Re: Streamlining host principal keytab provisioning?

2012-04-24 Thread Simon Wilkinson
On 24 Apr 2012, at 14:06, Jeff Blaine wrote: > How are people provisioning host principal keytabs in > large quantities? I've never really seen anyone discuss > this. It's not 1988 anymore ;) I built a system to do this for my former employer, and presented on it at the 2005 Best Practices Work

Re: Lion problems

2012-03-11 Thread Simon Wilkinson
On 11 Mar 2012, at 17:42, Jaap Winius wrote: > Today I attempted to get a Kerberos client running on Mac OS X. This > is a 10.7 (Lion) system on which I had just installed a package from the > mit.edu site called Mac_OS_X_10.4_10.6_Kerberos_Extras.dmg. Lion uses a Heimdal based Kerberos, rathe

Re: Help: Can OpenSSH get OpenAFS token after the client login?

2011-06-11 Thread Simon Wilkinson
On 11 Jun 2011, at 18:22, "Markus Moeller" wrote: > If I remember right when GSSAPIauthentication is used and the client has a > valid Kerberos ticket pam won't be called on the server, so the pam module > won't help in that case. No, the PAM stack is invoked whatever mechanism has been used t

Announce: GSSAPI Key Exchange Patch for OpenSSH 5.7p1

2011-01-25 Thread Simon Wilkinson
Hi, I'm pleased to announce the availability of my GSSAPI Key Exchange patch for OpenSSH 5.7p1. In addition to adding support for key exchange, vital for enterprise users of SSH and Kerberos, it also adds a number of other GSSAPI related features: *) Cascading Credential Renewal - when e

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Simon Wilkinson
On 4 Jan 2011, at 10:57, Lee Eric wrote: > debug1: Unspecified GSS failure. Minor code may provide more information > Key table entry not found > [...] > So I notice that it was due to SSH server side cannot find keytab but > it exists in /etc/krb5.keytab: > -r. 1 root root 526 Jan 3 00

Re: Kerberos5 + SSH Questions

2011-01-03 Thread Simon Wilkinson
On 3 Jan 2011, at 20:04, Brian Candler wrote: > On Mon, Jan 03, 2011 at 06:15:54PM +0000, Simon Wilkinson wrote: >> You probably also want: >> >> GSSAPIKeyExchange yes > > Does Fedora come with that patch already applied then? Yes. They added it in Fedora 13, an

Re: Kerberos5 + SSH Questions

2011-01-03 Thread Simon Wilkinson
On 3 Jan 2011, at 17:54, Brian Candler wrote: > On Mon, Jan 03, 2011 at 09:02:59PM +0800, Lee Eric wrote: >> My server OS is Fedora 14 and Kerberos version is 1.8.2-6 by using RPM >> based. I tried to make SSH combined with Kerberos but it looks like >> the authentication is failure when using Ke

New release of GSSAPI Key Exchange patch

2011-01-02 Thread Simon Wilkinson
[ If you're not familiar with the GSSAPI key exchange patches, or unsure why they make OpenSSH usable in large Kerberos deployments, http://www.sxw.org.uk/computing/patches/openssh.html contains some background information ] Regular readers of these emails will be aware that they've recently al

Re: GSS_C_NO_NAME for desired_name?

2011-01-01 Thread Simon Wilkinson
On 1 Jan 2011, at 16:48, Brian Candler wrote: > > That is: if someone broke into httpd, and it was using a shared > keytab > which also contained the sshd key, then they'd be able to go fetch > (and > abuse) the sshd key. You're not necessarily only concerned with local attackers here. Enc

Re: GSS_C_NO_NAME for desired_name?

2011-01-01 Thread Simon Wilkinson
On 1 Jan 2011, at 14:31, Brian Candler wrote: > On Fri, Dec 31, 2010 at 12:34:13PM -0500, Greg Hudson wrote: >> On Fri, 2010-12-31 at 06:32 -0500, Brian Candler wrote: >>> I'd like to propose this upstream, but first would like some feedback as to >>> whether this is likely to be a safe change to

Re: GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH principals?

