is still UDP only.
Jeffrey Altman
--
-
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman
authenticating realm directly. In this case, change password
operations are taking place as expected.
Can you provide more details about your workstation configuration?
Jeffrey Altman
William G. Zereneh wrote:
> Hello,
>
> In reference to the posting from:
>
> J-F Cloutier jfclouti
immediately or after a random period of time?
Thanks.
Jeffrey Altman
Göran Hjorth wrote:
> Best one!
>
> I install Kerberos because Rexx for MySQL needs it.
> Leash32.exe has a problem reading memory, see the included file from print screen.
> It happens at -autoinit when I start my PC.
If you wish to utilize the Microsoft LSA obtained credentials with
Java Kerberos you should use the JAAS Login Provider. Note this
provider in JRE 1.4.2 is broken on Windows XP. The JRE 1.5 version
should work.
Sleepy wrote:
> I'm attempting to use Java's implementation of Kerberos in a Window
Henry B. Hotz wrote:
> MIT rc4 == Heimdal arcfour == preferred Microsoft encryption type?
Yes. Although in the current released products from Microsoft,
RC4 cannot be used for cross-realm with non-MS KDCs. In those cases
you must use DES-CBC-MD5.
hikari wrote:
> hikari wrote:
>
>> I'll redo it on both (the kdc and xp) and then try again.
>
>
> Which didn't make a difference.
You will have to diagnose it from the Windows side then.
The KDC is issuing a host key and the Windows host is rejecting it.
What is the enctype of the key
hikari wrote:
> Jeffrey Altman wrote:
>
>> What messages are appearing in the KDC log?
>
>
> Comes up with a NEEDED_PREAUTH:
> [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
>
> then two ISSUEs:
> [EMAIL PROTECTED] for krbtgt/[EMAIL PROTE
Did you set the password using KSETUP ?
hikari wrote:
> Jeffrey Altman wrote:
>
>> Please detail exactly what you have done.
>
>
> I've added the host and cifs principals (short version and FQDN) for
> the workstation to the KDC, with its password. I
What messages are appearing in the KDC log?
Are you able to obtain tickets with Leash?
What messages are being logged in the Windows Event Log?
hikari wrote:
> Jeffrey Altman wrote:
>
>> Did you set the password using KSETUP ?
>
>
> Y
Please detail exactly what you have done.
hikari wrote:
> Hi All,
>
> I'm trying (and XP is /being/ very trying right now) to get
> integrated logins working with XP and an MIT KDC. I've been following
> the brief guide in the Release Notes and got it so, that as far as I can
> tell, it
which ships with Kerberos.
http://srp.stanford.edu/
Jeffrey Altman
mdj_kerberos wrote:
> Hi Group,
>
> I am trying to kerberize both telnet server and client. Could you
> please assist in how to go about it ?
> ( say, first we need to get the context for the kerberos ...).
Did you configure the %WINDIR%\KRB5.INI to specify the location of the
kdc in the realm?
Dominic Komareddy wrote:
> Hi,
> I am new to Kerberos. I have set up the Kerberos server on a Linux box. The KDC
> and Kadmin daemons are running. I have also downloaded Kerberos for Windows on
> anothe
Are you unable to create the path /usr/local/var/krb5kdc ?
Graham Turner wrote:
> Dear all,
>
> quoting the install guide in the krb51-3.3 distribution from MIT
>
> "The kdc.conf file contains KDC configuration information, including
> defaults used when issuing Kerberos tickets. Normally, you sh
Dan Million wrote:
> Jeffrey Altman wrote:
>
> Yup. It's a brand new machine and this is the first time we've tried KFW.
>
> Thank you. I'll keep trying.
>
> Dan
What do you have specified in your KRB5.INI file?
e this change for the next
release.
As for why you are unable to obtain a KDC from Leash but can from
kinit.exe, I have no idea. They should both be using the same krb5.ini
file and the same libraries. Are you sure you have only one version
of KFW on the machine?
