Re: renewed?

2005-06-28 Thread Rachel Elizabeth Dillon
Maria, This list is used by users and developers of Kerberos to discuss details of the protocol and its implementations in various computer systems. You are probably looking for help with the Kerberos system at MIT specifically; for that, I recommend contacting the Athena On-Line Consulting office

Re: pb with .tex doc

2005-06-22 Thread Rachel Elizabeth Dillon
What happens if you go into the krb5-1.4.1/doc/api/ directory and run % make at your shell prompt? I'm assuming you're running some variant of UNIX here. I'm on Debian stable, and when I do that, I get a file called library.dvi that has 71 pages of documentation that, at a cursory glance, looks

Re: Commercial use of MIT Kerberos

2005-05-25 Thread Rachel Elizabeth Dillon
The license is available here: http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.1/doc/krb5-user/Copyright.html#Copyright Among, I am sure, other places. The gist of it is that you don't need the written permission of MIT to use Kerberos for commercial use, nor will MIT endorse or support your co

Re: Logging details

2005-05-24 Thread Rachel Elizabeth Dillon
You should be able to configure this in your /etc/krb5.conf file as follows: [logging] kdc=FILE:/var/log/kdc.log or similar. I found this in the krb5.conf manpage on a Solaris system; this manpage (and the krb5(3) manpage) don't seem to exist on my Debian sarge system. krb5(3) isn't on th

Re: Viewing/printing tex documents

2005-03-26 Thread Rachel Elizabeth Dillon
On Fri, Mar 25, 2005 at 10:36:27AM -0800, Mike Friedman wrote: > I'm quite amenable to reinstalling LaTex, but where can I get it? I've > looked at the LaTex project web page, which refers to several other sites, > but they all appear to contain multiple components and packages and (not > knowing

Re: Viewing/printing tex documents

2005-03-25 Thread Rachel Elizabeth Dillon
This is most likely a problem with your LaTeX installation, as the latex.fmt file should be part of your LaTeX install; on my Debian Linux machine, it lives in /var/lib/texmf/web2c/latex.fmt, but I don't have a Solaris machine to find it on handy. If "find / | grep latex.fmt" (and there are probab

Re: Kerberos single sign on

2005-03-09 Thread Rachel Elizabeth Dillon
That depends greatly on what services you want your users to be able to authenticate on to using their Kerberos credentials. If you want to work with a variety of applications on both the Linux and Windows side, you will need to either make sure that those applications support krb5 or do some de

Re: Kerberos authentication without reverse lookup

2005-01-17 Thread Rachel Elizabeth Dillon
On Mon, Jan 17, 2005 at 04:40:59AM +0100, Fredrik Tolf wrote: > I was thinking about adding local hints to our own reverse zones to our > Bind configs to make reverse lookups work just between our own networks, > but that will be extremely difficult at best, since he has a dynamic IP. > We can figu

Re: obtaining Kerberos ID

2005-01-14 Thread Rachel Elizabeth Dillon
I recommend mailing [EMAIL PROTECTED]; this list is a general discussion list for the Kerberos protocol :) Best of luck, -r. On Fri, Jan 14, 2005 at 11:02:25AM -0500, Lisa Sachetta wrote: > It would be greatly appreciated if you could provide me with any > information regarding getting a Kerber

Re: Cisco VPN 3000 series does not support preauth

2004-12-08 Thread Rachel Elizabeth Dillon
I wasn't privy to the actual conversation; I will try to get further details and pass them on. It seemed strange to me, but also consistent with the behavior I was seeing. -r. On Wed, Dec 08, 2004 at 06:31:53PM -0500, Ken Raeburn wrote: > On Dec 8, 2004, at 17:49, Rachel Elizabeth Dill

Cisco VPN 3000 series does not support preauth

2004-12-08 Thread Rachel Elizabeth Dillon
A colleague went and asked Cisco about the Kerberos preauthentication issue on VPN 3000 series hardware, and apparently they do not support preauthentication and do not intend to do so. I thought this might be useful to other people on this list, so I sent it along. Thanks again for all the help,

Re: Preauth and ticket forwarding

2004-12-08 Thread Rachel Elizabeth Dillon
On Tue, Dec 07, 2004 at 05:57:47PM -0500, Chaskiel M Grundman wrote: > you ought to be able to tell if the client is sending a second request by > using tcpdump or ethereal to capture packets from the network while the > client is attempting to authenticate. (tcpdump does not have much of a krb5 >

Re: Preauth and ticket forwarding

2004-12-07 Thread Rachel Elizabeth Dillon
On Tue, Dec 07, 2004 at 12:53:25PM -0800, Donn Cave wrote: > In case it may help, you can find more detail about the > preauthentication failure in the syslog output from the KDC. > The error message can be a little misleading - I believe > "No such file or directory" really means that the key was

Preauth and ticket forwarding

2004-12-07 Thread Rachel Elizabeth Dillon
I am one of many administrators for a network of 50 machines running MIT Kerberos on Solaris. Recently, another administrator installed a Cisco VPN Magic Box that supposedly uses Kerberos authentication, but won't work unless preauthentication is turned off. With preauthentication turned off for