2010-06-08 Thread Simon Wilkinson
On 8 Jun 2010, at 22:05, Russ Allbery wrote: >> In general I find that sshd really does a very poor job explaining the >> reason why things went wrong when it comes to Kerberos/GSSAPI. I've got >> some free cycles this summer that I can put towards fixing that if it's >> something that can be fix

Re: OpenSSH GSSAPI gives "Cannot find ticket for requested realm"

2010-06-02 Thread Simon Wilkinson
> > Karmic 9.10: OpenSSH 5.1p1-6ubuntu2, libgssapi-krb5-2 > 1.7dfsg~beta3-1ubuntu0.6 > Lucid 10.04: OpenSSH 5.3p1-3ubuntu3, libgssapi-krb5-2 1.8.1+dfsg-2 This particular version change makes me suspect something related to DES tickets. Does the service ticket you're trying to obtain have encryp

Re: bug: krb5_get_host_realm() no longer uses DNS

2010-05-17 Thread Simon Wilkinson
On 17 May 2010, at 22:07, Nicolas Williams wrote: > You can always use GSS_C_NO_CREDENTIAL and then inquire the established > security context's acceptor principal name to see that it matches what > you expected. When I added StrictAcceptorCheck support to my OpenSSH patches (and to rot in thei

Re: Using OpenSSH with multiple Kerberos principals

2010-03-09 Thread Simon Wilkinson
On 9 Mar 2010, at 07:01, Jiawen Chen wrote: > I apologize if this is the wrong list on which to ask help. If > that's the case, please send me a pointer to the right list (perhaps > the OpenSSH list?). You want the GSSAPIClientIdentity option. It's been part of my key exchange patch

Fwd: [Bug 1242] GSSAPI Keyexchange support

2010-02-09 Thread Simon Wilkinson
Just because I know readers of this list have been following the GSSAPI Key Exchange saga over the last 9 years, I thought the following mail from OpenSSH's bug tracking system might be of interest. I still believe that their argument is bogus, and I will continue to maintain the OpenSSH key ex

Re: Automatically distributing nfs/ssh host principals

2010-02-09 Thread Simon Wilkinson
On 9 Feb 2010, at 15:24, Ken Raeburn wrote: > The idea has been kicked around before, and I believe one variant > (registering a new host principal over a kadmin session protected by > anonymous PKINIT) has been tried out in MIT's current development code. What we do here is require the input

GSSAPI Key Exchange Patch for OpenSSH 5.3p1

2010-01-24 Thread Simon Wilkinson
From the better-late-than-never department, I'm pleased to announce the availability of my GSSAPI Key Exchange patches for OpenSSH 5.3p1. This is a pretty minor maintenance release - it contains a couple of fixes to take into account changes to the underlying OpenSSH code, and a compilation

Re: Hack Kerberos / AFS

2009-09-29 Thread Simon Wilkinson
On 29 Sep 2009, at 10:31, Remi Ferrand wrote: > Hye, > > I need help to create a little hack on Kerberos / AFS. You'd be much better off asking this question on the openafs-devel list, to which I've directed follows. This is definitely off-topic for krb-devel, and is actually not particularl

GSSAPI Key Exchange Patch for OpenSSH 5.2p1

2009-07-26 Thread Simon Wilkinson
Somewhat belatedly, I'm pleased to announce the availability of my GSSAPI key exchange patches for OpenSSH 5.2p1. Apologies for the delay in getting these out, a honeymoon, followed by the pressure of work, made the first half of this year rather busy! Whilst OpenSSH contains support for GSS

Re: Keytab server principal cuts off at @

2009-06-16 Thread Simon Wilkinson
On 15 Jun 2009, at 19:30, Charles Breite wrote: > I am wondering if anyone has seen this where the principal is > cut off. I have regenerated the keytab several times and re-checked > the > windows accounts we are using for the auth. Shouldn't the principal > be HTTP/servername.domain@d

Re: Problem: passwordless SSH-login with Kerberos doesn't work

2009-06-15 Thread Simon Wilkinson
> > That's what sshd uses (probably through gethostname()) to determine > what > principal name to search for in the keytab. My GSSAPI KeyExchange patches (at http://www.sxw.org.uk/computing/patches/openssh.html) add support for a 'GSSAPIStrictAcceptorCheck' option, which can be used to pe

Re: Principal for Apache httpd vhost

2009-05-11 Thread Simon Wilkinson
On 11 May 2009, at 19:34, Richard E. Silverman wrote: > >Frank> What is the correct behavior and configuration? Thanks for >Frank> your help. If you don't control your clients, then you want to add a principal for every name that a client may use to reach your server. And then use th

GSSAPI LDAP support for Thunderbird

2009-03-19 Thread Simon Wilkinson
Just to let folk know, support for Kerberised access to LDAP address books has just landed in the Thunderbird 3 tree. Any feedback (nightly snapshot builds are available) would be appreciated! Thanks, Simon.

