>The definition of an argon salt is predicated on a nonce - number used
>once. Reusing the salt changes the definition.
I ... don't see how that's relevant to this discussion? The document
you linked is not used by any extant Kerberos implementation that I am
aware of.
--Ken
:03:01 PM
To: Jim Shi
Cc: kerberos@mit.edu
Subject: Re: is there a way to detect if user is using same incorrect password
in authentication
>Hi, we have a requirement to detect if a client is using same incorrect
>password in authentication against KDC. Is it possible the KDC
>s
>Hi, we have a requirement to detect if a client is using same incorrect
>password in authentication against KDC. Is it possible the KDC
>server can determine if client is using same incorrect password? Thanks
Ouch, is this some dang compliance requirement? I thought I had dealt wit
there a way to detect if user is using same incorrect password in
authentication
Hi, we have a requirement to detect if a client is using same incorrect password
in authentication against KDC.
Is it possible the KDC server can determine if client is using same incorrect
password?
Thanks
Jim
Hi, we have a requirement to detect if a client is using same incorrect password
in authentication against KDC.
Is it possible the KDC server can determine if client is using same incorrect
password?
Thanks
Jim
Kerberos mailing list
On Tue, 2024-06-04 at 12:31 +, m_a_n_j_u_...@yahoo.com wrote:
> Hi again,
>
> I am looking at implementing this (getting Kerberos service
> token) in C using Heimdal Kerberos library.
>
> In Golang using this go package https://github.com/alexbrainman/sspi
> it was simply two calls as bel
he right
>track. Thank you.
I think you're comparing apples and oranges a bit there; those two calls
you mention (which from my look at that Golang library really only end
up as one SSPI call) are only a small part of the overall authentication
flow. The code in that RFC you reference is a mo
Hi again,
I am looking at implementing this (getting Kerberos service token) in C
using Heimdal Kerberos library.
In Golang using this go package https://github.com/alexbrainman/sspi it was
simply two calls as below:
cred=negotiate.AcquireCurrentCredentials()token =
negotiate.NewClientCont
Thank you. Yes, as suggested here, I am looking into using either MIT or
Heimdal Kerberos implementation.
On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce
wrote:
On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
> On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerb
On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
> On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
> > > Thanks again Ken. My application is written in Go. So I'm looking
> > > for Kerberos implementation that can be easily integrated with my
> > > application. Hen
>Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
>in the past with some experiments in some Go code I was working on, I
>wasn't touching GSSAPI but there's at least some GSSAPI code in there.
>Might be worth checking out as it's native Go code, no cgo wrapping.
I would caut
On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
> >Thanks again Ken. My application is written in Go. So I'm looking
> >for Kerberos implementation that can be easily integrated with my
> >application. Hence I was considering MIT Kerberos and using C bindings
> >to cal
>Thanks again Ken. My application is written in Go. So I'm looking
>for Kerberos implementation that can be easily integrated with my
>application. Hence I was considering MIT Kerberos and using C bindings
>to call those APIs from my Go code. "MacOS X it might be easier to use
>the native GSSAPI
Thanks again Ken.
My application is written in Go. So I'm looking for Kerberos implementation
that can be easily integrated with my application. Hence I was considering MIT
Kerberos and using C bindings to call those APIs from my Go code.
"MacOS X it might be easier to use the native GSSAPI impl
>Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS
>platforms. I was wondering if I can use MIT Kerberos GSSAPI for the
>same. Does libcurl use MIT Kerberos gssapi ? Yes my proxy header would
>look exactly like you mentioned. Thank-you.
You should be able to use the MIT Kerberos GSSAPI
, 18 Mar 2024 at 12:11 am, Ken Hornstein wrote:
>Hi, I have a requirement to authenticate my application
>(Golang) against a proxy server which requires Kerberos
>authentication. I have achieved this on Windows using
>github/alexbrainman/sspi Golang package. From that package I
>
>Hi, I have a requirement to authenticate my application
>(Golang) against a proxy server which requires Kerberos
>authentication. I have achieved this on Windows using
>github/alexbrainman/sspi Golang package. From that package I
>basically call negotiate.AcquireCurrentUserCr
Hi,
I have a requirement to authenticate my application (Golang) against a proxy
server which requires Kerberos authentication.
