From naveen.bn at globaledgesoft.com Tue Jul 1 05:40:20 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 01 Jul 2008 15:10:20 +0530
Subject: ASN1
Message-ID: <4869FB84.3020904@globaledgesoft.com>

Hi all,

I am using krb5-1.6.3; does it have support for decoding an octetstring value in CONSTRUCTED form?

Thank you
naveen

From jarjonas at gmail.com Tue Jul 1 13:04:05 2008
From: jarjonas at gmail.com (Javier Arjona Sanchez)
Date: Tue, 1 Jul 2008 19:04:05 +0200
Subject: Update group membership via a kerberos ticket????
Message-ID: <8e4d66710807011004w559f8ccap1824a3307a219623@mail.gmail.com>

Hi,

Can Network Identity Manager update the group membership via a kerberos ticket from a Domain Controller on Windows 2003 Server???

Thanks
Javier

From jhutz at cmu.edu Tue Jul 1 14:30:02 2008
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Tue, 01 Jul 2008 14:30:02 -0400
Subject: ASN.1
In-Reply-To: <200807011529.m61FT4GI025836@raisinbran.srv.cs.cmu.edu>
References: <200807011529.m61FT4GI025836@raisinbran.srv.cs.cmu.edu>
Message-ID: <253F05E963F02C6F9A37C603@sirius.fac.cs.cmu.edu>

--On Monday, June 30, 2008 04:43:10 PM +0200 mohamed.chaari at orange-ftgroup.com wrote:

> I would like to know if I can modify the ASN.1 files of kerberos.

As far as I know, you can modify anything you want in your copy of Kerberos.
However, the ASN.1 describes the Kerberos protocol, which is specified in RFC4120 and related documents. If you make changes, the resulting protocol will no longer be Kerberos and may not interoperate correctly with existing and/or future implementations of the standard protocol.

-- 
Jeffrey T. Hutzelman (N3NHS)
Carnegie Mellon University - Pittsburgh, PA

From mthompson at adt-it.com Tue Jul 1 16:21:58 2008
From: mthompson at adt-it.com (Marlon Thompson)
Date: Tue, 1 Jul 2008 15:21:58 -0500 (CDT)
Subject: Solaris 10 - Update 6 Information
In-Reply-To: <479878339.1174561214943507788.JavaMail.root@mail.adt-it.com>
Message-ID: <913631139.1174671214943718899.JavaMail.root@mail.adt-it.com>

Will,

I was viewing information online today regarding Solaris 10 Update 6 when I came across the following site: http://mailman.mit.edu/pipermail/kerberos/2008-May/013674.html

I see Solaris 10 Update 6 mentioned here. Do you know how far in the future Update 6 can be expected to be released? We are in the process of updating from Solaris 10 Update 1 (1/06) to possibly Update 4 or 5. I have heard about Update 6, but no one at Sun.com has been able to assist me. I am not asking for definite details of what is in the release or a tied-down date, basically a notation that Update 6 is forthcoming and an estimated timeframe.

Thanks in advance for your assistance.

~ Marlon

-- 
Marlon W. Thompson
Applied Data Trends, Inc.
mthompson at adt-it.com
marlon.w.thompson at us.army.mil
ADT: 256.319.0664
cell: 256.679.1978

From Sam.Sharma at ga.com Tue Jul 1 15:33:37 2008
From: Sam.Sharma at ga.com (Shambhulal R. Sharma)
Date: Tue, 1 Jul 2008 12:33:37 -0700
Subject: windows 2003 AD and keytab file generation
Message-ID: <2A760B9242661D48B778599DC639260C059371@VEX.ad.ga.com>

Hi All

I am trying to use Active Directory installed on Windows Server 2003 as KDC. I followed the Microsoft step-by-step guide http://technet.microsoft.com/en-us/library/bb742433.aspx to create a windows user account, and the ktpass command to map a service principal name to the windows user account and generate a keytab file. So far I can map one service principal name to one windows user account, which works fine.

I have a requirement where multiple services running on a system should map their service principals to a single Windows user, preferably a computer account. I would like to generate/prepare a single keytab file for all service [ftp, http, etc.] principal names using the ktpass and ktutil commands.

My questions:

Is it possible to use a computer account to map multiple service principal names? I know about the setspn command, which allows add/delete/list operations to manage service principal association with a windows user/computer account.

The problem seems to be with the ktpass command: I do not know how I can generate a keytab file for all service principals associated with a single user/computer account. Every time I try to use the ktpass -princ ... command it changes the kvno number, which invalidates the previous keytab files. I tried ktpass with multiple -princ <...> -princ <...> options, which generates the keytab file only for the last principal name specified in the ktpass command line.

Is it possible to have multiple service principals associated with a single computer/user account? Due to some security reasons this is not permitted on Windows.

SAM SHARMA

From dam at blastwave.org Wed Jul 2 01:11:45 2008
From: dam at blastwave.org (Dagobert Michelsen)
Date: Wed, 2 Jul 2008 07:11:45 +0200
Subject: Solaris 10 - Update 6 Information
In-Reply-To: <913631139.1174671214943718899.JavaMail.root@mail.adt-it.com>
References: <913631139.1174671214943718899.JavaMail.root@mail.adt-it.com>
Message-ID:

Hi Marlon,

On 01.07.2008 at 22:21, Marlon Thompson wrote:

> I was viewing information online today regarding Solaris 10 Update
> 6 when I came across the following site: http://mailman.mit.edu/
> pipermail/kerberos/2008-May/013674.html
>
> I see Solaris 10 Update 6 mentioned here. Do you know how
> far in the future Update 6 can be expected to be released?

Solaris 10 Update 5 was just released in May 2008; between the last releases were 10 and 8 months. So my educated guess is that update 6 will be released early 2009.

Best regards

-- Dago

From Latesh.KJ at netapp.com Wed Jul 2 02:21:54 2008
From: Latesh.KJ at netapp.com (KJ, Latesh)
Date: Wed, 2 Jul 2008 11:51:54 +0530
Subject: Root Access
Message-ID: <01C7676F61850E4BB9DE91339353E49C13E121@BTCMVEXC1-PRD.hq.netapp.com>

Hi,

On AIX 5.3 Kerberos, when I mount a share of NetApp storage from a Linux client having share access as anon=0, files are created as nobody nobody. Any clues?
Note: The NIS is the same on filer and client.

Thanks
Latesh KJ

From vilas.tadoori.ext at siemens.com Wed Jul 2 08:30:51 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Wed, 2 Jul 2008 08:30:51 -0400
Subject: Kinit/kadmin does not work
Message-ID: <0419C2808E620348A3119DCCE2A7A695075FADE5@USCIMPLM004.net.plm.eds.com>

Ok ... I have rectified the issue. I do not maintain a .profile and usually do a bash on my solaris box.
It was an elementary mistake that caused this problem earlier. I have downloaded the kerberos distribution file krb5-1.6.3.tar.gz. Later I built the same; it then created the following dir structure under /usr/local, and all the kerberos binaries are in bin and sbin respectively. When I exited out of bash on Friday I lost my path to these binaries; in the hurry I have done the following to map the same back to my path:

export $PATH:/usr/local/sbin and bin

This made the earlier binaries take effect, as my path was looking like /usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin. I realized it and set that straight and everything is normal...

One other thing that I want to raise is why is it that the kerberos binaries would not work with the x86 solaris intel based installation...

Regards
Vilas

_____
From: Tadoori (EXT), Vilas
Sent: Monday, June 30, 2008 9:46 PM
To: kerberos at mit.edu
Subject: Kinit/kadmin does not work

Dear All,

It is really strange that kinit does not work for me. I am pretty confident about my krb5.conf and kdc.conf files. They are good on the linux suse, but when I actually started working over the weekend ... it gives me this message as below for kinit (on solaris):

bash-3.00# kinit
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

The kadmin also is acting strange:

bash-3.00# kadmin -p x_tadoor
Authenticating as principal x_tadoor with password.
Password for x_tadoor at XXXXXXXXX *
kadmin: Communication failure with server while initializing kadmin interface

* realm intentionally crossed out

This is giving problems on the SunOS x86 architecture.

bash-3.00# uname -a
SunOS hysuntcsso 5.10 Generic_118855-33 i86pc i386 i86pc

This is really frustrating.... any help will be greatly appreciated.

Regards
Vilas

From deengert at anl.gov Wed Jul 2 10:02:06 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 02 Jul 2008 09:02:06 -0500
Subject: windows 2003 AD and keytab file generation
In-Reply-To: <2A760B9242661D48B778599DC639260C059371@VEX.ad.ga.com>
References: <2A760B9242661D48B778599DC639260C059371@VEX.ad.ga.com>
Message-ID: <486B8A5E.2030507@anl.gov>

Shambhulal R. Sharma wrote:
> Hi All
>
> I am trying to use Active Directory installed on Windows Server 2003 as
> KDC. I followed the Microsoft step-by-step guide
> http://technet.microsoft.com/en-us/library/bb742433.aspx to create a
> windows user account, ktpass command to map a service principal name to
> the windows user account and generate a keytab file. So far I can map
> one service principal name to one windows user account which works fine.
>
> I have a requirement where multiple services running on a system should
> map their service principals to a single Windows User preferably
> computer account. I would like to generate/prepare a single keytab file
> for all service [ftp,http, etc.] principal names using ktpass and ktutil
> commands.
>

From reading your note and notes from others in the past, you may be confused by the use of the term "user account" in the Microsoft article. You need to have an account for the service, which has objectClass: top, person, organizationalPerson and user. (It can also have an objectClass computer.) This account has nothing to do with the users who will use the service. It is an account for the service.

It has to have a sAMAccountName that is restricted to 19 characters and unique in the forest. We use a convention something like: -- a fictional example: host-mylinux-it, and the servicePrincipalName would be: host/mylinux.it.ga.com at GA.COM

The account can be located anywhere in the directory tree.

> My questions:
>
> Is it possible to use a computer account to map multiple service
> principal names. I know about setspn command which can allow
> add/delete/list operations to manage service principal association with
> a windows user/computer account.

Yes. But note that since there is only one password per account, all these principals will use the same password to generate the keys. With RC4 there is no salt, so they will have the same key. This may not be what you want.

> The problem seems to be with ktpass command, I do not know how I can
> generate keytab file for all service principal associated with a single
> user/computer account. Every time I try to use the ktpass -princ ...
> command it changes the kvno number which invalidates the previous keytab
> files. I tried ktpass with multiple -princ <...> -princ <...> options,
> which generates the keytab file only for the last principal name
> specified in the ktpass command line.

The best way to do this is to assign a different account for each service, so each has its own password and thus a different key. Like:

host-mylinux   host/mylinux.ga.com at GA.COM
HTTP-mylinux   HTTP/mylinux.ga.com at GA.COM

You could then use the unix tools to merge keytab files generated by ktpass if needed. Or you could use something like msktutil or the Solaris scripts to do all the ldap commands to AD to add/mod accounts and manage keytabs.

> Is it possible to have multiple service principals associated with a
> single computer/user account. Due to some security reasons this is not
> permitted on Windows.

Yes it is, but they will share the same key.

> SAM SHARMA
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jaltman at secure-endpoints.com Wed Jul 2 10:31:45 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 02 Jul 2008 10:31:45 -0400
Subject: [Ietf-krb-wg] Proxiable/forwardable question
In-Reply-To:
References: <0D4EFF373FC0C17BE33A790D@sirius.fac.cs.cmu.edu>
Message-ID: <486B9151.6000301@secure-endpoints.com>

Lewis Adam-CAL022 wrote:
>
>> It might help a lot if you give up on the hypothetical and
>> tell us what you're really trying to do. There's a good
>> chance that there is a solution based on existing technology,
>> but it's hard to tell without knowing more about what's going on.
>>
>
> Okay, so basically my situation is that I have a user which is going to
> authenticate to a central server. This central server will then alert
> other application servers that the user is on-line. So when the user
> authenticates to the central server by sending it a Kerberos ticket, I
> would like for that central server to forward the user's ticket to the
> other (application) servers, and for the end result to be that the user
> has a shared session key with each of those application servers. Is this
> possible?

Let me start by suggesting that you hold this discussion on kerberos at mit.edu instead of on the IETF Kerberos WG mailing list. kerberos at mit.edu is for questions regarding Kerberos deployments, whereas this mailing list is intended for discussions regarding the development of Kerberos protocol standards.

Next I will suggest, if you have not already done so, that you read one or more of the tutorials on Kerberos so that you have a better idea of how the protocol actually works and what the roles of the participants are. You can find some good introductory tutorials at http://web.mit.edu/kerberos/papers.html

In your environment you have client C, the KDC K, the Central Server CS, and an application server AS.
When C wants to authenticate to CS it obtains a service ticket for CS from K using a previously obtained Ticket Granting Ticket for the user. This ticket T is encrypted in a key that only CS knows and contains a session key that is known to C. If CS can decrypt T it can obtain the session key, and with it C and CS can prove their identity to one another.

If C ever talks to AS directly then C would obtain a service ticket for AS from K. There is no need for CS to send a session key to AS.

If CS is going to be communicating to AS on behalf of C, then C could "forward" a ticket to CS that CS can use to authenticate to AS as C.

Note that it is very unclear from your description what your intended communication flow is or what protocols are involved.

I have set followup-to kerberos at mit.edu.

Jeffrey Altman

From kwc at umich.edu Wed Jul 2 10:37:42 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Wed, 2 Jul 2008 10:37:42 -0400
Subject: Root Access
In-Reply-To: <01C7676F61850E4BB9DE91339353E49C13E121@BTCMVEXC1-PRD.hq.netapp.com>
References: <01C7676F61850E4BB9DE91339353E49C13E121@BTCMVEXC1-PRD.hq.netapp.com>
Message-ID: <4d569c330807020737t2914f199y31a317ce930ff3c0@mail.gmail.com>

This sounds like an NFS question? You should ask on the Linux NFS list:

On Wed, Jul 2, 2008 at 2:21 AM, KJ, Latesh wrote:
>
> Hi,
>
> On AIX 5.3 Kerberos when I mount a share of NetApp storage from Linux
> client having share access as anon=0. Files are created using nobody
> nobody. Any clues?
> Note: The NIS is same on filer and client.
>
> Thanks
> Latesh KJ

From vilas.tadoori.ext at siemens.com Wed Jul 2 10:40:14 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Wed, 2 Jul 2008 10:40:14 -0400
Subject: errors after creating keytab
Message-ID: <0419C2808E620348A3119DCCE2A7A695075FAFCF@USCIMPLM004.net.plm.eds.com>

Hi All,

I have created a keytab in the following manner. I was root when I added the keytab, in kadmin:

kadmin> ktadd -k /etc/krb5.keytab root/admin at realm_name
kadmin> exit

When I do a kinit -k it gives me the following error:

bash-3.00# kinit -k
kinit(v5): Cannot resolve network address for KDC in realm while getting initial credentials

And when I do a kinit -p root/admin, even when I am typing the correct password, it gives me the below error:

kinit(v5): Password incorrect while getting initial credentials

Actually none of the commands work. When I am doing kadmin it gives me the following message:

bash-3.00# kadmin
Authenticating as principal root/admin at NET.PLM.EDS.COM with password.
Password for root/admin at NET.PLM.EDS.COM:

Any advice to resolve this? When the keytab is deleted it works fine, but that defeats the purpose.

regards
vilas

From sbuckley at MIT.EDU Wed Jul 2 12:43:26 2008
From: sbuckley at MIT.EDU (Stephen C. Buckley)
Date: Wed, 2 Jul 2008 12:43:26 -0400
Subject: "Best Practices for Integrating Kerberos Into Your Application" Draft Available
Message-ID: <3F0443AE-3EFD-4319-AA51-047B54018EC4@MIT.EDU>

I'm pleased to announce the availability of our second white paper, "Best Practices for Integrating Kerberos Into Your Application".

It is available for free on our web site at: http://www.kerberos.org/software/appskerberos.pdf

Additional documentation from a variety of sources is available here: http://www.kerberos.org/software/whitepapers.html

Thanks again for your support of the Kerberos Consortium.

s

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Executive Director
Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-159
Cambridge, MA 02139
web: http://www.kerberos.org

From paul.moore at centrify.com Wed Jul 2 18:28:17 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Wed, 2 Jul 2008 15:28:17 -0700
Subject: windows 2003 AD and keytab file generation
In-Reply-To: <486B8A5E.2030507@anl.gov>
References: <2A760B9242661D48B778599DC639260C059371@VEX.ad.ga.com> <486B8A5E.2030507@anl.gov>
Message-ID:

In windows all computer accounts have multiple SPNs; at least host/computer, host/computer.domain, some have as many as 10 (or even more!)

Here's my keytab:

31 host/paul-es5.ent2k3.seattle.test at ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 host/paul-es5 at ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 HTTP/paul-es5.ent2k3.seattle.test at ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 HTTP/paul-es5 at ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 paul-es5$@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)

The keytab entry is the same for each one - I don't recall the keytab maintenance commands, but you should be able to duplicate the key entry. (I created my keytab using our commercial product, which is much easier than doing it manually with ktpass etc.)

From Kevan.Earl at astrazeneca.com Wed Jul 2 12:13:45 2008
From: Kevan.Earl at astrazeneca.com (Earl, Kevan C)
Date: Wed, 2 Jul 2008 17:13:45 +0100
Subject: Problem building krb5 v 1.6.3 on AIX 5.3 using gcc 4.2.0
Message-ID: <3154FEBCFB92804DA39A2560E17183760341F1A1@ukaprdembx02.rd.astrazeneca.net>

Hello,

I'm having a problem building krb5 v 1.6.3 on AIX 5.3 using gcc 4.2.0. configure runs OK, but make stops with the following error:

gcc -L../../../lib -Wl,-blibpath:/usr/local/lib::/usr/lib:/lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -D_THREAD_SAFE -o client client.o rpc_test_clnt.o -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l gssrpc
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
ld:open(): A file or directory in the path name does not exist.
collect2: ld returned 255 exit status
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.

Is this just an environment issue? If so, please can someone suggest a possible solution. Regards, Kevan Earl From Matej.Zagiba at fmph.uniba.sk Thu Jul 3 08:14:54 2008 From: Matej.Zagiba at fmph.uniba.sk (Matej Zagiba) Date: Thu, 03 Jul 2008 14:14:54 +0200 Subject: MIT kerberos + OpenLDAP backend Message-ID: <486CC2BE.8080506@fmph.uniba.sk> Hello everybody, I'm trying to set up MIT kerberos with OpenLDAP backend. I found description of this functionality in kerberos admin guide, and I followed provided instructions. But it not usable, I cannot create working principal, assign policy or do kinit. Default principals like K/M works as expected. I will appreciate any help. System information: Debian Etch MIT kerberos 1.6.3 (compiled from debian testing packages) OpenLDAP 2.4.10 (compiled from OpenLDAP sources) action transcription follows: builder:/etc/krb5kdc# kdb5_ldap_util -D cn=adm-service,o=kerberos -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi create -subtrees o=kerberos -r TEST -s -sf /etc/krb5kdc/stash Password for "cn=adm-service,o=kerberos": Initializing database for realm 'TEST' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user1" Authenticating as principal root/admin at TEST with password. WARNING: no policy specified for user1 at TEST; defaulting to no policy Principal "user1 at TEST" created. builder:/etc/krb5kdc# kadmin.local -q "getprincs *" Authenticating as principal root/admin at TEST with password. K/M at TEST krbtgt/TEST at TEST kadmin/admin at TEST kadmin/changepw at TEST kadmin/history at TEST kadmin/builder at TEST user1 at TEST builder:/etc/krb5kdc# kadmin.local -q "getprinc user1" Authenticating as principal root/admin at TEST with password. 
Segmentation fault builder:/etc/krb5kdc# kadmin.local -q "add_policy -maxlife 180day default" Authenticating as principal root/admin at TEST with password. builder:/etc/krb5kdc# kadmin.local -q "getprincs *" Authenticating as principal root/admin at TEST with password. K/M at TEST krbtgt/TEST at TEST kadmin/admin at TEST kadmin/changepw at TEST kadmin/history at TEST kadmin/builder at TEST user1 at TEST builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user2" Authenticating as principal root/admin at TEST with password. NOTICE: no policy specified for user2 at TEST; assigning "default" Principal "user2 at TEST" created. builder:/etc/krb5kdc# kadmin.local -q "getprincs *" Authenticating as principal root/admin at TEST with password. get_principals: Invalid argument while retrieving list. builder:/etc/krb5kdc# kadmin.local -q "getprinc user2" Authenticating as principal root/admin at TEST with password. get_principal: Invalid argument while retrieving "user2 at TEST". builder:/etc/krb5kdc# kadmin.local -q "getprinc user1" Authenticating as principal root/admin at TEST with password. Segmentation fault builder:/etc/krb5kdc# kadmin.local -q "getprinc K/M" Authenticating as principal root/admin at TEST with password. 
Principal: K/M at TEST Expiration date: [never] Last password change: [never] Password expiration date: [none] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Thu Jul 03 13:37:44 CEST 2008 (db_creation at TEST) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH Policy: [none] builder:/etc/krb5kdc# /etc/init.d/krb5-kdc start builder:/etc/krb5kdc# kinit user1 Password for user1 at TEST: builder:/etc/krb5kdc# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user1 at TEST Valid starting Expires Service principal 07/03/08 13:55:37 07/03/08 23:55:37 krbtgt/TEST at TEST renew until 07/04/08 13:55:34 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached builder:/etc/krb5kdc# kdestroy builder:/etc/krb5kdc# kinit user2 kinit(v5): Generic error (see e-text) while getting initial credentials and here is log message: Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: user2 at TEST for krbtgt/TEST at TEST, Invalid argument -- Matej Zagiba From mehran.esfandiari at gmail.com Thu Jul 3 02:59:12 2008 From: mehran.esfandiari at gmail.com (gsmman) Date: Wed, 2 Jul 2008 23:59:12 -0700 (PDT) Subject: Error in AbstractServiceNotation x.407 Message-ID: Hi All I am new member in ur group , I am very glad for join to you I have a problem about AbstractServiceNotation I am woerking with specifation 03.49 and when compile that with TAU Telelogic it doesn'tr know AbstractServiceNotation I found it ( in x.407) but It ceated at 1992 and It used MACRO in ASN. 
1 and new ASN.1 desn't know Macro for this cause I am lookinf for about solution about that before thanks From kulg123 at gmail.com Fri Jul 4 00:16:03 2008 From: kulg123 at gmail.com (kul gupta) Date: Fri, 4 Jul 2008 09:46:03 +0530 Subject: mod_auth_kerb +aoache issue Message-ID: <2203f95e0807032116j28cdfe42o429c279732c43d4@mail.gmail.com> Hello I am using mod_auth_kerb module( for apache webserver ) for authentication.I am facing the following issues(*Issue (1) and Issue (2)) as described below-* *I also attaching the word document detailing the issues* Apache server is in ?Redhat Enterprise linux 5.0 KDC ?in Redhat Enterprise linux 5.0 I have installed and configure Openssl0.9.8g apache 2.2.8 mod_auth_kerb 2.3 *1)*Apache with SSL is working fine and I am able to access https:\\ ruchita.com\index.html As per given in the INSATLL file of mod_auth_kerb we have done the settings of IE and mozilla as -- For Mozilla - I typed "about:config" in the URL bar and then set the value of "network.negotiate-auth.trusted-uris" to https://ruchita.com It then prompted me for username and password I entered my Kerberos username and password and enter *Issue (1)-->* After entering the details (username and password) it again prompted for the username and password. *2)* For IE also i did the settings as given in n the INSATLL file of mod_auth_kerb I went to "Local intranet" Also edited the file- WINDOWS->system32->drivers->etc->host And added my linux machine(where the apache server is ) ip and its name in it. 
As 172.25.108.159 ruchita.com *Issue (2)* Now ,when I m trying to access http://ruchita.com, the output coming is Internal Server Error Also while accesing https://ruchita.com ,the output is Page cannot be displayed I will be highly thankful if someone can guide me for the same Thanks Kul From thomas.boutry at notarius.com Mon Jul 7 09:21:41 2008 From: thomas.boutry at notarius.com (Thomas Boutry) Date: Mon, 7 Jul 2008 09:21:41 -0400 Subject: Kerberos-LDAP infrastructure Message-ID: Hi, We'd like to deploy Kerberos it on our network. We already have a working Kerberos setup in our Lab which has a Master Kerberos server with an OpenLDAP backend and a Slave Kerberos server which also uses an OpenLDAP backend. Before we go live into production, we're looking for information on how to build the Kerberos infrastrucure (i.e. In which network DMZ do I install the KDC? Where should we install the slave Kerberos servers? Can we run a "hidden" KDC, much like a hidden Primary DNS server? How would that affect users who want to change their passwords? etc). Unfortunately, we didn't find a lot of documentation which talks specifically about Kerberos architecture. That's why we're looking for experienced Kerberos users to help us deploy a good Kerberos infrastructure. Our goals are to create a Hidden Master Kerberos and several Slaves. We plan to use the Kerberos/OpenLDAP services for authentication via SSH, OpenAFS, autofs maps, sudo rights plus users and groups. The Kerberos architecture has to support two different data centers. Both sites have serveral DMZ networks (WWW, Application and Database for the classic three tiered environment plus le local LAN). We'd like to use Kerberos to login on all of these networks. One slave in the LAN to support workstations and LAN servers. Other two slaves in a DMZ (which one?) for DMZ Servers support and as Workstation backup support. We need to have redundancy of course. 
I've created an image of the architecture I just described which you can see at http://www.zerocatastrophe.com/kerberos-architecture.png

This architecture is by no means final. Suggestions are welcomed! Please let me know what you think. I will post a summary once the architecture is final.

Many thanks,
---
Thomas Boutry
UNIX systems administrator

From hotz at jpl.nasa.gov Mon Jul 7 12:52:02 2008
From: hotz at jpl.nasa.gov (Henry B. Hotz)
Date: Mon, 7 Jul 2008 09:52:02 -0700
Subject: [modauthkerb] mod_auth_kerb + apache issue
In-Reply-To: <2203f95e0807032116j28cdfe42o429c279732c43d4@mail.gmail.com>
References: <2203f95e0807032116j28cdfe42o429c279732c43d4@mail.gmail.com>

There ought to be more information in the Apache error log. Also you can increase the log level if necessary.

On Jul 3, 2008, at 9:16 PM, kul gupta wrote:

> Hello
> I am using mod_auth_kerb module (for apache webserver) for
> authentication. I am facing the following issues (Issue (1) and Issue
> (2)) as described below-
> I also attaching the word document detailing the issues
>
> Apache server is in Redhat Enterprise linux 5.0
> KDC in Redhat Enterprise linux 5.0
>
> I have installed and configure
>
> Openssl0.9.8g
> apache 2.2.8
> mod_auth_kerb 2.3
>
> 1) Apache with SSL is working fine and I am able to access https://ruchita.com/index.html
>
> As per given in the INSTALL file of mod_auth_kerb we have done the
> settings of IE and mozilla
>
> as -- For Mozilla - I typed "about:config" in the URL bar and then
> set the value of "network.negotiate-auth.trusted-uris" to https://ruchita.com
>
> It then prompted me for username and password
> I entered my Kerberos username and password and enter
>
> Issue (1)--> After entering the details (username and password) it
> again prompted for the username and password.
>
> 2) For IE also I did the settings as given in the INSTALL file of
> mod_auth_kerb
> I went to "Local intranet"
> Also edited the file- WINDOWS->system32->drivers->etc->host
> And added my linux machine (where the apache server is) ip and its
> name in it.
> As
> 172.25.108.159 ruchita.com
>
> Issue (2)
> Now, when I'm trying to access http://ruchita.com, the output coming
> is
>
> Internal Server Error
>
> Also while accessing https://ruchita.com, the output is
>
> Page cannot be displayed
>
> I will be highly thankful if someone can guide me for the same
> Thanks
> Kul
> issues.doc
>
> _______________________________________________
> modauthkerb-help mailing list
> modauthkerb-help at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

From aditham at yahoo.com Tue Jul 8 11:25:51 2008
From: aditham at yahoo.com (aditham@yahoo.com)
Date: Tue, 8 Jul 2008 08:25:51 -0700 (PDT)
Subject: krb5_context in a threaded process

I need to initialize multiple krb5_context's in a multi-threaded program and each context *must* be initialized from a different config file.

krb5_init_context() seems to read config from /etc/krb5.conf or the file pointed to by KRB5_CONFIG. Setting the environment variable will not work since "env" is for the process, not the thread.

I was wondering if there is a better way to do this, other than creating a mutex to set/get the KRB5_CONFIG env variable before each krb5_init_context.
thanks
R.K

From kjensen at diku.dk Tue Jul 8 10:53:00 2008
From: kjensen at diku.dk (Klaus Jensen)
Date: Tue, 8 Jul 2008 16:53:00 +0200
Subject: kadmin: Unbalanced quotes in command line
Message-ID: <20080708145300.GB22948@diku.dk>

Hi,

I'm working on using a script to change the password for a given principal. The resulting command line is something like this:

kadmin -k -t keytabfile -p host/host.foobar -q "cpw -pw <password> princ at REALM"

When <password> contains a quote character (i.e. password is: foobar"omg) I get the following error:

kadmin: Unbalanced quotes in command line

Note that the quote is escaped:
kadmin -k -t keytabfile -p host/host.foobar -q "cpw -pw foobar\"omg princ at REALM"

I tried using kadmin without '-q' and got the same error message when using the command directly:

# kadmin -k -t keytabfile -p host/host.foobar
kadmin: cpw -pw foobar"omg princ at REALM
kadmin: Unbalanced quotes in command line

Same thing when escaped:

kadmin: cpw -pw foobar\"omg princ at REALM
kadmin: Unbalanced quotes in command line

The only successful way I found to set a password using a quote (not escaped) was:

# kadmin -k -t keytabfile -p host/host.foobar
kadmin: cpw princ at REALM
Enter password for principal "princ at REALM":
Re-enter password for principal "princ at REALM":
Password for "princ at REALM" changed.

I'm using krb5-1.5.3. Any ideas or alternative approaches?

Thanks!
--
Klaus

"Oops, I always forget the purpose of competition is to divide people into winners and losers." -Hobbes being sarcastic

From ioplex at gmail.com Tue Jul 8 17:54:15 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Tue, 8 Jul 2008 17:54:15 -0400
Subject: krb5_context in a threaded process
Message-ID: <78c6bd860807081454w6d39aa6bx89e956657e7cb07a@mail.gmail.com>

On Tue, Jul 8, 2008 at 11:25 AM, wrote:
> I need to initialize multiple krb5_context's in a multi-threaded
> program
> and each context *must* be initialized from a different config file.
>
> krb5_init_context() seems to read config from /etc/krb5.conf or the
> file
> pointed to by KRB5_CONFIG. Setting the environment variable will not
> work since
> "env" is for the process, not the thread.
>
> I was wondering if there is a better way to do this, other than
> creating a mutex
> to set/get the KRB5_CONFIG env variable before each krb5_init_context.

Not really. What I did was add a krb5_config_set function to allow setting individual properties and then change the default krb5.conf location to an empty file. I believe Heimdal has such functions (although I don't know if the work was fully completed due to memory management issues). I don't know if MIT has such functions.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From raeburn at MIT.EDU Tue Jul 8 17:55:12 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 8 Jul 2008 17:55:12 -0400
Subject: krb5_context in a threaded process

On Jul 8, 2008, at 11:25, aditham at yahoo.com wrote:
> I need to initialize multiple krb5_context's in a multi-threaded
> program
> and each context *must* be initialized from a different config file.
>
> krb5_init_context() seems to read config from /etc/krb5.conf or the
> file
> pointed to by KRB5_CONFIG. Setting the environment variable will not
> work since
> "env" is for the process, not the thread.
>
> I was wondering if there is a better way to do this, other than
> creating a mutex
> to set/get the KRB5_CONFIG env variable before each krb5_init_context.

Unfortunately, no, at the moment that's the best way. (Or use multiple processes.)

I'd actually thought about implementing an interface to take the extra input argument, because it would clean up how some of the KDC initialization works right now (which uses a private variant of krb5_init_context that only differs in that it adds the kdc.conf file to the normal list of config files). Do you want to propose and implement something along those lines?
The krbdev at mit list would be the place for that discussion....

Ken

From raeburn at MIT.EDU Tue Jul 8 17:56:38 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 8 Jul 2008 17:56:38 -0400
Subject: kadmin: Unbalanced quotes in command line
In-Reply-To: <20080708145300.GB22948@diku.dk>
References: <20080708145300.GB22948@diku.dk>
Message-ID: <6C710E8A-CBEA-4389-8464-F4B6A45B4DB3@mit.edu>

On Jul 8, 2008, at 10:53, Klaus Jensen wrote:
> I'm working on using a script to change the password for a given
> principal.
> The resulting command line is something like this:
>
> kadmin -k -t keytabfile -p host/host.foobar -q "cpw -pw <password>
> princ at REALM"
>
> When <password> contains a quote character (i.e. password is:
> foobar"omg)
> I get the following error:
>
> kadmin: Unbalanced quotes in command line
>
> Note that the quote is escaped:
> kadmin -k -t keytabfile -p host/host.foobar -q "cpw -pw foobar\"omg
> princ at REALM"
>
> I tried using kadmin without '-q' and got the same error message
> when using
> the command directly:
>
> # kadmin -k -t keytabfile -p host/host.foobar
> kadmin: cpw -pw foobar"omg princ at REALM
> kadmin: Unbalanced quotes in command line
>
> Same thing when escaped:
>
> kadmin: cpw -pw foobar\"omg princ at REALM
> kadmin: Unbalanced quotes in command line

Yeah, the quote handling in that code is kind of strange. As best I recall, the code was vaguely modeled on a CLI that treated "" within a quoted string as inserting just " into that string, and unfortunately not on UNIX sh or csh behavior. So:

% ../../Inst/sbin/kadmin.local -q 'ank "foo""bar"'
Authenticating as principal raeburn/admin at ATHENA.MIT.EDU with password.
WARNING: no policy specified for foo"bar at ATHENA.MIT.EDU; defaulting to no policy
Enter password for principal "foo"bar at ATHENA.MIT.EDU":

Or this one, which looks even stranger:

% kadmin.local -q 'ank foo""""bar'
Authenticating as principal raeburn/admin at ATHENA.MIT.EDU with password.
WARNING: no policy specified for foo"bar at ATHENA.MIT.EDU; defaulting to no policy
Enter password for principal "foo"bar at ATHENA.MIT.EDU":

(That's read as "foo" and then a quoted string containing one quote and then "bar", all pasted together as one argument.)

Getting that through the shell's parser if you use double-quoted strings on the shell command line will be even uglier.

I wouldn't write any scripts or anything that rely on this behavior; I keep hoping we'll just replace that library with an externally maintained, and perhaps more UNIX-like, command-line parser. I'm sure there are a few out there. (One that provides some kind of scripting capability would be a win, I would guess.) If we do, I expect we'd keep the basic tool behavior the same, but weird quoting stuff like this may change.

Ken

From hshukla at hp.com Wed Jul 9 10:08:13 2008
From: hshukla at hp.com (Shukla, Himanshu (STSD))
Date: Wed, 9 Jul 2008 14:08:13 +0000
Subject: Kpasswd and IPv6

Hi,

I had one doubt regarding IPv6 support for MIT kpasswd utility in 1.6.2 release or any prior release. From code it seems kpasswd will not work even if kadmind supports IPv6 (Some other Implementation apart from IPv6). Looks like kdcd is supported in IPv6 environment while kadmind still works only in IPv4 environment. Since kpasswd utility requires kadmind to run in IPv6 environment and kadmind is not supported in IPv6 environment, so no IPv6 support for kpasswd too.

Is there any plan in future to support MIT kpasswd utility in IPv6 environment??

Thanks & Regards,
Himanshu

From vr.sinha at gmail.com Thu Jul 10 05:34:00 2008
From: vr.sinha at gmail.com (Vibhuti Sinha)
Date: Thu, 10 Jul 2008 02:34:00 -0700
Subject: Kerberos Authorization Mechanism

Hi,

I am currently running two KDC servers with cross realm authentication setup between the two.
1st Server is in kerberos realm TEST.COM
2nd Server is in kerberos realm EXAMPLE.COM
TEST.COM trusts EXAMPLE.COM

Now, I need to design an authorization mechanism by which any administrator in EXAMPLE.COM should not have admin rights in TEST.COM. Services in TEST.COM are ssh and Unix authentication. Creating ACLs in TEST.COM for authorization is not feasible and I do not have this option. What are my other options to achieve this?

Regards
Vibhuti Sinha

From mdevine at opendemand.com Thu Jul 10 08:55:32 2008
From: mdevine at opendemand.com (Matthew Devine)
Date: Thu, 10 Jul 2008 08:55:32 -0400
Subject: Test Environment
Message-ID: <002301c8e28c$3d491e40$640fa8c0@MattODS>

So I'm looking for a little guidance on setting up a Kerberos environment from scratch simply for testing purposes (I.E. No Domain Controller or anything yet). I'm looking to actually set up this environment and then kerberize an apache web server running on Windows. Then verify it all working by having a third client machine try to connect to apache.

If someone could just help point in the right direction just to get things started it would be a big help. I found lots of tutorials and have a pretty good understanding but most of them start you off with already having the domain set up and they all refer to using AD as the domain controller.

1. What should I use for setting up a domain using Linux as my PDC?
2. Can I install the KDC on the same machine as the PDC?
3. When I finally install Apache on the Windows machine, should I install it as a Domain User or just as a local system user?

Thanks again for the assistance,
Matthew Devine

From michael at stroeder.com Thu Jul 10 14:03:07 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 10 Jul 2008 20:03:07 +0200
Subject: Test Environment

Matthew Devine wrote:
> So I'm looking for a little guidance on setting up a Kerberos environment
> from scratch simply for testing purposes (I.E.
> No Domain Controller or
> anything yet).

How about using the VMWare-Player for setting up various test machines?

Ciao, Michael.

From thomas.boutry at notarius.com Thu Jul 10 16:57:49 2008
From: thomas.boutry at notarius.com (Thomas Boutry)
Date: Thu, 10 Jul 2008 16:57:49 -0400
Subject: Test Environment

Matthew Devine wrote:
>> So I'm looking for a little guidance on setting up a Kerberos environment
>> from scratch simply for testing purposes (I.E. No Domain Controller or
>> anything yet).

> How about using the VMWare-Player for setting up various test machines?
> Ciao, Michael.

It's a good idea, but be careful with the time synchronization. Some guest OSes consistently run more slowly or more quickly than real world time. The reason that causes time to slow down inside the guest system is that the guest clock frequency is set higher than the host OS can offer. And if you have a time problem Kerberos can't work properly, especially the ticket manager.

If your guest OS is Linux you have a workaround on the vmware web site:
http://kb.vmware.com/selfservice/viewContent.do?language=en_US&externalId=1420

If you want to use FreeBSD check this link, but it's in French, sorry, maybe it can help:
http://casys.crevetor.org/index.php/FreeBSD_vmware-server_Guest

--
Thomas Boutry
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From rra at stanford.edu Thu Jul 10 20:27:05 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 10 Jul 2008 17:27:05 -0700
Subject: pam-krb5 3.11 released
Message-ID: <87y749xo2u.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.11 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    pam_setcred, pam_open_session, and pam_acct_mgmt now return PAM_IGNORE for ignored users or non-Kerberos logins rather than PAM_SUCCESS. This return code tells the PAM library to continue as if the module were not present in the configuration and allows sufficient to be meaningful for pam-krb5 in account and session groups. pam_authenticate continues to return failure for ignored users; PAM_IGNORE would arguably be more correct, but increases the risk of security holes through incorrect configuration.

    Support correct password expiration handling according to the PAM standard (returning success from pam_authenticate and an error from pam_acct_mgmt and completing the authentication after pam_chauthtok). This is not the default since it opens security holes with broken applications that don't call pam_acct_mgmt or ignore its exit status. To enable it, set the PAM option defer_pwchange for applications known to make the correct PAM calls and check return codes.

    Add a new option to attempt change of expired passwords during pam_authenticate if Kerberos authentication returns a password expired error. Normally, the Kerberos library will do this for you, but some Kerberos libraries (notably Solaris) disable that code. This option allows simulation of the normal Kerberos library behavior on those platforms.

    Work around an apparent Heimdal bug when krb5_free_cred_contents is called on an all-zero credential structure. It's not clear what's going on here and the Heimdal code looks correct, but avoiding the call fixes the problem.
    Warn if more than one of use_authtok, use_first_pass, and try_first_pass is set and use the strongest of the ones set.

    Remove the workaround for versions of MIT Kerberos that didn't initialize a krb5_get_init_creds_opt structure on opt_alloc. This bug was only present in early versions of 1.6; the correct fix is to upgrade.

    Add an additional header check for AIX's bundled Kerberos.

    If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file. Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work. For Kerberos libraries without krb5-config, also check for networking libraries (-lsocket and friends) before checking for Kerberos libraries in case shared library dependencies are broken.

    Fix Autoconf syntax error when probing for libkrb5support. Thanks, Mike Garrison.

    Set an explicit visibility of hidden for all internal functions at compile time if gcc is used to permit better optimization. Hide all functions except the official interfaces using a version script on Linux. This protects against leaking symbols into the application namespace and provides some mild optimization benefit.

    Fix the probing of PAM headers for const on Mac OS X. This will suppress some harmless compiler warnings there. Thanks, Markus Moeller.

You can download it from:

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.
--
Russ Allbery (rra at stanford.edu)

From marvin.cotto at googlemail.com Tue Jul 15 08:00:51 2008
From: marvin.cotto at googlemail.com (Marvin Cotto)
Date: Tue, 15 Jul 2008 14:00:51 +0200
Subject: Unicode characters in password
Message-ID: <5b67dd310807150500w27a51bbi50e09ea8dc89d6b6@mail.gmail.com>

Hello

I am working on software which uses kerberos as authentication system. Clients request to support non-ascii characters in passwords. If I try my (windows) client against active directory a unicode password works perfectly. But when I try it against linux where there is mit kerberos it allows me to change the password to some "unicode" but the password doesn't work.

My question is if unicode passwords are supposed to work in kerberos? And if not which part of the rfc says so?

Thanks a lot
M.

From dwm at doc.ic.ac.uk Tue Jul 15 10:13:47 2008
From: dwm at doc.ic.ac.uk (David McBride)
Date: Tue, 15 Jul 2008 15:13:47 +0100
Subject: Unicode characters in password
In-Reply-To: <5b67dd310807150500w27a51bbi50e09ea8dc89d6b6@mail.gmail.com>
References: <5b67dd310807150500w27a51bbi50e09ea8dc89d6b6@mail.gmail.com>
Message-ID: <487CB09B.4040602@doc.ic.ac.uk>

Marvin Cotto wrote:
> My question is if unicode passwords are supposed to work in kerberos? And if
> not which part of rfc says so?

Not at the moment. See RFC 4120, section 5.2.1. for a discussion of string types in Kerberos messages. [0]

(My understanding is that adding i18n support to Kerberos is on the krb-wg's current TODO list -- indeed, it's mentioned in their charter. [1])

Cheers,
David

--
David McBride
Department of Computing, Imperial College, London

[0] http://tools.ietf.org/html/rfc4120#section-5.2.1
[1] http://www.ietf.org/html.charters/krb-wg-charter.html
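To make David's RFC 4120 pointer concrete, here is an added example (my own code, not anything from the thread or from MIT Kerberos) that shows the mechanism behind Marvin's symptom. The AES string-to-key function of RFC 3962 starts with PBKDF2-HMAC-SHA1 over the password *bytes* and a salt (by default the realm name followed by the principal components), then finishes with a DK() step that is left out here because it adds nothing to the point. Which bytes the KDC sees is decided by the client that encodes the password. A non-ASCII password that kpasswd stored under one encoding (say UTF-8) and that a different client later types under another (Latin-1, or UTF-16LE as Windows tends to use internally) derives a different key, so the change succeeds and the login fails. `is_kerberos_string` is the RFC 4120 section 5.2.1 restriction (IA5String, 7-bit ASCII). The iteration count 4096 and the salt rule are from RFC 3962 and RFC 4120; the principal/realm values in the usage are the RFC 3962 test-vector values, and the sample passwords are constructed.

```python
import hashlib

# RFC 3962 section 4: AES string-to-key begins with
#     tkey = PBKDF2-HMAC-SHA1(passphrase_bytes, salt, iteration_count, keylen)
# and then applies DK() (AES based), which this example omits.  The default
# iteration count below is the RFC 3962 default; the rest of this file is
# added example code, not MIT Kerberos code.
DEFAULT_ITERATIONS = 4096


def is_kerberos_string(s: str) -> bool:
    """RFC 4120 section 5.2.1: KerberosString is a GeneralString limited to
    IA5String, so anything outside 7-bit ASCII is outside the spec."""
    return all(ord(ch) < 0x80 for ch in s)


def default_salt(principal: str, realm: str) -> str:
    """Default salt: realm name followed by the principal's name components
    with no separators (raeburn@ATHENA.MIT.EDU -> ATHENA.MIT.EDUraeburn)."""
    return realm + principal.replace("/", "")


def pbkdf2_tkey(password: bytes, salt: str, iterations: int, keylen: int) -> bytes:
    """The PBKDF2 half of RFC 3962 string-to-key, over the password *bytes*."""
    return hashlib.pbkdf2_hmac("sha1", password, salt.encode("utf-8"), iterations, keylen)


def tkeys_by_encoding(password: str, salt: str, iterations: int = DEFAULT_ITERATIONS,
                      keylen: int = 16) -> dict:
    """Derive tkey for one password as the KDC would see it under several
    client-side byte encodings.  If the entries differ, a password set under
    one encoding cannot authenticate under another."""
    result = {}
    for encoding in ("utf-8", "latin-1", "utf-16-le"):
        try:
            raw = password.encode(encoding)
        except UnicodeEncodeError:
            continue  # e.g. a CJK character has no latin-1 form
        result[encoding] = pbkdf2_tkey(raw, salt, iterations, keylen)
    return result


def encoding_sensitive(password: str, salt: str) -> bool:
    """True when the same characters give different keys under utf-8 and latin-1,
    i.e. when the password is one that can break across client encodings."""
    keys = tkeys_by_encoding(password, salt)
    return "latin-1" in keys and keys["utf-8"] != keys["latin-1"]


if __name__ == "__main__":
    salt = default_salt("raeburn", "ATHENA.MIT.EDU")
    # RFC 3962 Appendix B vector: "password", salt above, 1 iteration
    print(pbkdf2_tkey(b"password", salt, 1, 16).hex())
    for pw in ("password", "p\u00e4sswort"):   # constructed sample passwords
        print(pw, "KerberosString:", is_kerberos_string(pw),
              "encoding-sensitive:", encoding_sensitive(pw, salt))
```

Run as a script it prints the RFC 3962 test vector (cdedb5281bb2f801565a1122b2563515) for the ASCII case and then flags only the non-ASCII password as encoding-sensitive. The practical check for Marvin's situation is to compare what bytes the Windows client and the Linux kpasswd client actually send for the same typed password; if those differ, no KDC-side change will make the password work.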
From naveen.bn at globaledgesoft.com Tue Jul 15 10:14:38 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 15 Jul 2008 19:44:38 +0530
Subject: Regarding algorithm support
Message-ID: <487CB0CE.8070504@globaledgesoft.com>

Hi Kevin,

I felt the krb5-1.6.3 does not support des3_cbc_md5. My client application requires des3_cbc_md5 support from the kdc. Can you please guide on giving kdc server support for des3_cbc_md5 algorithm.

Thank you
with regards
naveen

From Tim.Alsop at CyberSafe.com Tue Jul 15 10:15:43 2008
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Tue, 15 Jul 2008 15:15:43 +0100
Subject: Regarding algorithm support
In-Reply-To: <487CB0CE.8070504@globaledgesoft.com>
References: <487CB0CE.8070504@globaledgesoft.com>
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA0E712C3A@exchange.cybersafe.local>

Naveen,

This cipher suite is available (etype = 5) and supported in CyberSafe TrustBroker client libraries, and I don't believe it is included in MIT distribution. My understanding is that MIT 3DES implementation is etype = 7 (DES-CBC-SHA1).

Thanks, Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of naveen.bn
Sent: 15 July 2008 15:15
To: kevin
Cc: kerberos at mit.edu
Subject: Regarding algorithm support

Hi Kevin,

I felt the krb5-1.6.3 does not support des3_cbc_md5. My client application requires des3_cbc_md5 support from the kdc. Can you please guide on giving kdc server support for des3_cbc_md5 algorithm.
Thank you
with regards
naveen

From klausk at linux.vnet.ibm.com Tue Jul 15 11:21:56 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Tue, 15 Jul 2008 12: 21:56 -0300
Subject: Two (or more) KDCs and a single LDAP directory
Message-ID: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>

Hi,

I'd like to know what are the supported methods of usage if I have to use two or more KDC instances with one LDAP directory. I can see a couple of scenarios but I'm not really sure what is the supported way of dealing with them. For example:

1) Two KDC servers, one LDAP server, same realm:
Since LDAP has no locking mechanism, would there be potential race conditions? Is kpropd the correct way of doing this?

2) Two KDC servers, one LDAP server, separate realms:
I don't see why I couldn't have two KDC instances using the same LDAP server, if they are not dealing with the same realm.

3) one KDC server, two mirror LDAP servers, same realm:
The way I see it we would need LDAP synchronization between the LDAP servers

4) two KDC servers, two mirror LDAP servers, same realm:
We should use kpropd + ldap synchronization?

5) two KDC servers, two mirror LDAP servers, separate realms:
same as (2)?

Thanks,
-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From jindrich.houska at seznam.cz Tue Jul 15 11:45:13 2008
From: jindrich.houska at seznam.cz (jhouska)
Date: Tue, 15 Jul 2008 08:45:13 -0700 (PDT)
Subject: SAP GUI with Kerberos 5, SAP Linux, SNC for SSO
Message-ID: <5bc34f73-122d-441c-b786-559b0310d90f@l64g2000hse.googlegroups.com>

Hi,

I'm trying to configure SSO between SAP GUI 6.40 (Windows) and SAP 6.40 (Red Hat).
I followed the instructions at http://help.sap.com/saphelp_nw04s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm (but used libgssapi_krb5.so instead of gsskrb5.dll) but I have a problem: the checkbox "enable secure network connection" in SAP GUI is grey and I cannot check it. (I installed sapsso.msi and set SNC_LIB before).

How can I enable this option in SAP GUI?

Thank you very much,
Jindra

From ssorce at redhat.com Tue Jul 15 14:48:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 15 Jul 2008 14:48:07 -0400
Subject: Two (or more) KDCs and a single LDAP directory
In-Reply-To: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
References: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
Message-ID: <1216147687.23973.52.camel@localhost.localdomain>

On Tue, 2008-07-15 at 12:21 -0300, Klaus Heinrich Kiwi wrote:
> Hi,
>
> I'd like to know what are the supported methods of usage if I have to
> use two or more KDC instances with one LDAP directory. I can see a
> couple of scenarios but I'm not really sure what is the supported way of
> dealing with them. For example:
>
> 1) Two KDC servers, one LDAP server, same realm:
> Since LDAP has no locking mechanism, would there be potential race
> conditions? Is kpropd the correct way of doing this?

Internal locking guarantees operations are atomic. So, if the ldap client is written correctly, data should always be consistent.

> 2) Two KDC servers, one LDAP server, separate realms:
> I don't see why I couldn't have two KDC instances using the same LDAP
> server, if they are not dealing with the same realm.

As long as you have 2 separate parts of the tree dedicated to the 2 realms, there should be no problem.

> 3) one KDC server, two mirror LDAP servers, same realm:
> The way I see it we would need LDAP synchronization between the LDAP
> servers

Using native LDAP replication is usually the way to go.
> 4) two KDC servers, two mirror LDAP servers, same realm:
> We should use kpropd + ldap synchronization?

I don't know what kpropd would buy you, the data is already replicated by ldap.

> 5) two KDC servers, two mirror LDAP servers, separate realms:
> same as (2)?

yup.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Tue Jul 15 15:17:02 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 15 Jul 2008 15:17:02 -0400
Subject: Two (or more) KDCs and a single LDAP directory
In-Reply-To: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
References: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
Message-ID: <63024F9D-C0B4-4EF0-BED8-814B42D0E3B5@mit.edu>

On Jul 15, 2008, at 11:21, Klaus Heinrich Kiwi wrote:
> I'd like to know what are the supported methods of usage if I have to
> use two or more KDC instances with one LDAP directory. I can see a
> couple of scenarios but I'm not really sure what is the supported
> way of
> dealing with them. For example:
>
> 1) Two KDC servers, one LDAP server, same realm:
> Since LDAP has no locking mechanism, would there be potential race
> conditions? Is kpropd the correct way of doing this?

I think it's okay. You could run kadmind on only one server, if you want to be extra careful.

You wouldn't need kpropd in an LDAP setup. In fact, kpropd is probably a bad idea in an LDAP setup. On the receiving end, in the db2-backend case, it operates by loading a new database file, and when that's done, renaming it to use the "real" database file name. I don't know if it'll work properly at all for an LDAP back end. However, be aware that this impression *isn't* based on experience with that code, I mostly work with the db2 back end; maybe it's flexible enough to deal with that and I hadn't noticed.
(The incremental-propagation changes we're folding in for the 1.7 release won't change this, even if you were propagating between non-replicated LDAP installations or db2-to-LDAP, because in the too-far-out-of-date case, it does a full-copy propagation to replace the slave database, like the current implementation.)

> 3) one KDC server, two mirror LDAP servers, same realm:
> The way I see it we would need LDAP synchronization between the LDAP
> servers
>
> 4) two KDC servers, two mirror LDAP servers, same realm:
> We should use kpropd + ldap synchronization?

Like Simo said, use LDAP replication, not kpropd, and things should be fine...

Ken

From naveen.bn at globaledgesoft.com Wed Jul 16 07:48:21 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 16 Jul 2008 17:18:21 +0530
Subject: des3_cbc_md5
Message-ID: <487DE005.8030507@globaledgesoft.com>

Hi Kevin,

I added the support for des3_cbc_md5 in lib/crypto/etypes.c

const struct krb5_keytypes krb5_enctypes_list[] = {
    { ENCTYPE_DES3_CBC_MD5, "des3-cbc-md5", "Triple DES cbc mode with md5",
      &krb5int_enc_des3, &krb5int_hash_md5,
      krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
      krb5int_dk_string_to_key, krb5int_dk_prf,
      CKSUMTYPE_RSA_MD5_DES3 }

and provided an entry in the DEFAULT_ETYPE_LIST in lib/krb5/krb/init_ctx.c

#define DEFAULT_ETYPE_LIST \
    "aes256-cts-hmac-sha1-96 " \
    "aes128-cts-hmac-sha1-96 " \
    "des3-cbc-sha1 arcfour-hmac-md5 " \
    "des-cbc-crc des-cbc-md5 des-cbc-md4 " \
    "des3-cbc-md5 "

but the kdc replies with an error message saying CANT_FIND_CLIENT_KEY. I want the kdc to use the generated key using DH parameters passed in the AS_REQ. Kindly help me out in solving this problem.
Thank you
with regards
naveen

From naveen.bn at globaledgesoft.com Wed Jul 16 10:34:33 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 16 Jul 2008 20:04:33 +0530
Subject: help
Message-ID: <487E06F9.1000601@globaledgesoft.com>

Hi all,

Has anyone tried to give support for the des3_cbc_md5 algorithm for the kdc for krb5-1.6.3? How to go ahead and do this? Please, anyone guide me in achieving the above.

Thank you
with regards
naveen

From ssdesai1 at gmail.com Thu Jul 17 09:53:50 2008
From: ssdesai1 at gmail.com (Sharad Desai)
Date: Thu, 17 Jul 2008 09:53:50 -0400
Subject: SSO
Message-ID: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com>

Hi All,

I was actually interested in implementing a web SSO solution for my environment. I have five applications -- all web applications, so a web SSO is needed -- and three run off of Windows, while the other two are Unix and Linux. Since they are web apps, it won't matter where they are run from.

I wanted to use Kerberos to authenticate the user. After research, I thought this would make sense. I saw some suggestions using CoSign or WebAuth. I can't use WebAuth because it is only for Linux, and CoSign is written for Apache (but there are ISAPI filters I guess for IIS) and I am running off of Microsoft IIS.

Hopefully this is on the right track. I know that using Kerberos for web SSO is definitely quite difficult, but I would like for it to be implemented. If any of you have suggestions or any advice, I would appreciate it.

Thanks in advance.

From deengert at anl.gov Thu Jul 17 10:39:31 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 17 Jul 2008 09:39:31 -0500
Subject: SSO
In-Reply-To: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com>
Message-ID: <487F59A3.90002@anl.gov>

Sharad Desai wrote:
> Hi All,
>
> I was actually interested in implementing a web SSO solution for my
> environment.
> I have five applications -- all web applications, so a web SSO
> is needed -- and three run off of Windows, while the other two are Unix and
> Linux. Since they are web apps, it won't matter where they are run
> from.
>
> I wanted to use Kerberos to authenticate the user. After research, I
> thought this would make sense. I saw some suggestions using CoSign or
> WebAuth. I can't use WebAuth because it is only for Linux, and CoSign is
> written for Apache (but there are ISAPI filters I guess for IIS) and I am
> running off of Microsoft IIS.
>
> Hopefully this is on the right track. I know that using Kerberos for web
> SSO is definitely quite difficult, but I would like for it to be
> implemented. If any of you have suggestions or any advice, I would
> appreciate it.

You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS have SPNEGO built in, and can use the Kerberos in Active Directory. Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any platform see the about:config and the network.negotiate-auth.trusted-uris option.

> Thanks in advance.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From javiplx at gmail.com Thu Jul 17 10:55:51 2008
From: javiplx at gmail.com (Javier Palacios)
Date: Thu, 17 Jul 2008 16:55:51 +0200
Subject: SSO
In-Reply-To: <487F59A3.90002@anl.gov>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov>

>> I wanted to use Kerberos to authenticate the user. After research, I
>> thought this would make sense. I saw some suggestions using CoSign or
>> WebAuth. I can't use WebAuth because it is only for Linux, and CoSign is
>> written for Apache (but there are ISAPI filters I guess for IIS) and I am
>> running off of Microsoft IIS.
>> [...]
> > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS > have SPNEGO built in, and can use the Kerberos in Active Directory. > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any platform > see the about:config and the network.negotiate-auth.trusted-uris option. > The main (and probably only) drawback of this method is that is all about HTTP basic authentication, and most of applications only allow some kind of cookie based auth. You might want to look at PAPI (http://papi.rediris.es), it only provides Web SSO, but I think is enough for you. Allows multiple authentication backends, and although it is not packaged as default it is possible to use Kerberos (actually, I tested it successfully against a W3K domain controller). On the authentication server side, as far as I remember it forces you to use apache (but apache for Windows is OK). And regarding the application side, the IIS might be a problem, except if the code is PHP. But you can integrate it with Java (a tomcat filter at least). Hope this helps. Javier Palacios From ssdesai1 at gmail.com Thu Jul 17 11:01:02 2008 From: ssdesai1 at gmail.com (Sharad Desai) Date: Thu, 17 Jul 2008 11:01:02 -0400 Subject: SSO In-Reply-To: References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> Message-ID: <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> Hello, Thanks for your responses. > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS > have SPNEGO built in, and can use the Kerberos in Active Directory. > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any platform > see the about:config and the network.negotiate-auth.trusted-uris option. I would have definitely considered this, but the group that I am working with does not want to include AD in any solution. 
Also, (I'm not sure how familiar people are with Cosign) since Cosign transforms Kerberos authentication to a cookie-based authentication which the browsers can use, I was wondering if you have had any experience with this. Thanks again. On 7/17/08, Javier Palacios wrote: > > >> I wanted to use Kerberos to authenticate the user. After research, I > >> thought this would make sense. I saw some suggestions using CoSign or > >> WebAuth. I can't use WebAuth because it is only for Linux, and CoSign > is > >> written for Apache (but there are ISAPI filters i guess for IIS) and I > am > >> running off of Microsoft IIS. > >> [...] > > > > You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS > > have SPNEGO built in, and can use the Kerberos in Active Directory. > > Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any > platform > > see the about:config and the network.negotiate-auth.trusted-uris option. > > > > The main (and probably only) drawback of this method is that is all > about HTTP basic authentication, and most of applications only allow > some kind of cookie based auth. > > You might want to look at PAPI (http://papi.rediris.es), it only > provides Web SSO, but I think is enough for you. Allows multiple > authentication backends, and although it is not packaged as default it > is possible to use Kerberos (actually, I tested it successfully > against a W3K domain controller). > On the authentication server side, as far as I remember it forces you > to use apache (but apache for Windows is OK). > And regarding the application side, the IIS might be a problem, except > if the code is PHP. But you can integrate it with Java (a tomcat > filter at least). > > Hope this helps. 
>
> Javier Palacios
>

From rra at stanford.edu Thu Jul 17 14:23:20 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 11:23:20 -0700
Subject: SSO
In-Reply-To: <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> (Sharad Desai's message of "Thu\, 17 Jul 2008 11\:01\:02 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com>
Message-ID: <8763r4jron.fsf@windlord.stanford.edu>

"Sharad Desai" writes:

> Also, (I'm not sure how familiar people are with Cosign) since Cosign
> transforms Kerberos authentication to a cookie-based authentication
> which the browsers can use, I was wondering if you have had any
> experience with this.

Given your platform constraints and desire to avoid Active Directory, I think Cosign is definitely your best option. However, I believe that you will need a UNIX server to run the Cosign login daemon, even though you can use IIS for specific web applications. I could be wrong, since I don't run it myself, but you should check on that if that will be a problem.

--
Russ Allbery (rra at stanford.edu)

From ioplex at gmail.com Thu Jul 17 14:25:16 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 17 Jul 2008 14:25:16 -0400
Subject: SSO
In-Reply-To: <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com>
Message-ID: <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com>

On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai wrote:
> Hello,
>
> Thanks for your responses.
>
>> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
>> have SPNEGO built in, and can use the Kerberos in Active Directory.
>> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
>> platform see the about:config and the network.negotiate-auth.trusted-uris
>> option.
>
> I would have definitely considered this, but the group that I am working
> with does not want to include AD in any solution.
>
> Also, (I'm not sure how familiar people are with Cosign) since Cosign
> transforms Kerberos authentication to a cookie-based authentication which
> the browsers can use, I was wondering if you have had any experience with
> this.

When trying to determine the right SSO solution for your web applications, it is important to realize that the mode of operation behind solutions that call themselves "SSO" varies tremendously, so you really need to carefully state your requirements.

For example, you mentioned WebAuth and CoSign. Both of these solutions are really targeted for highly heterogeneous environments like University networks where the only client requirement is that the browser support cookies. So it works on the IntrAnet, the IntErnet, on a hostile dormitory network, a kiosk at the airport, ...etc. But if you don't have those requirements these solutions do have quite a bit of overhead with all the redirecting and, more important, they do not give you true single-sign-on behavior. They're more like "double sign on" because you have to login to a central server and then get redirected back to the target site.

Then you have "SSO" solutions like OpenID which are really more like "triple sign on" since you have to login to your workstation, then to the OpenID service and then put in the OpenID service you're using at the target site. This scenario is really only for the IntErnet where there is no chance of the client and service being members of the same domain.

For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and others are the only true *Single* Sign On solutions where the client's existing credentials are used to transparently authenticate without requiring the user to enter a password. These use either the original WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either NTLMSSP or Kerberos 5).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From ssdesai1 at gmail.com Thu Jul 17 14:36:04 2008
From: ssdesai1 at gmail.com (Sharad Desai)
Date: Thu, 17 Jul 2008 14:36:04 -0400
Subject: SSO
In-Reply-To: <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com>
Message-ID: <5183a7480807171136m1b6b4ad8r81339ff3a999f5bb@mail.gmail.com>

Thanks Mike for your response.

> For example, you mentioned WebAuth and CoSign. Both of these solutions
> are really targeted for highly heterogeneous environments like
> University networks where the only client requirement is that the
> browser support cookies. So it works on the IntrAnet, the IntErnet, on
> a hostile dormitory network, a kiosk at the airport, ...etc. But if
> you don't have those requirements these solutions do have quite a bit
> of overhead with all the redirecting and, more important, they do not
> give you true single-sign-on behavior. They're more like "double sign
> on" because you have to login to a central server and then get
> redirected back to the target site.

> For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
> NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
> others are the only true *Single* Sign On solutions where the client's
> existing credentials are used to transparently authenticate without
> requiring the user to enter a password. These use either the original
> WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
> Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
> NTLMSSP or Kerberos 5).

That's good to know. The only thing is that the environment that I have is an intErnet one. I really don't have an intrAnet environment. Even though the applications are used by just the employees, they are accessible outside the organization's network (if I am making a rookie mistake about the concept of intrAnet, then definitely point it out). I feel as if for this situation, Cosign would be the best because it caters to IIS, while WebAuth does not have any stable filters for IIS. Let me know if my logic makes sense or not.

Thanks again for all your guys' help.

On 7/17/08, Michael B Allen wrote:
>
> On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai wrote:
> > Hello,
> >
> > Thanks for your responses.
> >
> >> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> >> have SPNEGO built in, and can use the Kerberos in Active Directory.
> >> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
> >> platform see the about:config and the network.negotiate-auth.trusted-uris
> >> option.
> >
> > I would have definitely considered this, but the group that I am working
> > with does not want to include AD in any solution.
> >
> > Also, (I'm not sure how familiar people are with Cosign) since Cosign
> > transforms Kerberos authentication to a cookie-based authentication which
> > the browsers can use, I was wondering if you have had any experience with
> > this.
>
> When trying to determine the right SSO solution for your web
> applications, it is important to realize that the mode of operation
> behind solutions that call themselves "SSO" varies tremendously, so you
> really need to carefully state your requirements.
>
> For example, you mentioned WebAuth and CoSign. Both of these solutions
> are really targeted for highly heterogeneous environments like
> University networks where the only client requirement is that the
> browser support cookies. So it works on the IntrAnet, the IntErnet, on
> a hostile dormitory network, a kiosk at the airport, ...etc. But if
> you don't have those requirements these solutions do have quite a bit
> of overhead with all the redirecting and, more important, they do not
> give you true single-sign-on behavior. They're more like "double sign
> on" because you have to login to a central server and then get
> redirected back to the target site.
>
> Then you have "SSO" solutions like OpenID which are really more like
> "triple sign on" since you have to login to your workstation, then to
> the OpenID service and then put in the OpenID service you're using at
> the target site. This scenario is really only for the IntErnet where
> there is no chance of the client and service being members of the same
> domain.
>
> For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
> NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
> others are the only true *Single* Sign On solutions where the client's
> existing credentials are used to transparently authenticate without
> requiring the user to enter a password. These use either the original
> WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
> Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
> NTLMSSP or Kerberos 5).
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>

From ssdesai1 at gmail.com Thu Jul 17 15:07:05 2008
From: ssdesai1 at gmail.com (Sharad Desai)
Date: Thu, 17 Jul 2008 15:07:05 -0400
Subject: SSO
In-Reply-To: <8763r4jron.fsf@windlord.stanford.edu>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <8763r4jron.fsf@windlord.stanford.edu>
Message-ID: <5183a7480807171207n63f7df55hf384cac7c507bc65@mail.gmail.com>

Thanks Russ.

> Given your platform constraints and desire to avoid Active Directory, I
> think Cosign is definitely your best option. However, I believe that you
> will need a UNIX server to run the Cosign login daemon, even though you
> can use IIS for specific web applications. I could be wrong, since I
> don't run it myself, but you should check on that if that will be a
> problem.

Is the Unix server for a cron job? If so, then there are some resources that can maybe run this job on IIS. I'm not quite sure, but from what I've read there are some out there. Let me know if those sound bogus or if you think it can be done.

Thanks again

On 7/17/08, Russ Allbery wrote:
>
> "Sharad Desai" writes:
>
> > Also, (I'm not sure how familiar people are with Cosign) since Cosign
> > transforms Kerberos authentication to a cookie-based authentication
> > which the browsers can use, I was wondering if you have had any
> > experience with this.
>
> Given your platform constraints and desire to avoid Active Directory, I
> think Cosign is definitely your best option. However, I believe that you
> will need a UNIX server to run the Cosign login daemon, even though you
> can use IIS for specific web applications. I could be wrong, since I
> don't run it myself, but you should check on that if that will be a
> problem.
>
> --
> Russ Allbery (rra at stanford.edu)
>

From ssdesai1 at gmail.com Thu Jul 17 15:22:33 2008
From: ssdesai1 at gmail.com (Sharad Desai)
Date: Thu, 17 Jul 2008 15:22:33 -0400
Subject: SSO
In-Reply-To: <5183a7480807171207n63f7df55hf384cac7c507bc65@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <8763r4jron.fsf@windlord.stanford.edu> <5183a7480807171207n63f7df55hf384cac7c507bc65@mail.gmail.com>
Message-ID: <5183a7480807171222m56f9c325sf654dbe1a71d2399@mail.gmail.com>

Oops, let me clarify that last post. After reading it, it sounds as if I am telling you to look for those resources, which is totally the opposite, I apologize :). I meant to ask if it was even theoretically possible to adapt the cron jobs to run off of IIS instead of a Unix server.

On 7/17/08, Sharad Desai wrote:
>
> Thanks Russ.
>
> > Given your platform constraints and desire to avoid Active Directory, I
> > think Cosign is definitely your best option. However, I believe that you
> > will need a UNIX server to run the Cosign login daemon, even though you
> > can use IIS for specific web applications. I could be wrong, since I
> > don't run it myself, but you should check on that if that will be a
> > problem.
>
> Is the Unix server for a cron job? If so, then there are some
> resources that can maybe run this job on IIS. I'm not quite sure, but from
> what I've read there are some out there. Let me know if those sound bogus
> or if you think it can be done.
>
> Thanks again
>
> On 7/17/08, Russ Allbery wrote:
>>
>> "Sharad Desai" writes:
>>
>> > Also, (I'm not sure how familiar people are with Cosign) since Cosign
>> > transforms Kerberos authentication to a cookie-based authentication
>> > which the browsers can use, I was wondering if you have had any
>> > experience with this.
>>
>> Given your platform constraints and desire to avoid Active Directory, I
>> think Cosign is definitely your best option. However, I believe that you
>> will need a UNIX server to run the Cosign login daemon, even though you
>> can use IIS for specific web applications. I could be wrong, since I
>> don't run it myself, but you should check on that if that will be a
>> problem.
>>
>> --
>> Russ Allbery (rra at stanford.edu)
>
>

From michael at stroeder.com Thu Jul 17 11:22:51 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 17 Jul 2008 17:22:51 +0200
Subject: SSO
In-Reply-To:
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov>
Message-ID:

Sharad Desai wrote:
>> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
>> have SPNEGO built in, and can use the Kerberos in Active Directory.
>> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
>> platform see the about:config and the network.negotiate-auth.trusted-uris
>> option.
>
> I would have definitely considered this, but the group that I am working
> with does not want to include AD in any solution.

It works with any Kerberos KDC. I'm using CAS (http://www.ja-sig.org/products/cas/) for SPNEGO/Kerberos with fall-back to LDAP bind.

Ciao, Michael.
From rra at stanford.edu Thu Jul 17 16:40:35 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 13:40:35 -0700
Subject: SSO
In-Reply-To: <5183a7480807171207n63f7df55hf384cac7c507bc65@mail.gmail.com> (Sharad Desai's message of "Thu\, 17 Jul 2008 15\:07\:05 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <8763r4jron.fsf@windlord.stanford.edu> <5183a7480807171207n63f7df55hf384cac7c507bc65@mail.gmail.com>
Message-ID: <87zlogb5x8.fsf@windlord.stanford.edu>

"Sharad Desai" writes:

> Thanks Russ.
>
>> Given your platform constraints and desire to avoid Active Directory, I
>> think Cosign is definitely your best option. However, I believe that
>> you will need a UNIX server to run the Cosign login daemon, even though
>> you can use IIS for specific web applications. I could be wrong, since
>> I don't run it myself, but you should check on that if that will be a
>> problem.
>
> Is the Unix server for a cron job?

No, it would be for the Cosign login server, the server that handles all of the actual authentication.

--
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Thu Jul 17 17:01:55 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 14:01:55 -0700
Subject: SSO
In-Reply-To: <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> (Michael B. Allen's message of "Thu\, 17 Jul 2008 14\:25\:16 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com>
Message-ID: <87mykgb4xn.fsf@windlord.stanford.edu>

"Michael B Allen" writes:

> For example, you mentioned WebAuth and CoSign. Both of these solutions
> are really targeted for highly heterogeneous environments like
> University networks where the only client requirement is that the
> browser support cookies. So it works on the IntrAnet, the IntErnet, on a
> hostile dormitory network, a kiosk at the airport, ...etc. But if you
> don't have those requirements these solutions do have quite a bit of
> overhead with all the redirecting

This is generally not noticeable in practice. However, what is noticeable is the additional level of complexity from having to run a central login server.

> and, more important, they do not give you true single-sign-on
> behavior. They're more like "double sign on" because you have to login
> to a central server and then get redirected back to the target site.

Well, no, they're double sign-on because the central server usually has to prompt you for a password. But if the central server implements Negotiate-Auth and the browser speaks it, both WebAuth and Cosign give you true and complete single sign-on.

> For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
> NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
> others are the only true *Single* Sign On solutions where the client's
> existing credentials are used to transparently authenticate without
> requiring the user to enter a password.

This is true, but somewhat deceptively so, given that WebAuth and Cosign can both leverage Negotiate-Auth to extend that single sign-on capability to all web servers without Negotiate-Auth on each one and (often more of an issue) without having the user have to bless every server for Negotiate-Auth authentication. (They only have to bless the central login server.)

However, if that configuration issue isn't a concern, simply using Negotiate-Auth, which is built into IIS, is definitely easier. It does, however, require that your clients have a local Kerberos configuration (members of an AD domain, for example) to get single sign-on and falls back to essentially basic-auth for each server without it, whereas WebAuth or Cosign will fall back to a single web authentication and then reuse of that authentication without having to further enter your password. The password prompting behavior from an IIS server to Firefox and similar browsers is also poor and confusing in our experience, but that may be fixable.

--
Russ Allbery (rra at stanford.edu)

From ioplex at gmail.com Thu Jul 17 18:29:40 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 17 Jul 2008 18:29:40 -0400
Subject: SSO
In-Reply-To: <87mykgb4xn.fsf@windlord.stanford.edu>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu>
Message-ID: <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com>

On Thu, Jul 17, 2008 at 5:01 PM, Russ Allbery wrote:
> "Michael B Allen" writes:
>> and, more important, they do not give you true single-sign-on
>> behavior. They're more like "double sign on" because you have to login
>> to a central server and then get redirected back to the target site.
>
> Well, no, they're double sign-on because the central server usually has to
> prompt you for a password. But if the central server implements
> Negotiate-Auth and the browser speaks it, both WebAuth and Cosign give you
> true and complete single sign-on.

But only if clients are members of the domain. And that is the scenario where direct SPNEGO / NTLMSSP solutions are going to perform better.

>> For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
>> NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
>> others are the only true *Single* Sign On solutions where the client's
>> existing credentials are used to transparently authenticate without
>> requiring the user to enter a password.
>
> This is true, but somewhat deceptively so, given that WebAuth and Cosign
> can both leverage Negotiate-Auth to extend that single sign-on capability
> to all web servers without Negotiate-Auth on each one and (often more of
> an issue) without having the user have to bless every server for
> Negotiate-Auth authentication. (They only have to bless the central login
> server.)

I believe you mean that you have to add something to "IE > Security > Local intranet" or the "network.negotiate-auth.trusted-uris" in FF? You do not have to specify each server explicitly. Those configs accept domain suffixes.

> However, if that configuration issue isn't a concern, simply using
> Negotiate-Auth, which is built into IIS, is definitely easier. It does,
> however, require that your clients have a local Kerberos configuration
> (members of an AD domain, for example) to get single sign-on

Of course. You can't have true single sign on if you're not a member of the service's domain (or a domain the service's authority trusts).

> and falls
> back to essentially basic-auth for each server without it, whereas WebAuth
> or Cosign will fall back to a single web authentication and then reuse of
> that authentication without having to further enter your password. The
> password prompting behavior from an IIS server to Firefox and similar
> browsers is also poor and confusing in our experience, but that may be
> fixable.

This is a little bit of a stretch. It might be true for mod_auth_kerb but otherwise, it's basically false. IIS will do NTLMSSP if the client does not want to or cannot do SPNEGO. If that fails (e.g. because the client is not logged in with domain credentials) then the browser will pop up a password dialog but it will still do NTLMSSP with the creds entered. At least if you're using IWA it will. Of course IIS can do BASIC but you have to configure it that way and we're not talking about that.

In our Plexcel product, we provide a script level API which provides a major advantage over IIS, WebAuth, mod_auth_kerb or anything else that intercepts requests. So with Plexcel, if the client cannot do SPNEGO, the script can decide what to do which is usually to redirect the user to an SSL protected HTML login form where they then use Plexcel's API again to do a Kerberos 5 login. In either case you end up with a TGT for talking to other services (provided the service is permitted to delegate).

WebAuth and Cosign are good solutions when you have disparate networks where some clients may only support cookies and nothing else. But for an IntrAnet environment where clients are logged into a domain 90% of the time, the performance and flexibility of direct SPNEGO / NTLMSSP is almost always going to be a better solution.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From rra at stanford.edu Thu Jul 17 18:46:02 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 15:46:02 -0700
Subject: SSO
In-Reply-To: <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> (Michael B. Allen's message of "Thu\, 17 Jul 2008 18\:29\:40 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com>
Message-ID: <87r69s86z9.fsf@windlord.stanford.edu>

"Michael B Allen" writes:

> On Thu, Jul 17, 2008 at 5:01 PM, Russ Allbery wrote:

>> Well, no, they're double sign-on because the central server usually has
>> to prompt you for a password. But if the central server implements
>> Negotiate-Auth and the browser speaks it, both WebAuth and Cosign give
>> you true and complete single sign-on.

> But only if clients are members of the domain.

Well, possessing Kerberos tickets in the domain, at least. (If you use Firefox, you don't have to actually be a member of the domain; you can use a different mechanism for getting Kerberos tickets, such as NIM.) But essentially yes.

> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
> going to perform better.

If by "better" you mean "pretty much the same," yes, modulo the configuration note that I mentioned.

> I believe you mean that you have to add something to "IE > Security >
> Local intranet" or the "network.negotiate-auth.trusted-uris" in FF? You
> do not have to specify each server explicitly. Those configs accept
> domain suffixes.

Correct. And if that's easy for you to do for all sites of interest, then that's great. It is in some cases and not in others.

>> The password prompting behavior from an IIS server to Firefox and
>> similar browsers is also poor and confusing in our experience, but that
>> may be fixable.
>
> This is a little bit of a stretch. It might be true for mod_auth_kerb
> but otherwise, it's basically false.

I'm not sure why you raise mod_auth_kerb when I specifically mentioned IIS.
It's been an issue for us with IIS and Negotiate-Auth. > IIS will do NTLMSSP if the client does not want to or cannot do > SPNEGO. If that fails (e.g. because the client is not logged in with > domain credentials) then the browser will pop up a password dialog but > it will still do NTLMSSP with the creds entered. Correct, and our experience is that, when this happens, the dialog box presented by the browser often doesn't work correctly and requires that the user press Enter to get a second password dialog box, depending on what negotiation the browser tries to do. The user may also need to enter a different form of their account name (prefixed with the AD realm, for instance) depending on the local configuration. As I say, these issues may be addressable, but I know that they've been very confusing for users in our environment and have been a definite negative in doing Negotiate-Auth directly with IIS for us. I haven't been directly involved in trying to fix them, but I know that we've deployed some services using pure Negotiate-Auth on IIS and tried for some time to address this, finally giving up and just documenting the behavior for our users. > In our Plexcel product, we provide a script level API which provides a > major advantage over IIS, WebAuth, mod_auth_kerb or anything else that > intercepts requests. So with Plexcel, if the client cannot do SPNEGO, > the script can decide what to do which is usually to redirect the user > to an SSL protected HTML login form where they then use Plexcel's API > again to do a Kerberos 5 login. Yes, this is easier with Negotiate-Auth (although only Negotiate-Auth is needed; your product isn't). It's standard Apache functionality (using error handlers for failed authentications) available to any authentication module, but it doesn't work for authentication modules that never fail, only redirect the user (WebAuth and Cosign both fit this model). mod_auth_kerb can fail, letting error handlers do their job. 
Shibboleth offers another solution to this problem (lazy sessions) which has its pluses and minuses compared to using failure handlers. In brief, the main advantages that something like WebAuth or Cosign offer is centralizing the handling of the Negotiate-Auth process on a single system (which may or may not simplify browser configuration depending on your environment) and a fallback mode that, in the absence of SPNEGO Negotiate-Auth, is closer to single sign-on than you would get by running Negotiate-Auth separately on each web server. What you lose is the additional complexity of setting up the WebAuth or Cosign infrastructure, including the need for a central UNIX server, and in the case of WebAuth, IIS support (making it unsuitable for the problem originally presented on this thread). -- Russ Allbery (rra at stanford.edu) From michael at stroeder.com Thu Jul 17 19:12:33 2008 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 18 Jul 2008 01:12:33 +0200 Subject: SSO In-Reply-To: References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> Message-ID: <2805l5-ijg.ln1@nb2.stroeder.com> Russ Allbery wrote: > (If you use > Firefox, you don't have to actually be a member of the domain; you can use > a different mechanism for getting Kerberos tickets, such as NIM.) What is NIM? Ciao, Michael. 
From ioplex at gmail.com Thu Jul 17 21:32:24 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 17 Jul 2008 21:32:24 -0400
Subject: SSO
In-Reply-To: <87r69s86z9.fsf@windlord.stanford.edu>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>
Message-ID: <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com>

On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery wrote:
>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>> going to perform better.
>
> If by "better" you mean "pretty much the same," yes, modulo the
> configuration note that I mentioned.

No, I definitely meant "better".

With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI token and get a TGT.

With something like WebAuth, the client is redirected to a central server, then you have to do all of the above (or an explicit login which is more stuff) and then redirect the client back to the original target (and this doesn't include getting a TGT on the target server).

With Plexcel we can do SPNEGO, check group membership (we extract the group SIDs from the PAC), app-level access to basic user info and get a TGT without talking to a third party at all. The time between the initial HTTP request and the 200 response is less than 20 ms (or ~50 ms if the user is in a few hundred groups).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From cclausen at acm.org Thu Jul 17 21:52:04 2008
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 17 Jul 2008 20:52:04 -0500
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com>

Michael B Allen wrote:
> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery
> wrote:
>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>> going to perform better.
>>
>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.
>
> No, I definitely meant "better".
>
> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.
>
> With something like WebAuth, the client is redirected to a central
> server, then you have to do all of the above (or an explicit login
> which is more stuff) and then redirect the client back to the original
> target (and this doesn't include getting a TGT on the target server).

That is the whole point. NOT sending authentication info directly to the server and instead using a central auth server is a FEATURE.

> With Plexcel we can do SPNEGO, check group membership (we extract the
> group SIDs from the PAC), app-level access to basic user info and get
> a TGT without talking to a third party at all. The time between the
> initial HTTP request and the 200 response is less than 20 ms (or ~50
> ms if the user is in a few hundred groups).

The whole point of the central server is to keep end-users from typing passwords in at all the other random webservers. The speed does not matter. The point is that those hosting the server are not to be trusted with the end user passwords and the central server solves this problem.
This is why things like Bluestem were developed: https://www-s4.uiuc.edu/bluestem-notes/

And the central solutions can optionally add user group data from LDAP / AD / whatever.

From ioplex at gmail.com Thu Jul 17 22:16:43 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 17 Jul 2008 22:16:43 -0400
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com>
Message-ID: <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com>

On Thu, Jul 17, 2008 at 9:52 PM, Christopher D. Clausen wrote:
>> With Plexcel we can do SPNEGO, check group membership (we extract the
>> group SIDs from the PAC), app-level access to basic user info and get
>> a TGT without talking to a third party at all. The time between the
>> initial HTTP request and the 200 response is less than 20 ms (or ~50
>> ms if the user is in a few hundred groups).
>
> The whole point of the central server is to keep end-users from typing
> passwords in at all the other random webservers.

If you read the whole thread you'd know I'm only talking about the *IntrAnet* scenario. With SPNEGO you do not type in passwords at all whereas with WebAuth you might need to. If you have a lot of clients that cannot do SPNEGO then, yes, WebAuth and Cosign are better solutions.

> The point is that those hosting the server are not to be
> trusted with the end user passwords and the central server solves this
> problem.

That's not a problem if you're using AD since you have the "Account is trusted for delegation" flag which is off by default. No one can set up a service and lure people into giving up their TGTs. An admin has to go into the account and flag it as trusted for delegation.
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From rra at stanford.edu Fri Jul 18 01:43:04 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 22:43:04 -0700
Subject: SSO
In-Reply-To: <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> (Michael B. Allen's message of "Thu, 17 Jul 2008 21:32:24 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com>
Message-ID: <874p6nu4rb.fsf@windlord.stanford.edu>

"Michael B Allen" writes:

> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery wrote:

>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.

> No, I definitely meant "better".

> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.

> With something like WebAuth, the client is redirected to a central
> server, then you have to do all of the above (or an explicit login
> which is more stuff) and then redirect the client back to the original
> target (and this doesn't include getting a TGT on the target server).

That's all very interesting and clients to a first approximation don't care. Speed through initial authentication is just not that high on the feature requirements list for most applications, as opposed to speed after initial authentication which is basically equivalent (well, Cosign's model to allow logout possibly has some issues). Absolutely, if you're in a situation where round trip minimization and speed to first authentication is absolutely critical, Negotiate-Auth is a simpler browser workflow.
Of course, the main place where that's the case is over a WAN, which isn't the most common case for your intranet case, but the two do coincide from time to time.

Also, both WebAuth and Cosign can provide specific credentials to the servers, not just either a TGT or nothing, but that's a whole different discussion.

--
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Fri Jul 18 01:57:53 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 22:57:53 -0700
Subject: SSO
In-Reply-To: <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> (Michael B. Allen's message of "Thu, 17 Jul 2008 22:16:43 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com>
Message-ID: <87vdz3spi6.fsf@windlord.stanford.edu>

"Michael B Allen" writes:

> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in passwords at all
> whereas with WebAuth you might need to.

You're making a bogus comparison. If you don't have to type in passwords with SPNEGO Negotiate-Auth, you don't have to type in passwords with WebAuth either; it can use SPNEGO Negotiate-Auth for initial authentication. In the Negotiate-Auth case, the password handling is exactly the same, which one would expect given that it's using exactly the same protocol and mechanism. (Cosign I think requires the ticket cache on the central login server, so does introduce the twist of delegation.)
The difference does not lie in SPNEGO handling; it lies in the architectural complexity, in what the fallback looks like when Negotiate-Auth doesn't work, and in the delegation and authentication persistence model.

--
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Fri Jul 18 01:59:30 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 17 Jul 2008 22:59:30 -0700
Subject: SSO
In-Reply-To: <2805l5-ijg.ln1@nb2.stroeder.com> ("Michael Ströder"'s message of "Fri, 18 Jul 2008 01:12:33 +0200")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <2805l5-ijg.ln1@nb2.stroeder.com>
Message-ID: <87r69rspfh.fsf@windlord.stanford.edu>

Michael Ströder writes:

> Russ Allbery wrote:

>> (If you use Firefox, you don't have to actually be a member of the
>> domain; you can use a different mechanism for getting Kerberos tickets,
>> such as NIM.)

> What is NIM?

Network Identity Manager, although properly speaking the bit that's actually getting the tickets is Kerberos for Windows. NIM is the UI and an abstraction layer that can handle additional types of credentials. This is what we use for nearly all of our Windows clients to avoid having to have them all joined to a domain (which in many cases is just not an option).
--
Russ Allbery (rra at stanford.edu)

From simon at sxw.org.uk Fri Jul 18 05:28:35 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Fri, 18 Jul 2008 10:28:35 +0100
Subject: SSO
In-Reply-To: <87vdz3spi6.fsf@windlord.stanford.edu>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> <87vdz3spi6.fsf@windlord.stanford.edu>

On 18 Jul 2008, at 06:57, Russ Allbery wrote:

> "Michael B Allen" writes:
>
>> If you read the whole thread you'd know I'm only talking about the
>> *IntrAnet* scenario. With SPNEGO you do not type in passwords at
>> all
>> whereas with WebAuth you might need to.
>
> You're making a bogus comparison.

Russ has pretty much covered the ground here, but I thought I should make some comments from our (Cosign based) perspective.

SPNEGO is great in an all Windows environment, where you absolutely control every client that's authenticating to your system. It breaks down as soon as you add machines which are only loosely under your management control. As well as requiring that all clients have a properly configured Kerberos client, using SPNEGO with Firefox also requires browser configuration, which has to happen for every site that users may access, or delegate credentials to, and for every user.

The failure mode for SPNEGO also isn't particularly elegant. If you can't do SPNEGO, you can either reject the user, or prompt them for a username and password, for every one of your sites that they visit.
Getting your users used to entering login details every time they visit any website is a sure-fire way to encourage social engineering attacks. Having every server on your network accepting passwords also opens you up to attacks on those servers, and severely complicates your trust model.

The advantage of a WebSSO system like Cosign or WebAuth is that all of this configuration, and fallback, is handled at a single location which greatly simplifies management, both of services (which only need to know how to talk to your Web SSO system), and clients (which only need to be set up to do SPNEGO with your Web SSO login host, if at all). Whether you're actually doing _single_ signon at this point does rear its head (and in the past, I've been pretty rude about web double signon solutions), but with something like either Cosign or Webauth you can easily configure other authentication mechanisms in front of your web login server, and provide single signon for users whose systems support it, without affecting the experience of those users who are on systems that don't.

The issue isn't whether _most_ of your clients will support SPNEGO, but whether they all will. As soon as you have to add non-SPNEGO support, even if that's just to cater for a small number of clients, you've lost.

> (Cosign I think requires the ticket cache on
> the central login server, so does introduce the twist of delegation.)

Cosign doesn't require the ticket cache. In fact, if you don't care about delegation, you can use Cosign with any authentication source, not just Kerberos. Of course, if you don't have a ticket cache, you can't delegate credentials to services.

We spent a while looking at different login mechanisms, including using purely browser based ones such as kx509 and SPNEGO. The only way we could see of achieving a reasonable level of both security and usability was to deploy a WebSSO solution.
The only fly in the ointment here is that none of the WebSSO solutions currently available can handle authenticating POST requests, where the user hasn't previously authenticated to the service, due to their requirement for redirects. For us, this was a small price to pay.

S.

From ssdesai1 at gmail.com Fri Jul 18 08:11:01 2008
From: ssdesai1 at gmail.com (Sharad Desai)
Date: Fri, 18 Jul 2008 08:11:01 -0400
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> <87vdz3spi6.fsf@windlord.stanford.edu>
Message-ID: <5183a7480807180511o1a21b4c2k9a9a91639b28d951@mail.gmail.com>

Hi Simon,

> The only fly in the ointment here is that none of the WebSSO
> solutions currently available can handle authenticating POST
> requests, where the user hasn't previously authenticated to the
> service, due to their requirement for redirects. For us, this was a
> small price to pay.

I apologize, but can you elaborate on this?

Thanks

On 7/18/08, Simon Wilkinson wrote:
>
>
> On 18 Jul 2008, at 06:57, Russ Allbery wrote:
>
> > "Michael B Allen" writes:
> >
> >> If you read the whole thread you'd know I'm only talking about the
> >> *IntrAnet* scenario. With SPNEGO you do not type in passwords at
> >> all
> >> whereas with WebAuth you might need to.
> >
> > You're making a bogus comparison.
>
> Russ has pretty much covered the ground here, but I thought I should
> make some comments from our (Cosign based) perspective.
>
> SPNEGO is great in an all Windows environment, where you absolutely
> control every client that's authenticating to your system. It breaks
> down as soon as you add machines which are only loosely under your
> management control. As well as requiring that all clients have a
> properly configured Kerberos client, using SPNEGO with Firefox also
> requires browser configuration, which has to happen for every site
> that users may access, or delegate credentials to, and for every user.
>
> The failure mode for SPNEGO also isn't particularly elegant. If you
> can't do SPNEGO, you can either reject the user, or prompt them for a
> username and password, for every one of your sites that they visit.
> Getting your users used to entering login details every time they
> visit any website is a sure-fire way to encourage social engineering
> attacks. Having every server on your network accepting passwords also
> opens you up to attacks on those servers, and severely complicates
> your trust model.
>
> The advantage of a WebSSO system like Cosign or WebAuth is that all
> of this configuration, and fallback, is handled at a single location
> which greatly simplifies management, both of services (which only
> need to know how to talk to your Web SSO system), and clients (which
> only need to be set up to do SPNEGO with your Web SSO login host, if
> at all). Whether you're actually doing _single_ signon at this point
> does rear its head (and in the past, I've been pretty rude about web
> double signon solutions), but with something like either Cosign or
> Webauth you can easily configure other authentication mechanisms in
> front of your web login server, and provide single signon for users
> whose systems support it, without affecting the experience of those
> users who are on systems that don't.
>
> The issue isn't whether _most_ of your clients will support SPNEGO,
> but whether they all will. As soon as you have to add non-SPNEGO
> support, even if that's just to cater for a small number of clients,
> you've lost.
>
> > (Cosign I think requires the ticket cache on
> > the central login server, so does introduce the twist of delegation.)
>
> Cosign doesn't require the ticket cache. In fact, if you don't care
> about delegation, you can use Cosign with any authentication source,
> not just Kerberos. Of course, if you don't have a ticket cache, you
> can't delegate credentials to services.
>
> We spent a while looking at different login mechanisms, including
> using purely browser based ones such as kx509 and SPNEGO. The only
> way we could see of achieving a reasonable level of both security and
> usability was to deploy a WebSSO solution.
>
> The only fly in the ointment here is that none of the WebSSO
> solutions currently available can handle authenticating POST
> requests, where the user hasn't previously authenticated to the
> service, due to their requirement for redirects. For us, this was a
> small price to pay.
>
> S.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From ioplex at gmail.com Fri Jul 18 10:34:30 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 18 Jul 2008 10:34:30 -0400
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> <87vdz3spi6.fsf@windlord.stanford.edu>
Message-ID: <78c6bd860807180734j47060eeaq3aea141fb38314ef@mail.gmail.com>

On Fri, Jul 18, 2008 at 5:28 AM, Simon Wilkinson wrote:
>
> On 18 Jul 2008, at 06:57, Russ Allbery wrote:
>
>> "Michael B Allen" writes:
>>
>>> If you read the whole thread you'd know I'm only talking about the
>>> *IntrAnet* scenario. With SPNEGO you do not type in passwords at
>>> all
>>> whereas with WebAuth you might need to.
>>
>> You're making a bogus comparison.
>
> Russ has pretty much covered the ground here, but I thought I should
> make some comments from our (Cosign based) perspective.
>
> SPNEGO is great in an all Windows environment, where you absolutely
> control every client that's authenticating to your system. It breaks
> down as soon as you add machines which are only loosely under your
> management control. As well as requiring that all clients have a
> properly configured Kerberos client, using SPNEGO with Firefox also
> requires browser configuration, which has to happen for every site
> that users may access, or delegate credentials to, and for every user.

As stated before this is completely false. These browser configuration options accept a domain name which makes all the configs the same. You do not need to specify explicit hostnames. AD will not give services TGTs unless the service account is flagged as "Trusted for delegation".

> The only fly in the ointment here is that none of the WebSSO
> solutions currently available can handle authenticating POST
> requests, where the user hasn't previously authenticated to the
> service, due to their requirement for redirects. For us, this was a
> small price to pay.

SPNEGO handles authenticating POST just fine.
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From simon at sxw.org.uk Fri Jul 18 11:05:24 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Fri, 18 Jul 2008 16:05:24 +0100
Subject: SSO
In-Reply-To: <78c6bd860807180734j47060eeaq3aea141fb38314ef@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> <87vdz3spi6.fsf@windlord.stanford.edu> <78c6bd860807180734j47060eeaq3aea141fb38314ef@mail.gmail.com>
Message-ID: <550CD656-0363-4100-81B5-A1B422B1BFFD@sxw.org.uk>

On 18 Jul 2008, at 15:34, Michael B Allen wrote:
>
> As stated before this is completely false. These browser configuration
> options accept a domain name which makes all the configs the same.

Given that I wrote portions of this code, I'm entirely aware of what it can, and can't do. In situations where the KDC provides no control over delegation, you do not want every machine in your domain capable of accepting delegated credentials. The fact that the Firefox switch controls not just SPNEGO, but also NTLM authentication, means you have to be additionally cautious if you have a site with machines under multiple different managements under the same control.

> You
> do not need to specify explicit hostnames. AD will not give services
> TGTs unless the service account is flagged as "Trusted for
> delegation"

Not all KDCs implement this functionality. Not all sites use AD. The original poster explicitly " ... does not want to use AD in any solution".
While I'm here, I should also respond to:

> Then you have "SSO" solutions like OpenID which are really more like
> "triple sign on" since you have to log in to your workstation, then to
> the OpenID service and then put in the OpenID service you're using at
> the target site.

This is not true. You can implement an OpenID solution which leverages your site's local authentication and a WebSSO mechanism such as Cosign, to allow single sign-on to appropriate OpenID services too (removing the final signon step requires that the service remember the OpenID you used when you last accessed the site). We have such a service in development.

S.

From michael at stroeder.com Fri Jul 18 07:13:28 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 18 Jul 2008 13:13:28 +0200
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>

Michael B Allen wrote:
> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery wrote:
>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>> going to perform better.
>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I mentioned.
>
> No, I definitely meant "better".
>
> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
> token and get a TGT.

Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought it's just a service ticket.

Ciao, Michael.
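Added example (not code from any poster or product in this thread) for the question above about what the SPNEGO blob carries: it builds a constructed token of the shape a browser sends in an Authorization: Negotiate header and decodes everything the web server can read before it uses its service key, which shows why a forwarded TGT is not visible at that layer. The realm EXAMPLE.ORG, the service principal HTTP/www.example.org and the random ciphertexts are assumptions.

```python
import os
# Constructed example (not from any poster or product in this thread): the token is
# built with a tiny DER encoder so the decoder runs offline; ciphertexts are random.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
AP_REQ_TOK_ID = b"\x01\x00"  # RFC 4121 TOK_ID for KRB_AP_REQ

# ---- minimal DER encoder, used only to construct the sample token ----
def der(tag: int, body: bytes) -> bytes:  # one TLV: single-byte tag, definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 with the high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def der_int(v: int) -> bytes: return der(0x02, bytes([v]))  # small non-negative values only
def ctx(n: int, body: bytes) -> bytes: return der(0xA0 | n, body)  # [n] EXPLICIT context tag

def enc_data(etype: int, cipher: bytes) -> bytes:  # EncryptedData { etype [0], cipher [2] }
    return der(0x30, ctx(0, der_int(etype)) + ctx(2, der(0x04, cipher)))

def build_sample_token() -> bytes:  # NegTokenInit { mechTypes [0], mechToken [2] }
    sname = der(0x30, ctx(0, der_int(3))  # name-type 3 = NT-SRV-HST
                + ctx(1, der(0x30, der(0x1B, b"HTTP") + der(0x1B, b"www.example.org"))))
    ticket = der(0x61, der(0x30, ctx(0, der_int(5)) + ctx(1, der(0x1B, b"EXAMPLE.ORG"))
                + ctx(2, sname) + ctx(3, enc_data(18, os.urandom(48)))))  # 18 = aes256-cts
    ap_req = der(0x6E, der(0x30, ctx(0, der_int(5)) + ctx(1, der_int(14))  # [APPLICATION 14]
                + ctx(2, der(0x03, b"\x00\x20\x00\x00\x00"))  # ap-options: mutual-required
                + ctx(3, ticket) + ctx(4, enc_data(18, os.urandom(96)))))  # authenticator
    krb5_tok = der(0x60, der_oid(KRB5_OID) + AP_REQ_TOK_ID + ap_req)  # RFC 4121 framing
    neg_init = der(0x30, ctx(0, der(0x30, der_oid(KRB5_OID))) + ctx(2, der(0x04, krb5_tok)))
    return der(0x60, der_oid(SPNEGO_OID) + ctx(0, neg_init))  # GSS InitialContextToken

# ---- decoder: everything the web server can read before using its service key ----
def read_tlv(buf: bytes, pos: int = 0):  # -> (tag, value, next_pos); single-byte tags
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the count of length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def expect(buf: bytes, tag: int, pos: int = 0):  # -> (value, next_pos), or ValueError
    t, v, end = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return v, end

def children(body: bytes):  # yield (tag, value) for each TLV packed in a constructed body
    pos = 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        yield t, v

def fields(seq_body: bytes) -> dict:  # [n] context-tag number -> body inside that wrapper
    return {t & 0x1F: v for t, v in children(seq_body)}

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_enc_data(wrapped: bytes) -> dict:  # etype is cleartext; the cipher is opaque
    f = fields(expect(wrapped, 0x30)[0])
    return {"etype": expect(f[0], 0x02)[0][0], "cipher_len": len(expect(f[2], 0x04)[0])}

def decode_spnego_ap_req(token: bytes) -> dict:
    outer, _ = expect(token, 0x60)
    _, mech, pos = read_tlv(outer)
    if decode_oid(mech) != SPNEGO_OID: raise ValueError("not a SPNEGO token")
    init = fields(expect(expect(outer, 0xA0, pos)[0], 0x30)[0])  # negTokenInit [0]
    mech_types = [decode_oid(v) for _, v in children(expect(init[0], 0x30)[0])]
    krb5_tok, _ = expect(expect(init[2], 0x04)[0], 0x60)  # mechToken [2] -> krb5 GSS token
    _, mech, pos = read_tlv(krb5_tok)
    if krb5_tok[pos:pos + 2] != AP_REQ_TOK_ID: raise ValueError("inner token is not an AP-REQ")
    ap = fields(expect(expect(krb5_tok, 0x6E, pos + 2)[0], 0x30)[0])  # [APPLICATION 14]
    opts = expect(ap[2], 0x03)[0][1]  # first bit-string byte after the unused-bits count
    tk = fields(expect(expect(ap[3], 0x61)[0], 0x30)[0])  # Ticket: outer fields are cleartext
    sn = fields(expect(tk[2], 0x30)[0])  # sname PrincipalName { name-type [0], name-string [1] }
    name = "/".join(v.decode() for _, v in children(expect(sn[1], 0x30)[0]))
    return {
        "mech_types": mech_types, "inner_mech": decode_oid(mech),
        "ap_options": [n for n, b in [("use-session-key", 0x40), ("mutual-required", 0x20)] if opts & b],
        "ticket": {"realm": expect(tk[1], 0x1B)[0].decode(), "sname": name, **decode_enc_data(tk[3])},
        "authenticator": decode_enc_data(ap[4]),
        # A forwarded TGT (KRB-CRED) rides inside the encrypted authenticator's GSS checksum
        # field, so delegation is invisible until the service decrypts with its own key.
        "delegation_visible_without_service_key": False,
    }
```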
From simon at sxw.org.uk Fri Jul 18 11:41:17 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Fri, 18 Jul 2008 16:41:17 +0100
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>
Message-ID: <7655B7E6-8F82-4439-A800-55B30E2E63C0@sxw.org.uk>

On 18 Jul 2008, at 12:13, Michael Ströder wrote:
> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
> it's just a service ticket.

SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the deleg_creds flag when calling into the API, then a TGT will be included.

S.

From ioplex at gmail.com Fri Jul 18 11:58:31 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 18 Jul 2008 11:58:31 -0400
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>
Message-ID: <78c6bd860807180858x2f1bb4e4hb73937bf0d6e1d2b@mail.gmail.com>

On Fri, Jul 18, 2008 at 7:13 AM, Michael Ströder wrote:
> Michael B Allen wrote:
>> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery wrote:
>>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>>> going to perform better.
>>> If by "better" you mean "pretty much the same," yes, modulo the
>>> configuration note that I mentioned.
>>
>> No, I definitely meant "better".
>>
>> With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
>> token and get a TGT.
>
> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
> it's just a service ticket.

Yes, the relevant SPNEGO token is basically a wrapped AP-REQ which is composed of a service ticket and an authenticator. I believe the TGT or what is used to build a TGT is in the authenticator (at least that's what Wireshark calls it). Incidentally the encrypted part of the service ticket contains the authorization data (the PAC if it was issued by AD) which I assume is combined with the TGT data in the authenticator to build a TGT with authorization data. Otherwise it would have to dupe that data and the size of blobs in the SPNEGO token doesn't represent that.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From rra at stanford.edu Fri Jul 18 13:01:06 2008
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 18 Jul 2008 10:01:06 -0700
Subject: SSO
In-Reply-To: <5183a7480807180511o1a21b4c2k9a9a91639b28d951@mail.gmail.com> (Sharad Desai's message of "Fri, 18 Jul 2008 08:11:01 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807171832rf80d2d7yd8521e4228ddc32b@mail.gmail.com> <78c6bd860807171916q537f7f90p605560b73dae36fd@mail.gmail.com> <87vdz3spi6.fsf@windlord.stanford.edu> <5183a7480807180511o1a21b4c2k9a9a91639b28d951@mail.gmail.com>
Message-ID: <87ljzzgm99.fsf@windlord.stanford.edu>

"Sharad Desai" writes:

>> The only fly in the ointment here is that none of the WebSSO solutions
>> currently available can handle authenticating POST requests, where the
>> user hasn't previously authenticated to the service, due to their
>> requirement for redirects. For us, this was a small price to pay.
>
> I apologize, but can you elaborate on this?
WebSSO systems handle unauthenticated users by redirecting them to a central login server as a response to an attempt to access a protected resource. The HTTP protocol, however, does not permit returning a redirect as the result of a POST, nor is there any good way to stash the data that comes along with a POST while bouncing the user through the login server without application support for the SSO system (which is contrary to a primary goal: ability to drop WebSSO in front of any arbitrary web application without modifying the application).

As a result, when using a WebSSO, you have to ensure that the user has authenticated at some point in the page flow before they do a POST. You can't authenticate them at the time of the POST; you need to have existing credentials to use at that point. This usually isn't much of a problem since it's considered best practice for most applications using POST to force the user to authenticate prior to the POST anyway (otherwise, some cross-site attacks and deceptive tricks are easier to perform).

--
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Fri Jul 18 13:02:02 2008
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 18 Jul 2008 10:02:02 -0700
Subject: SSO
In-Reply-To: ("Michael Ströder"'s message of "Fri, 18 Jul 2008 13:13:28 +0200")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>
Message-ID: <87hcangm7p.fsf@windlord.stanford.edu>

Michael Ströder writes:

> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
> it's just a service ticket.

It's optional. The browser can choose to delegate credentials or not, based on local configuration. (In Firefox, for example, it's two separate configuration options.)

--
Russ Allbery (rra at stanford.edu)

From michael at stroeder.com Fri Jul 18 12:03:55 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 18 Jul 2008 18:03:55 +0200
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <487F59A3.90002@anl.gov> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>

Simon Wilkinson wrote:
>
> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>> it's just a service ticket.
>
> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
> deleg_creds flag when calling into the API, then a TGT will be included.

Which entity has to set this flag when calling into the API? The web browser or the web server?

My goal when doing SSO for web applications is that I don't trust the web applications so much not to reveal the user's credentials.

Ciao, Michael.

From junejowaqar at yahoo.com Fri Jul 18 11:26:54 2008
From: junejowaqar at yahoo.com (waqar junejo)
Date: Fri, 18 Jul 2008 08:26:54 -0700 (PDT)
Subject: Boss, I have a Linux FTP related problem, tell me what to do!!! It's urgent
Message-ID: <53552.37042.qm@web63905.mail.re1.yahoo.com>

Hi,

I get the following Kerberos related error when I do FTP from another machine (Red Hat AS 4) to my machine (Red Hat 9.0). How to solve this problem?

Connected to 107.108.89.173.
220 localhost.localdomain FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (107.108.89.173:chandrasekar): bye
530 Must perform authentication before identifying USER.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.

I don't know what is going on with my FTP server; if I try to connect, it shows that error. Kindly, can anyone suggest a solution?

From ioplex at gmail.com Fri Jul 18 17:36:59 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 18 Jul 2008 17:36:59 -0400
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>
Message-ID: <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com>

On Fri, Jul 18, 2008 at 12:03 PM, Michael Ströder wrote:
> Simon Wilkinson wrote:
>>
>> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>>> it's just a service ticket.
>>
>> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
>> deleg_creds flag when calling into the API, then a TGT will be included.
>
> Which entity has to set this flag when calling into the API? The web
> browser or the web server?

It's the client's responsibility to decide whether or not to include a TGT. A client can always request a forwardable TGT in which case it can be submitted to the web server. For example on Linux if you do kinit -f principal at REALM and then point Firefox at an SPNEGO protected page, and it has network.negotiate-auth.delegation-uris set to the target domain, it will send the TGT.

However, if you're using Windows clients in an AD environment and the HTTP service account has "Trusted for delegation" turned off, the TGT will not be sent.

> My goal when doing SSO for web applications is that I don't trust the
> web applications so much not to reveal the user's credentials.

Your choices are based on necessity, not trust. If the web application needs delegated credentials (e.g. to authenticate as the user with another tier), then you need to send the TGT [1]. If the web app does not need delegated credentials then configure your clients not to send the TGT (in AD this means simply turning off the "Trusted for delegation" flag on the HTTP service account).

Mike

[1] Kerberos provides other ways to limit how the TGT can be used and to proxy service tickets and such but I don't think browsers have support for such things yet.

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From rra at stanford.edu Fri Jul 18 22:40:45 2008
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 18 Jul 2008 19:40:45 -0700
Subject: SSO
In-Reply-To: <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com> (Michael B. Allen's message of "Fri, 18 Jul 2008 17:36:59 -0400")
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com>
Message-ID: <8763r2fvf6.fsf@windlord.stanford.edu>

"Michael B Allen" writes:

> Your choices are based on necessity, not trust.
> If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1].

Unless you use a system such as WebAuth or Cosign that supports limited delegation, in which case you can send only exactly the credentials that the web application needs.

> [1] Kerberos provides other ways to limit how the TGT can be used and to
> proxy service tickets and such but I don't think browsers have support
> for such things yet.

They don't so far as I know. Delegation in all the current browsers is an all-or-nothing affair.

--
Russ Allbery (rra at stanford.edu)

From huaraz at moeller.plus.com Sun Jul 20 11:33:53 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 20 Jul 2008 16:33:53 +0100
Subject: Problem with SPNEGO on Solaris 10 build 4

I tried to use my squid_kerb_auth on Solaris 10 and it fails. My configure determines it supports SPNEGO but when I use it I get

2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. No error
BH gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. No error
2008/07/20 16:11:37| squid_kerb_auth: User not authenticated

To test it I did a kinit as a user and ran squid_kerb_auth_test which creates a base64 encoded token.

./squid_kerb_auth_test testserver.solaris.home
Token: YIICPAYGKwYBBQUCoIICMDCCAiygDTALBg......

I then use the token as input to squid_kerb_auth

./squid_kerb_auth -i -d <<!
YIICPAYGKwYBBQUCoIICMDCCAiygDTALBgkqh...
!

2008/07/20 16:11:36| squid_kerb_auth: Starting version 1.0.1
2008/07/20 16:11:36| squid_kerb_auth: Got 'YR YIICPAYGKwYBBQUCoII.... from squid (length: 771).
2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. No error
BH gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. No error
2008/07/20 16:11:37| squid_kerb_auth: User not authenticated

When I do the same on any other platform (including OpenSolaris) it works fine. Also when I configure squid_kerb_auth without -DHAVE_SPNEGO it works fine, e.g. I get:

2008/07/20 16:11:07| squid_kerb_auth: Starting version 1.0.1
2008/07/20 16:11:07| squid_kerb_auth: Got 'YR YIICEQYJKoZIhvcSAQICAQB.... from squid (length: 715).
2008/07/20 16:11:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
2008/07/20 16:11:07| squid_kerb_auth: Token is possibly a GSSAPI token
AF AA== markus at SOLARIS.HOME
2008/07/20 16:11:07| squid_kerb_auth: AF AA== markus at SOLARIS.HOME
2008/07/20 16:11:07| squid_kerb_auth: User markus at SOLARIS.HOME authenticated

Is this a known problem with Solaris 10 or must I specify the right mechanism?

Thank you
Markus

From ioplex at gmail.com Sun Jul 20 14:07:32 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Sun, 20 Jul 2008 14:07:32 -0400
Subject: Problem with SPNEGO on Solaris 10 build 4
Message-ID: <78c6bd860807201107g325551fdgf5b851a79bc8a453@mail.gmail.com>

On Sun, Jul 20, 2008 at 11:33 AM, Markus Moeller wrote:
> I tried to use my squid_kerb_auth on Solaris 10 and it fails.

I don't know anything about squid_kerb_auth or Solaris 10 really but how are libs linked together? There are enough GSSAPI and Kerberos libs around that you almost have to use symbol versioning if you're loading things dynamically.
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From huaraz at moeller.plus.com Sun Jul 20 14:56:35 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 20 Jul 2008 19:56:35 +0100
Subject: Problem with SPNEGO on Solaris 10 build 4
In-Reply-To: <78c6bd860807201107g325551fdgf5b851a79bc8a453@mail.gmail.com>
References: <78c6bd860807201107g325551fdgf5b851a79bc8a453@mail.gmail.com>

I use native Solaris 10 libraries. My source is at http://squidkerbauth.cvs.sourceforge.net/squidkerbauth/squid_kerb_auth/

./configure
checking for a BSD-compatible install... ./install-sh -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... no
checking for cc... cc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... no
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of cc... none
checking how to run the C preprocessor... cc -E
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking gssapi/gssapi_ext.h usability... yes
checking gssapi/gssapi_ext.h presence... yes
checking for gssapi/gssapi_ext.h... yes
checking for main in -lnsl... yes
checking for main in -lsocket... yes
checking for main in -lresolv... yes
checking for main in -lgss... yes
checking for SPNEGO support... yes
checking whether byte ordering is bigendian... yes
configure: ## -----------------------------##
configure: ##
configure: ## seam has been selected
configure: ##
configure: ## -----------------------------##
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
configure: updating config.h

and the make is just:

cc -DHAVE_CONFIG_H -I. -g -c squid_kerb_auth.c
cc -DHAVE_CONFIG_H -I. -g -c base64.c
cc -g -o squid_kerb_auth squid_kerb_auth.o base64.o -lgss -lresolv -lsocket -lnsl
cc -DHAVE_CONFIG_H -I. -g -c squid_kerb_auth_test.c
cc -g -o squid_kerb_auth_test squid_kerb_auth_test.o base64.o -lgss -lresolv -lsocket -lnsl

So no conflict with any other Kerberos library. Neither Heimdal nor MIT is installed.

Markus

"Michael B Allen" wrote in message news:78c6bd860807201107g325551fdgf5b851a79bc8a453 at mail.gmail.com...
> On Sun, Jul 20, 2008 at 11:33 AM, Markus Moeller
> wrote:
>> I tried to use my squid_kerb_auth on Solaris 10 and it fails.
>
> I don't know anything about squid_kerb_auth or Solaris 10 really but
> how are libs linked together? There are enough GSSAPI and Kerberos
> libs around that you almost have to use symbol versioning if you're
> loading things dynamically.
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From amitpawar007 at gmail.com Mon Jul 21 05:54:32 2008
From: amitpawar007 at gmail.com (amit pawar)
Date: Mon, 21 Jul 2008 15:24:32 +0530
Subject: issue with mod_spnego
Message-ID: <748000080807210254xb930dd3u95bba1c86229221@mail.gmail.com>

Hi all,

I am trying to use mod_spnego on Apache server (Windows). Whenever I try to login from a client from IE, it asks me for username and password. When I enter the correct username and password, the Apache server crashes (the child process crashes while the server keeps on running).
When I enter a wrong password the server doesn't crash. I have followed the instructions from the ReadMe file of mod_spnego module version 1.0.

Let me explain in detail. I have Kerberos krb5kdc and kadmin running on a Linux machine. I have Apache server running on a Windows machine (Windows Server 2003). Now from another Windows machine (client: Windows XP), when I try to login from IE, the Apache server crashes, giving the error below.

NOTE: I have multiple realms running on the Windows machine. The one which I am using is not the default one.

ERROR shown on Apache server:
"An unhandled win32 exception occurred in httpd.exe[2040]"

In the debugging process, the call stack window shows "mod_spnego.so!_GSSAPI_INITIAL_CONTEXT_TOKEN_BODY_it()".

What am I doing wrong, can someone let me know?

One more thing, when I tried to use mod_spnego module v1.0 on Windows XP, the Apache server couldn't start. But I succeeded with the same process on Windows Server 2003. Does mod_spnego module have any issues with Windows XP?

--
Regards,
Amit Pawar
Financial Technologies (India) Ltd.
Mobile: 9833 586 568

From michael at stroeder.com Sat Jul 19 10:16:44 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 19 Jul 2008 16:16:44 +0200
Subject: SSO
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu>

Michael B Allen wrote:
>
> It's the client's responsibility to decide whether or not to include a
> TGT. A client can always request a forwardable TGT in which case it
> can be submitted to the web server.
> For example on Linux if you do
> kinit -f principal at REALM and then point Firefox at an SPNEGO protected
> page, and it has network.negotiate-auth.delegation-uris set to the
> target domain, it will send the TGT.
>
> However, if you're using Windows clients in an AD environment and the
> HTTP service account has "Trusted for delegation" turned off, the TGT
> will not be sent.

Ok. Thanks (also to Russ) for clarifying this.

>> My goal when doing SSO for web applications is that I don't trust the
>> web applications so much not to reveal the user's credentials.
>
> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1]. If the web app does
> not need delegated credentials then configure your clients not to send
> the TGT (in AD this means simply turning off the "Trusted for
> delegation" flag on the HTTP service account).

I have two scenarios:

1. One is using CAS with SPNEGO/Kerberos (see http://www.ja-sig.org/wiki/display/CASUM/SPNEGO) and fall-back to simple bind. In this scenario I don't want the browser to send the TGT.

2. I'm thinking about implementing SPNEGO/Kerberos in web2ldap to let the user bind via SASL/GSSAPI to the LDAP server (up to now a "local" TGT has to be present for this to work). For this I need the TGT.

So I'm glad both are possible.

Ciao, Michael.

From deengert at anl.gov Mon Jul 21 12:05:29 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 21 Jul 2008 11:05:29 -0500
Subject: SSO
In-Reply-To: <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com>
References: <5183a7480807170653q196244d9gd6a27e186849f520@mail.gmail.com> <5183a7480807170801v60e26508k4086834bedbf83fb@mail.gmail.com> <78c6bd860807171125s4fb0022bif1b9368265874ee5@mail.gmail.com> <87mykgb4xn.fsf@windlord.stanford.edu> <78c6bd860807171529m4f867a06s770bdc81ad44c4bd@mail.gmail.com> <87r69s86z9.fsf@windlord.stanford.edu> <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com>
Message-ID: <4884B3C9.9030207@anl.gov>

Michael B Allen wrote:
> On Fri, Jul 18, 2008 at 12:03 PM, Michael Ströder wrote:
>> Simon Wilkinson wrote:
>>> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>>>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>>>> it's just a service ticket.
>>> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
>>> deleg_creds flag when calling into the API, then a TGT will be included.
>> Which entity has to set this flag when calling into the API? The web
>> browser or the web server?
>
> It's the client's responsibility to decide whether or not to include a
> TGT. A client can always request a forwardable TGT in which case it
> can be submitted to the web server. For example on Linux if you do
> kinit -f principal at REALM and then point Firefox at an SPNEGO protected
> page, and it has network.negotiate-auth.delegation-uris set to the
> target domain, it will send the TGT.
>
> However, if you're using Windows clients in an AD environment and the
> HTTP service account has "Trusted for delegation" turned off, the TGT
> will not be sent.

Just to clarify, a Windows KDC will set the OK-AS-DELEGATE flag in the Kerberos flags in the service ticket if the TRUSTED_FOR_DELEGATION UserAccountControl flag is set for the service account. This is advisory to the client. But the bit was introduced in Windows first. I have seen mods to the MIT Kerberos to set this bit and mods in the client to check if it is set. Unfortunately the client needs to know if the KDC has implemented the code to set the bit or not, because the default for the bit is off, and non-Windows clients have always assumed delegation was OK. (The bit should have been NOT-OK-AS-DELEGATE; it would have made introduction of the feature much cleaner.)

A client using any protocol should always be very cautious in delegating, as a delegated TGT is usually as good as the one you get with login or kinit. SSH has the ssh_config "GSSAPIDelegateCredentials yes" to control delegation.

>
>> My goal when doing SSO for web applications is that I don't trust the
>> web applications so much not to reveal the user's credentials.

Have you looked at the Sun Access Manager? http://www.sun.com/software/products/access_mgr/index.jsp Or other SSO products?

>
> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1]. If the web app does
> not need delegated credentials then configure your clients not to send
> the TGT (in AD this means simply turning off the "Trusted for
> delegation" flag on the HTTP service account).
>
> Mike
>
> [1] Kerberos provides other ways to limit how the TGT can be used and
> to proxy service tickets and such but I don't think browsers have
> support for such things yet.

Too bad, limiting the capabilities of delegated credentials is one of the areas Kerberos implementations need improvement. It is one of the reasons Kerberos will not scale well across organization boundaries and makes site security nervous. The OK-AS-DELEGATE is a step, but it's all or nothing.

>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Mon Jul 21 12:24:02 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 21 Jul 2008 11:24:02 -0500
Subject: Problem with SPNEGO on Solaris 10 build 4
Message-ID: <4884B822.8030504@anl.gov>

Markus Moeller wrote:
> I tried to use my squid_kerb_auth on Solaris 10 and it fails. My configure
> determines it supports SPNEGO but when I use it I get
>
> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
> credentials were supplied, or the credentials were unavailable or
> inaccessible. No error
> BH gss_accept_sec_context() failed: No credentials were supplied, or the
> credentials were unavailable or inaccessible. No error
> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>
> To test it I did a kinit as a user and ran squid_kerb_auth_test which
> creates a base64 encoded token.
> ./squid_kerb_auth_test testserver.solaris.home
> Token: YIICPAYGKwYBBQUCoIICMDCCAiygDTALBg......
>
> I then use the token as input to squid_kerb_auth
>
> ./squid_kerb_auth -i -d <<!
> YIICPAYGKwYBBQUCoIICMDCCAiygDTALBgkqh...
> !
>
> 2008/07/20 16:11:36| squid_kerb_auth: Starting version 1.0.1
> 2008/07/20 16:11:36| squid_kerb_auth: Got 'YR YIICPAYGKwYBBQUCoII.... from
> squid (length: 771).
> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
> credentials were supplied, or the credentials were unavailable or
> inaccessible. No error
> BH gss_accept_sec_context() failed: No credentials were supplied, or the
> credentials were unavailable or inaccessible. No error
> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>
>
> When I do the same on any other platform (including OpenSolaris) it works
> fine. Also when I configure squid_kerb_auth without -DHAVE_SPNEGO it works
> fine, e.g. I get:
>
> 2008/07/20 16:11:07| squid_kerb_auth: Starting version 1.0.1
> 2008/07/20 16:11:07| squid_kerb_auth: Got 'YR YIICEQYJKoZIhvcSAQICAQB....
> from squid (length: 715).
> 2008/07/20 16:11:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2008/07/20 16:11:07| squid_kerb_auth: Token is possibly a GSSAPI token
> AF AA== markus at SOLARIS.HOME
> 2008/07/20 16:11:07| squid_kerb_auth: AF AA== markus at SOLARIS.HOME
> 2008/07/20 16:11:07| squid_kerb_auth: User markus at SOLARIS.HOME authenticated
>
>
> Is this a known problem with Solaris 10 or must I specify the right mechanism?
>

I had some problems with mod_auth_kerb with SPNEGO on Solaris 10, but mostly with storing delegated credentials.
http://opensolaris.org/jive/thread.jspa?threadID=59270&tstart=0

It might have to do with what maintenance level you are at. Over the life of Solaris 10, Sun has made quite a few changes, including adding the Kerberos header files. ldd might also show something.

>
> Thank you
> Markus
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From huaraz at moeller.plus.com Mon Jul 21 17:05:52 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 21 Jul 2008 22:05:52 +0100
Subject: Problem with SPNEGO on Solaris 10 build 4
In-Reply-To: <4884B822.8030504@anl.gov>
References: <4884B822.8030504@anl.gov>

I use build 4 and in general it works fine. I have now compiled the gss-sample test client and server on OpenSolaris and Solaris 10 build 4.

On OpenSolaris I get:

client:
./gss-client -port 11000 -mech 1.3.6.1.5.5.2 opensolaris.solaris.home HTTP test
Sending init_sec_context token (size=606)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"markus at SOLARIS.HOME" to "HTTP/opensolaris.solaris.home at SOLARIS.HOME", lifetime 35860, flags 136, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 2 1 }.
Mechanism { 1 3 6 1 5 5 2 } supports 4 names
  0: { 1 2 840 113554 1 2 1 1 }
  1: { 1 2 840 113554 1 2 1 2 }
  2: { 1 2 840 113554 1 2 1 3 }
  3: { 1 3 6 1 5 6 2 }
Signature verified.

server:
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "markus at SOLARIS.HOME"
Received message: "test"
NOOP token

whereas on Solaris 10 I get:

client:
./gss-client -port 11000 -mech 1.3.6.1.5.5.2 solaris10 HTTP Test
Sending init_sec_context token (size=581)...continue needed...reading token flags: 0 bytes read

server:
./gss-server -port 11000 HTTP
GSS-API error accepting context: No credentials were supplied, or the credentials were unavailable or inaccessible
GSS-API error accepting context: No error

So it looks to me like a bug in Solaris 10.

Markus

From William.Fiveash at Sun.COM Tue Jul 22 17:52:55 2008
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Tue, 22 Jul 2008 16:52:55 -0500
Subject: Problem with SPNEGO on Solaris 10 build 4
References: <4884B822.8030504@anl.gov>
Message-ID: <20080722215254.GB26554@sun.com>

I suggest you post your findings to kerberos-discuss at opensolaris.org.

On Mon, Jul 21, 2008 at 10:05:52PM +0100, Markus Moeller wrote:
> I use build 4 and in general it works fine. I have now compiled the
> gss-sample test client and server on OpenSolaris and Solaris 10 build 4.
>
> On OpenSolaris I get:
>
> client:
> ./gss-client -port 11000 -mech 1.3.6.1.5.5.2 opensolaris.solaris.home HTTP
> test
> Sending init_sec_context token (size=606)...continue needed...

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From rra at stanford.edu Wed Jul 23 00:18:05 2008
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 22 Jul 2008 21:18:05 -0700
Subject: kstart 3.14 released
Message-ID: <87vdyxi682.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.14 of kstart.

k4start, k5start, and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.
Changes from previous release:

Add -F and -P options to k5start to force the tickets to not be forwardable or proxiable, regardless of library defaults. This can be necessary if one's krb5.conf defaults to forwardable or proxiable tickets but service principals aren't allowed to get such tickets.

You can download it from:

As of this release, kstart is now maintained in Git. See the above URL for more details.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)

From eirvine at tpg.com.au Wed Jul 23 03:59:17 2008
From: eirvine at tpg.com.au (Edward Irvine)
Date: Wed, 23 Jul 2008 17:59:17 +1000
Subject: Creating an MIT style keytab for an existing Windows AD member computer
Message-ID: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>

Hi,

I'd like to find out if there is any way to extract a HOST keytab for a Windows computer that is already a member of an Active Directory domain.

A Java developer I look after wants to do the single sign on thing to his web application. Our environment is a mixed Active Directory and Solaris environment.

By creating a new user in Active Directory, and mapping the user to a service principal using ktpass.exe, we now have SPNEGO single sign on working between the clients' Internet Explorer and the JBoss server on *Solaris*. So far so good.

The developer, who uses a Windows workstation that is part of the Active Directory domain, now wants the SPNEGO authentication to work on his own Windows workstation - and for that to work I need to get the keytab for host/pingname.of.host at KERBEROS.REALM.NAME

A quick LDAP lookup of his workstation in AD reveals that it already has a servicePrincipalName of HOST/pingname.of.host - so presumably I can extract the keytab somehow. But how?

I don't personally have admin access to the AD domain, but I work with the folks who do.
Eddie

From deengert at anl.gov Wed Jul 23 10:19:04 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 23 Jul 2008 09:19:04 -0500
Subject: Creating an MIT style keytab for an existing Windows AD member computer
In-Reply-To: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
Message-ID: <48873DD8.8000108@anl.gov>

Edward Irvine wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a Windows computer that is already a member of an Active Directory
> domain.

Do you have to use the Windows "host" principal? Can your application use a different principal, like HTTP or LDAP, or make up your own? Then your application server has its own keyfile, and does not need access to the one used by Windows for login. There are security issues with letting an application access this key. It could then impersonate any user to the machine.

>
> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
>
> By creating a new user in Active Directory, and mapping the user to a
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.

A common misunderstanding when reading the Microsoft docs on Kerberos and service principals has to do with the term "user". The "user" account referred to with ktpass is an LDAP term for the objectclass user. Kerberos service principals need a "user" account in AD. This user account has nothing to do with real users who will authenticate to the service.
>
> The developer, who uses a Windows workstation that is part of the Active
> Directory domain, now wants the SPNEGO authentication to work on his
> own Windows workstation - and for that to work I need to get the
> keytab for host/pingname.of.host at KERBEROS.REALM.NAME
>
> A quick LDAP lookup of his workstation in AD reveals that it already
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I
> can extract the keytab somehow. But how?
>

Not really. They also change the keys every so often, so you don't want to copy it.

If your Java application needs to act as a server, and really use the "host" service principal, can you use some Java to SSPI-service class? (Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)

> I don't personally have admin access to the AD domain, but I work
> with the folks who do.
>
> Eddie
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From paul.moore at centrify.com Wed Jul 23 13:41:41 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Wed, 23 Jul 2008 10:41:41 -0700
Subject: Creating an MIT style keytab for an existing Windows AD membercomputer
In-Reply-To: <48873DD8.8000108@anl.gov>
References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au> <48873DD8.8000108@anl.gov>

"It could then impersonate any user to the machine"

Can you explain that? I want to make sure I understand all potential kerb threats; this is a new one to me.

From ioplex at gmail.com Wed Jul 23 14:01:43 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 23 Jul 2008 14:01:43 -0400
Subject: Creating an MIT style keytab for an existing Windows AD member computer
In-Reply-To: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au>
Message-ID: <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com>

On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a Windows computer that is already a member of an Active Directory
> domain.
>
> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
>
> By creating a new user in Active Directory, and mapping the user to a
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.
> > The developer, who uses a Windows workstation that is part of the Active > Directory domain, now wants the SPNEGO authentication to work in his > own windows workstation - and for that to work I need to get the > keytab for the host/pingname.of.host at KERBEROS.REALM.NAME > > A quick LDAP lookup of his workstation in AD reveals that it already > has a servicePrincipalName of HOST/pingname.of.host - so presumably I > can extract the keytab somehow. But how? > > I don't personally have admin access to the AD domain, but I work > with the folks who do. Extracting the keys from AD is not possible [1]. However, the ktpass utility from MS can set the password, generate the corresponding key separately and put it into a keytab file. Note that you must have at least account operator privilege to set a password in AD. Mike [1] There is a freeware utility called ktexport that can extract the keys from a DC and dump them into a keytab, but it is only (sometimes) useful for debugging purposes with Wireshark. The resulting keytab is not valid for use with any kind of service. -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ From deengert at anl.gov Wed Jul 23 15:30:09 2008 From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 23 Jul 2008 14:30:09 -0500 Subject: Creating an MIT style keytab for an existing Windows AD membercomputer In-Reply-To: References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au> <48873DD8.8000108@anl.gov> Message-ID: <488786C1.1070103@anl.gov> Paul Moore wrote: > "It could then impersonate any user to the machine" > > Can you explain that? I want to make sure I understand all potential > kerb threats, this is a new one to me. This is at the heart of Kerberos. Client and server trust the KDC, and trust the KDC to give the client a service ticket usable at the server. The server trusts the KDC only because the KDC and server share a secret, the key in the keytab. 
If someone else knows the key of the service principal, they could create a service ticket claiming to be any client, and present it to the server. The server will decrypt the ticket assuming it came from the KDC introducing the client to the server. See http://www.ietf.org/rfc/rfc4120.txt section 3.2.3 > > > > > > -----Original Message----- > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On > Behalf Of Douglas E. Engert > Sent: Wednesday, July 23, 2008 7:19 AM > To: Edward Irvine > Cc: kerberos at mit.edu > Subject: Re: Creating an MIT style keytab for an existing Windows AD > membercomputer > > > > Edward Irvine wrote: >> Hi, >> >> I'd like to find out if there is any way to extract a HOST keytab for >> a windows computer that is already a member of an active directory >> domain. > > Do you have to use the Windows "host" principal? Can your application > use a different principal, like HTTP or LDAP, or make up your own? > > Then your application server has its own keyfile, and does not need > access to the one used by Windows for login. There are security issues > with letting an application access this key. It could then impersonate > any user to the machine. > >> A Java developer I look after wants to do the single sign on thing to >> his web application. Our environment is a mixed Active Directory and >> Solaris environment. >> >> By creating a new user in active directory, and mapping the user to a >> service principal using ktpass.exe, we now have SPNEGO single sign on >> working between the clients Internet Explorer and the JBoss server on >> *Solaris*. So far so good. > > A common misunderstanding when reading the Microsoft docs on Kerberos and > service principals has to do with the term "user". > The "user" account referred to with ktpass is an LDAP term for the > objectclass user. Kerberos service principals need a "user" account in > AD. This user account has nothing to do with real users who will > authenticate to the service. 
> >> The developer, who uses a Windows workstation that is part of the Active >> Directory domain, now wants the SPNEGO authentication to work in his >> own windows workstation - and for that to work I need to get the >> keytab for the host/pingname.of.host at KERBEROS.REALM.NAME >> >> A quick LDAP lookup of his workstation in AD reveals that it already >> has a servicePrincipalName of HOST/pingname.of.host - so presumably I >> can extract the keytab somehow. But how? >> > Not really. They also change the keys every so often, so you don't > want to copy it. > > If your Java application needs to act as a server, and really use the > "host" service principal, can you use some Java to SSPI-service class? > (Don't know if one exists.) (GSSAPI and SSPI use the same protocols.) > >> I don't personally have admin access to the AD domain, but I work with > >> the folks who do. >> >> Eddie >> >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> >> > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From Nicolas.Williams at sun.com Wed Jul 23 15:33:54 2008 From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Wed, 23 Jul 2008 14:33:54 -0500 Subject: Creating an MIT style keytab for an existing Windows AD member computer In-Reply-To: <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com> References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au> <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com> Message-ID: <20080723193354.GW25547@Sun.COM> On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: > Extracting the keys from AD is not possible [1]. Nor is it possible to extract them from MIT krb5 KDCs. > However, the ktpass utility from MS can set the password, generate the > corresponding key separately and put it into a keytab file. 
You can build keytabs directly on MIT krb5 systems using the MIT krb5 API, or even interactively with kpasswd and ktutil (an early version of adjoin [see below] did just that). Or you could probably just use or adapt Sun's adjoin/ksetpw tools to your purposes: http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf http://opensolaris.org/os/project/winchester/files/adjoin-s10u4.tar.gz http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz > Note that you must have at least account operator privilege to set a > password in AD. Indeed. > Mike > > [1] There is a freeware utility called ktexport that can extract the > keys from a DC and dump them into a keytab but it is only (sometimes) > useful for debugging purposes with WireShark. The resulting keytab is > not valid for use with any kind of service. Sure, if you have direct, privileged access to a KDC you could always extract its keys. Portions of the KDC could run directly in a hardware keystore, making it really hard to get to the keys, but that's not the case here. Nico -- From rra at stanford.edu Wed Jul 23 20:55:20 2008 From: rra at stanford.edu (Russ Allbery) Date: Wed, 23 Jul 2008 17:55:20 -0700 Subject: Creating an MIT style keytab for an existing Windows AD member computer In-Reply-To: <20080723193354.GW25547@Sun.COM> (Nicolas Williams's message of "Wed\, 23 Jul 2008 14\:33\:54 -0500") References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au> <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com> <20080723193354.GW25547@Sun.COM> Message-ID: <87wsjcf6dj.fsf@windlord.stanford.edu> Nicolas Williams writes: > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: >> Extracting the keys from AD is not possible [1]. > Nor ist it possible to extract them from MIT krb5 KDCs. It is as of 1.6 using kadmin.local (not that this changes the rest of your point). 
-- Russ Allbery (rra at stanford.edu) From Nicolas.Williams at sun.com Wed Jul 23 21:40:46 2008 From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Wed, 23 Jul 2008 20:40:46 -0500 Subject: Creating an MIT style keytab for an existing Windows AD member computer In-Reply-To: <87wsjcf6dj.fsf@windlord.stanford.edu> References: <2EFEBB04-5276-442A-9EA3-B9B41FDEC9A7@tpg.com.au> <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com> <20080723193354.GW25547@Sun.COM> <87wsjcf6dj.fsf@windlord.stanford.edu> Message-ID: <20080724014045.GJ25547@Sun.COM> On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote: > Nicolas Williams writes: > > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote: > > >> Extracting the keys from AD is not possible [1]. > > > Nor is it possible to extract them from MIT krb5 KDCs. > > It is as of 1.6 using kadmin.local (not that this changes the rest of your > point). Right, it doesn't -- running kadmin.local on the KDC with sufficient privilege qualifies as "privileged access to a KDC" :) From jobs at webdos.com Thu Jul 24 14:10:13 2008 From: jobs at webdos.com (jc) Date: Thu, 24 Jul 2008 11:10:13 -0700 (PDT) Subject: Kerberos security prompts for credentials that can't be satisfied. IE must be closed and reopened Message-ID: Windows 2003 Server, Windows XP pro clients IE 7.0 We have a MOSS 2007 farm set up with Kerberos security. It works great 99% of the time. However, there is an odd quirk.. every now and then, and in the middle of any given operation or any time following logging in.. can be minutes after logging in or even hours... Sharepoint will prompt for authentication, you can attempt to enter your credentials, but it does not let you in. If we clip the web address line, close the IE browser, reopen a browser and paste the address line, the session continues with no prompt for credentials. What could this be? Thanks for any help or information. 
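Engert's point earlier in this thread (the service key shared between the KDC and the server is the whole basis of the server's trust, so anyone holding it can mint a ticket naming any client, while a separate principal for the web application limits the damage to that application) is easy to lose in the abstract. The following is an added example written for this page, not code from the list, from MIT krb5 or from any poster. It is a toy: a real ticket is the ASN.1 structure of RFC 4120 section 5.3 with its EncTicketPart encrypted under the service's long-term key, whereas here a ticket is JSON protected by an HMAC under that key. The property that matters survives the simplification: authenticity comes from nothing but the key. Principal names, key bytes and lifetimes are constructed for the demo.

```python
"""Toy model of the trust relationship Engert describes: a service accepts
any ticket that checks out under the key it shares with the KDC, so whoever
holds that key can mint tickets naming any client.

Added example, not code from the mailing list or from MIT krb5.  Principal
names, keys and lifetimes are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed long-term keys: the KDC database holds one per service
# principal, and each service holds its own copy in its keytab.
KDC_DATABASE = {
    "host/ws01.example.com@EXAMPLE.COM": os.urandom(32),  # workstation's "host" key
    "HTTP/app.example.com@EXAMPLE.COM": os.urandom(32),   # separate key for the web app
}


def mint_ticket(service_key: bytes, client: str, service: str,
                lifetime: int = 3600, now: Optional[int] = None) -> bytes:
    """What the KDC does for a TGS-REQ: bind client, service and validity
    together under service_key.  Nothing else proves the caller is the KDC,
    so anyone holding service_key can call this too."""
    now = int(time.time()) if now is None else now
    body = {"cname": client, "sname": service,
            "authtime": now, "endtime": now + lifetime}
    enc = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(service_key, enc, hashlib.sha256).digest()
    return base64.b64encode(enc) + b"." + tag.hex().encode()


def service_accepts(keytab_key: bytes, ticket: bytes, my_name: str,
                    now: Optional[int] = None) -> Optional[str]:
    """What the application server does with the ticket in an AP-REQ: check
    it under the key from its own keytab, check it names this service and is
    inside its validity window, then believe cname.  Returns the client name
    the server now trusts, or None if the ticket is rejected."""
    try:
        enc_b64, tag_hex = ticket.split(b".", 1)
        enc = base64.b64decode(enc_b64, validate=True)
        expected = hmac.new(keytab_key, enc, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
            return None
        body = json.loads(enc)
        if body["sname"] != my_name:
            return None
        now = int(time.time()) if now is None else now
        if not (body["authtime"] <= now < body["endtime"]):
            return None
        return body["cname"]
    except (ValueError, KeyError, TypeError):
        return None


def demo() -> dict:
    """Run the cases from the thread and return who the host service ends up
    believing it is talking to in each."""
    host_svc = "host/ws01.example.com@EXAMPLE.COM"
    http_svc = "HTTP/app.example.com@EXAMPLE.COM"
    host_key = KDC_DATABASE[host_svc]
    http_key = KDC_DATABASE[http_svc]

    # 1. Normal path: the KDC mints, the workstation checks with its keytab.
    legit = mint_ticket(host_key, "alice@EXAMPLE.COM", host_svc)
    # 2. Someone copied the workstation's host key out of a keytab.  Same
    #    function, same key, any cname they like: nothing distinguishes it.
    forged = mint_ticket(host_key, "Administrator@EXAMPLE.COM", host_svc)
    # 3. The web app was given its own principal and key, as Engert suggests.
    #    Leaking that key does not let its holder forge tickets for "host".
    forged_http = mint_ticket(http_key, "Administrator@EXAMPLE.COM", host_svc)
    # 4. A genuine ticket for the web app, replayed at the host service.
    replayed = mint_ticket(http_key, "alice@EXAMPLE.COM", http_svc)

    return {
        "legit": service_accepts(host_key, legit, host_svc),
        "forged_with_host_key": service_accepts(host_key, forged, host_svc),
        "forged_with_http_key": service_accepts(host_key, forged_http, host_svc),
        "http_ticket_at_host": service_accepts(host_key, replayed, host_svc),
    }


if __name__ == "__main__":
    for case, client in demo().items():
        print(f"{case:24s} -> {client!r}")
```

Case 2 is the threat Paul Moore asked about: the forged ticket and the legitimate one are produced by the same code path with the same key, so the server cannot tell them apart. Cases 3 and 4 are why giving the JBoss application its own principal (HTTP/...) rather than a copy of the machine's host key contains a compromise of the application to the application.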
From vas at mpeks.no-spam-here.tomsk.su Sun Jul 27 22:52:52 2008 From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov) Date: Mon, 28 Jul 2008 02:52:52 +0000 (UTC) Subject: ktutil get Message-ID: Colleagues, There is a very useful command "ktutil get" in Heimdal. It allows one to conveniently join a host into a Kerberos domain, without bothering about transferring the keytab. What is the analogous command in the Solaris Kerberos implementation? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49 at fidonet http://vas.tomsk.ru/ From ssdesai1 at gmail.com Mon Jul 28 08:55:26 2008 From: ssdesai1 at gmail.com (Sharad Desai) Date: Mon, 28 Jul 2008 08:55:26 -0400 Subject: Kerberos KDC Message-ID: <5183a7480807280555h7e2b5b95h4af452d45c3fc813@mail.gmail.com> Hello All, I am trying to set up a Kerberos 5 KDC on my servers. I run Windows IIS 6.0 and our management does not want to use Kerberos through AD. I was wondering if anyone could help me on where to start. Thanks in advance From Loki at no.spam Mon Jul 28 18:07:49 2008 From: Loki at no.spam (Loki) Date: Tue, 29 Jul 2008 00:07:49 +0200 Subject: Java Client accessing .NET Web Service and Kerberos Delegation with AD Message-ID: Hi all, we are running a .NET web service which uses Kerberos delegation to access a backend service on behalf of the client's security context. We have no problem with .NET client applications or IE accessing the web service, but in case of a Java app acting as client, delegation fails. The Java app correctly requests a TGT from the Win 2003 Active Directory and then requests and gets a valid service ticket to access the .NET web service. After that, the web service does a programmatic impersonation before making an ADSI/LDAP bind to the AD. This impersonation fails in case of a Java application. 
Client: - Java 6 application on Windows Web Service: - IIS 6 - ASP.NET 2.0 Web Service Backend Service: - Windows Server 2003 Active Directory Domain Controller (LDAP) Did anyone implement a similar environment and could help me to find a solution? I can post configuration files, log files and network traces. loki From petesea at bigfoot.com Mon Jul 28 19:03:53 2008 From: petesea at bigfoot.com (petesea@bigfoot.com) Date: Mon, 28 Jul 2008 16:03:53 -0700 (PDT) Subject: KfW and Vista Message-ID: I have a special installer (NSIS) that first installs KfW and then starts the NIM so the user can enter their Kerberos password and then accesses a server via SSH/GSSAPI. On Win XP, this works fine. Vista on the other hand seems to run the NIM in a different context or session or something. It's running as the same user, but credentials available via the NIM are not available via command line clients (ie running klist from the command line says there's no credentials even though the NIM says there are). If I run "Process Explorer", I see there are 2 krbcc32s.exe processes and I presume that means they are using separate credentials caches? Is there any way to force a NIM that was started via an installer so it uses the same credential cache as the command line kinit/klist/kdestroy? From jaltman at secure-endpoints.com Mon Jul 28 19:25:45 2008 From: jaltman at secure-endpoints.com (Jeffrey Altman) Date: Mon, 28 Jul 2008 19:25:45 -0400 Subject: KfW and Vista In-Reply-To: References: Message-ID: <488E5579.2080109@secure-endpoints.com> The installer runs with Administrator privileges under the Administrator session. It is running in a different logon session than the user session. If you see Windows report the second session as the same user it is because the user is in the Administrators Group and as such is running in a second session without the UAC restrictions. 
Once the installer process is running elevated it is not possible to have it CreateProcess within the original logon session. Jeffrey Altman petesea at bigfoot.com wrote: > I have a special installer (NSIS) that first installs KfW and then starts > the NIM so the user can enter their Kerberos password and then accesses a > server via SSH/GSSAPI. > > On Win XP, this works fine. Vista on the other hand seems to run the NIM > in a different context or session or something. It's running as the same > user, but credentials available via the NIM are not available via command > line clients (ie running klist from the command line says there's no > credentials even though the NIM says there are). > > If I run "Process Explorer", I see there are 2 - krbcc32s.exe processes > and I presume that means they are using separate credentials caches? > > Is there any way to force a NIM that was started via an installer so it > uses the same credential cache as the command line kinit/klist/kdestroy? > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3355 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080728/67854a6c/smime.bin From abhishek.brave at gmail.com Tue Jul 29 03:49:07 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Tue, 29 Jul 2008 00:49:07 -0700 (PDT) Subject: Any workaround for [domain_realm] section Message-ID: <18707098.post@talk.nabble.com> I am using Kerberos v5. Following is the domain realm section of my Kerberos configuration file: [domain_realm] abhi.com = AS.ABHI.COM .abhi.com = AS.ABHI.COM abhi-amit.abhi.com = AMIT.ABHI.COM as.abhi.com = AMIT.ABHI.COM Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go through the method above then I have to enter the 400 entries separately for the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM. So is there any workaround for this problem? Changing the DNS name is also not possible. Any pointers in this regard will be very helpful. -- View this message in context: http://www.nabble.com/Any-workaround-for--domain_realm--section-tp18707098p18707098.html Sent from the Kerberos - General mailing list archive at Nabble.com. From abhishek.brave at gmail.com Tue Jul 29 04:43:32 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Tue, 29 Jul 2008 01:43:32 -0700 (PDT) Subject: SSH configuration Message-ID: <18707809.post@talk.nabble.com> I want to configure passwordless ssh after successful kinit. For that I have to change configurations in etc/ssh_config: GSSAPIAuthentication yes GSSAPIDelegateCredentials yes but we don't have these options in ssh_config file? Any pointers in this regard? -- View this message in context: http://www.nabble.com/SSH-configuration-tp18707809p18707809.html Sent from the Kerberos - General mailing list archive at Nabble.com. 
From javiplx at gmail.com Tue Jul 29 06:18:55 2008 From: javiplx at gmail.com (Javier Palacios) Date: Tue, 29 Jul 2008 12:18:55 +0200 Subject: Any workaround for [domain_realm] section In-Reply-To: <18707098.post@talk.nabble.com> References: <18707098.post@talk.nabble.com> Message-ID: On Tue, Jul 29, 2008 at 9:49 AM, Abhishek Chowdhury wrote: > > I am using kerberos v5 version > Following is the domain realm section of my kerberos configuration file > > [domain_realm] > abhi.com = AS.ABHI.COM > .abhi.com = AS.ABHI.COM > > abhi-amit.abhi.com = AMIT.ABHI.COM > as.abhi.com = AMIT.ABHI.COM > > Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go > through the method above then I have to enter the 400 entries separately for > the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM > or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM. > > So is there any workaround for this problem. > Changing of DNS name is also not possible. > Any pointers in this regard will be very helpful. Not completely sure, but I believe that the TXT records allow you to do that. Javier Palacios From raeburn at MIT.EDU Tue Jul 29 06:20:32 2008 From: raeburn at MIT.EDU (Ken Raeburn) Date: Tue, 29 Jul 2008 11:20:32 +0100 Subject: Any workaround for [domain_realm] section In-Reply-To: <18707098.post@talk.nabble.com> References: <18707098.post@talk.nabble.com> Message-ID: <6049BF9E-6542-4430-BABE-241165E66819@mit.edu> On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote: > Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If > I go > through the method above then I have to enter the 400 entries > separately for > the services in AMIT.ABHI.COM. Also I cannot write abhi.com = > AMIT.ABHI.COM > or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM. > > So is there any workaround for this problem. > Changing of DNS name is also not possible. > Any pointers in this regard will be very helpful. 
If you can add TXT records for the hosts in AMIT, you could enable the use of these TXT records on all the clients; it's a theoretical security weakness, though, which is why it's off by default. The admin or install guides should mention how to set these up, I think. (Sorry, only have a few minutes right now.) You could also set up some site-wide scheme for distributing updates to the domain_realm section, but that's kind of ugly. If you set KRB5_CONFIG to a colon-separated list of files, the krb5 library code will read all of them in. If you have some site-wide shared file system, you could put a file there with the domain_realm entries for your site, but obviously there are potential security and performance issues there. Eventually we want to have a way for the KDC to supply this information, but while we've got a spec in the works, we don't have an implementation yet. Ken From eirvine at tpg.com.au Tue Jul 29 06:23:13 2008 From: eirvine at tpg.com.au (Edward Irvine) Date: Tue, 29 Jul 2008 20:23:13 +1000 Subject: SSH configuration In-Reply-To: <18707809.post@talk.nabble.com> References: <18707809.post@talk.nabble.com> Message-ID: <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> Hi, On 29/07/2008, at 6:43 PM, Abhishek Chowdhury wrote: > > I want to configure passwordless ssh after successful kinit. > > for that I have to change configurations in etc/ssh_config: > > > GSSAPIAuthentication yes > GSSAPIDelegateCredentials yes > > but we dont have these options in ssh_config file? The GSSAPI directives may still be valid for your system. Suggest reading the man pages. man ssh_config man sshd_config > What version of UNIX/Linux are you using? > any pointers in this regard? > -- > View this message in context: http://www.nabble.com/SSH- > configuration-tp18707809p18707809.html > Sent from the Kerberos - General mailing list archive at Nabble.com. 
> > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > From bodik at civ.zcu.cz Tue Jul 29 06:57:46 2008 From: bodik at civ.zcu.cz (bodik) Date: Tue, 29 Jul 2008 12:57:46 +0200 Subject: SSH configuration In-Reply-To: <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> References: <18707809.post@talk.nabble.com> <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> Message-ID: <488EF7AA.6000109@civ.zcu.cz> hi, I think that you also need: * krb5.conf a proper configuration for your realm * sshd_config KerberosAuthentication yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes * ssh_config GSSAPIAuthentication yes GSSAPIDelegateCredentials yes * pam.d/ssh pam_krb5.so * krb5.keytab service key in keytab for host (to establish a trust between service and KDC) >> any pointers in this regard? there should be many howto's out there, but just now i can't find any suitable walkthrough. but this looks fine (i didn't read it :) http://www.visolve.com/security/ssh_kerberos.php bodik From james.chavez at sanmina-sci.com Tue Jul 29 12:06:54 2008 From: james.chavez at sanmina-sci.com (Chavez, James R.) Date: Tue, 29 Jul 2008 09:06:54 -0700 Subject: Kerberos authentication; krb5.keytab significance. Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC33B@sjc1amfpew04.am.sanm.corp> Hello, I am attempting to set up Linux (Redhat) to use Kerberos authentication via Active Directory. I have configured my /etc/krb5.conf with the appropriate REALM and KDC entries. I am able to kinit and receive a krb5 ticket. Also I have joined the box to the Active directory domain using Samba and the net ads join command. I can authenticate using Winbind but would rather use kerberos. However I get errors in the messages log such as: sshd[4996]: pam_krb5[4996]: account checks fail for 'Domain\user': user is unknown or account expired. 
sshd[4996]: pam_krb5[4996]: authentication fails for 'Domain\user' (Domainusername at REALM): User not known to the underlying authentication module (Client not found in Kerberos database). When logging in I am prepending the domain name, for example DOMAIN\username. That results in the above message. I also tried username at REALM and that leaves no mention of krb5 in the message log; rather it shows: sshd[4273]: input_userauth_request: invalid user user at REALM Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_unix(sshd:auth): check pass; user unknown Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.155.156 Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_succeed_if(sshd:auth): error retrieving information about user user at REALM Jul 29 08:51:58 phx1amwk169925 sshd[4272]: Failed password for invalid user user at REALM from 172.16.155.156 port 39913 ssh2. While I was doing some reading last night I found that joining Active Directory using net ads join does not create a /etc/krb5.keytab file. I have a feeling this may be part of the issue? I do not have a krb5.keytab file on the box. Also the account for the box exists in Active Directory users and computers and I can retrieve the info on it by using the css_adkadmin get_account command. Can I somehow pull a keytab file from Active Directory from this existing computer account? I am not quite sure of the contents of the keytab file. Is it possible to manually create and populate krb5.keytab? While I wait for a response I will do some more reading. Thank You James 
From jos at catnook.com Tue Jul 29 12:29:40 2008 From: jos at catnook.com (Jos Backus) Date: Tue, 29 Jul 2008 09:29:40 -0700 Subject: krb5_sname_to_principal question Message-ID: <20080729162940.GA97188@lizzy.catnook.local> In Kerberos 1.5, krb5_sname_to_principal calls krb5_get_host_realm which (when KRB5_DNS_LOOKUP is defined) causes DNS to be queried for a _kerberos.FQDN TXT RR when no applicable domain_realm entry is found and dns_lookup_realm is set. In 1.6 the KRB5_DNS_LOOKUP ifdef'ed code was removed. This means that the domain_realm section HAS to have a matching entry for the machine, mapping it into a realm, whereas in 1.5 this didn't need to be the case if the above conditions were met. I'm aware (from a previous discussion) that the DNS lookups are insecure (although they _are_ used in the case of failing referrals, in which case krb5_get_fallback_host_realm is called). But I'm still wondering what the suggested fix is, beyond the obvious addition to domain_realm. Comments? 
-- Jos Backus jos at catnook.com From seb at foo.com Tue Jul 29 11:50:09 2008 From: seb at foo.com (Seb) Date: 29 Jul 2008 15:50:09 GMT Subject: SSH configuration References: <18707809.post@talk.nabble.com> <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> Message-ID: <20080729084900.750@usenet.piggo.com> On 2008-07-29, bodik wrote: > * sshd_config > KerberosAuthentication yes > KerberosOrLocalPasswd yes > KerberosTicketCleanup yes that's for Kerberos 4; for version 5 you need: GSSAPIAuthentication yes GSSAPICleanupCredentials yes Cheers, --Seb From rra at stanford.edu Tue Jul 29 15:26:17 2008 From: rra at stanford.edu (Russ Allbery) Date: Tue, 29 Jul 2008 12:26:17 -0700 Subject: krb5_sname_to_principal question In-Reply-To: <20080729162940.GA97188@lizzy.catnook.local> (Jos Backus's message of "Tue\, 29 Jul 2008 09\:29\:40 -0700") References: <20080729162940.GA97188@lizzy.catnook.local> Message-ID: <87hca8mqzq.fsf@windlord.stanford.edu> Jos Backus writes: > In Kerberos 1.5, krb5_sname_to_principal calls krb5_get_host_realm which > (when KRB5_DNS_LOOKUP is defined) causes DNS to be queried for a > _kerberos.FQDN TXT RR when no applicable domain_realm entry is found and > dns_lookup_realm is set. > > In 1.6 the KRB5_DNS_LOOKUP ifdef'ed code was removed. This means that > the domain_realm section HAS to have a matching entry for the machine, > mapping it into a realm, whereas in 1.5 this didn't need to be the case > if the above conditions were met. I believe this was to support server-side referrals. The idea is that the client will ask the server for a principal with an empty realm and the server will figure out the realm. I don't know exactly how this works, though. 
-- Russ Allbery (rra at stanford.edu) From jos at catnook.com Tue Jul 29 17:54:48 2008 From: jos at catnook.com (Jos Backus) Date: Tue, 29 Jul 2008 14:54:48 -0700 Subject: krb5_sname_to_principal question In-Reply-To: <87hca8mqzq.fsf@windlord.stanford.edu> References: <20080729162940.GA97188@lizzy.catnook.local> <87hca8mqzq.fsf@windlord.stanford.edu> Message-ID: <20080729215448.GA5598@lizzy.catnook.local> On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote: > I believe this was to support server-side referrals. The idea is that the > client will ask the server for a principal with an empty realm and the > server will figure out the realm. *nod* As it stands, without a matching domain_realm entry, the realm remains empty. This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 (Kerberos 1.6.1), where ssh'ing into a box fails with `Wrong principal in request'. Adding some debugging from 1.6.3 reveals that the offered principal is `host/fqdn at REALM' whereas the expected principal (returned from krb5_sname_to_principal()) is `host/fqdn@'. > I don't know exactly how this works, though. Neither do I. -- Jos Backus jos at catnook.com From rra at stanford.edu Tue Jul 29 20:03:23 2008 From: rra at stanford.edu (Russ Allbery) Date: Tue, 29 Jul 2008 17:03:23 -0700 Subject: krb5_sname_to_principal question In-Reply-To: <20080729215448.GA5598@lizzy.catnook.local> (Jos Backus's message of "Tue\, 29 Jul 2008 14\:54\:48 -0700") References: <20080729162940.GA97188@lizzy.catnook.local> <87hca8mqzq.fsf@windlord.stanford.edu> <20080729215448.GA5598@lizzy.catnook.local> Message-ID: <87sktsi6gk.fsf@windlord.stanford.edu> Jos Backus writes: > On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote: >> I believe this was to support server-side referrals. The idea is that >> the client will ask the server for a principal with an empty realm and >> the server will figure out the realm. 
> *nod* As it stands, without a matching domain_realm entry, the realm > remains empty. > This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 > (Kerberos 1.6.1) , where ssh'in into a box fails with `Wrong principal > in request'. Adding some debugging from 1.6.3 reveals that the offered > principal is `host/fqdn at REALM' whereas the expected principal (returned > from krb5_sname_to_principal()) is `host/fqdn@'. Yes, you're having the same situation that we did, where the change to support referrals broke other software. My only experience with it has been in the area of where it broke things. We solved the problems we ran into by making sure that we had domain_realm mappings on the client, since otherwise ksu stopped working. I think ksu has now been fixed in Subversion, though. -- Russ Allbery (rra at stanford.edu) From jos at catnook.com Tue Jul 29 20:56:17 2008 From: jos at catnook.com (Jos Backus) Date: Tue, 29 Jul 2008 17:56:17 -0700 Subject: krb5_sname_to_principal question In-Reply-To: <87sktsi6gk.fsf@windlord.stanford.edu> References: <20080729162940.GA97188@lizzy.catnook.local> <87hca8mqzq.fsf@windlord.stanford.edu> <20080729215448.GA5598@lizzy.catnook.local> <87sktsi6gk.fsf@windlord.stanford.edu> Message-ID: <20080730005617.GA40558@lizzy.catnook.local> On Tue, Jul 29, 2008 at 05:03:23PM -0700, Russ Allbery wrote: > We solved the problems we ran into by making sure that we had domain_realm > mappings on the client, since otherwise ksu stopped working. I think ksu > has now been fixed in Subversion, though. We'll solve this problem in a similar way, by moving to a single realm and adding a global domain_realm mapping. Thanks for your comments, Russ. 
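A worked example added here, not code from the thread, from MIT krb5 or from any of the posters, of the realm lookup Jos and Russ are discussing. It models the [domain_realm] search order that krb5_get_host_realm() uses (MIT's hst_realm.c documents it as: for a.b.c.d try a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d), the 1.5-era _kerberos TXT fallback, and the 1.6 referral behaviour in which an unmapped host comes back as host/fqdn@ with an empty realm, which is exactly the `Wrong principal in request' mismatch Jos saw. All hostnames, realms and TXT records are constructed samples; nothing reads krb5.conf or DNS. The SPLIT_DOMAIN table copies the shape of the [domain_realm] in the "Any workaround for [domain_realm] section" question further down the page, to show why one DNS suffix can only ever map to one realm.

```python
"""Added example (not code from the thread, MIT krb5 or any poster)."""

# Constructed [domain_realm] section (assumption, stands in for krb5.conf).
DOMAIN_REALM = {
    "example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".lab.example.com": "LAB.EXAMPLE.COM",
    "kdc1.lab.example.com": "EXAMPLE.COM",  # explicit per-host override
}

# Same shape as the [domain_realm] quoted later on this page: the
# ".abhi.com" suffix already maps to AS.ABHI.COM, so every AMIT.ABHI.COM
# host under abhi.com needs its own line (or its own sub-domain).
SPLIT_DOMAIN = {
    "abhi.com": "AS.ABHI.COM",
    ".abhi.com": "AS.ABHI.COM",
    "abhi-amit.abhi.com": "AMIT.ABHI.COM",
    "as.abhi.com": "AMIT.ABHI.COM",
}

# Constructed _kerberos TXT records (assumption) that a 1.5 client with
# dns_lookup_realm = true would query when no [domain_realm] key matched.
TXT_RECORDS = {
    "_kerberos.other.net": "OTHER.NET",
}


def candidate_keys(hostname):
    """Lookup keys in MIT order: the full host, then each parent domain,
    first with a leading dot and then without it."""
    host = hostname.lower().rstrip(".")
    keys = [host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append("." + parent)
        keys.append(parent)
    return keys


def host_realm_from_config(hostname, domain_realm=DOMAIN_REALM):
    """First matching [domain_realm] key wins; None when nothing matches."""
    for key in candidate_keys(hostname):
        if key in domain_realm:
            return domain_realm[key]
    return None


def host_realm_from_txt(hostname, txt_records=TXT_RECORDS):
    """Pre-1.6 fallback: _kerberos.<host>, then _kerberos.<each parent>."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt_records:
            return txt_records[name]
    return None


def sname_to_principal(hostname, service="host", referrals=True,
                       dns_lookup_realm=False, domain_realm=DOMAIN_REALM,
                       txt_records=TXT_RECORDS):
    """Build service/host@REALM as the thread describes it.
    referrals=True behaves like 1.6: no mapping gives an empty realm and
    the KDC is expected to answer with a referral. referrals=False with
    dns_lookup_realm=True behaves like 1.5: a TXT lookup fills the realm.
    Hostname canonicalisation via reverse DNS is deliberately left out."""
    realm = host_realm_from_config(hostname, domain_realm)
    if realm is None and not referrals and dns_lookup_realm:
        realm = host_realm_from_txt(hostname, txt_records)
    return "%s/%s@%s" % (service, hostname.lower().rstrip("."), realm or "")


def principal_matches(offered, expected):
    """Strict string comparison: this is what yields 'Wrong principal in
    request' when the acceptor expects host/fqdn@ but the ticket names
    host/fqdn@REALM."""
    return offered == expected


if __name__ == "__main__":
    for h in ("www.example.com", "web.lab.example.com", "box.other.net"):
        print(h, "->", sname_to_principal(h), "| 1.5-style:",
              sname_to_principal(h, referrals=False, dns_lookup_realm=True))
```

The fix both posters settled on, a domain_realm entry that covers the host, is the `{**DOMAIN_REALM, ".other.net": "OTHER.NET"}` case: once the suffix maps, the expected principal carries the realm again and the comparison succeeds.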
-- Jos Backus jos at catnook.com

From petesea at bigfoot.com Wed Jul 30 04:43:20 2008 From: petesea at bigfoot.com (petesea@bigfoot.com) Date: Wed, 30 Jul 2008 01:43:20 -0700 (PDT) Subject: KfW 3.2.2 and plink on Vista Message-ID:

I have a Kerberos enabled version of PuTTY which works fine on XP using both KfW 3.1.0 and 3.2.2. It also works fine on Vista using KfW 3.1.0.

But on Vista using KfW 3.2.2, plink triggers a Vista error popup with the following detailed info.

Is this a problem with KfW? Or plink? Or Vista?

Problem signature:
Problem Event Name: APPCRASH
Application Name: plink.exe
Application Version: 0.0.0.0
Application Timestamp: 442da71c
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6001.18000
Fault Module Timestamp: 4791a7a6
Exception Code: c0000005
Exception Offset: 000659c3
OS Version: 6.0.6001.2.1.0.256.16
Locale ID: 1033
Additional Information 1: 0278
Additional Information 2: fca079b4ae336117388507dcafefd8fe
Additional Information 3: ed28
Additional Information 4: e4da8b766cc83f8ab38503727fc11ef0

From jaltman at secure-endpoints.com Wed Jul 30 09:19:20 2008 From: jaltman at secure-endpoints.com (Jeffrey Altman) Date: Wed, 30 Jul 2008 09:19:20 -0400 Subject: KfW 3.2.2 and plink on Vista In-Reply-To: References: Message-ID: <48906A58.5060109@secure-endpoints.com>

The error is in plink and putty. Obtain a new version of both.

petesea at bigfoot.com wrote:
> I have a Kerberos enabled version of PuTTY which works fine on XP using
> both KfW 3.1.0 and 3.2.2. It also works fine on Vista using KfW 3.1.0.
>
> But on Vista using KfW 3.2.2, plink triggers a Vista error popup with the
> following detailed info.
>
> Is this a problem with KfW? Or plink? Or Vista?
>
> Problem signature:
> Problem Event Name: APPCRASH
> Application Name: plink.exe
> Application Version: 0.0.0.0
> Application Timestamp: 442da71c
> Fault Module Name: ntdll.dll
> Fault Module Version: 6.0.6001.18000
> Fault Module Timestamp: 4791a7a6
> Exception Code: c0000005
> Exception Offset: 000659c3
> OS Version: 6.0.6001.2.1.0.256.16
> Locale ID: 1033
> Additional Information 1: 0278
> Additional Information 2: fca079b4ae336117388507dcafefd8fe
> Additional Information 3: ed28
> Additional Information 4: e4da8b766cc83f8ab38503727fc11ef0

From petesea at bigfoot.com Wed Jul 30 11:39:48 2008 From: petesea at bigfoot.com (petesea@bigfoot.com) Date: Wed, 30 Jul 2008 08:39:48 -0700 (PDT) Subject: KfW 3.2.2 and plink on Vista In-Reply-To: <48906A58.5060109@secure-endpoints.com> References: <48906A58.5060109@secure-endpoints.com> Message-ID:

If it's plink (and I'm not saying it isn't), then why does plink work fine on Vista using KfW 3.1.0? It's only Vista using KfW 3.2.2 that triggers the problem. In other words, what's different between 3.1.0 and 3.2.2 that triggers the problem... and only on Vista?

On Wed, 30 Jul 2008, Jeffrey Altman wrote:
> The error is in plink and putty.
> Obtain a new version of both.
>
> petesea at bigfoot.com wrote:
>
>> I have a Kerberos enabled version of PuTTY which works fine on XP using
>> both KfW 3.1.0 and 3.2.2. It also works fine on Vista using KfW 3.1.0.
>>
>> But on Vista using KfW 3.2.2, plink triggers a Vista error popup with the
>> following detailed info.
>>
>> Is this a problem with KfW? Or plink? Or Vista?
>>
>> Problem signature:
>> Problem Event Name: APPCRASH
>> Application Name: plink.exe
>> Application Version: 0.0.0.0
>> Application Timestamp: 442da71c
>> Fault Module Name: ntdll.dll
>> Fault Module Version: 6.0.6001.18000
>> Fault Module Timestamp: 4791a7a6
>> Exception Code: c0000005
>> Exception Offset: 000659c3
>> OS Version: 6.0.6001.2.1.0.256.16
>> Locale ID: 1033
>> Additional Information 1: 0278
>> Additional Information 2: fca079b4ae336117388507dcafefd8fe
>> Additional Information 3: ed28
>> Additional Information 4: e4da8b766cc83f8ab38503727fc11ef0

From jaltman at secure-endpoints.com Wed Jul 30 11:51:34 2008 From: jaltman at secure-endpoints.com (Jeffrey Altman) Date: Wed, 30 Jul 2008 11:51:34 -0400 Subject: KfW 3.2.2 and plink on Vista In-Reply-To: References: <48906A58.5060109@secure-endpoints.com> Message-ID: <48908E06.3050805@secure-endpoints.com>

petesea at bigfoot.com wrote:
> If it's plink (and I'm not saying it isn't), then why does plink work
> fine on Vista using KfW 3.1.0? It's only Vista using KfW 3.2.2 that
> triggers the problem. In other words, what's different between 3.1.0
> and 3.2.2 that triggers the problem... and only on Vista?

It's not Vista. It's KFW 3.1 vs 3.2.

The GSSAPI implementation was replaced between those releases. In 3.1 a single mechanism GSSAPI implementation was included. In 3.2 a multi-mechanism implementation is included. In 3.1 the GSSAPI could refuse to deallocate memory that wasn't allocated by the mechanism. In 3.2 the GSSAPI does not.

plink/putty has a bug. I know it has a bug because the bug was fixed a long time ago. The bug was masked by KFW 3.1 and is not masked by 3.2.

Please get a new putty.

From abhishek.brave at gmail.com Wed Jul 30 05:17:49 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Wed, 30 Jul 2008 02:17:49 -0700 (PDT) Subject: SSH configuration In-Reply-To: <488EF7AA.6000109@civ.zcu.cz> References: <18707809.post@talk.nabble.com> <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> <488EF7AA.6000109@civ.zcu.cz> Message-ID: <18729232.post@talk.nabble.com>

> I am getting the initial krbtgt ticket and the service ticket also when I
> am trying to do ssh. But still the ssh is asking for password. I have done
> the configuration required in the ssh and sshd file.
>
> bodik wrote:
>
> hi,
>
> I think, that you also need:
>
> * krb5.conf
> a proper configuration for your realm
>
> * sshd_config
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> * ssh_config
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> * pam.d/ssh
> pam_krb5.so
>
> * krb5.keytab
> service key in keytab for host
> (to establish a trust between service and KDC)
>
>>> any pointers in this regard?
> there should be many howto's out there, but just now i can't find any
> suitable walkthrough. but this looks fine (i didn't read it :)
>
> http://www.visolve.com/security/ssh_kerberos.php
>
> bodik
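A worked example added here, not OpenSSH code and not from any poster, for the two option lists in this thread (bodik's, and Seb's reply earlier that GSSAPIAuthentication/GSSAPICleanupCredentials are what a Kerberos 5 setup needs). It parses the global section of an sshd_config and an ssh_config and says which Kerberos path the pair allows: GSSAPIAuthentication on both sides is what lets an existing ticket log you in through the gssapi-with-mic method, whereas sshd's Kerberos* options only let sshd validate a typed password against the KDC, so with those alone a password prompt is the expected outcome, which is the symptom reported above. Defaults follow the OpenSSH manual pages (GSSAPIAuthentication, KerberosAuthentication and GSSAPIDelegateCredentials default to no, PasswordAuthentication to yes). The sample configs are constructed from the option lists quoted above; the hostname is an assumption.

```python
"""Added example (not OpenSSH code and not from any poster)."""
import re

# 'Keyword value' or 'Keyword=value'; keywords are case-insensitive.
OPTION_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_openssh_config(text, block_keywords=("match", "host")):
    """Return {lowercased keyword: value} for the global section only.
    For a repeated keyword the first value wins, as in OpenSSH. The first
    Match (sshd_config) or Host/Match (ssh_config) line ends the global
    section; conditional blocks are not evaluated here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in block_keywords:
            break
        settings.setdefault(key, value)
    return settings


def _yes(settings, key, default):
    return settings.get(key, default).lower() == "yes"


def diagnose(sshd_text, ssh_text, hostname="server.example.com"):
    """Explain why a Kerberos-enabled ssh login would or would not use a ticket."""
    sshd = parse_openssh_config(sshd_text, block_keywords=("match",))
    ssh = parse_openssh_config(ssh_text, block_keywords=("host", "match"))
    server_gssapi = _yes(sshd, "gssapiauthentication", "no")
    client_gssapi = _yes(ssh, "gssapiauthentication", "no")
    password_via_kdc = (_yes(sshd, "kerberosauthentication", "no")
                        and _yes(sshd, "passwordauthentication", "yes"))
    findings = []
    if server_gssapi and client_gssapi:
        findings.append("ticket login possible (gssapi-with-mic); sshd must "
                        "find the host/%s key in its keytab" % hostname)
    elif not server_gssapi:
        findings.append("sshd_config lacks 'GSSAPIAuthentication yes': "
                        "sshd never offers gssapi-with-mic, so a password "
                        "prompt is expected")
    else:
        findings.append("ssh_config lacks 'GSSAPIAuthentication yes': the "
                        "client never tries gssapi-with-mic")
    if password_via_kdc:
        findings.append("KerberosAuthentication only checks a typed password "
                        "against the KDC; it does not use an existing ticket")
    if _yes(ssh, "gssapidelegatecredentials", "no"):
        findings.append("client will forward its TGT to %s; enable only for "
                        "hosts you trust with your credentials" % hostname)
    return {"ticket_login": server_gssapi and client_gssapi,
            "password_via_kdc": password_via_kdc,
            "findings": findings}


# Constructed sshd_config holding only the three options from the first
# list in the thread, and the same file with the GSSAPI options added.
SSHD_KERBEROS_ONLY = """\
# sshd_config (constructed sample)
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
"""
SSHD_WITH_GSSAPI = SSHD_KERBEROS_ONLY + """\
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""
# Constructed ssh_config matching the client-side list in the thread.
SSH_CLIENT = """\
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Host *
    ForwardAgent no
"""

if __name__ == "__main__":
    for name, cfg in (("Kerberos* only", SSHD_KERBEROS_ONLY),
                      ("with GSSAPI", SSHD_WITH_GSSAPI)):
        print(name, diagnose(cfg, SSH_CLIENT))
```

Running it on the two constructed server files shows the difference the thread turns on: the Kerberos*-only file reports that sshd never offers gssapi-with-mic, the file with the GSSAPI lines reports that ticket login is possible provided the host key is in the keytab. The delegation finding is there because GSSAPIDelegateCredentials hands the target host a forwardable copy of the TGT, which is worth a conscious decision per host rather than a global yes.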
From abhishek.brave at gmail.com Wed Jul 30 06:09:16 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Wed, 30 Jul 2008 03:09:16 -0700 (PDT) Subject: Any workaround for [domain_realm] section In-Reply-To: References: <18707098.post@talk.nabble.com> Message-ID: <18730120.post@talk.nabble.com>

Where can I get the steps to implement the TXT records method, if I want to do it?

Javier Palacios-2 wrote:
>
> On Tue, Jul 29, 2008 at 9:49 AM, Abhishek Chowdhury wrote:
>>
>> I am using kerberos v5 version
>> Following is the domain realm section of my kerberos configuration file
>>
>> [domain_realm]
>> abhi.com = AS.ABHI.COM
>> .abhi.com = AS.ABHI.COM
>>
>> abhi-amit.abhi.com = AMIT.ABHI.COM
>> as.abhi.com = AMIT.ABHI.COM
>>
>> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
>> through the method above then I have to enter the 400 entries separately for
>> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
>> or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>>
>> So is there any workaround for this problem.
>> Changing of DNS name is also not possible.
>> Any pointers in this regard will be very helpful.
>
> Not completely sure, but I believe that the TXT records allow you to do
> that
>
> Javier Palacios

From vas at mpeks.no-spam-here.tomsk.su Tue Jul 29 22:02:41 2008 From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov) Date: Wed, 30 Jul 2008 02:02:41 +0000 (UTC) Subject: ktutil get References: Message-ID:

Victor Sudakov wrote:
> There is a very useful command "ktutil get" in Heimdal. It allows to
> conveniently join a host into a Kerberos domain, without bothering
> about transferring the keytab.
> What is the analogous command in the Solaris Kerberos implementation?

No Solaris Kerberos experts here?

Well, what is the analogous command in MIT Kerberos?

TIA.
-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49 at fidonet http://vas.tomsk.ru/

From paul.moore at centrify.com Wed Jul 30 13:34:40 2008 From: paul.moore at centrify.com (Paul Moore) Date: Wed, 30 Jul 2008 10:34:40 -0700 Subject: SSH configuration In-Reply-To: <18729232.post@talk.nabble.com> References: <18729232.post@talk.nabble.com> Message-ID:

Start sshd on a private port with -dddde
Start ssh client with -vvv

You can usually see the cause then.

Do you have a .krb5login file? This is needed if the stripped upn != unix name

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Abhishek Chowdhury
Sent: Wednesday, July 30, 2008 7:05 AM
To: kerberos at mit.edu
Subject: Re: SSH configuration

> I am getting the initial krbtgt ticket and the service ticket also when
> I am trying to do ssh. But still the ssh is asking for password. I
> have done the configuration required in the ssh and sshd file.
>
> bodik wrote:
>
> hi,
>
> I think, that you also need:
>
> * krb5.conf
> a proper configuration for your realm
>
> * sshd_config
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> * ssh_config
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> * pam.d/ssh
> pam_krb5.so
>
> * krb5.keytab
> service key in keytab for host
> (to establish a trust between service and KDC)
>
>>> any pointers in this regard?
> there should be many howto's out there, but just now i can't find any
> suitable walkthrough. but this looks fine (i didn't read it :)
>
> http://www.visolve.com/security/ssh_kerberos.php
>
> bodik
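A worked example added here, not MIT code and not from any poster, of the check behind the per-user login file Paul mentions (the file MIT krb5 reads is ~user/.k5login). It approximates the decision krb5_kuserok() makes once sshd has authenticated a principal and has to decide whether that principal may become the requested Unix account, which is where "stripped UPN != unix name" fails. Rules modelled, as assumptions rather than a transcript of MIT's code (the real implementation also honours auth_to_local rules): with no .k5login the principal must be <unix name>@<default realm>; with a .k5login present only the principals listed in it, one per line, are accepted, and the file must be owned by the user or root and not be writable by group or others. Realm, users, uids and file contents are constructed samples.

```python
"""Added example (not MIT code and not from any poster)."""
import stat

DEFAULT_REALM = "EXAMPLE.COM"  # assumption: default_realm from krb5.conf


def parse_principal(text):
    """Split name@REALM at the last '@'; a host/fqdn instance stays in the
    name part. Backslash escapes are not handled here."""
    name, sep, realm = text.strip().rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a principal: %r" % text)
    return name, realm


def k5login_trusted(file_uid, file_mode, user_uid):
    """Ownership and permission gate for the .k5login file (assumption:
    owned by the user or root, not writable by group or others)."""
    writable_by_others = file_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return file_uid in (user_uid, 0) and not writable_by_others


def kuserok(principal, unix_name, k5login=None, user_uid=1000,
            file_uid=None, file_mode=0o600, default_realm=DEFAULT_REALM):
    """True if `principal` may log in as `unix_name`.
    `k5login` is the text of ~unix_name/.k5login, or None when the file
    does not exist; file_uid defaults to user_uid (a file the user owns)."""
    name, realm = parse_principal(principal)
    if k5login is None:
        # Plain aname-to-lname mapping: same name, local realm only.
        return realm == default_realm and name == unix_name
    owner = user_uid if file_uid is None else file_uid
    if not k5login_trusted(owner, file_mode, user_uid):
        return False
    # With a .k5login present the list is authoritative: the implicit
    # name == unix_name mapping no longer applies.
    wanted = "%s@%s" % (name, realm)
    return any(line.strip() == wanted for line in k5login.splitlines())


if __name__ == "__main__":
    # pmoore@EXAMPLE.COM wants the Unix account "paul": denied without a
    # .k5login, allowed once that file (owned by paul) lists the principal.
    print(kuserok("pmoore@EXAMPLE.COM", "paul"))
    print(kuserok("pmoore@EXAMPLE.COM", "paul", k5login="pmoore@EXAMPLE.COM\n"))
```

The two cases that bite in practice are both visible in the tests: a principal from another realm with the same name is refused without a .k5login, and once a .k5login exists even the user's own <name>@<default realm> principal must be listed in it.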
From petesea at bigfoot.com Wed Jul 30 17:43:28 2008 From: petesea at bigfoot.com (petesea@bigfoot.com) Date: Wed, 30 Jul 2008 14:43:28 -0700 (PDT) Subject: KfW 3.2.2 and plink on Vista In-Reply-To: <48908E06.3050805@secure-endpoints.com> References: <48906A58.5060109@secure-endpoints.com> <48908E06.3050805@secure-endpoints.com> Message-ID:

On Wed, 30 Jul 2008, Jeffrey Altman wrote:
> petesea at bigfoot.com wrote:
>
>> If it's plink (and I'm not saying it isn't), then why does plink work
>> fine on Vista using KfW 3.1.0? It's only Vista using KfW 3.2.2 that
>> triggers the problem. In other words, what's different between 3.1.0
>> and 3.2.2 that triggers the problem... and only on Vista?
>
> It's not Vista. It's KFW 3.1 vs 3.2.

So how come 3.2 works fine with my existing plink on XP?

Sorry, not trying to be difficult, I just need to be able to clarify (to my management) why we only see this on Vista and what it will take to fix it.

> The GSSAPI implementation was replaced between those releases. In 3.1 a
> single mechanism GSSAPI implementation was included. In 3.2 a
> multi-mechanism implementation is included. In 3.1 the GSSAPI could
> refuse to deallocate memory that wasn't allocated by the mechanism. In
> 3.2 the GSSAPI does not.
>
> plink/putty has a bug. I know it has a bug because the bug was fixed a
> long time ago. The bug was masked by KFW 3.1 and is not masked by 3.2.

OK. I wasn't trying to dispute the possibility of a bug in plink/putty... I was just looking for a more detailed explanation. Thanks for providing it. But I still would like to see a reason for why 3.2 works on XP if you know.

> Please get a new putty.

Unfortunately, since the GSSAPI patch I have is for 0.58, I'll need to do quite a bit of work to get it into 0.60 (the latest version of PuTTY). Since this problem only seems to occur with KfW 3.2.2, I need to weigh the advantages of upgrading to 3.2.2 vs the time it will take to adapt my patch to PuTTY 0.60 and test.

From abhishek.brave at gmail.com Thu Jul 31 05:32:12 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Thu, 31 Jul 2008 02:32:12 -0700 (PDT) Subject: configure AFP and VNC services for kerberos? Message-ID: <18750862.post@talk.nabble.com>

Hi, I am using Kerberos V5, Mac OS X 10.5.2. I want to configure AFP and VNC services for Kerberos. What configuration steps do I need to follow? Any pointers in this regard will be really helpful.

From matthew at loar.name Wed Jul 30 18:26:13 2008 From: matthew at loar.name (Matthew Loar) Date: Wed, 30 Jul 2008 22:26:13 +0000 (UTC) Subject: KfW 3.2.2 and plink on Vista References: <48906A58.5060109@secure-endpoints.com> <48908E06.3050805@secure-endpoints.com> Message-ID:

petesea at bigfoot.com wrote:
> Unfortunately, since the GSSAPI patch I have is for 0.58, I'll need to do
> quite a bit of work to get it into 0.60 (the latest version of PuTTY).
> Since this problem only seems to occur with KfW 3.2.2, I need to weigh
> the advantages of upgrading to 3.2.2 vs the time it will take to adapt my
> patch to PuTTY 0.60 and test.

The version I have at http://matthew.loar.name/software/putty/ might save you some effort. I started with the GSSAPI patch from http://sweb.cz/v_t_m and have been following PuTTY trunk. I don't have a Vista box with KFW 3.2, so I'm afraid I can't speak to whether it would solve your problem.

Matt Loar

From SBuckley at MIT.EDU Thu Jul 31 08:49:37 2008 From: SBuckley at MIT.EDU (Stephen C. Buckley) Date: Thu, 31 Jul 2008 08:49:37 -0400 Subject: "The MIT Kerberos Administrator's How-to Guide" white paper available Message-ID: <16EC2632-98F2-4BA6-A54D-91FB1852EC12@MIT.EDU>

A new white paper by Jean-Yves Migeon, entitled "The MIT Kerberos Administrator's How-to Guide: Protocol, Installation and Single Sign On", is now available at:

http://www.kerberos.org/software/adminkerberos.pdf

This 62-page document is divided into three parts: an introduction to Kerberos, instructions for deploying Kerberos, and using services with Kerberos. Also included are sections on troubleshooting and a glossary of terms.

Additional white papers and specifications are available at:

http://www.kerberos.org/software/whitepapers.html

Kind regards,
s

Stephen C. Buckley
Executive Director
MIT Kerberos Consortium
web: http://www.kerberos.org
office: + 1 617.324.9167
To subscribe to our announcement list, visit: http://mailman.mit.edu/mailman/listinfo/mitkc-announce

From rra at stanford.edu Thu Jul 31 23:23:04 2008 From: rra at stanford.edu (Russ Allbery) Date: Thu, 31 Jul 2008 20:23:04 -0700 Subject: kadmin-remctl 2.2 released Message-ID: <87y73h4dwn.fsf@windlord.stanford.edu>

I'm pleased to announce release 2.2 of kadmin-remctl.

kadmin-remctl provides a remctl backend that implements basic Kerberos account administration functions (create, delete, enable, disable, reset password, examine) plus user password changes and a call to strength-check a given password. It can also provide similar management of instances and creation, deletion, and management of accounts in MIT Kerberos, Active Directory, and an AFS kaserver where appropriate. Also included is a client for privileged users to use for password resets. Many of the defaults and namespace checks are Stanford-specific, but it can be modified for other sites.

Changes from previous release:

As of this release, AFS kaserver support is frozen and no longer tested. It may be removed in a future release if there is significant code restructuring.

Close the kasetkey output file descriptor before checking its exit status so that we get accurate results.

Produce better error messages if REMOTE_USER isn't set in the environment when checking authorization for instance management and document the use of REMOTE_USER in the man page.

You can download it from:

As of this release, kadmin-remctl is now maintained in Git. See the above URL for more details.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- Russ Allbery (rra at stanford.edu)

From abhishek.brave at gmail.com Thu Jul 31 07:15:33 2008 From: abhishek.brave at gmail.com (Abhishek Chowdhury) Date: Thu, 31 Jul 2008 04:15:33 -0700 (PDT) Subject: configure AFP and VNC services for kerberos? Message-ID: <18750879.post@talk.nabble.com>

Hi, I am using Kerberos V5, Mac OS X 10.5.2. I want to configure AFP and VNC services for Kerberos. What configuration steps do I need to follow? Any pointers in this regard will be really helpful.