Re: Long-running jobs with renewal of krb5 tickets and AFS tokens

2009-03-16 Thread Simon Wilkinson
On 28 Feb 2009, at 23:04, Thomas Kula wrote: > On Sat, Feb 28, 2009 at 05:42:58PM -0500, Jason Edgecombe wrote: >> We have users who need to run long-running jobs and store their >> files in >> AFS during the run. >> >> I've read the k5start and k5renew man pages, but I don't see how I >> can

Re: Kerberos auth based on ticket

2008-12-16 Thread Simon Wilkinson
On 16 Dec 2008, at 14:32, Rowley, Mathew wrote: > My question was more - if you have PAM and GSSAPI both enabled, > will the ssh client still go through the PAM stack (for > authorization purposes). Yes it will. Any authorization rules enforced by the account step, any additional credenti

Re: Kerberos auth based on ticket

2008-12-16 Thread Simon Wilkinson
On 16 Dec 2008, at 13:37, Rowley, Mathew wrote: > If you have a kerberos ticket, and ssh to a box that has GSSAPI > enabled, will that pass through/disregard the PAM stack? With OpenSSH, it will use the setcred bit of the auth stack, and the account and session stacks, but disregard the auth

Re: Destroy expired tickets?

2008-11-07 Thread Simon Wilkinson
On 6 Nov 2008, at 15:05, Ken Raeburn wrote: > On Nov 5, 2008, at 21:16, Stefan Monnier wrote: >> How can I destroy expired tickets? >> >> They're useless at best, and in some cases they're positively harmful >> (their presence prompts `ssh' to contact the KDC to try and delegate >> credentials, w

Re: Kerberize MS Exchange?

2008-10-14 Thread Simon Wilkinson
On 14 Oct 2008, at 23:21, Markus Moeller wrote: > I can also confirm that outgoing SMTP with GSSAPI auth works with > Thunderbird against sendmail. If anyone is having problems with GSSAPI and Thunderbird which they believe is a bug in the product, please open a bug in their Bugzilla and Cc:

Re: SSO

2008-07-18 Thread Simon Wilkinson
On 18 Jul 2008, at 12:13, Michael Ströder wrote: > Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought > it's just a service ticket. SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the deleg_creds flag when calling into the API, then a TGT will be includ

Re: SSO

2008-07-18 Thread Simon Wilkinson
On 18 Jul 2008, at 15:34, Michael B Allen wrote: > > As stated before this is completely false. These browser configuration > options accept a domain name which makes all the configs the same. Given that I wrote portions of this code, I'm entirely aware of what it can, and can't do. In situatio

Re: SSO

2008-07-18 Thread Simon Wilkinson
On 18 Jul 2008, at 06:57, Russ Allbery wrote: > "Michael B Allen" <[EMAIL PROTECTED]> writes: > >> If you read the whole thread you'd know I'm only talking about the >> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at >> all >> whereas with WebAuth you might need to. > > You'r

Re: Is a Kerberos principal always a DNS name?

2008-04-26 Thread Simon Wilkinson
On 25 Apr 2008, at 04:23, John Hascall wrote: > > >> If we take for example an sshd server on a typical Unix host, how >> does >> it figure out its own principal name? Suppose it has keys for >> multiple principals in the keytab, which one would it choose? > > I can't speak for how sshd does it,

Re: advice on kerberizing products

2008-04-23 Thread Simon Wilkinson
On 23 Apr 2008, at 20:23, Ken Hornstein wrote: >> > 1) Dynamically load all Kerberos functions at runtime with dlopen() or >the equivalent. > > 2) Encapsulate all of your Kerberos functionality into an open-source >module or program and have your customers compile that > particular bit >

GSSAPI Key Exchange Patch for OpenSSH 5.0p1 (plus an added extra)

2008-04-04 Thread Simon Wilkinson
It's that time again! There's been another OpenSSH release, and once again, I'm pleased to announce the availability of my GSSAPI Key Exchange patch for it. Whilst OpenSSH contains support for GSSAPI user authentication, this still relies upon S

Re: delegating principal creation to a web process

2008-03-21 Thread Simon Wilkinson
On 21 Mar 2008, at 01:36, Jason Edgecombe wrote: >> > The script will check that the user is in the /etc/password file. The > keytab will only have privileges to add accounts, so existing accounts > like admin/root are safe. Bear in mind that if you have wildcards anywhere in your ACLs, you don't ju