Jeffrey Altman
Dan Millio
kinit does not send the password in clear text unless the kerberos
libraries have been replaced by a trojan horse.
melissa_benkyo wrote:
> hello folks,
>
> thanks for all the help. I wouldn't have make it here so far without
> your help. :) thanks. Now I'm trying to use pam api's instead but t
Wyllys Ingersoll wrote:
> krb5_kuserok is sort of an aberration. It's a weak attempt at
> an authorization interface. It's very easy to write your own
> non-KRB5-API dependent version of krb5_kuserok using just GSSAPI calls
> and standard C library functions.
>
> Obviously, you must assume some Ke
or Kerberos.
If you support this idea, please file a request with Sun.
Jeffrey Altman
You can always use JNI to wrap the necessary function calls from the
C based MIT Kerberos library.
Or you can extract the credential cache file format from the MIT
source code and re-implement it in Java.
Richard Gundersen wrote:
> Hi
>
> In case my previous question didn't sound clear, I've
Your output shows a kerberos 5 afs service ticket for WEB.RPI.EDU
and an afs token for web.rpi.edu.
aklog worked.
Andrew Bacchi wrote:
> Using MIT Krb5 1.3.2 from source, and afs-krb5.2.0.
>
> I'm not sure I'm getting converted tokens with aklog. I cannot
> read/write to AFS even if I kinit a
Milos Djukic wrote:
> How can Kerberos authenticate a user who isn't communicating through a Kerberized
> server? Will the request be automatically rejected as the user is trying to gain a
> service from an un-trusted server. If so, can the administrators of the Kerberos and
> the non-kerberos s
What does "hostname" say the machine name is?
[EMAIL PROTECTED] wrote:
> Thanks for the suggestions ... I thought it might be the kvno - but I
> checked:
> ---
> kadmin.local: getprinc host/kas.ruz.lat
> Principal: host/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Sat Ap
Via e-mail? :-)
I do not understand this question. Kerberos is an authentication
protocol not a messaging protocol.
Milos Djukic wrote:
> How do Kerberos users communicate with non-kerberos users?
credential
cache files. MIT Kerberos is certainly a choice for this.
Jeffrey Altman
melissa_benkyo wrote:
> I'm looking it up. and I'm using SEAM kerberos. I don't think it
> supports the kerberos API calls. Has anyone done kinit with SEAM
> kerberos?
>
> thank
The warning does not say all that much to me without providing a list
of the function names it thinks are the same.
Jeffrey Altman
Thomas Huang wrote:
> Hi,
>
> I am trying to build a custom Kerberos client application under Sun
> Solaris 9 using CC WorkShop 6 Update 2. The build
Inger, Slav (.) wrote:
> Hi all,
>
> I tested cross-realm awhile back and it seemed to work fine, not sure why I'm
> running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is
> Active Directory, clients are running Solaris and HP-UX with Kerberos and
> appropriate patc
[EMAIL PROTECTED] wrote:
> Hi, folks
>
> 2) Users wouldn't be happy if they were unable to login one hour every
> time they change password.
>
> So, logical consequence is that master must answer all TGT requests.
> Having a slave around in case master dies is better than nothing, but
> slave
this list.
Jeffrey Altman
Frank Wu wrote:
> Hello All,
>
> I downloaded and installed krb5-1.3.3-i686-pc-linux-gnu.tar on RedHat 9,
> and tried to set it up to work with MS Active Directory for
> cross-platform authentication, but without success. Has anyone tried
> thi
on must see the same name
for the machine as the client machine does from DNS. The GSSAPI
Service does not look for a keytab entry matching the client request,
it attempts to load the keytab entry when it starts.
I agree there are few good ways to debug this other than trac
ft LSA
credentials into a new MIT Kerberos credentials cache or access the
MS LSA credentials in read-only mode via the MIT krb5_ccache "MSLSA:"
ccache interface.
Jeffrey Altman
[EMAIL PROTECTED] wrote:
>>Make sure that the service principals in the KDC do not contain
>>any enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot
>>handle them.
>
>
> Don't understand this. Aren't client programs supposed to choose the
> encryption types they do understand out of th
In Panther you can
#define KERBEROSLOGIN_NEVER_PROMPT 1
I'm not sure that this works with earlier releases.
Nebergall, Christopher wrote:
> Is there a way to programmatically or in a configuration file to disable Mac
> OS X auto-prompting for the user's kerberos password?
