Kerberos V5

2001-12-10 Thread Jeffrey Altman
nd we : are able to use either DES or RC4 for encryption. : : Salil : : : "Jeffrey Altman" <[EMAIL PROTECTED]> wrote in message : 9v316h$7d7$[EMAIL PROTECTED]">news:9v316h$7d7$[EMAIL PROTECTED]... : > I know the text of RFC 2946 very well. I am one of the authors. : &

Re: Kerberized RCP

2001-12-19 Thread Jeffrey Altman
I am using MIT Kerberos 1.2.2. : : You might want to try using the Kerberized ssh and scp rather than : rsh/rcp. (I'm sure Jeffrey Altman will pop up here and suggest : Kermit as another option.) The only potential issue with that is : dealing with the !@#$%^ host key tracking, which c

Re: Authentication negotiation has failed, which is required for encryption. Goodbye

2002-01-08 Thread Jeffrey Altman
rberos FTP, ... http://www.columbia.edu/kermit/ckermit.html Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 available now!!! The Kermit Project @ Columbia University includes Telnet, FTP and HTTP http://www.kermit-project.org/ secured with Kerberos, SRP, and [EMAIL PRO

Re: How do people handle linking against des425 and openssl?

2002-01-17 Thread Jeffrey Altman
n either SSL/TLS or SSH. The library used Apache, OpenLDAP, OpenSSH, ... is libcrypto.a. All of these applications should also support Kerberos. We should be making that support as transparent as possible for the application developer. Note that OpenSSL 0.9.7 supports the TLS KRB5 ciphers with both

Re: MIT Kerberos for Windows 2.1.x cred cache breaks Win2k service

2002-02-26 Thread Jeffrey Altman
Windows 2000 service to perform Kerberos/GSS operations on behalf of : other users? : : Mike. I'm not sure I understand the problem you are having. Would you care to describe what you were doing with previous versions that no longer works? Jeffrey Altman * Sr.Software Designer C-Kermit

Re: ckermit on Mac OS 10.3.9 with Kerberos?

2005-05-27 Thread Jeffrey Altman
u/user/j/a/jaltman/Public/kermit/kermit.macosx103.secure http://web.mit.edu/jaltman/Public/kermit/kermit.macosx103.secure Unfortunately, source is not available. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses

Re: Kerberos for Wireless Authentication

2005-06-01 Thread Jeffrey Altman
ver all you are doing is using Kerberos to perform a database lookup. This technique is frequently used as a means of providing single password functionality to an organization but it is not Kerberos. Jeffrey Altman -- - This e-mail account is not read on a re

Re: kerberos authentication for apache on windows

2005-06-02 Thread Jeffrey Altman
that uses the MIT Kerberos APIs, you can build the module against the SDK that is installed as a part of MIT Kerberos for Windows. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu ___

Re: Kerberos for Wireless Authentication

2005-06-03 Thread Jeffrey Altman
n work on at a given time. If members of the wireless community were to participate in the working group, it would increase the amount of work that can be accomplished. Jeffrey Altman

Re: potential for harm in DES AD/MIT trust

2005-06-04 Thread Jeffrey Altman
l such time as they no longer need to be used. With 2003 Server SP1 there should no longer be a reason to use DES keys for anything but compatibility with Java 1.5 and earlier. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private response

Re: remote printing/drive mapping to windows ad with mit kerberos

2005-06-14 Thread Jeffrey Altman
his functionality. One option you have is to allow your users to join their machines to the WIN.AD.REALM. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Offline password attacks on AS-REQ

2005-06-15 Thread Jeffrey Altman
IETF Kerberos Working Group. Unfortunately, due to existing patents and the deployment strategies of some vendors we have not been able to reach consensus on a single approach that would be interoperable for all. Jeffrey Altman -- - T

Re: Offline password attacks on AS-REQ

2005-06-16 Thread Jeffrey Altman
ld force all AS-REQ and AS-REP across an SSL tunnel. If you are this concerned, you should probably require IPSec when talking to your Domain controllers. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Plea

Re: Windows KDC interoperability with linux clients

2005-07-02 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi, > > I am trying to use non-Windows clients to use Windows as KDC. Do the > non-Windows clients need to be part of the domain? If you want to be able to use kerberos for login to the machine then you should have assigned to the machine a "host/[EMAIL PROTECTED]" se