Re: delegating principal creation to a web process

2008-03-20 Thread Simon Wilkinson
On 20 Mar 2008, at 17:52, Jason Edgecombe wrote: > We're working on creating a process that will automatically create a > kerberos principal for a user when they agree to the computer policies > on a web page. We do this, although probably in a less restricted fashion than you desire. Our 'Fr

Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1

2008-03-01 Thread Simon Wilkinson
On 1 Mar 2008, at 03:12, Russ Allbery wrote: > Matthew Andrews <[EMAIL PROTECTED]> writes: > >> Hmmm The cascading credentials code sounds interesting, but >> raises >> the practical question of how does one deal with derived credentials. >> > Just re-run the session PAM stack with PAM_REFR

Re: sshd: ../../include/k5-thread.h:704: k5_mutex_finish_init_1: Assertion `(&(&m->os)->n)->initialized != K5_MUTEX_DEBUG_INITIALIZED' failed.

2008-01-22 Thread Simon Wilkinson
Is pam_krb5 linked against the same Kerberos library as openssh? If you're building OpenSSH from source, it's possible that you're picking up Umich's broken libgssapi (which is there for NFSv4 support), and not the MIT Kerberos libgssapi_krb5 (RedHat's spec file has a hack to avoid this). Ch

Re: Is "SPN advertisement" or well-known SPNs a security hole?

2008-01-17 Thread Simon Wilkinson
On 16 Jan 2008, at 21:32, Srinivas Kakde wrote: > I > think there must be equivalence between permission required create a > principal on > a KDC and the permission required associate the service principal > name > with network binding information. I think this is an interesting area > of stud

Re: Automating creation of service principals (new hosts, etc)

2008-01-14 Thread Simon Wilkinson
On 14 Jan 2008, at 16:17, Jeff Blaine wrote: > How are people approaching the creation of host/host.foo.com > without human intervention? There have been a couple of talks on this subject at recent AFS & Kerberos Best Practices Workshops: http://workshop.openafs.org/afsbpw05/talks/kerb-auto.htm

Re: Kerberos 5 and DNS aliases

2007-12-02 Thread Simon Wilkinson
>If so, why does the available name depend on the `hostname` setting without >any change in the DNS? Because the server picks the acceptor principal to use for incoming connections by resolving the machine's hostname. You can disable this behaviour, and permit any principal[1] whose key is in

Re: Kerberos 5 and DNS aliases

2007-12-02 Thread Simon Wilkinson
On 2 Dec 2007, at 06:32, Victor Sudakov wrote: > > I have created a principal for each of the several names, and placed > these principals' keys into the destination server's keytab. However > when I try to ssh into this server, GSSAPI auth works only for one of > these names, actually the name w

Re: MIT Kerberos LDAP backend

2007-11-09 Thread Simon Wilkinson
[ Replying to both of your emails at once ] > Do you know of any other method whereby we would be able to > effectively > let Kerberos delegate the authentication step to LDAP, and then > carry on > as if that part had been done itself? I think you're misunderstanding the way that Kerberos wo

Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-09 Thread Simon Wilkinson
On 9 Nov 2007, at 04:04, Danny Mayer wrote: >> >> The manpage (ssh_config(4)) says: >> >> GSSAPIDelegateCredentials >> >> Enables/disables GSS-API credential forwarding. The >> default is no. >> ^ > That makes no sense. The default is no? The defau

Re: sshs ticket length issue

2007-11-06 Thread Simon Wilkinson
On 6 Nov 2007, at 21:28, Edgecombe, Jason wrote: > > The main problem is that I don't get the proper ticket length when > ssh'ing into the solaris 9 machine using my password. Turn off KerberosAuthentication and KerberosOrLocalPasswd, and let sshd use PAM to authenticate your Kerberos password

Re: Kerberos OpenLDAP Frontend

2007-10-05 Thread Simon Wilkinson
On 4 Oct 2007, at 19:02, Booker Bense wrote: > > The only reason to put in a LDAP back end is to simplify the > account management One thing I keep thinking about implementing is an LDAP->kadmin proxy. You'd still have the KDC database in the current DB format, but you'd be able to access it

Re: Using LDAP in place of .k5login

2007-10-02 Thread Simon Wilkinson
>Does anyone have any mods to use LDAP to store the auth_to_local >database? Somewhere or another I've got patches allowing this to be deferred to a daemon that's contacted through a Unix socket (library provides principal and username, daemon says yes or no). I never really got past prototyp

GSSAPI Key Exchange Patch for OpenSSH 4.7p1

2007-09-27 Thread Simon Wilkinson
Hi, I'm pleased to (finally) announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate th