>
> I'm interested in
Sensei wrote:
>
> AFS, Kerberos and LDAP are currently on the same server... and I'll keep
> it so...
Many folks on this list will consider running any services on the same
machine as the Kerberos KDC to be a security weakness. You increase the
attack surface of the machine when you do so. If
contain the user's profile and Documents and Settings folders.
I do not know how you would use OpenLDAP in place of the Windows
Active Directory. I suggest you ask that question on an OpenLDAP
mailing list.
Jeffrey Altman
Sensei wrote:
> Hi.
>
> I've built an afs cell, a kerber
GSS-API Kerberos authentication is embedded within application
specific protocols. In this case, you need to write a test application
which implements the SQL query protocol as implemented by the ODBC
drivers.
the Java-ODBC driver interface provides very poor performance and is
usually regarded a
Sleepy wrote:
> Hello all,
>
> I have some questions that I would appreciate getting some expert
> Kerberos assistance with.
>
> 1) Is SQL Server limited to DES encryption only?
>
> The reason I ask is that I have discovered empirically that the
> SQL Server service startup account needs
enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot
handle them.
Jeffrey Altman
In speaking with contacts at Microsoft, they have assured me that this
situation, Logon Session Authenticated by NTLM and yet having Kerberos
tickets in the LSA Cache can only happen if the KDC on the PDC was not
functioning at the time you logged in. If this is the case, there will
be records in
Vikas Gandhi wrote:
> Jeffrey
> Even I am trying hard to understand the meaning of this. I also run
> the sspi samples and they ran fine. So I am more than confused ???
>
> Can you guide me what next should I try to debug? How can I change
> NTLM to Kerberos
> Any hint to proceed
>
>
Vikas Gandhi wrote:
> In function IsKerberosLogon()
> if ( !lstrcmp(L"Kerberos",buffer) )
> Success = TRUE;
> The value of buffer in NTLM so success is false.
>
If your logon session is not authenticated with Kerberos
but with NTLM, how are you obtaining tickets for display
by microsoft's "k
I have no idea why you can't find the MSLSA: credential cache.
Since you have built from source why don't you trace it in the
debugger. You should be able to figure it out quite easily.
src/athena/auth/krb5/src/lib/krb5/ccache/cc_mslsa.c
Ker
Vikas Gandhi wrote:
> Finally I found my mistake. I put a variable set KRB5_KTNAME=.\\krb5kt
> Then I started running the server and this was successful
> Now the client part It cribs
> C:\gss>gss-client.exe -port beetle mittest hello
> GSS-API error initializing context: Miscellaneous f
Vikas Gandhi wrote:
> Now I reversed the entry
>HKLM\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
>HKCU\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
> and introduced new entry
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerbe
You need a keytab file for the gss-server.exe because the service
must know its key. If it does not know its key, then it cannot
decode the service ticket presented to it by the gss client.
Jeffrey Altman
Vikas Gandhi wrote:
> Why do need krb5kt for It is no where.
> I understan
You did not answer the most important question I asked you.
Where is your krb5kt file? and is there a service key in the file?
As for kinit, you cannot use 'kinit' with MSLSA: ccaches since the
MSLSA: ccache is read-only. MSLSA: only works if you have already
performed a login via Windows and th
the KRB5.INI file should go in %WINDIR%. Where are you placing the
keytab file containing the server keys for the service principal?
Vikas Gandhi wrote:
> Hi
> Also I tried to run the gss-server that comes along where I am
> getting
> C:\OSBA\kfw-2.6-final\src\athena\auth\krb5\src\appl\g
hipping.
Not to say that forcing the use of des-cbc-crc is a good idea, it's not.
Just pointing out that there are still interop problems based entirely
in the implemented set of enctypes.
Jeffrey Altman
What are you testing gss.exe against?
The version of the GSS-SSPI server which is shipped
as part of the MS SDK is incompatible with the GSS.EXE
as shipped in KFW 2.6. We are working with Microsoft
to release updated versions of the example code.
Jeffrey Altman
Vikas Gandhi wrote:
> Hi
The current version is Kerberos for Windows 2.6 and it is
available from http://web.mit.edu/kerberos/
Christopher T Vogan wrote:
>
>
>
> Hi,
>
> I am a test for IBM NFS for z/OS product.