I have achieved this on Windows using github/alexbrainman/sspi Golang
package. From that package I basically call
negotiate.AcquireCurrentUserCredentials() and
Hello everyone
I want to use Windows client/server + MIT Kerberos & OpenLDAP to implement SSO
authentication.
On the application server side, I use LsaLogonUser() to ask for a Network style
logon through S4U Kerb extension.
But the LsaLogonUser() failed.
According to the KDC Server's l
On Sun, 2022-10-09 at 17:38 -0400, Ken Hornstein via Kerberos wrote:
> > On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
> > > Can someone tell me if a TGT containing an authentication
> > > indicator will work over to a service principal in another realm
>
>On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
>> Can someone tell me if a TGT containing an authentication indicator will
>> work over to a service principal in another realm which has a cross realm
>> trust relationship?
>
>Authentication indicators
On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
Can someone tell me if a TGT containing an authentication indicator will work
over to a service principal in another realm which has a cross realm trust
relationship?
Authentication indicators are currently only accepted within the
Can someone tell me if a TGT containing an authentication indicator will work
over to a service principal in another realm which has a cross realm trust
relationship?
Thanks,
Glenn
>I have been trying to login to my Ubuntu (v 20.04) machine which is
>joined to AD server (Windows Server 2k16). And for log-in to the user
>account I am having a .CER certificate (certificate without private
>key) via Smartcard attached to the Ubuntu Machine. When I try this, it
>prompts for PIN b
So I tried this work around, creating a sym link:
ln -s /usr/lib64/libkadm5clnt_mit.so.12.0
/usr/lib64/security/pam_krb5_migrate.so.1
from ssh -vv -K
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos
On Fri, Oct 23, 2020 at 10:48 AM Robbie Harwood wrote:
> Robert Kudyba writes:
>
> > /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors:
> > /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
> > cannot open shared object file: No such file or directory
>
> In Fe
Robert Kudyba writes:
> /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors:
> /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
> cannot open shared object file: No such file or directory
In Fedora, libkadm5clnt_mit.so is provided by libkadm5. However, there
h
We are trying to drop in Kerberos authentication in Fedora 32 for NIS.
I have Kerberos working, H/T to
https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-cfgkrb-auth.
The man page for it at
https://docs.oracle.com/cd/E23824_01/html/821-1474/pam-krb5-migrate-5
On Fri, Aug 21, 2020 at 08:04:24PM -0400, Rita wrote:
> hi
>
> The webserver has DNS aliases but not multiple IPs. On a client level is it
(temporarily) forcing the name to resolve to just a single IP, e.g., via
/etc/hosts, would be one possible diagnostic measure.
> possible to disable the reve
hi
The webserver has DNS aliases but not multiple IPs. On a client level is it
possible to disable the reverse lookup? I am not sure if it's backed up a
pool of servers -- is there a way to find out from a client?
On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk wrote:
> On Thu, Aug 13, 2020 at 07
On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> I created a user keytab. I use curl to authenticate against a web server.
> `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> trying to figure out if it's a webserver issue or kerberos issue. Is there
> anything else I can
I created a user keytab. I use curl to authenticate against a web server.
`curl -u : --negotiate` it works randomly (about 33% accuracy). I am
trying to figure out if it's a webserver issue or kerberos issue. Is there
anything else I can do?
--
--- Get your facts first, then you can distort them
When using the FAST OTP preauthentication module for the KDC, the OTP is passed
to the KDC over an encrypted FAST channel. The KDC then passes the OTP over to
a RADIUS server.
When the KDC communicates with a RADIUS server, can this be done over a more
secure method such as EAP or PEAP?
When O
On 5/22/19 2:17 PM, Robert Wehn wrote:
> However we are lacking the information, of how to actually implement and
> use it on the application side.
>
> How to implement constrained delegation in an application?
We have documentation on that at:
http://web.mit.edu/kerberos/krb5-latest/doc/appdev/g
Dear List,
we are looking into a multi-hop, single-sign-on authentication in the
context of file service and sync & share like front-end to the file
service. The scenario would be as follows:
- User is (kerberos-)authenticated to the client OS.
- The sync & share client (imagine Next
Sure!
I built 1.16.3 under a non-default directory and configure ccache in a
subdirectory. But I did not create that ccache directory. So a misleading
error message was generated.