Re: Kerberos and IP aliases

2007-09-11 Thread Simon Wilkinson
On 11 Sep 2007, at 06:38, Mark Davies wrote: On Tue, 11 Sep 2007, Russ Allbery wrote: I patched mod_auth_kerb a long time back to do this and thought that patch was incorporated into the upstream source, but apparently it wasn't. You have to patch it to not explicitly import credentials and i

Re: Kerberos for authentication, php for authorization

2007-06-08 Thread Simon Wilkinson
On 8 Jun 2007, at 17:34, Michael B Allen wrote: > On Fri, 8 Jun 2007 09:00:09 +0100 > Simon Wilkinson <[EMAIL PROTECTED]> wrote: > >> Ultimately, this means you may need to have a keytab containing >> multiple different principals for your service, and have >>

Re: Kerberos for authentication, php for authorization

2007-06-08 Thread Simon Wilkinson
On 7 Jun 2007, at 15:24, " " <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote: > mod_auth_kerb works great in the right conditions. You must be using > IE or a newer Firefox. Linux works great (not sure about other Unix > systems). On Windows the two browsers can only acquire credentials > from t

Re: gssapi auth, and multihomed multinamed hosts

2007-06-06 Thread Simon Wilkinson
On 6 Jun 2007, at 16:55, Michael B Allen wrote: >> I have a Solaris 10 server with two ip addresses: "fixed.example.com" >> and "float.example.com". The latter is an IP address that the server >> sometimes assumes as part of its role in a high-availability cluster. >> >> I have compiled my own ope

Re: GSS-API routine for renewing credentials

2007-04-18 Thread Simon Wilkinson
On 18 Apr 2007, at 22:41, Robert wrote: > > The client should actually not be bothered by the need to initiate > a new > security context with the gateway. That's what you indicate, right? > (The gateway may need the delegated credentials to initiate a new > security > context to a second bac

GSSAPI Key Exchange Patch for OpenSSH 4.6p1

2007-03-13 Thread Simon Wilkinson
Hi, I'm pleased to announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.6p1. This patch adds support for the RFC4462 GSSAPI key exchange mechanisms to OpenSSH, along with some minor fixes for the GSSAPI code that is already in the tree. The patch implements: *) gss-gr

krb5_sendto_kdc fails in some threaded applications

2007-02-20 Thread Simon Wilkinson
I've been doing some further work on Kerberos integration in assorted applications, and I'm seeing some problems with the Gaim 2.0.0 betas and Kerberos 1.5. It would appear that something in Gaim's threading is causing the select in the middle of krb5_sendto_kdc to return EINTR, which is c

Re: GSSAPI keytab location per application

2007-02-15 Thread Simon Wilkinson
On 15 Feb 2007, at 16:32, Peger, Daniel Heinrich wrote: > > Is there any way to specify a keytab different than the default one > on a > per application basis? You can set KRB5_KTNAME in the Unix environment before calling the application, too. It's perhaps not neat - but it does mean that th

Re: SSH with Multiple Interfaces

2007-01-18 Thread Simon Wilkinson
On 18 Jan 2007, at 22:29, Russ Allbery wrote: > > Looks like you're running into this: > > > > I haven't heard anything further about this since this bug report, > and I'm > not sure if either Simon or OpenSSH upstream are interested.

OpenSSH renewed credentials forwarding

2006-10-04 Thread Simon Wilkinson
Hi, As a follow-up to yesterday's announcement of the 4.4p2 GSSAPI key exchange patch set, I'm now looking for people who'd be interested in testing some new, experimental code. I have had a number of requests from people who've wondered whether there is a way of forwarding renewed credenti

New version of OpenSSH key exchange patch

2006-10-02 Thread Simon Wilkinson
Hi, I'm pleased to be able to announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.4p1. This patch adds RFC4462 compatibility to OpenSSH, along with adding additional GSSAPI support that is yet to make it into the main tree. The patch implements: *) gss-group1-sha1-*, gss-g

Re: sshd, Tiger and KRB5CCNAME

2006-08-29 Thread Simon Wilkinson
On 25 Aug 2006, at 19:58, Alexandra Ellwood wrote: > > Is the CCAPI patch even in what went out in the Tiger security > update? AFAICT, it's not, so perhaps the machines where it isn't > working have taken the update and the others have not. No, it is. It looks like the Tiger security updat