Re: Updating encryption types

2005-07-06 Thread Jeffrey Altman
Phil Dibowitz wrote: > On Tue, Jul 05, 2005 at 01:48:54PM -0700, Phil Dibowitz wrote: > >>from kadmin, great (though is that "no salt" supposed to be there?)! >> >>However, klist -e shows: >> >>[EMAIL PROTECTED] unstale]$ klist -e >>Ticket cache: FILE:/tmp/krb5cc_36070 >>Default principal: [EMAIL

Re: Java sample for SSO using JAAS on XP SP2,

2005-07-09 Thread Jeffrey Altman
indows using Kerberos, you can obtain the Kerberos user principal name. This name does not have to match the name of the Windows logon name. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses

Re: Assertion failures

2005-07-09 Thread Jeffrey Altman
-disable-threads will turn off support for building multi-threaded applications. In my opinion, it is best if you build your libraries and applications for the specific version of the OS you are using. Backward compatibility only goes so far. Jeffrey Altman -- - This e-mail account i

Re: Windows SSH client that uses tickets not obtained from AD login

2005-07-11 Thread Jeffrey Altman
Kermit 95 provides support for SSH with GSS and it derives its tickets from KFW. The version distributed by Columbia University is old and not quite up to date but it works. jay alvarez wrote: > Hi, > Do you know any windows ssh client that can use > gss

Re: Kerberos for Windows 2.6.5 ccname FILE: issues

2005-07-15 Thread Jeffrey Altman
:\src\openafs\openafs-cvs\src\WINNT\afsd]kdestroy [C:\src\openafs\openafs-cvs\src\WINNT\afsd]klist klist.exe: No credentials cache found (ticket cache FILE:c:\temp\krbcache) Kerberos 4 ticket cache: API:krb4cc klist.exe: No ticket file (tf_util) Jeffrey Altman Noah Hughes wrote: > I have fou

Re: Minimizing Leash on Start up

2005-07-15 Thread Jeffrey Altman
remove the -autoinit parameter. If you haven't read the Leash User Documentation, KFW Release Notes, and MSI Deployment Guide, please do. Jeffrey Altman Noah Hughes wrote: > Is there any current way to keep Leash from prompting for a password > the first time it starts? Ideally, It

Re: EAP-Kerberos

2005-07-19 Thread Jeffrey Altman
realm act as a proxy to other realms? You already have a proxy that will be communicating with the KDC from the local realm. Why wouldn't that proxy act like a normal Kerberos client and communicate with each of the realms necessary to obtain service tickets for the source client

Re: SPN Canonicalization

2005-07-24 Thread Jeffrey Altman
Kerberos mechanism it will obtain a Kerberos service ticket and establish a connection to the service. The requirement to make this work is that the names entered by the user (or those constructed by lookup) must have service principal names in the KDB and the keytab files on the machines that are

Re: Kerberos on AIX 5.3 : error :Cannot retrieve key from keytab

2005-07-24 Thread Jeffrey Altman
s/[EMAIL PROTECTED] > > > When klist is able to read /etc/krb5/krb5.keytab file why is kinit > not able to retrieve the key. You are using a Java version of kinit. Does the version of Java you are using support all of the key types included in the keytab file? Jeffrey Altman

Re: Kerberos

2005-08-05 Thread Jeffrey Altman
If you are using the MIT Kerberos APIs they are the same for Unix and Windows. The SDK is available as part of the KFW distribution. Jeffrey Altman Janos wrote: > Hello! My problem is this: > I need to write two simple keberized application for > windows. I have seen examples

Re: Memory Leak problems with krb5_get_init_creds_password?

2005-08-17 Thread Jeffrey Altman
Chet Burgess wrote: > It is important to note that even if you have the > REALM and KDC(s) listed in the file properly the library will still > try DNS first, so you MUST add "dns_fallback = false" to turn off the > resolver calls. I am fairly sure that DNS is not used in preference to the config

Re: Mail.app with multiple accounts using Kerberos

2005-08-19 Thread Jeffrey Altman
you either need to use cross-realm or your applications have to maintain knowledge of which principal should be used to access the given resource. This is a non-trivial problem. Jeffrey Altman Kerberos mailing list Kerberos@mit

Re: Kerberos for Windows 2.6.5 ccname FILE: issues

2005-08-22 Thread Jeffrey Altman
I can replicate the problem but don't see anything obviously wrong. Please send a bug report to [EMAIL PROTECTED] Jeffrey Altman Hughes, Noah L [ECSS] wrote: > Jeffrey, > > You are right, kdestroy.exe works with the FILE:c:\temp\krbcache. The > reason I had trouble was