On Fri, Jan 25, 2019 at 1:40 PM Robbie Harwood wrote:
> Yegui Cai writes:
>
> > On Thu, Jan 24, 2019 at 12:05 PM Ye
Yegui Cai writes:
> On Thu, Jan 24, 2019 at 12:05 PM Yegui Cai wrote:
>
>> I ran into an issue when I tried to run kadmind. The version of KDC
>> is 1.16.3. I did have kadmin/admin and kadmin/changepw in my realm.
>>
>> I did some google search. Some old posts are suggesting the existence
>> of
I figured it out by using strace. It turned out to be a directory was
missing. The error message is really confusing.
On Thu, Jan 24, 2019 at 12:05 PM Yegui Cai wrote:
> Hi all.
>
> I ran into an issue when I tried to run kadmind. The version of KDC is
> 1.16.3.
> I did have kadmin/admin and kad
Hi all.
I ran into an issue when I tried to run kadmind. The version of KDC is
1.16.3.
I did have kadmin/admin and kadmin/changepw in my realm.
I did some google search. Some old posts are suggesting the existence of
kadm5.keytab. I guess it is outdated? Do I still need to have kadm.keytab?
Or an
Hi Team,
I have installed the
i) FreeIPA server which internally has the kerberos
server in Machine 1 and
ii) Installed the Free IPA client which internally has
the kerberos client in Machine 2
I configured using the link :
https://www.jamielennox.net/bl
authentication with Kerberos
Not sure if this helps, but since it's late in the US, the last time I got a
"generic error" is when my LDAP db went down underneath Kerberos and it
couldn't connect. Probably not remotely related to your generic error, but
maybe see if you can talk to th
On Wed, Aug 8, 2018 at 20:38 Bob Fonacier wrote:
> Hi Kerberos Team,
>
> I'm trying to setup a Kerberos (SSO) authentication for our Oracle
> database. I've done the initial setup, but I cannot login to the database
> server. Also when I try to run "okinit" comm
Hi Kerberos Team,
I'm trying to setup a Kerberos (SSO) authentication for our Oracle database.
I've done the initial setup, but I cannot login to the database server. Also
when I try to run "okinit" command, it is throwing a non-verbose error...
okinit
Kerberos Utilitie
Hi All,
I have considered using Kerberos authentication with SPNEGO. From what I
have found out, this could be theoretically done by integrating:
SPNEGO java filter [1]
I adapted the old class from [2]
Although I have not tested it, I suspect it should work just fine.
My project has a
nisms GSSAPI, provider Cyrus
%7|1516010149.634|SASLREFRESH|rdkafka#consumer-1|
[thrd:sasl_plaintext://host3:9092/bootstrap]:
sasl_plaintext://host3:9092/bootstrap: Refreshing SASL keys with command:
kinit -kt {} user@PRINCIPAL
kinit: Pre-authentication failed: Key table file '{}' not found while
bytes) to PRINCIPAL
[24032] 1516023480.511883: Resolving hostname XXX.XXX.XXX.168
[24032] 1516023480.512229: Sending initial UDP request to dgram
XXX.XXX.XXX.168:88
[24032] 1516023480.560726: Received answer (327 bytes) from dgram
XXX.XXX.XXX.168:88
[24032] 1516023480.560830: Response was not from master KDC
"-S kafka/host" from
> the kinit command line), you could verify that this is the problem and
> to determine (using klist) what service ticket is acquired during
> authentication.
ieving -> from
with result: ...")
If you can configure rdkafka to acquire a TGT from the keytab instead of
directly acquiring a service ticket (by removing "-S kafka/host" from
the kinit command line), you could verify that this is the problem and
to d
>I have a hard time troubleshooting an error. I posted the issue
>already here (https://github.com/edenhill/librdkafka/issues/1630) and
>here (https://github.com/cyrusimap/cyrus-sasl/issues/501), but to no
>avail.
It might be helpful to describe what the underlying Kerberos implementation
is on th
Hi,
I have a hard time troubleshooting an error. I posted the issue
already here (https://github.com/edenhill/librdkafka/issues/1630) and
here (https://github.com/cyrusimap/cyrus-sasl/issues/501), but to no
avail.