Re: webmail and GSSAPI authentication to imapd

2006-04-20 Thread Simon Wilkinson
[EMAIL PROTECTED] wrote: > So I suppose there is not any well known way to do this. I am willing to > setup pubcookie or cosign but i first want to make sure there is a way > to modify a webmail system to use the web sso. This seems to me to be > the difficult part after all. You can certainly setup

SRV records and canonicalization

2006-04-13 Thread Simon Wilkinson
I'm interested in what people feel the 'correct' approach is to the following situation. XMPP (the 'Jabber' protocol) uses DNS SRV records to determine the location of a Jabber service for a given DNS domain. In some implementations there may be multiple servers, running on multiple different mach

GSSAPI Key Exchange patches for OpenSSH 4.3p2

2006-03-06 Thread Simon Wilkinson
Patches supporting GSSAPI Key Exchange in OpenSSH 4.3p2 are now available from http://www.sxw.org.uk/computing/patches/openssh.html These patches add support for performing GSSAPI key exchange to the OpenSSH client and server. Whilst OpenSSH contains support for using GSSAPI in the user authentica

Re: Problem with kerberos and ssh.

2006-03-01 Thread Simon Wilkinson
>> I would have asked what other libgss could there possibly be. But >> then someone on the openssh mailing list pointed out that I should >> just bypass the libgssapi-0.7 stuff entirely That was me - I cross posted my (somewhat lengthy) response here too, but it has yet to appear (I suspect t

New GSSAPI Key Exchange patch for OpenSSH 4.2p1

2005-09-26 Thread Simon Wilkinson
Hi, This is to announce the availability of a new version of my GSSAPI key exchange patch for OpenSSH. The code is available from http://www.sxw.org.uk/computing/patches/openssh.html Changes since the last release are: *) Implement GSS group exchange *) Disable DNS canonicalization of the

Re: Kerberos support in Thunderbird

2005-09-15 Thread Simon Wilkinson
Sam Hartman wrote: > Jim> (b) If my ticket cache is empty, Thunderbird correctly posts > Jim> a "your server does not support secure authentication" > Jim> dialog. My key manager never prompts me to obtain a ticket. > > On Mac and Windows this is not at all what I'd expect. I'd expect

Re: Kerberos support in Thunderbird

2005-09-12 Thread Simon Wilkinson
Jeffrey Altman wrote: > For e-mail, I believe that you really want the ability to specify > in the account setup the Kerberos principal name that should be used > for the client. There's not much intelligence in the code at the moment - it will use whatever the default principal in the current cre

Kerberos support in Thunderbird

2005-09-10 Thread Simon Wilkinson
The Thunderbird beta (1.5b1) that was released yesterday contains new support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP servers. It would be really good to get some test coverage against different servers, and in different environments. I originally wrote and tested the code a

Kerberizing your whole network

2005-09-07 Thread Simon Wilkinson
A while ago on this list there was a discussion about "Kerberizing your whole network" - concerning which protocols were capable of Kerberos support, and which implementations actually provide Kerberos capability. I've often found trouble getting this kind of information, so I decided to set up a

Kerberos support in Firefox/Thunderbird (was Re: windows browsers send ntlm instead of kerberos tokens)

2005-08-26 Thread Simon Wilkinson
Jeffrey Altman wrote: > Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos > support. Just because this comment reminded me... As of this week, Firefox and Thunderbird nightly builds (and the eventual 1.5 release) support using either SSPI or KFW, according to the value of the h

Re: Kerberos ticket access to MS Exchange

2005-07-31 Thread Simon Wilkinson
Nikola Milutinovic wrote: > How about IMAP kerberized client in general? I'm working with David Bienvenu and others on GSSAPI support for Thunderbird. It should support both MIT Kerberos for Windows, and Microsoft's SSPI. Simon.

Re: krb5.conf ' # ' in realms section can cause ssh to segv

2005-07-13 Thread Simon Wilkinson
Troy Benjegerdes wrote: > > Is this a potential security issue? Granted, if you can edit krb5.conf, > you can do a lot of other stuff.. but a segv is pretty bad behavior. You've not really provided enough information to track this down. The stack trace doesn't have any symbols, and you haven't ev

Re: Windows SSH client that uses tickets not obtained from AD login

2005-07-12 Thread Simon Wilkinson
jay alvarez wrote: > Hi, > Do you know any windows ssh client that can use > gssapi authentication and not using SSPI(used by > vintela and CSS putty versions) There's a version of the CSS putty modifications which can use MIT Kerberos for Windows. Download their Putty Installer, install it, and