Re: Password Changing failing from Windows to MIT KDC

2005-08-22 Thread Jeffrey Altman
Mike: I can verify that there is a problem although I cannot determine at the moment what the source of it is. What is the most recent version of KFW that you are aware works? Please send a bug report to [EMAIL PROTECTED] Jeffrey Altman Mike Friedman wrote: > I posted on this a few days

Re: Mail.app with multiple accounts using Kerberos

2005-08-26 Thread Jeffrey Altman
John Rudd wrote: > Jeffrey Altman wrote: > > >> The reality is that in the current day you either need to use >> cross-realm or your applications have to maintain knowledge of which >> principal should be used to access the given resource. >> >> This is

Re: windows browsers send ntlm instead of kerberos tokens

2005-08-26 Thread Jeffrey Altman
Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos support. If you want them to have Kerberos credentials, Windows must obtain them for you when you login to Windows using an Active Directory account. Jeffrey Altman Julien ALLANOS wrote: > Hello, > > I'm

Re: windows browsers send ntlm instead of kerberos tokens

2005-08-26 Thread Jeffrey Altman
Julien ALLANOS wrote: > Quoting Jeffrey Altman <[EMAIL PROTECTED]>: > >> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos >> support. If you want them to have Kerberos credentials, Windows must >> obtain them for you when you login to Win

Re: Tickets get flushed when Windows Xp locked?

2005-09-01 Thread Jeffrey Altman
mathieu.bouffard wrote: > Hi, I have some problems with some compiling jobs running while Windows > XP is locked, and I noticed that when you lock and unlock a session, > all the kerberos TGT and service tickets get deleted and recreated. > This seems to only happen under Windows XP (new security f

Re: Password Changing failing from Windows to MIT KDC

2005-09-02 Thread Jeffrey Altman
Mike: Thanks for this additional piece of information. It is quite possible that the issue is related to NAT effects. I will need to look into the reason why a ticket containing addresses is being obtained. The default for KFW is to not obtain tickets with addresses. Jeffrey Altman

Re: sspi cache vs mit credential cache

2005-09-06 Thread Jeffrey Altman
t all. If the application is written to use the MIT Kerberos libraries then there are two choices. Leash can copy the credentials from the MSLSA ccache into the MIT CCAPI cache or the user can choose to use the MSLSA cache directly. Be sure you are using KFW 2.6.5. Jeffrey Altman -- ---

Re: Win2k3 SP1 ktpass problem.

2005-09-08 Thread Jeffrey Altman
Are you specifying the correct kvno and are you extracting the correct enctype? 2K3 SP1 supports the export of RC4-HMAC keys and that might be the new default. Jeffrey Altman Srinivas Cheruku wrote: > Hi, > > I am using Win2k3 as my KDC. > > I was using the keytab extrac

Re: Win2k3 SP1 ktpass problem.

2005-09-09 Thread Jeffrey Altman
Is the correct kvno value being written to the keytab entry? Use the KFW kvno.exe command to find out what kvno the service principal is using. Then include that value in the ktpass.exe command line with the -kvno command line option. Jeffrey Altman Srini wrote: > Hi, > > I have

Re: Kerberos support in Thunderbird

2005-09-12 Thread Jeffrey Altman
et to get MIT's Kerberos > For Windows (and it's GSSAPI library) used instead of Microsoft's > sspi. > > This line: > > user_pref("network.auth.use-sspi", false); > > Needs to be put into a user's "prefs.js" in their user profile d

Re: Kerberos support in Thunderbird

2005-09-12 Thread Jeffrey Altman
users need to have the ability to disable the use of GSSAPI on a per mailbox basis until such time as we have better client principal selection algorithms in place. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at

Re: Kerberos support in Thunderbird

2005-09-16 Thread Jeffrey Altman
27;s original role in supporting Firefox's > NegotiateAuth implementation - fixing this in some way is bug #307788 @ > bugzilla.mozilla.org > > Simon. I can confirm that prompting works on Windows with MIT KFW 3.0 and the appropriate settings entered into about:config. Jeffrey Alt

Re: Kerberos support in Thunderbird

2005-09-26 Thread Jeffrey Altman
an't seem to get Thunderbird to retrieve my > email. I do not believe that the MIT mail servers support SASL GSSAPI Kerberos 5 for authentication. You might want to contact the Help Desk to confirm this. Jeffrey Altman -- - This e-mail account is not read on a

Re: Building Debug version of MIT kerberos for windows

2005-09-26 Thread Jeffrey Altman
The only Platform SDK that is supported is the "Windows XP SP2 Platform SDK". The compiler that is used to build it is VS.NET 2003. It sounds like you must obtain a version of awk that works as well. Jeffrey Altman Balakrishnan, Sivakumar wrote: > Hi, > > > >

Re: get only username from REMOTE_USER variable

2005-09-27 Thread Jeffrey Altman
authentication from multiple realms, it is necessary to include the full principal name in REMOTE_USER to distinguish the source of the authentication. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu

Re: Where download MIT KDC binary for Windows?