In short:
I try to access a KafkaServer which uses Kerberos for authentication
x 1 root root4035 Jul 29 2015 sudo
>
> -rwxr-xr-x 1 root root5726 Jul 29 2015 pbrun
>
> -rwxr-xr-x 1 root root5522 Jul 29 2015 bksu
>
>
>
> *From:* Todd Grayson [mailto:tgray...@cloudera.com]
> *Sent:* Thursday, October 06, 2016 3:55 PM
> *To:* Robbie Harwood
>
To: Robbie Harwood
Cc: Pala hanumanth rao, Anil kumar; kerberos@MIT.EDU
Subject: Re: Kerberos Authentication Support help
Anil,
This is not really "support" more than a community discussion list (for your
information).
Do a 'which kinit' to verify your proper path to the kinit com
Todd,
So are you saying, this is not Red Hat Linux, but FoxT Linux ?
Thanks,
Anil Rao
From: Todd Grayson [mailto:tgray...@cloudera.com]
Sent: Friday, October 07, 2016 10:58 AM
To: Pala hanumanth rao, Anil kumar
Cc: Robbie Harwood; kerberos@MIT.EDU
Subject: Re: Kerberos Authentication Support
om
renew until 10/13/16 12:50:40, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
On Thu, Oct 6, 2016 at 1:39 PM, Robbie Harwood wrote:
> anilkumar.palahanumanth...@wellsfargo.com writes:
>
> > Dear Support,
> >
> > We are using Kerberos Aut
anilkumar.palahanumanth...@wellsfargo.com writes:
> Dear Support,
>
> We are using Kerberos Authentication in the past on AIX with the below
> command and it worked fine.
> echo "password" | /opt/boksm/bin/kinit userid
>
> We recently migrated from AIX to Li
Dear Support,
We are using Kerberos Authentication in the past on AIX with the below command
and it worked fine.
echo "password" | /opt/boksm/bin/kinit userid
We recently migrated from AIX to Linux, and when we gave the above commands, it
is asking for password in interactive mode.
it.edu
Date: 08/27/2016 05:03 AM
Subject:Re: GSS_S_CONTINUE_NEEDED when doing Kerberos
authentication?
Hi Jordan,
> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're kerberos messages?
You shou
Hi Jordan,
> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're kerberos messages?
You should base64-decode it [Section 4.1 of RFC 4559] and dump that as GSSAPI
content which, at least in this early phase, is DER-encoded. You sho
On Thu, 25 Aug 2016, JSoet wrote:
> Hi, I'm implementing SPNEGO & Kerberos authentication in our application's
> webserver code and have it working fine when the KDC is Active Directory.
> I'm now testing it with an MIT KDC instance and when I attempt to
> authe
12
hrs in the future), but I'm not sure what to change to make the renew time
longer, the krb5.conf on the client has renew_lifetime set as 7d... And in
the kdc.conf on the kdc server the max_renewable_life is set as 5d... ?
--
View this message in context:
http://kerberos.996246.n3
Jordan,
> I haven't tried to implement the continuation of the context yet, because it
> will be a fair amount of work, so I thought I'd email the group to ask
> whether it's likely that there is just a problem with my setup, or if I'm
> mistaken and it is possible to get a continue_needed when wo
Hi, I'm implementing SPNEGO & Kerberos authentication in our application's
webserver code and have it working fine when the KDC is Active Directory.
I'm now testing it with an MIT KDC instance and when I attempt to
authenticate a user who has a ticket from that KDC I get a
GS
se like I said I was just using the flask webserver as a test, but if
there's still something wrong with my dns setup then I'd prefer to fix it.
--
View this message in context:
http://kerberos.996246.n3.nabble.com/Beginner-Kerberos-question-problem-with-spnego-authentication-with-webserve
On Wed, Jun 22, 2016 at 6:41 PM, JSoet wrote:
> sure where to look next to solve it. When running the flask webserver I get
> this error when it tries to do the authGSSServerInit call:
> /GSSError: (('Unspecified GSS failure. Minor code may provide more
> information', 851968), ('', 14))/
>
I'm trying to modify a webserver that I work on to do SPNEGO authentication
with an Active Directory server. In preparation for that I've set up 2
machines to test the authentication and I thought I'd try and use an
existing simple webserver to check that I have them set up cor
from scratch,
discarding any pre-existing service tickets. There is no difference
between re-authentication and renewal in this respect.
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Hello,
When a service re-authenticates to the KDC, effectively getting a new TGT,
are the service tickets related to previous instance of the TGT for that
service, no longer valid?