Re: Need some tips on kerberizing our ENTIRE network

2005-07-09 Thread Simon Wilkinson
Russ Allbery wrote: > How to do GSSAPI is part of the Jabber protocol, but is not > implemented by any of the servers or clients so far as I know. I've written some patches for Jabberd2 (in their bugzilla - http://j2.openaether.org/bugzilla/show_bug.cgi?id=45 ), and am in the process of developin

Re: Pending OpenSSH release: contains Kerberos/GSSAPI changes

2004-01-30 Thread Simon Wilkinson
Daniel, My personal belief is that it's too late in this release cycle to make this change. As the author of the GSSAPI code in OpenSSH, I completely accept your comments - we're not (currently) RFC compliant. However, I'm aware of a number of vendors who have successfully performed interop tes

Re: OpenSSH problem on Solaris 8

2002-05-22 Thread Simon Wilkinson
Marc ([EMAIL PROTECTED]) wrote: : Well that's strange because I have one: : 1 host/hostname.domain.com@REALM Apologies for the stupid question - but this isn't literally host/hostname.domain.com@REALM, but rather host/mymachine.mydomain@MYREALM (with mymachine, mydomain and MYREALM replaced

Re: OpenSSH problem on Solaris 8

2002-05-22 Thread Simon Wilkinson
Marc ([EMAIL PROTECTED]) wrote: : debug1: No principal in keytab matches desired name This is your problem. You need a host/ principal in the default keytab (probably /etc/krb5.keytab) of the server. Cheers, Simon.

Re: Kerberized SSH on Solaris 8

2002-05-21 Thread Simon Wilkinson
Marc ([EMAIL PROTECTED]) wrote: : > I would just use for openssh the built in krb5 authentication that comes : > with openssh. One note if you want to get a forwardable ticket, openssh : > does not do it. I have a patch if you are interested in it but I have to : > separate it out from another p

Re: kerberos, ssh, and solaris8

2002-05-09 Thread Simon Wilkinson
Sam Hartman ([EMAIL PROTECTED]) wrote: : This cannot be a Kerberos bug; the ssh patches are responsible for : ccache permissions. I suspect, from previous posts on this subject, that it's a problem with the interaction between OpenSSH and the Solaris pam_krb5 module. If the original poster isn't

Re: GSSAPI on FreeBSD 4.5

2002-04-23 Thread Simon Wilkinson
Marc ([EMAIL PROTECTED]) wrote: : First I had to copy over gss-serv.c, gss-genr.c and kexgss.c from the : compilation of GSSAPI in OpenSSH on my linux box because somehow patch : didn't create those files on FreeBSD (know why ???). So then I did a: Sounds like patch is doing something very wie

Re: ftpd and AFS tickets

2002-04-23 Thread Simon Wilkinson
Ken Hornstein ([EMAIL PROTECTED]) wrote: : But if you're doing GSSAPI, then pam is never being invoked, right? No, if PAM support is enabled then the account and session portions of the ssh PAM stack will be invoked, even for a GSSAPI login. This enables things like the gaining of additional cred

Re: ssh

2002-04-16 Thread Simon Wilkinson
Norbert Veber ([EMAIL PROTECTED]) wrote: : Srinivas Cheruku wrote: : > and the Simon's GSSAPI/Kerberos patch from : > http://www.sxw.org.uk/computing/patches/openssh.html : Why is this patch needed? I thought openssh had built-in kerberos : support? Yes, and no. OpenSSH's current Kerberos v5 s

Re: OpenSSH with latest GSSAPI patch now storing credentials !

2002-03-27 Thread Simon Wilkinson
Someone ([EMAIL PROTECTED]) wrote: : Just a little remark, I am running sshd in debugging mode and the : : debug1: No GSSAPI credentials stored : message, still appears, I think it shouldn't appear anymore. Right. In order to understand why this message is correct, you need to know a bit about

Re: OpenSSH won't store credentials

2002-03-26 Thread Simon Wilkinson
Nicolas Williams ([EMAIL PROTECTED]) wrote: : auth_krb5_password() seems to have a bug in that it tries to : krb5_cc_resolve() 'MEMORY:'. That's not a valid ccache name in MIT krb5. : 'MEMORY:foobar' should work. I believe that it should really be using a file based ccache, rather than a memory

Re: Question About Kerberos

2002-03-26 Thread Simon Wilkinson
Srinivas Cheruku ([EMAIL PROTECTED]) wrote: : Use these options instead of "KerberosAuthentication yes" : GssapiAuthentication yes : GssapiKeyExchange yes : GssapiUseSessionCredCache yes This won't solve the original poster's problem. The GSSAPI options enable Kerberos support in the version 2 p