2005-09-27 Thread Jeffrey Altman
raries on Windows. Jeffrey Altman

Re: Where download MIT KDC binary for Windows?

2005-09-28 Thread Jeffrey Altman
Siva: At the present time MIT KFW only provides the Kerberos client libraries and tools. KFW does not contain either a KDC or any of the kadmin libraries. Jeffrey Altman Balakrishnan, Sivakumar wrote: > You can find it at > > http://web.mit.edu/kerberos/dist/index.html#KFW2.6.5 &g

Re: Kerberos 4 Authentication

2005-09-28 Thread Jeffrey Altman
ining a TGT fail with kinit -4 [EMAIL PROTECTED] and succeed with klog [EMAIL PROTECTED] with the same password? Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to j

Re: Config for enctypes on *received* service tickets

2005-09-29 Thread Jeffrey Altman
A Bad Integrity error is most likely the result of having the wrong key in the keytab entry. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu

Re: AS_REP question

2005-09-30 Thread Jeffrey Altman
ipal and you must obtain a service ticket for that principal and validate that you can decrypt it with the service principal's long term key. Take a look at krb5_verify_init_creds() Jeffrey Altman -- - This e-mail account is not read on a regular basis.

Re: tgt lifetime

2005-10-11 Thread Jeffrey Altman
Vladimir Konrad wrote: > hello, > > i am trying to extend the tgt lifetime to 5 days. i have modified the krbtgt > principal (the showprinc reports the correct lifetime value). the kdc.conf > looks ok (the max_life is set to 7 days). > > but when doing "kinit -l 5d", all i get is 2 days of lifeti

Re: KSSL

2005-10-11 Thread Jeffrey Altman
SL_KEYTAB,KRB5KEYTAB); > } > } > .... > > Thanks, > vj > There are no browsers that I am aware of that support the Kerberos ciphers. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send priv

Re: question on keytabs

2005-10-12 Thread Jeffrey Altman
osign installation to anyone else. If you have done so, you should change the keys immediately. Anyone with access to the cosign keys can gain access to all of the Kerberos 5 TGTs for users that have logged into Cosign. Jeffrey Altman -- - This e-mail account is not read on a

Re: Unable to get a TGT that abides to specified renewal interval

2005-10-15 Thread Jeffrey Altman
/05 13:51:29 krbtgt/[EMAIL PROTECTED] > renew until 10/15/05 03:51:29, Flags: RI > > I would really appreciate any insights to solve this riddle. > > Ciao > Stefano Check the lifetime settings for the krbtgt/[EMAIL PROTECTED] and [EMAIL PROTECTED] principals in the K

Re: Kerberos V5 Authentication for a Telnet Session

2005-10-27 Thread Jeffrey Altman
Neither Microsoft's Telnet Server nor their Telnet client support Kerberos authentication. In order to use Kerberos 5 authentication on Windows you will need to find third party products that provide this functionality. Jeffrey Altman [EMAIL PROTECTED] wrote: > Here is what i want

Re: Kerberos V5 Authentication for a Telnet Session

2005-10-28 Thread Jeffrey Altman
-Kermit's Telnet Debugging is superb if what you are looking for are dumps of the negotiations. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu Ker

Re: X.509 Interop

2005-11-16 Thread Jeffrey Altman
o use a Kerberos service ticket to obtain an X.509 certificate with the same lifetime as the Kerberos ticket. Jeffrey Altman

Re: Cross-realm network traffic...

2005-11-17 Thread Jeffrey Altman
onfigured > appropriately in each realm.) The client talks to a KDC in each realm in order to obtain the TGTs for each realm. KDCs from different realms do not talk to one another. Firewalls should not block port 88/udp or 88/tcp. Otherwise, clients ca

Re: Handling credentials cache on Win32 without loading krbcc32s.exe?