Re: How to Force a Kerb 4 Request

2004-11-23 Thread Rachel Elizabeth Dillon
t exist. > > On Nov 23, 2004, at 1:32 PM, Rachel Elizabeth Dillon wrote: > > >From the kinit manpage in the most recent Debian version, which is > >1.3.x: > > > >OPTIONS > > -5 get Kerberos 5 tickets. This overrides whatever the > >de

Re: How to Force a Kerb 4 Request

2004-11-23 Thread Rachel Elizabeth Dillon
From the kinit manpage in the most recent Debian version, which is 1.3.x: OPTIONS -5 get Kerberos 5 tickets. This overrides whatever the default built-in behavior may be. This option may be used with -4 -4 get Kerberos 4 tickets. This overrides whatever

Re: User instances

2004-10-27 Thread Rachel Elizabeth Dillon
On Wed, Oct 27, 2004 at 07:54:45PM +0200, Fredrik Tolf wrote: > Is there no way to just add one single general rule to cover all users, > analogous to filename matching in Makefiles? That is, something like > this: > > %/[EMAIL PROTECTED] x %/[EMAIL PROTECTED] > > Where, as in make, `%' would hav

Re: Renewable Tickets

2004-10-25 Thread Rachel Elizabeth Dillon
Do you have something like this in /etc/krb5kdc/kdc.conf (or wherever your kdc configuration files live) : max_renewable_life = 7d 0h 0m 0s ? I don't have anything in my /etc/krb5.conf about renewable times, and I can kinit -R successfully. Other than that my configuration is out of the box MIT

Re: problem setting up ssh-krb5 from Debian Sarge

2004-10-22 Thread Rachel Elizabeth Dillon
This line: >PAM rejected by account configuration[9]: Authentication service >cannot retrieve authentication info. suggests that PAM is failing for some reason. Without knowing more about your configuration, I have no idea why. :) Some things to try: 1. http://lists.debian.org/debian-glibc/2002

Re: User instances

2004-10-21 Thread Rachel Elizabeth Dillon
There are a couple of things that I have seen as common across multiple realms; username/admin principals tend to be principals with full administrative rights in kadmin, and username/root principals tend to be principals with additional privileges you want the user to have to remember to turn on

Re: Kerberos & LDAP

2004-10-19 Thread Rachel Elizabeth Dillon
Kerberos and LDAP are very very different things. If they were animals, one would be a dog and one would be something very different, like maybe a lemur. Basically, Kerberos is an authentication service which uses strong encryption to guarantee the authentication of users and hosts. LDAP, on the ot

Re: PAM and GSSAPI SSH authentication conflict

2004-10-08 Thread Rachel Elizabeth Dillon
t know about all of that here). > > > > -Original Message- > From: [EMAIL PROTECTED] on behalf of Rachel Elizabeth Dillon > Sent: Fri 10/8/2004 1:12 PM > To: [EMAIL PROTECTED] > Subject: PAM and GSSAPI SSH authentication conflict > > I am building a networ

PAM and GSSAPI SSH authentication conflict

2004-10-08 Thread Rachel Elizabeth Dillon
I am building a network that uses Kerberos for authentication. The original plan was to have a single bastion host to which users sshed, and logged in using their Kerberos password. From that bastion host, users could then ssh to any other machine on the network, authenticating via forwardable Ke

Kerberized authentication with SecureCRT 4.1.8

2004-09-30 Thread rachel elizabeth dillon
I have an existing MIT Kerberos realm with Kerberized SSH logins over GSSAPI using method external-keyx. I want to be able to connect to this realm from a Windows machine. The owner of the realm has a SecureCRT license, so I started there. With MIT KfW 2.6.5 installed on the machine (which is runn

Re: ssh-krb5 problems

2004-09-21 Thread rachel elizabeth dillon
before I did so. -r. On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote: > On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote: > >1. Are you trying to ssh as a user that exists on the other machine? > >If the user does not exist in the other machine's /etc/pass

Re: ssh-krb5 problems

2004-09-21 Thread rachel elizabeth dillon
I am not entirely sure what your situation or problem is, but here are some things you might try: 1. Are you trying to ssh as a user that exists on the other machine? If the user does not exist in the other machine's /etc/passwd, then I don't believe the KDC will ever be queried. 2. ssh -v -v -v

Re: Problem with ssh and kerberos

2004-09-16 Thread rachel elizabeth dillon
Have you tried looking in /var/krb5/kdc.log on your KDC to see if the KDC is getting a ticket request? If it is, there should be an error associated; if not, you may need to change something in one of the ssh config files. (Also, you are using ssh-krb5 on both the server and client machines, correc

Re: Please help: Kerberos and web applications?

2004-09-13 Thread rachel elizabeth dillon
It is possible that your question is answered by this question in the Kerberos FAQ: http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbwww There has also been some work done on integrating Kerberos into apache and Mozilla, but this is highly experimental if it works at all and not