> I am trying to test NFS with auth_GSS authentication. This method requires
> the use of Kerberos v5.
>
Yes. Set the environment variable
KRB5CCNAME=MSLSA:
before initializing the GSSAPI32.DLL
Vikas Gandhi wrote:
> Hi ALL
> As MSLSA is supported by current distribution of the kfw 2.6. Can
> this be used to authenticate against the Active Directory of windows
> 2003.
>
> i.e. Can I wr
who has authenticated
has the necessary privileges or not to access the service.
Jeffrey Altman
What is KFW 1.2.6 ?
KFW version numbers are 2.5 and 2.6. Krb5 version numbers are 1.2.x and
1.3.x.
KFW 2.5 ships with Krb5 1.3.1
KFW 2.6 ships with Krb5 1.3.2
Jeffrey Altman
KFW Maintainer
Marcel wrote:
> hello,
>
> just wanted to ask if there is possibility or a howto to force
Vikas:
I answered the question that I could answer. I do not know the
answer to whether anyone has written a program that uses both
the netscape-sdk and MIT KfW 2.5. I certainly have not.
Jeffrey Altman
Vikas Gandhi wrote:
> Hi Jeffrey
> I am asking a basic fundamental question. Has s
efore starting your application and the credentials from the MS LSA
cache will automatically and transparently be used.
Jeffrey Altman
KFW Maintainer
If you are an MSDN subscriber I suggest you download Virtual PC for
Windows and install Linux within a virtual machine to use for testing.
If you are not an MSDN subscriber, I suggest you purchase a license to
VMWare.
Ish-Lev Avshalom wrote:
> I have downloaded kfw-2.5 and it compiled fine on
defective
and really needs to be upgraded to correct not only security
problems but a programming error which can result in system
crashes from correct use by applications.
Jeffrey Altman
KFW Maintainer
steve hauser wrote:
> Hello, I'd like to use your kerberos for my Win98 system but it w
TELNET only supports DES encryption types.
However, that warning means that the telnet client does not
include support for encryption. Which client are you using?
Jeffrey Altman
Neelima Adusumilli wrote:
> Hi!
> When I'm running telnet with -ax option it is giving th
KFW is only a Kerberos client library.
The MIT KDC is not supported on Windows.
Jeffrey Altman
KFW Maintainer
Gerard Murphy wrote:
> Is it possible to set up a KDC, using KfW 2.5, on a Windows 2000
> Professional or XP machine, so that I can use the LeashManager to get
> tickets?
>
Doug:
KfW requires Aug 2001. There is nothing in the newer SDKs that is
required. Using newer SDKs is advised but not required.
- Jeff
Douglas E. Engert wrote:
> Have seen this before. You need the Microsoft SDK.
> See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
>
ndows machine.
no
> I'm asking, because my test-suite is on a Windows XP machine and the final version
> has to
> run on a vxworks system.
there is no in memory credentials cache for vxworks.
Jeffrey Altman
Kerbero
the in memory credential cache is distributed as part of the
MIT Kerberos for Windows distribution. Version 2.5 is the
last official release; 2.6 is currently in beta.
http://web.mit.edu/kerberos
Jeffrey Altman
KfW Maintainer
Marcel Lehner wrote:
> I had read somewhere that it is possi
The [EMAIL PROTECTED] mailing list is an inappropriate place for this
discussion.
Please hold this discussion on [EMAIL PROTECTED] OR open a bug report in the
Request Tracker by sending e-mail to [EMAIL PROTECTED]
Thank you.
John Hascall wrote:
Beata A. Pruski wrote:
I must say I don't underst
Workstation using KSETUP?
Jeffrey Altman
Tyson Oswald wrote:
> Hello all,
>
> I read the white paper on the MS site
> (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> to setup AD authentication on Unix. It is based on MIT KDC, but I am
> using SE
Jeffrey Altman wrote:
As the tool affects the Windows 2003 Server LSA configuration, it should
allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC.
(Assuming I can get it to work.)
RC4-HMAC support for cross realm trusts will not be available in Win2003
Server until SP1.