2005-11-28 Thread Jeffrey Altman
to enter their credentials. If this is an end user application, it is preferable for the tickets to be obtained via the provided ticket manager. Leash32.exe in KFW 2.6.5. Jeffrey Altman

Re: Quick Question?

2005-11-28 Thread Jeffrey Altman
d. If you want clients outside the firewall to be able to contact KDCs inside the firewall, you need to open inbound. Jeffrey Altman

Re: Some problem in forming the TGS request pkt with krb5_parse_name()

2005-11-28 Thread Jeffrey Altman
construct the request to the KDC? Please keep in mind that Kerberos authenticates two peers to each other by name. The requirement is that the service principal exist in the Kerberos Database. Do you have service principals in the KDB of the form "host/[EMAIL PROTECTED]"? Jeff

Re: new leash 3.0 issues

2005-12-04 Thread Jeffrey Altman
Are you sure that you mean Leash? Leash has been replaced by NetIdMgr in kfw 3.0. I will contact you privately with a new build to test. Jeffrey Altman Matthew Cocker wrote: > Hi > > I have been having some fun with the 3.0 MSI based install. It seems > that the debug(?) dlls

Re: Telnet authentication problem

2005-12-06 Thread Jeffrey Altman
n > ecrypted telnet session, telnetd comes back with "authorization failed". > Auth is taking place within a single realm. > > Any ideas? TIA! Your service principals do not have single DES enctypes. The MIT Telnet only supports single DES. The Telnet distribution from http:/

Re: Interop/Compat: 3DES used in AS-REP despite no client support

2005-12-07 Thread Jeffrey Altman
When creating or modifying the cross realm principals with MIT kadmin, you must specify the list of enc:salt combinations you wish created for that principal. If you do not specify a list, the default list from kdc.conf will be used. You use the "-e enc:salt ..." option as documented here: http:

Re: KfW 3.0 problem: identity provider

2005-12-07 Thread Jeffrey Altman
Kerberos 5 identity manager. If you determine why the krb5_32.dll cannot be loaded, you will have the answer to your problem. I ask about other implementations because the versions of krb5_32.dll that NRL used to distribute have incompatibilities with the ones distributed by MIT. Jeffrey

Re: Permission denied in replay cache code

2005-12-13 Thread Jeffrey Altman
environments. Note that GSSAPI was not designed with multi-threaded environments in mind. While the MIT implementation is now safer, you must still ensure that only one thread uses each gss security context. Jeffrey Altman Balakrishnan, Sivakumar wrote: > Hi, > > > > I have install

Re: kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address

2005-12-15 Thread Jeffrey Altman
ses listed in the ticket request. Do you have a [libdefaults] entry "noaddresses = false" ? If so, does it make a difference if you change it to "true"? Jeffrey Altman jay alvarez wrote: > Ok, here's what I did: > I am trying to setup a kdc server for mixed un

Re: kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address

2005-12-17 Thread Jeffrey Altman
jay alvarez wrote: > > Jeffrey Altman <[EMAIL PROTECTED]> wrote: Both of the Heimdal KDCs I have > access to work fine but I do > not know what version of Heimdal they are using. > Before, I use to have a heimdal-0.6.x + Leash ticket manager(kfw2.6.5) and >

Re: User delegation in Kerberos V5

2005-12-17 Thread Jeffrey Altman
I don't think you want to give Alice your credentials in this case. What you want to do is associate an ACL with your files/directories which provides Alice permission to access them in the methods you wish to permit. Jeffrey Altman [EMAIL PROTECTED] wrote: > Hi, > > I am wonderi

Re: User delegation in Kerberos V5

2005-12-19 Thread Jeffrey Altman
using AFS, you can give Alice your AFS token to access AFS, but then Alice has all of the privileges that you have. She will not be restricted only to the directories you wish her to access but can do anything you can do. This is simply not smart. Jeffrey Altman

Re: Key version number for principal in key table is incorrect -

2005-12-21 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi all, > > I have seen the earlier replies to the similar issues and tried to > debug myself. Could not solve the issue, so posting once again. > > I am trying to run the gss api sample applications using windows 2003 > server. I have two linux machines and I am tryin

Re: Key version number for principal in key table is incorrect -

2005-12-21 Thread Jeffrey Altman
client principal for which you know the password and can obtain a TGT. This will create for you a credential cache. kvno will not ask you for a credential cache unless it cannot find one with a valid TGT. "kvno sample/[EMAIL PROTECTED]" will report the key ve