That is, does a service re-authenticating to a KDC, rather than renewing,
cause all the current related service tick
work. Note that you're probably skipping
krb5_verify_creds, so an attacker that can spoof the KDC on the network
can bypass this check, but given the other issues with this security
measure, it may not be worth worrying about that.
I would recommend considering using PAM to do the authenti
Hi Russ, thank you for the (as always) very helpful and detailed
reply... a few follow-up comments:
On Wed, Feb 3, 2016 at 4:47 PM, Russ Allbery wrote:
> You'll want to either perform just the authentication calls without saving
> the resulting cache or use a separate cache
using this program is really who he says
> he is.
You'll want to either perform just the authentication calls without saving
the resulting cache or use a separate cache (by setting KRB5CCNAME to
override the default cache, only for this interaction).
> - I'm just getting started wit
reattached" (e.g. detach, go home, login remotely, attach to get
your exact same terminal(s) back). What we want is to force a
Kerberos authentication whenever an "attach" is attempted. This is to
prevent admins (i.e. root user) from su'ing to that user, then
attaching t
Hello Kerberos Community.
At the organisation where I work we are trying to achieve SSO
authentication using Kerberos mechanism on the following setup:
- physical load-balancer (machine1) receiving incoming http sessions,
but redirecting the traffic to a WebLogic Server (machine2).
The
by cluster do you mean hadoop?
Hadoop can (based on version, workload, and service usage pattern) get very
very chatty with a KDC. Depends on what you are doing on the 10GB network;
but I would say you can definitely handle the krb on the 1GB interface, but
consider your principal to hostname map
On Wed, 2015-09-09 at 15:45 -0500, Ben Kim wrote:
> My worry about 10G is when data traffic gets jammed or network goes down
> KDC may not respond. 10G network cables are not redundant for budget reason.
> My worry about 1G network is network bandwidth. I'm pretty new to Kerberos,
> and as a servic
Hi!
I have a Kerberos KDC residing in a 6 server cluster, and the cluster is
linked with 10Gb network where data gets transferred, and 1Gb network where
administrators connect.
Would it be better practice to have Kerberos setup on 10G data network or
1G admin network?
My worry about 10G is when d
ure what you mean by using RPCs but bear in mind that any
>> kind of third party service could NOT be based on HTTP (because that
>> would just be pushing the poop around without actually getting rid of
>> it). And a non-HTTP based third party authentication service probably
these days but this has become more
> about HTTP authentication (non-Enterprise points at the end) now than
> it is about Kerberos.
>
> On Thu, Jun 25, 2015 at 12:39 PM, Benjamin Kaduk wrote:
>>> gotten better over the years). Note that the reason the Windows SSPI
>>>
e
> about HTTP authentication (non-Enterprise points at the end) now than
> it is about Kerberos.
>
> On Thu, Jun 25, 2015 at 12:39 PM, Benjamin Kaduk wrote:
>>> gotten better over the years). Note that the reason the Windows SSPI
>>> is used by Java is largely because there i
Pls beware, I'm copying ietf-http-wg at w3.org so please remove one or
the other addresses (or both!) when replying if necessary. Not sure
about cross posting netiquette these days but this has become more
about HTTP authentication (non-Enterprise points at the end) now than
it is about Ker
> > Hadoop 2.5.0 as a filter in front of a Tomcat 6 Servlet we
> > wish to add Kerberos authentication to.
Michael has basically made this point at the end of his message, but just
to drive it home: the HTTP Negotiate authentication you are using is the
SPNEGO mechanism for the GSS-API p
On Wed, Jun 24, 2015 at 2:07 PM, Albert C. Baker III wrote:
> I am using the Java class org.apache.hadoop.security.
> authentication.server.AuthenticationFilter from Apache
> Hadoop 2.5.0 as a filter in front of a Tomcat 6 Servlet we
> wish to add Kerberos authentication to.
>
>
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf
> Of Albert C. Baker III
> Sent: Wednesday, June 24, 2015 8:08 PM
> To: kerberos@mit.edu
> Subject: Kerberos Authentication question(s)
> [...]
> Any leads on how to figure this out would be gre
I am using the Java class org.apache.hadoop.security.
authentication.server.AuthenticationFilter from Apache
Hadoop 2.5.0 as a filter in front of a Tomcat 6 Servlet we
wish to add Kerberos authentication to.