Jeffrey
Alberto Patino wrote:
On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
I have verified with Microsoft that the default configuration of Windows
2003 does not allow the use of RC4-HMAC with MIT KDC Trust
relationships. There is functionality to support this mode of operation
unfortunately
Examine the Kerberos 5 1.3.2 Admin Docs on the MIT Kerberos web site.
Beata A. Pruski wrote:
I did some more search within the source code (kfw-2.5) and found out that
there are two entries in the realms section of the configuration file which
are used for locating kdc(s). They are called "kd
Beata A. Pruski wrote:
I must say I don't understand why within krb5_get_init_creds_password, after
the first call to krb5_get_init_creds (with use_master being 0) returns
KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function
with use_master set to 1. Shouldn't there be some
ation to construct a tool to enable
RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
build one in the next day or two for inclusion within the final release
of KfW 2.6. At the very least this tool will allow you to specify a
MIT Realm Name and allow the RC4-HMAC
Is kadmind running?
Marcel Lehner wrote:
> Can anyone help me?
>
> When I try to start kadmin I always get the following message after entering
> my password:
>
> "kadmin: Communication failure with server while initializing kadmin interface"
>
> KDC is running fine and I also get tickets
registered as the prompter and it is called as a result of
krb5_get_init_creds_password() without a password being provided as an
argument. Hence, the password is only prompted for once.
Jeffrey Altman
KfW Maintainer
Beata A. Pruski wrote:
> I have a hard time to get the posix prompter to run under
Digant Kasundra wrote:
> I think that's one of the ways you can do it, but that setup isn't
> considered "pass-through authentication," which is what we are going for.
That is the only way to do it. There is no term called "pass-through"
authentication within Kerberos. The authentication betwe
The kadm5 library is currently not supported on Windows as part of KfW.
It would certainly be a worthwhile feature to request. Why don't you
send a feature request to krb5-bugs (at) mit.edu.
Jeffrey Altman
Colin Caughie wrote:
>>"kadmin" is a KDC administration tool.
machine hosting
the KDC, then you can securely move it to Windows and place it somewhere
that your KfW based application can find it.
Jeffrey Altman
KfW Maintainer
Colin Caughie wrote:
> Hi,
>
> I'm looking into using Kerberos (probably MIT) to add secure authentication
> to a
Which version of MIT Kerberos is the KDC?
And more importantly, does the user principal in the MIT KDC have a key
of type RC4-HMAC associated with it?
Jeffrey Altman
rousset wrote:
> Hello,
>
> I have established a trust relationship between Active Directory and MIT
> Kerberos r
--- Begin Message ---
Microsoft ASN.1 Library Length Overflow Heap Corruption
Release Date:
February 10, 2004
Date Reported:
July 25, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT 4.0 (all versions)
Microsoft Windows 2000 (SP3 and earlier)
Microsoft Windows
--- Begin Message ---
Microsoft ASN.1 Library Bit String Heap Corruption
Release Date:
February 10, 2004
Date Reported:
September 25, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Security Bulletin MS04-007:
ASN.1 Vulnerability Could Allow Code Execution (828028)
Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
Summary:
Version Number: V1.0
Revision Date: 02-10-2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating:
For Windows 2000 Server the key is:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)
King Lung Chiu wrote:
Hi Jeffrey,
thanks for the reply.
The session key type is 0 (or NULL). What operating system are you using?
I'm running cygwin unde
The session key type is 0 (or NULL). What operating system are you using?
King Lung Chiu wrote:
> OK, here's a bit more info:
>
> $ export KRB5CCNAME=FILE:C:/cygwin/tmp/krb5ccwin;leash32 -m;klist -5 -e
> Ticket cache: FILE:C:/cygwin/tmp/krb5ccwin
> Default principal: [EMAIL PROTECTED]
>
>
What operating system are you running on?
If it is Windows 2003 or Windows 2000 Server or Windows XP SP2 then the
problem is that you need to set a registry value to enable the
exportation of TGTs from the Kerberos LSA with the session key intact.
Jeffrey Altman
King Lung Chiu wrote:
>
().
Jeffrey Altman
Kevin Burton wrote:
> Do you have any suggestions as to how to do that?