Re: Openssh and Kerberos

2002-03-25 Thread Simon Wilkinson
[EMAIL PROTECTED] wrote: : I just compiled SSH v3.1.0p1 with the GSSAPI and openssh patches included : on a Solaris 8 box. It works : fine, well I get my password authenticated by the KDC on a W2K box. But I : have : remarked that my credential cache in /tmp directory is owned by the root. : Is it

Re: OpenSSH won't store credentials

2002-03-23 Thread Simon Wilkinson
Nicolas Williams ([EMAIL PROTECTED]) wrote: : Yes, it's possible, and you don't need Simon's OpenSSH/GSS patches to do : this. IIRC OpenSSH has this as a builtin feature (you may need Simon's : OpenSSH MIT/Heimdal compat patches for that to work). You will. There's also a bug that I've just disc

Re: OpenSSH won't store credentials

2002-03-22 Thread Simon Wilkinson
Someone ([EMAIL PROTECTED]) wrote: : > klist -5 : klist: No credentials cache found (ticket cache FILE:) : > kinit : kinit(v5): No credentials cache found when initializing cache Can you let me know what the KRB5CCNAME environment variable is set to on the server. It looks like it may be set t

Re: Kerberos http authentication

2002-02-05 Thread Simon Wilkinson
Booker C. Bense ([EMAIL PROTECTED]) wrote: : - Umich had a similar scheme a while ago. Umich's scheme is still available. We're using the code in prototype form locally. It's comprised of a client / server which is used to get short lived X509 certificates based on the user's Kerberos credentials.

Re: Kerberized RCP

2001-12-20 Thread Simon Wilkinson
problems. Userauth will, however, fail. As I said, I hope that this will be the last patch that breaks backwards compatibility. > Where's the draft at wrt publication as an RFC? From recent WG traffic I believe that there are a number of minor issues which will be resolved in the next re

Re: Kerberized RCP

2001-12-20 Thread Simon Wilkinson
elease incompatible with future versions of the draft. The latter is the only work that I still have to complete. Cheers, Simon -- Simon Wilkinson<[EMAIL PROTECTED]> http://www.sxw.org.uk "Go not to the elves for counsel, for they will say both yes and no. -- J.R.R. Tolkien

Re: Kerberized RCP

2001-12-20 Thread Simon Wilkinson
On Thursday 20 December 2001 21:55, Douglas E. Engert wrote: > I would like to complement you on the excellent GSSAPI mods for > OPenSSH-2.9p2. Thanks - I'm glad that they have been of use to people! > In the meantime to get away from ssh-1.2.* we need a common > Kerberos type method across all

Re: Kerberized RCP

2001-12-20 Thread Simon Wilkinson
Mathieu Nantel ([EMAIL PROTECTED]) wrote: : Thanks for the answers. I guess I'll give OpenSSH another try at : compiling with Kerberos. I've read that the problems I used to have were : due to the implementation that they did which had functions that were : only compatible with the Heimdal release

Re: Scripting kadmin

2001-11-19 Thread Simon Wilkinson
Nicolas Williams ([EMAIL PROTECTED]) wrote: : A little work with SWIG should yield a Perl module to access the kadm5 : library directly. There is such a thing already for Heimdal's kadm5 : library, but the MIT/Heimdal APIs are different enough that that module : won't work with MIT krb5. There ha

Re: how to debug OpenSSH-->GSSAPI-->KerberosV?

2001-10-19 Thread Simon Wilkinson
From your debug output it looks like the acquire credentials call is failing. This is somewhat strange. Have you created a host/ principal and correctly stored it in the machine's keytab? Is this keytab readable by the sshd? Does the key version in the keytab match the one in the KDC? If you have

Re: how to debug OpenSSH-->GSSAPI-->KerberosV?

2001-10-18 Thread Simon Wilkinson
Sviatoslav Rimdenok ([EMAIL PROTECTED]) wrote: : is there any way to debug what is going on between GSS level and : underlying KerberosV? Not that I'm aware of - the GSS code for OpenSSH reports as much information as it can. If anyone knows of a portable way of finding out more, please let

Re: K5 Credentials Forwarding with SSH2

2001-09-15 Thread Simon Wilkinson
Booker C. Bense ([EMAIL PROTECTED]) wrote: : - You might want to look at openssh and the gssapi patches to the : openssh src. : - I've got no idea if it's any better than the ssh.com code, but : making it work at Stanford with both K5 and AFS is next on my list of : things to do. As the author o