I am attempting to write some test cases against this filter
so that we have a better
On 12/16/2014 10:31 AM, Kenneth MacDonald wrote:
> I've been asked if it would be possible for the MIT krb5 KDC not to
> increment the failed authentication count (and presumably the time) when
> one of the older passwords was used. I know such behaviour is not
> documented.
[...
I've been asked if it would be possible for the MIT krb5 KDC not to
increment the failed authentication count (and presumably the time) when
one of the older passwords was used. I know such behaviour is not
documented.
The question arose because the MS Active Directory KDC can do this.
Qu
authentication is not enough: we need a *username* to
authorize the authenticated _principal_ to, and that comes later in
the protocol.
SSHv2 could well have been (and perhaps still could be) optimized
quite a bit. As it is all of this takes quite a few messages: TCP
handshake, version string scream
GSS keyex authenticates the server to the client. The client can then
be authenticated to the server when it tries gssapi-keyex userauth.
Nico
Hi Rufe,
first step of establishing ssh connection is establishing Transport
Layer. In this step the server is authenticated and keys are exchanged,
that are used to provide integrity and confidentiality. U
On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.
If memory serves, the gssapi-keyex key exchange actually authenticates
both par
On Fri, 31 Oct 2014, Rufe Glick wrote:
> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in
> ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication
> yes). When I connect to the SSH server using verbose mode I see that SSH
> client uses 'gssapi-with-mic' mode to
Hello,
I have Kerberos infrastructure set up and GSSAPI enabled in
ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes).
When I connect to the SSH server using verbose mode I see that SSH client uses
'gssapi-with-mic' mode to authenticate itself. Then if I additionally ena
Thanks!
On 2014-08-09, Sat at 16:20 +0100, Dameon Wagner wrote:
> On Sat, Aug 09 2014 at 00:41:07 -0400, Greg Hudson scribbled
> in "Re: Machine authentication":
> > On 08/08/2014 03:37 AM, jarek wrote:
> > > Is it possible to receive ticket for host
On Sat, Aug 09 2014 at 00:41:07 -0400, Greg Hudson scribbled
in "Re: Machine authentication":
> On 08/08/2014 03:37 AM, jarek wrote:
> > Is it possible to receive ticket for host principal and use
> > this ticket for authentication ?
>
> Yes. Normally this
On 08/08/2014 03:37 AM, jarek wrote:
> Is it possible to receive ticket for host principal and use this ticket
> for authentication ?
Yes. Normally this is done using a keytab, in one of three ways:
* krb5_get_init_creds_keytab from the application code.
* kinit -k from the comman
Hello!
Is it possible to receive ticket for host principal and use this ticket
for authentication ?
I'd like to somehow authenticate daemonized application to PostgreSQL
with GSSAPI without any user interaction.
best regards
Hello!
I have hot-standby cluster with two servers: s1 and s2. This cluster
has also virtual ip address s3, assigned to current master.
I can authenticate in s1 and s2 (postgres, gss) but when I'm trying to
authenticate in s3, I see:
duplicate GSS authentication request
I
Hello!
I have two servers (s1, s2) working as hot-standby cluster with virtual
ip address (s3), which is assigned to current master.
I have created host/s3 user in kadmin and added it to keytabs on both
servers, but when I'm trying to authenticate to s3, I see:
duplicate GSS authentic
On 05/18/2014 12:57 PM, Simo Sorce wrote:
> On Wed, 2014-05-14 at 13:24 -0700, Russ Allbery wrote:
>> The Kerberos protocol permits the server to tell the client both the salt
>> and the rounds, so you could dynamically adjust the rounds and use
>> per-principal salt within the protocol (or, even b
On Wed, 2014-05-14 at 13:24 -0700, Russ Allbery wrote:
> Greg Hudson writes:
>
> > * The AES enctypes have an intentionally expensive string-to-key
> > function, making brute-force password attacks more expensive by a
> > significant but constant factor.
>
> The one caveat I'll add to this, thou
Great - thanks - I agree with pretty much all of that. My question was
again more of a theoretical "what does it really provide?" and are those
benefits worth any possible risk.
I think that Greg's answer that enc time pre-auth is only slightly more
negligible to brute force than without it and t