>
> "Sam Hartman" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>>Are you using krb5_prompter_posix? If so, this does not really work
>>on Windows
You don't need to install a KDC but you do need to ensure
that the keytab file you created is in the proper format
expected by Kerberos on VMS. If KerberosAdmin is the
only tool available to read/write keytab files then you
will need to install whatever is necessary to obtain access
to that tool
If you want to provide separate mappings of hosts to domains, then
you will have to provide domain to realm mappings for each individual
machine name
Sam Hartman wrote:
>>"Inger," == Inger, Slav (S B ) <[EMAIL PROTECTED]> writes:
>
>
> Inger,> Final question for today: is it explicitl
Does the VMS KerberosAdmin tool recognize the keytab file? What does
list keytab
report?
Juha Nieminen wrote:
> We are testing Kerberos on OpenVMS.
> We are running VMS 7.3-2 and
> Kerberos for OpenVMS v2.0-6, client setup.
>
> Realm and KDC are in windows2003 server.
> W2K workstations
Ken Weaverling wrote:
> In article <[EMAIL PROTECTED]>,
> Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>>Is the KDC being found via DNS or via entries in a krb5.conf file?
>
>
> krb5.conf I believe -- does windows DNS on active directory stash the
> kerberos lo
I should mention that the krb5_locate_kdc() function is one that has
undergone a major re-write between 1.2.7 and 1.3.1. Any findings
that the error is in krb5_locate_kdc() can only be responded to with
a request that you upgrade to the current release of the distribution.
Jeffrey Altman
> Also, this uses a windows 2000 server for KDC. It had done that for
> over a year with no problems. This problem happened when we migrated
> the server from redhat 7.3 to Redhat enterprise linux (RHEL) 3 over
> the holidays.
Is the KDC being found via DNS or via entries in a krb5.
If you need to use ms2mit to gain access to your credentials then you
must use KfW because only KfW has the support for the CCAPI based memory
cache. This support is not available when krb5 is built under cygwin or
when krb5 is built outside of the KfW framework.
Jeffrey Altman
KfW Maintainer
None of these items are supported by the MIT Kerberos Development team.
The only one that you would want to use is (3) so that the resulting
program can access the in memory credentials cache.
You will most likely have to modify the build for openssh to make this
work.
Jeffrey Altman
KfW
Version 1.3.1 distribution
to install and configure a KDC on Unix/Linux. Or you can use one of the
Kerberos distributions which comes with a variety of major commercial
operating systems from Windows Server to HP-UX to Mac OS X to AIX to
Solaris to
Jeffrey Altman
Prabodh Achyutha M wrote:
>
David Magda wrote:
>
> And what prevents a Kerberos server from being compromised? Any
> system can have a root-kit installed on it.
Simple. You don't run any other services on your KDC.
All access is via physical connections. Small network footprint
results in extremely low chance of hacking.
What does Kermit list for the output of
AUTH K5 LIST /E
after attempting to connect to the Telnet Service?
Ryan Odgers wrote:
> I created them with ktpass using the defaults of which DES-CBC-CRC should be
> the default. I also tried switching my server to use MD5 type encryption and
> using
What are the service principal and session key keytypes for the
host/[EMAIL PROTECTED] ticket?
If they are not DES-CBC-CRC then you will not be able to
negotiate DES encryption in Telnet protocol.
Ryan Odgers wrote:
> I get the following error when trying to connect with kermit telnet:
> key
GSSAPI Kerberos V5 is being used for authentication
LDAP is being used for authorization. This is not the same
as using LDAP for authentication.
Jeffrey Altman
Harry Le wrote:
> Not entirely true.
>
> Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerb
LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network. Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to
mpile time.
Jeffrey Altman
software should do the
rest.
Jeffrey Altman
. If you have a system which is consistently
producing bad data
at a known point it would be good to see if we can trace it down.
Jeffrey Altman
John Hascall wrote:
6303373b766d61124537494153544154452e4544550067710e403f616673
c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U
ol\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x1 (DWORD)
if you want to allow KfW to import Windows LSA credentials into the
MIT ccache via either ms2mit or Leash.
Jeffrey Altman
Ryan Odgers wrote:
> Hi Doug,
>
> still on win2000
> I can authenticate and get tgt ticket wit