From prasad.online at gmail.com Mon Feb 1 05:28:05 2010
From: prasad.online at gmail.com (Prasad (普拉萨德))
Date: Mon, 1 Feb 2010 15:58:05 +0530
Subject: Gitorious & Kerberos

Hi

I am not able to configure Gitorious with Kerberos. Has anybody tried this? Let me know.

--
Prasad S. Wani
From djberg96 at gmail.com Mon Feb 1 12:12:32 2010
From: djberg96 at gmail.com (Daniel Berger)
Date: Mon, 1 Feb 2010 09:12:32 -0800 (PST)
Subject: Detecting kerberos version from header file
Message-ID: <6a9db3db-3018-457a-ad2d-464aa4887939@k2g2000pro.googlegroups.com>

Hi,

Is there a way to detect which version of Kerberos I'm using from within a C program? Is there a #define somewhere I can use?

I ask because the prototype for kadm5_init_with_password changed in 1.6 and later (db_args was added) and I need to alter my code depending on whether it takes 7 or 8 arguments.

Regards,

Dan
From nomrhod at googlemail.com Tue Feb 2 07:35:53 2010
From: nomrhod at googlemail.com (rhod davies)
Date: Tue, 2 Feb 2010 12:35:53 +0000
Subject: multiple kdc masters with resilient LDAP backend

Hi,

I've been reading through the mail archives, and doing the obligatory google search, but seem to be hitting a brick wall on trying to get a better understanding of something that should be trivial to get a handle on (I think).

MIT Kerberos 1.7 configured with a KLDAP backend to a multi-master resilient LDAP service; single realm.

I understand that we can run multiple KDCs in an autonomous way, but sharing the same data store (in LDAP); this is good, and what I want to have, i.e. a resilient KDC service. We can misplace a data centre, but still offer a KDC service, as LDAP has made sure that the data is replicated around the globe.

There are references to individuals/groups who have done this, and all looks well. However, what are the pitfalls with this approach? Specifically:

- Is any local state held by the krb5kdc process that would cause issues down the line?
- Are there any issues with running multiple masters (same backing store - LDAP) for the same realm?

In a similar vein, can kadmind be made resilient in the same manner? (All documents I've seen so far are categorical that only one kadmind service should be running.)

Many Thanks.

--
Rhod
From raeburn at MIT.EDU Tue Feb 2 08:25:44 2010
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 2 Feb 2010 08:25:44 -0500
Subject: multiple kdc masters with resilient LDAP backend
Message-ID: <000774FA-B62D-4C7A-AC7A-128556CE69F1@mit.edu>

On Feb 2, 2010, at 07:35, rhod davies wrote:
> I understand that we can run multiple KDCs in an autonomous way, but
> sharing the same data store (in LDAP), this is good, and what I want
> to have - i.e. a resilient KDC service. We can misplace a data
> centre, but still offer a KDC service as LDAP has made sure that the
> data is replicated around the globe.

You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally. If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master. It is still a one-master-at-a-time setup, though.

Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....

Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From ssorce at redhat.com Tue Feb 2 09:01:50 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 2 Feb 2010 09:01:50 -0500
Subject: multiple kdc masters with resilient LDAP backend
Message-ID: <20100202090150.267fe91b@willson.li.ssimo.org>

On Tue, 2 Feb 2010 12:35:53 +0000
rhod davies wrote:

> Hi,
>
> I've been reading through the mail archives, and doing the obligatory
> google search, but seem to be hitting a brick wall on trying to get a
> better understanding of something that should be trivial to get a
> handle on (I think).
>
> MIT Kerberos 1.7 configured with a KLDAP backend to a multi-master
> resilient LDAP
> service; single realm.
>
> I understand that we can run multiple KDCs in an autonomous way, but
> sharing the same data store (in LDAP), this is good, and what I want
> to have - i.e. a resilient KDC service. We can misplace a data
> centre, but still offer a KDC service as LDAP has made sure that the
> data is replicated around the globe.
>
> There are references to individual/groups who have done this, and all
> looks well. However what are the pitfalls with this approach?
> Specifically:
>
> - Is any local state held by the krb5kdc process that would cause
> issues down the line?

The only thing that may not work as you may like is account lockouts, unless you want to pay the price of having all masters write down to LDAP for every AS request (unadvisable for performance and replication traffic reasons).

> - Are there any issues with running multiple master (same backing store
> - LDAP) for the same realm?

As long as your multi-master replication works properly there should be no problems. Attribute level conflict resolution is strongly recommended over object level conflict resolution to avoid losing data when 2 servers change different attributes of the same object.

> In a similar vein can kadmind be made resilient in the same manner
> (all documents I've seen so far are categorical that only one kadmind
> service should be running).

I don't use kadmind but I don't really see a big issue in having multiple kadmind running as long as you don't abuse it to administer the same data from 2 places at the same time and cause unnecessary conflicts.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From nomrhod at googlemail.com Tue Feb 2 09:23:00 2010
From: nomrhod at googlemail.com (rhod davies)
Date: Tue, 2 Feb 2010 14:23:00 +0000
Subject: multiple kdc masters with resilient LDAP backend
In-Reply-To: <000774FA-B62D-4C7A-AC7A-128556CE69F1@mit.edu>
References: <000774FA-B62D-4C7A-AC7A-128556CE69F1@mit.edu>

On Tuesday, February 2, 2010, Ken Raeburn wrote:
> You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally. If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master. It is still a one-master-at-a-time setup, though.
>
> Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....

Yes, I get that, thanks. It's that we have a new clean slate to begin with, and want to be as resilient as possible from the start. The benefit of having a multi-master (ldap backed) configuration would be no need to promote a slave to replace a failing master, and also letting ldap take the replication load. Just want to be sure that nothing's going to bite us.

Cheers

--
Rhod
From tlyu at MIT.EDU Tue Feb 2 19:40:40 2010
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 02 Feb 2010 19:40:40 -0500
Subject: krb5-1.7.1 is released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.7.1. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.7.1
===================================

You may retrieve the Kerberos 5 Release 1.7.1 source from the
following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.7.1 release is:

http://web.mit.edu/kerberos/krb5-1.7/

Further information about Kerberos 5 may be found at the following
URL:

http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems. Among these is a
configuration variable that enables "weak" enctypes, but will default
to "false" in the future. Additional migration aids are planned for
future releases.

Major changes in 1.7.1
======================

This is primarily a bugfix release.

* Fix vulnerabilities: MITKRB5-SA-2009-003 [CVE-2009-3295],
  MITKRB5-SA-2009-004 [CVE-2009-4212].

* Restore compatibility for talking to older kadminds and kadmin
  clients for the "addprinc -randkey" operation.

* Fix some build problems and memory leaks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAktoxg8ACgkQSO8fWy4vZo5S8gCfZ5tjEMud1U+/JUL7wELbInZj
e6EAn3Z4YhDwJQfikxB4qd5GW/RgnZT+
=I6bi
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
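The announcement does not name the "weak enctype" switch; it is allow_weak_crypto in the [libdefaults] section of krb5.conf (this is a fact about krb5 1.7, not something the announcement states). As an added example, written for this archive and not MIT code, the Python below audits a krb5.conf text for the two ways single-DES stays usable: allow_weak_crypto left on (or unset, which 1.7 still treats as true) and DES enctypes listed in the enctype preference keys. The two configurations at the bottom are constructed samples: one that still permits DES and the hardened form.

```python
import re

# Single-DES enctype names as they appear in krb5.conf, plus the "des"
# family alias that expands to all of them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")
# Spellings krb5's boolean parser accepts as true.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def parse_libdefaults(text):
    """Return the flat key/value pairs of [libdefaults] in a krb5.conf text.

    Simplification: brace-delimited groups (as used under [realms]) are
    tracked only so that they are skipped; [libdefaults] itself is flat."""
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def weak_des_findings(text):
    """List the settings that keep single-DES usable; an empty list is clean."""
    conf = parse_libdefaults(text)
    findings = []
    setting = conf.get("allow_weak_crypto")
    if setting is None:
        findings.append("allow_weak_crypto is not set "
                        "(krb5 1.7 defaults it to true; set it to false)")
    elif setting.lower() in TRUE_WORDS:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", conf.get(key, "").strip())
        weak = [n for n in names if n.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append("%s lists weak enctype(s): %s"
                            % (key, ", ".join(weak)))
    return findings


# Constructed sample configurations (not from any real site).
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts des-cbc-crc des-cbc-md5
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts aes128-cts
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, weak_des_findings(conf) or ["ok"])
```

Explicitly setting allow_weak_crypto = false is the check worth automating across a fleet, since the library default was only scheduled to change in a later release; hosts with no setting at all inherit whatever the installed version chooses.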
From sbuckley at MIT.EDU Tue Feb 2 20:43:50 2010
From: sbuckley at MIT.EDU (Stephen Buckley)
Date: Tue, 2 Feb 2010 20:43:50 -0500
Subject: krb5-1.7.1 is released

Is this worth spamming the sponsors?

And congrats!

s

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Director, Infrastructure Software Development and Architecture (Interim)
Massachusetts Institute of Technology

On Feb 2, 2010, at 7:40 PM, Tom Yu wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The MIT Kerberos Team announces the availability of MIT Kerberos 5
> Release 1.7.1. Please see below for a list of some major changes
> included, or consult the README file in the source tree for a more
> detailed list of significant changes.
>
> RETRIEVING KERBEROS 5 RELEASE 1.7.1
> ===================================
>
> You may retrieve the Kerberos 5 Release 1.7.1 source from the
> following URL:
>
> http://web.mit.edu/kerberos/dist/
>
> The homepage for the krb5-1.7.1 release is:
>
> http://web.mit.edu/kerberos/krb5-1.7/
>
> Further information about Kerberos 5 may be found at the following
> URL:
>
> http://web.mit.edu/kerberos/
>
> and at the MIT Kerberos Consortium web site:
>
> http://www.kerberos.org/
>
> DES transition
> ==============
>
> The Data Encryption Standard (DES) is widely recognized as weak. The
> krb5-1.7 release will contain measures to encourage sites to migrate
> away from using single-DES cryptosystems. Among these is a
> configuration variable that enables "weak" enctypes, but will default
> to "false" in the future. Additional migration aids are planned for
> future releases.
>
> Major changes in 1.7.1
> ======================
>
> This is primarily a bugfix release.
>
> * Fix vulnerabilities: MITKRB5-SA-2009-003 [CVE-2009-3295],
> MITKRB5-SA-2009-004 [CVE-2009-4212].
>
> * Restore compatibility for talking to older kadminds and kadmin
> clients for the "addprinc -randkey" operation.
>
> * Fix some build problems and memory leaks.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (SunOS)
>
> iEYEARECAAYFAktoxg8ACgkQSO8fWy4vZo5S8gCfZ5tjEMud1U+/JUL7wELbInZj
> e6EAn3Z4YhDwJQfikxB4qd5GW/RgnZT+
> =I6bi
> -----END PGP SIGNATURE-----
> _______________________________________________
> kerberos-announce mailing list
> kerberos-announce at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
> _______________________________________________
> krbdev mailing list
> krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

From lists at fipscode.ch Tue Feb 2 21:37:34 2010
From: lists at fipscode.ch (Fabiano Sidler)
Date: Wed, 3 Feb 2010 03:37:34 +0100
Subject: Copying a principal via LDAP
Message-ID: <20100203023734.GA22489@true>

Hi folks!

I'm using 1.7 with the LDAP backend, which works quite well so far, but as soon as I copy a principal in LDAP (openldap 2.4.21 and Apache Directory Studio 1.5.2):

# kadmin -q listprincs
Authenticating as principal root/admin at MYREALM.COM with password.
Password for root/admin at MYREALM.COM:
get_principals: Unknown code ____ 255 while retrieving list.

The error is printed in src/kadmin/cli/kadmin.c:1594 and I'd do some research on it myself, if I were capable enough for it. Can someone here reproduce the error or give me any hints?

Greetings,
Fabiano
From ghudson at MIT.EDU Wed Feb 3 12:52:58 2010
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 03 Feb 2010 12:52:58 -0500
Subject: Copying a principal via LDAP
In-Reply-To: <20100203023734.GA22489@true>
References: <20100203023734.GA22489@true>
Message-ID: <1265219578.13397.315.camel@ray>

On Tue, 2010-02-02 at 21:37 -0500, Fabiano Sidler wrote:
> The error is printed in src/kadmin/cli/kadmin.c:1594 and I'd do some
> research on it myself, if I were capable enough for it. Can someone here
> reproduce the error or give me any hints?

Something is returning -1 instead of a valid error code, which is a bug. Unfortunately, the only way to get more information is to use a debugger and step through the code.
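Greg can read "-1" straight off the message because of how com_err packs error codes: the high bits carry the error table's 1-4 character name (6 bits per character, 1-based index into a fixed alphabet) and the low 8 bits carry the message offset within that table. A code of -1 has every bit set, so the name decodes to four '_' characters and the offset to 255, which is exactly "Unknown code ____ 255". The block below is an added example, my own reimplementation of that packing in Python rather than code from com_err or krb5; the table contents passed to error_message() are constructed, not the real krb5 message table.

```python
# Reimplementation of com_err's error-code packing (added example, not
# krb5's source). Table names are encoded 6 bits per character above an
# 8-bit message offset; CHAR_SET is the alphabet com_err uses, 1-based.
CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8      # low 8 bits hold the offset within the table


def table_base(name):
    """Signed 32-bit base code for an error table name, e.g. 'krb5'."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table names are 1 to 4 characters")
    value = 0
    for ch in name:
        value = (value << BITS_PER_CHAR) | (CHAR_SET.index(ch) + 1)
    base = (value << ERRCODE_RANGE) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base


def table_name(code):
    """Recover the table name from a code, mirroring error_table_name()."""
    # keep 24 bits above the offset: four 6-bit characters
    num = ((code & 0xFFFFFFFF) >> ERRCODE_RANGE) & 0o77777777
    chars = []
    for i in range(4, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                       # zero means "no character here"
            chars.append(CHAR_SET[ch - 1])
    return "".join(chars)


def error_message(code, tables=None):
    """Return the message for a code from the given {name: [messages]}
    tables, else the 'Unknown code NAME offset' text com_err prints when
    no registered table claims the code."""
    tables = tables or {}
    offset = code & 0xFF
    name = table_name(code - offset)  # clear the low byte, decode the rest
    messages = tables.get(name)
    if messages is not None and offset < len(messages):
        return messages[offset]
    if name:
        return "Unknown code %s %d" % (name, offset)
    return "Unknown code %d" % offset


if __name__ == "__main__":
    print(error_message(-1))                     # the message from the thread
    print(table_base("krb5"), table_name(table_base("krb5")))
```

The same decoding is useful the other way round when a log shows "Unknown code krb5 123" on a host whose error tables were never registered: table_name() tells you which library's table the code belongs to before you open a debugger.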
From jaltman at secure-endpoints.com Wed Feb 3 14:36:56 2010
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 03 Feb 2010 14:36:56 -0500
Subject: ANNOUNCEMENT: Network Identity Manager Version 2.0 Beta available for public testing
Message-ID: <4B69D058.6070106@secure-endpoints.com>

URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of Network Identity Manager v2 Beta. Version 2.0 is the end of a three year effort to improve the usability and capabilities of the product.

Improved usability:

* Users no longer have to type their username/realm each time they wish to obtain credentials for a Kerberos v5 identity. Instead, they select previously used identities from a list.

* A "New Identity Wizard" walks the user through the configuration of all derived credential types when creating a new identity.

* Progress dialogs inform the user of progress of each stage of the credential acquisition process.

* Users can assign an icon to each identity to assist in distinguishing identities from one another.

* The basic identity view now includes:

  o an animated battery that visualizes the remaining lifetime and permits users to quickly recharge the credential.

  o summary information describing the types and numbers of each derived credential obtained by the identity.

  o dynamic progress bars when credential renewal takes place in the background.

  o a star button to represent the current default identity and permit setting an alternate default identity.

* The notification icon context menu has been improved to reduce the need to open the Network Identity Manager window.

* The user documentation has been significantly rewritten. The PDF manual has been retired and the Windows Help documentation is comprehensive.

New functionality:

* Multiple identity providers can now be active simultaneously.

* In addition to the Kerberos v5 identity provider, a KeyStore provider is included and an X.509 identity provider is under development.

* The KeyStore provider permits a locally assigned password to be used to protect the passwords of multiple Kerberos v5 principals. Unlocking the KeyStore results in the acquisition of credentials for each of the configured Kerberos v5 identities.

Open Framework:

* The Network Identity Manager v2 SDK can be used to develop custom identity providers, credential providers, and tool providers.

Version 2.0 pre-releases have been in use at many organizations. The beta period is expected to last no more than two weeks. Please try out the new release and provide feedback to netidmgr at secure-endpoints.com.

Downloads and documentation are available from URL: http://www.secure-endpoints.com/netidmgr/v2/.

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.

From omalley at apache.org Wed Feb 3 21:40:37 2010
From: omalley at apache.org (Owen O'Malley)
Date: Wed, 3 Feb 2010 18:40:37 -0800
Subject: programatic translation of authentication names to local names
Message-ID: <1008729D-0F33-4BD5-ADD4-BBB7160B9EBD@apache.org>

We're adding Kerberos security to Apache Hadoop (hadoop.apache.org), which is an open source petabyte-scale distributed file system and MapReduce implementation. Since MapReduce includes running distributed jobs, we need to map the authenticated names to local OS names. Within Kerberos this seems to be done by krb5_aname_to_localname. Unfortunately, that method doesn't seem to be exported via a public API or a CLI tool. Since Hadoop is in Java, the easiest thing to do is re-implement the method, but that seems unfortunate. Can anyone suggest a better path?

Thanks,
Owen
From raeburn at MIT.EDU Wed Feb 3 23:55:26 2010
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 3 Feb 2010 23:55:26 -0500
Subject: programatic translation of authentication names to local names
In-Reply-To: <1008729D-0F33-4BD5-ADD4-BBB7160B9EBD@apache.org>
References: <1008729D-0F33-4BD5-ADD4-BBB7160B9EBD@apache.org>

On Feb 3, 2010, at 21:40, Owen O'Malley wrote:
> We're adding Kerberos security to Apache Hadoop (hadoop.apache.org),
> which is an open source petabyte-scale distributed file system and
> MapReduce implementation. Since MapReduce includes running
> distributed jobs, we need to map the authenticated names to local OS
> names. Within Kerberos this seems to be done by
> krb5_aname_to_localname. Unfortunately, that method doesn't seem to be
> exported via a public API or a CLI tool.

Looking at the 1.7.1 source tarball, I do see krb5_aname_to_localname in the symbol export list file that should get used to build the library. Are you unable to link against it on some system?

You are correct that no CLI tool is shipped for examining the mapping. Perhaps you can do something with the attached, rather hastily written script (assuming it doesn't get stripped out by the mail server).

Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aname.py
Type: text/x-python-script
Size: 951 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20100203/972ababc/attachment.bin
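Ken's attached aname.py did get scrubbed by the list server. The block below is an added example of my own, not Ken's script and not code from krb5 or Hadoop: it reimplements in Python the two rule forms that krb5.conf's auth_to_local setting accepts and that krb5_aname_to_localname() evaluates, DEFAULT (a single-component principal in the local realm maps to its name, anything else does not translate) and RULE:[n:string](regex)s/pattern/replacement/g ($0 is the realm, $1..$n the components). Assumptions, labelled in the code: the selector regex must match the whole formatted string, Python's re is used in place of POSIX regex, backslash escapes in principal names are not handled, and EXAMPLE.COM is a constructed default realm.

```python
import re

# Constructed default realm for the example (not from the thread).
DEFAULT_REALM = "EXAMPLE.COM"

_RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\](.*)$")
_SUBST = re.compile(r"^s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/(g?)")


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm).
    Simplification: backslash-escaped '/' and '@' are not handled."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name:
        raise ValueError("principal needs name@REALM: %r" % text)
    return name.split("/"), realm


def parse_rule(rule):
    """Parse 'RULE:[n:fmt](regex)s/pat/rep/g' into (n, fmt, regex, substs)."""
    m = _RULE_HEAD.match(rule)
    if not m:
        raise ValueError("bad rule: %r" % rule)
    n, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regex = None
    if rest.startswith("("):
        # the selector regex ends at the ')' before the first 's/', or at
        # the final ')' when no substitution follows
        end = rest.find(")s/")
        end = len(rest) - 1 if end < 0 else end
        regex, rest = rest[1:end], rest[end + 1:]
    substs = []
    while rest:
        s = _SUBST.match(rest)
        if not s:
            raise ValueError("bad substitution in rule: %r" % rule)
        substs.append((s.group(1), s.group(2), s.group(3) == "g"))
        rest = rest[s.end():]
    return n, fmt, regex, substs


def apply_rule(rule, components, realm):
    """Return the local name produced by one RULE, or None if it doesn't apply."""
    n, fmt, regex, substs = parse_rule(rule)
    if n != len(components):
        return None

    def expand(m):               # $0 -> realm, $k -> k-th component
        i = int(m.group(1))
        return realm if i == 0 else components[i - 1]

    try:
        selected = re.sub(r"\$(\d+)", expand, fmt)
    except IndexError:           # fmt referenced a component that isn't there
        return None
    # Assumption: the selector must match the entire formatted string.
    if regex is not None and re.fullmatch(regex, selected) is None:
        return None
    for pat, rep, is_global in substs:
        selected = re.sub(pat, rep, selected, count=0 if is_global else 1)
    return selected


def aname_to_localname(principal, rules=("DEFAULT",), default_realm=DEFAULT_REALM):
    """Evaluate the rules in order; the first one that applies wins."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None                  # no translation (KRB5_LNAME_NOTRANS in C)


if __name__ == "__main__":
    rules = (r"RULE:[2:$1/$2@$0](^.*/admin@EXAMPLE\.COM$)s/\/admin@.*$//",
             "DEFAULT")
    for p in ("alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", "bob@OTHER.ORG"):
        print(p, "->", aname_to_localname(p, rules))
```

The DEFAULT rule is the one that matters for a distributed job scheduler: without an explicit mapping, a principal from any other realm, or any two-component principal, yields no local user rather than a guessed one, and a service should treat that result as an authorization failure, not as "use the first component".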
From: girish.m22 at gmail.com (Girish Mandhania)
Date: Thu, 4 Feb 2010 15:27:25 -0600
Subject: Kerberos for Subversion
Message-ID: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>

Hello,

I am working for a university and have Kerberos installed on our server. I wish to use Kerberos authentication for Subversion (change management application) on Linux.

Could you please help me with a clear list of steps to be followed, as I am not able to find relevant information on the web.

Let me know if any more details are required.

Cheers.

From: Sivakumar_Balakrishnan at adp.com (Balakrishnan, Sivakumar)
Date: Thu, 4 Feb 2010 16:32:30 -0600
Subject: Merging two keytab files on the windows
Message-ID: <0CD5F60B52A040428A5B5EED0CB45DD40F34EC001D@DSMAIL2HE.ds.ad.adp.com>

Hi All,

I need to merge two keytab files on a Windows Server 2003 machine. Is there any tool like ktutil on Windows?

Thanks
Siva
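Siva's question above asks for a ktutil-like way to merge keytabs on Windows. The keytab file format itself is small: a two-byte version (0x0502) followed by length-prefixed entries, each carrying realm, name components, name type, timestamp, kvno, enctype and key, so a merge needs no platform tool. The following is an added example written for this page, not part of the thread and not MIT krb5 or ktutil code; it parses, merges and writes that format and runs unchanged on Windows or Unix. The realm, principals, timestamps and key bytes in SAMPLE_A and SAMPLE_B are constructed for the demonstration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple


class KeytabEntry(NamedTuple):
    realm: str
    components: Tuple[str, ...]   # e.g. ("host", "svn.example.com")
    name_type: int                # 1 == KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int                  # 18 == aes256-cts-hmac-sha1-96, 17 == aes128
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read one 16-bit-length-prefixed octet string at `off`."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version 0x0502 keytab (the format MIT krb5 and Heimdal write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry(realm.decode(), tuple(comps), name_type, ts, kvno, enctype, key))
    return entries


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries as a 0x0502 keytab, always including the 32-bit kvno field."""
    out = [b"\x05\x02"]
    for e in entries:
        body = struct.pack(">H", len(e.components))
        for s in (e.realm,) + e.components:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def merge_keytabs(*blobs: bytes) -> List[KeytabEntry]:
    """ktutil-style merge: union of entries, one per (principal, kvno, enctype), first copy wins."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            k = (e.principal, e.kvno, e.enctype)
            if k not in seen:
                seen.add(k)
                merged.append(e)
    return merged


def merge_files(out_path: str, *paths: str) -> List[KeytabEntry]:
    """Merge keytab files on disk; same code path on Windows and Unix."""
    merged = merge_keytabs(*(open(p, "rb").read() for p in paths))
    with open(out_path, "wb") as f:
        f.write(write_keytab(merged))
    return merged


# Constructed sample keytabs: the realm, hosts and constant key bytes are made up.
_HOST = KeytabEntry("EXAMPLE.COM", ("host", "svn.example.com"), 1, 1265000000, 2, 18, b"\x11" * 32)
_HTTP = KeytabEntry("EXAMPLE.COM", ("HTTP", "svn.example.com"), 1, 1265000100, 300, 17, b"\x22" * 16)
SAMPLE_A = write_keytab([_HOST])
SAMPLE_B = write_keytab([_HOST, _HTTP])   # overlaps with SAMPLE_A on the host/ key

if __name__ == "__main__":
    for e in merge_keytabs(SAMPLE_A, SAMPLE_B):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
```

Call merge_files("merged.keytab", "a.keytab", "b.keytab") for real files. Two points a practitioner would want: a keytab holds long-term keys, so do the merge on the host that will own the result and restrict the output file's permissions; and the merge keeps every (principal, kvno, enctype) it sees, so an older kvno from one input survives into the output, which is normally what you want during a key rollover but is worth confirming afterwards with klist -kt on the merged file.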
From: shopik at inblock.ru (Nikolay Shopik)
Date: Sat, 06 Feb 2010 10:18:34 +0300
Subject: kerberos and smartphone clients
Message-ID: <4B6D17CA.80504@inblock.ru>

Hello everyone,

I'm in the middle of the process of making my mail server Kerberized. Currently my infrastructure is only password based, but I plan to move to PKINIT, thus using certificate based authentication. Afterward I thought about my smartphone clients who use email on their phones; these are exclusively iPhone users.

So this makes me think I should leave regular password based authentication for these mobile clients, which isn't great because you have to manage two separate DBs for logins/passwords. At the same time I thought every mobile phone already has a smart card, which is the SIM card; there is even EAP-SIM allowing its use to authenticate to wireless networks. So what is the best way to accomplish this task, without making a huge pain when managing logins/passwords?
From: armin.iraqi at gmail.com (Armin Iraqi)
Date: Sun, 7 Feb 2010 23:42:33 +0800
Subject: KERBEROS IN E-BANKING
Message-ID: <4e70eef41002070742r19c236eagd25ec5e6e402215@mail.gmail.com>

Dear Sir/Ms.,

Through this email I would like to kindly bring to your respectful attention that I am an undergraduate student with the following identification:

Name: Armin Iraqi
Course: Security Technology

Hereby I declare that I am doing my final year project and the focus of my project is the use of Kerberos architecture in e-banking. I have done a lot of research on this topic but right now I am facing a problem in designing the system. To be clear, the main issue I am confused with is the ticket components granted by the TGS. I will highly appreciate it if you please cooperate with me in this field in order to help me to come up with a solution, that is, a basic design that might be used in the system I am implementing.

With respect to the aforementioned, I kindly request you to help me in whatever ways you can, especially the design in which the ticket components are provided with the scope to perform mutual authentication between the client and the server using a KDC.

I highly appreciate your time in considering my request, and your prompt reply is highly essential and appreciated as well.

Best Regards,
Armin
From: bjorn.sund at it.uib.no (Bjørn Tore Sund)
Date: Sat, 06 Feb 2010 23:38:50 +0100
Subject: Kerberos for Subversion
In-Reply-To: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
Message-ID: <4B6DEF7A.2000707@it.uib.no>

On 2/4/10 10:27 PM, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.

Assuming you've got subversion running behind Apache you use mod_auth_kerb in exactly the same way you would any other Apache location where you want authentication.

http://modauthkerb.sourceforge.net/

-BT

-- 
Bjørn Tore Sund        Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department          VIP: 81724         Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
From: edward at murrell.co.nz (Edward Murrell)
Date: Sun, 07 Feb 2010 10:20:21 +1300
Subject: Kerberos for Subversion
In-Reply-To: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
Message-ID: <1265491221.20387.3.camel@boyle>

Hi,

Kerberos isn't specifically built into SVN; it's handled by the carrier protocol, which is usually SSH or HTTP. Depending on what you're using, you'll need to set up Kerberos in OpenSSH or your webserver.

OpenSSH already has Kerberos/GSSAPI support. In most cases, it's a matter of turning it on.

If you are using HTTP and the Apache webserver, there's a module called mod_auth_kerb that does Kerberos authentication for you.

Cheers,
Edward

On Thu, 2010-02-04 at 15:27 -0600, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.
> 
> Cheers.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sun, 7 Feb 2010 15:39:40 -0500
Subject: Kerberos for Subversion
In-Reply-To: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
Message-ID: <3CDD4DE5-0FFA-4A25-81BA-6A9375216DD9@mit.edu>

On Feb 4, 2010, at 16:27, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.

I think the usual approach has two relatively simple parts, which can be deployed and tested separately:

1) Use svn+ssh (subversion over ssh) for repository access.

2) Use a Kerberos/GSSAPI-enabled ssh, which is probably available in whatever packaging system you have available for your distribution.

If your developers don't currently have accounts on the subversion server, you can set up accounts that only allow one command, "svnserve", to be run.

Ken

From: prp at ALUMNI.CALTECH.EDU (prp@ALUMNI.CALTECH.EDU)
Date: Sat, 06 Feb 2010 17:11:45 -0800
Subject: How to Kerberize an application
Message-ID: <7562609.290211265505105541.JavaMail.nabble@isper.nabble.com>

I'm looking for a tutorial (ideally) that would describe how to modify an existing service, at the point where connection is made to its listener by a prospective client, to support the Kerberos protocol. In fact it would describe how both client and server must prepare their respective portions of the dialogue, or condition the states of their processes, with references to appropriate GSS-API or Kerberos API calls.
From: Dileep.Kumar at atosorigin.com (Kumar, Dileep)
Date: Mon, 8 Feb 2010 19:38:37 +0530
Subject: unable to get default realm for solaris 10

Dear Andrea,

I have installed native Kerberos on my Solaris 10 machine from the Solaris 10 OS DVD. Still I am getting the same error of 'does not specify default realm'.

Inside the file "/var/log/krb5kdc.log" I am getting the following error:
" krb5kdc: Configuration file does not specify default realm - while attempting to retrieve default realm"

Can you please help me on it?

Regards,
Dileep Kumar | Atos Origin India | Software Engineer
dileep.kumar at atosorigin.com | D: +91 -22-6733 4392 | M: +91 9820585213 | www.atosorigin.com

-----Original Message-----
From: Mohammad, Meraj
Sent: Monday, February 08, 2010 6:43 PM
To: Kumar, Dileep
Subject: FW: unable to get default realm for solaris 10

-----Original Message-----
From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
Sent: Thursday, January 14, 2010 1:48 AM
To: Mohammad, Meraj
Cc: kerberos at mit.edu
Subject: Re: unable to get default realm for solaris 10

On Wed, Jan 13, 2010 at 11:37:45AM +0530, Mohammad, Meraj wrote:
> Hi Andrea
> 
> i'm trying to setup Kerberos(krb5-1.7)with Solaris 10. While

Why not just use native Solaris 10 Kerberos ?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
From: v.rathor at gmail.com (Vipin Rathor)
Date: Mon, 8 Feb 2010 11:39:50 +0530
Subject: Merging two keytab files on the windows
In-Reply-To: <0CD5F60B52A040428A5B5EED0CB45DD40F34EC001D@DSMAIL2HE.ds.ad.adp.com>
References: <0CD5F60B52A040428A5B5EED0CB45DD40F34EC001D@DSMAIL2HE.ds.ad.adp.com>
Message-ID: <33ab2aef1002072209p22b58f5w2d64f753a9972c9c@mail.gmail.com>

> I need to merge two keytab files on the Windows Server 2003. Is there any tool like ktutil on Windows?

Couldn't find such a tool. Maybe you can take both files to a Linux machine, merge there and bring the single file back! What say?

-- 
-Rathor

From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 08 Feb 2010 12:52:20 -0600
Subject: unable to get default realm for solaris 10
Message-ID: <4B705D64.8080104@anl.gov>

Kumar, Dileep wrote:
> Dear Andrea,
> 
> I have installed native Kerberos on my Solaris 10 machine from the Solaris 10 OS DVD.
> Still I am getting the same error of 'does not specify default realm'.
> 
> Inside the file "/var/log/krb5kdc.log" I am getting the following error:
> " krb5kdc: Configuration file does not specify default realm - while attempting to retrieve default realm"
> 
> Can you please help me on it?

So are you trying to run a KDC on this machine? What is in your /etc/krb5/krb5.conf and /etc/krb5/kdc.conf?

> 
> 
> Regards,
> Dileep Kumar | Atos Origin India | Software Engineer
> dileep.kumar at atosorigin.com | D: +91 -22-6733 4392 | M: +91 9820585213 | www.atosorigin.com
> 
> 
> 
> -----Original Message-----
> From: Mohammad, Meraj
> Sent: Monday, February 08, 2010 6:43 PM
> To: Kumar, Dileep
> Subject: FW: unable to get default realm for solaris 10
> 
> 
> 
> -----Original Message-----
> From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
> Sent: Thursday, January 14, 2010 1:48 AM
> To: Mohammad, Meraj
> Cc: kerberos at mit.edu
> Subject: Re: unable to get default realm for solaris 10
> 
> On Wed, Jan 13, 2010 at 11:37:45AM +0530, Mohammad, Meraj wrote:
>> Hi Andrea
>> 
>> i'm trying to setup Kerberos(krb5-1.7)with Solaris 10. While
> 
> Why not just use native Solaris 10 Kerberos ?
> 

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 08 Feb 2010 13:15:21 -0500
Subject: Kerberos for Subversion
In-Reply-To: <1265491221.20387.3.camel@boyle>
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com> <1265491221.20387.3.camel@boyle>
Message-ID: <1265652921.13397.540.camel@ray>

On Sat, 2010-02-06 at 16:20 -0500, Edward Murrell wrote:
> Kerberos isn't specifically built into SVN; it's handled by the carrier
> protocol, which is usually SSH or HTTP. Depending on what you're using,
> you'll need to set up Kerberos in OpenSSH or your webserver.

Actually, as of Subversion 1.5, svnserve and ra_svn (the "svn://" prefix, as opposed to "svn+ssh") can use Cyrus SASL. So you can conceivably use Kerberos authentication with any of the network transports (http, svn, or svn+ssh).

If you want to use the built-in ra_svn support, the following may be of use:

http://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt

I've never personally set it up that way. You may have better luck getting support on the Subversion users list if you run into problems.
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 08 Feb 2010 13:20:20 -0500
Subject: How to Kerberize an application
In-Reply-To: <7562609.290211265505105541.JavaMail.nabble@isper.nabble.com>
References: <7562609.290211265505105541.JavaMail.nabble@isper.nabble.com>
Message-ID: <1265653220.13397.543.camel@ray>

On Sat, 2010-02-06 at 20:11 -0500, prp at ALUMNI.CALTECH.EDU wrote:
> I'm looking for a tutorial (ideally) that would describe how to modify
> an existing service, at the point where connection is made to its
> listener by a prospective client, to support the Kerberos protocol. In
> fact it would describe how both client and server must prepare their
> respective portions of the dialogue, or condition the states of their
> processes, with references to appropriate GSS-API or Kerberos API
> calls.

It might not be at quite the level you want, but this may be of use:

http://kerberos.org/software/appskerberos.pdf

The sample GSSAPI application (src/appl/gss-sample in the Kerberos sources) may be instructive at a lower level.
From: shopik at inblock.ru (Nikolay Shopik)
Date: Tue, 09 Feb 2010 10:24:41 +0300
Subject: kerberos and smartphone clients
In-Reply-To: <4B708636.9080005@clusterbee.net>
References: <4B6D17CA.80504@inblock.ru> <4B708636.9080005@clusterbee.net>
Message-ID: <4B710DB9.4090705@inblock.ru>

On 09.02.2010 0:46, Luke Scharf wrote:
> Nikolay Shopik wrote:
>> Hello everyone,
>>
>> I'm in the middle of the process of making my mail server Kerberized. Currently
>> my infrastructure is only password based, but I plan to move to PKINIT,
>> thus using certificate based authentication. Afterward I thought about
>> my smartphone clients who use email on their phones; these are
>> exclusively iPhone users.
>> So this makes me think I should leave regular password based
>> authentication for these mobile clients, which isn't great because you
>> have to manage two separate DBs for logins/passwords. At the same time I
>> thought every mobile phone already has a smart card, which is the SIM card;
>> there is even EAP-SIM allowing its use to authenticate to wireless
>> networks. So what is the best way to accomplish this task, without making
>> a huge pain when managing logins/passwords?
>
> You can have PAM check the password that they enter against the Kerberos
> database. That way, they can either enter the Kerberos password -- or,
> if they have a Kerberos ticket, they will be authenticated
> automatically. This is how my mailserver at home is configured.
>
> In some cases, you might need to configure your mailserver to use SASL
> instead of PAM to check the entered password against the Kerberos
> password database. If you have your mailserver configured such that the
> users don't show up in "getent passwd", then you'll probably need SASL.
> But if they do show up as Unix users, PAM can easily work as the backend.
> -Luke
>

You mean PAM on the client? This won't work for me; most clients are running Windows and a few Mac OS X. And I use virtual users, so they don't show up in getent passwd.

So for now I have only one option: run a plain text password DB along with Kerberos for users who wish to log in to the mail server using their smartphone.
From: Guillaume.Rousse at inria.fr (Guillaume Rousse)
Date: Tue, 09 Feb 2010 11:17:49 +0100
Subject: Automatically distributing nfs/ssh host principals
Message-ID: <4B71364D.1050104@inria.fr>

Hello list.

In order to allow our users to set up their own machines for kerberized NFS, we deployed a custom CGI application allowing them, once authenticated, to create nfs/hostname principals, and extract the corresponding keytab file. As part of the process, they register themselves as owner of those principals, for extracting or deleting them later. We thereafter modified the application to deliver host/hostname principals instead, as they allow both NFS and SSH services.

However, this is still a bit painful, as it can't be included in automatic installation scenarios, for instance. It also requires us to track information for each user, which doesn't prove to be very useful. I was wondering about the security implications of changing the application behaviour to automatically deliver a keytab file containing an nfs/hostname principal, creating it if not already existing, corresponding to the IP address of the contacting machine, without any kind of authentication. This way, a simple wget/curl/lynx command in an automated installation would allow installing everything needed.

Of course, this would allow someone able to spoof the IP address of another host to also usurp its principal for those services, but:
- the application is only accessible from the internal network
- our users' machines are in a different LAN than our servers
- we use switched LANs, not hubs
This would reduce the spoofing scope to other workstations only.

Moreover, I don't think usurping another host's nfs principal has any interest, and ssh has its own mechanism (host keys) to prevent spoofing.

Am I missing something here?
-- 
BOFH excuse #54:

Evil dogs hypnotised the night shift
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Tue, 09 Feb 2010 09:08:19 -0600
Subject: kerberos and smartphone clients
In-Reply-To: <4B710DB9.4090705@inblock.ru>
References: <4B6D17CA.80504@inblock.ru> <4B708636.9080005@clusterbee.net> <4B710DB9.4090705@inblock.ru>
Message-ID: <4B717A63.2000709@clusterbee.net>

Nikolay Shopik wrote:
> You mean PAM on the client? This won't work for me; most clients are running
> Windows and a few Mac OS X. And I use virtual users, so they don't show
> up in getent passwd.
>
> So for now I have only one option: run a plain text password DB along
> with Kerberos for users who wish to log in to the mail server using their
> smartphone.

I meant to suggest configuring PAM this way on the e-mail server. Then your e-mail client uses a plaintext login, the e-mail server daemon hands the password off to PAM (just like sshd would), and then the PAM Kerberos module uses Kerberos to say "yay" or "nay" to the password. The e-mail client doesn't know or care how this is implemented -- they're just doing a normal plaintext login, like every e-mail client does, so the machinations on the back end are invisible to it.

Since the password really does need to be transmitted from the server to the client, I would recommend using TLS/SSL (and using plaintext within the encrypted connection). This also means that CHAP style authentication won't work, since Kerberos won't reveal the password over the network to the e-mail server. With SSL or TLS, though, this method is secure enough for most environments.

Then for e-mail clients that do support Kerberos, they can present their ticket and provide super-secure passwordless login -- which is what I gather you've already configured.

If you're using virtual users on the e-mail server, then saslauthd can be configured to attempt to log in to Kerberos to see if the password is valid, instead of PAM. This is an application-level way to check credentials, as opposed to a system-level method like PAM -- so if your users don't show up in getent, then saslauthd is the way to go. But your e-mail server daemon needs to be aware of how to use saslauthd -- most popular e-mail servers are, and if your e-mail server is flexible enough to use GSSAPI, it can probably use SASL, too.

-Luke
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 9 Feb 2010 10:24:28 -0500
Subject: Automatically distributing nfs/ssh host principals
In-Reply-To: <4B71364D.1050104@inria.fr>
References: <4B71364D.1050104@inria.fr>
Message-ID: <676A4421-0E1F-47E3-93D2-43248D84753B@mit.edu>

On Feb 9, 2010, at 05:17, Guillaume Rousse wrote:
> However, this is still a bit painful, as it can't be included in
> automatic installation scenarios, for instance. It also requires us to track
> information for each user, which doesn't prove to be very useful. I was
> wondering about the security implications of changing the application
> behaviour to automatically deliver a keytab file containing an
> nfs/hostname principal, creating it if not already existing,
> corresponding to the IP address of the contacting machine, without any
> kind of authentication. This way, a simple wget/curl/lynx command in an
> automated installation would allow installing everything needed.

The idea has been kicked around before, and I believe one variant (registering a new host principal over a kadmin session protected by anonymous PKINIT) has been tried out in MIT's current development code.

> Of course, this would allow someone able to spoof the IP address of
> another host to also usurp its principal for those services, but:
> - the application is only accessible from the internal network
> - our users' machines are in a different LAN than our servers
> - we use switched LANs, not hubs
> This would reduce the spoofing scope to other workstations only.

You might consider making it only work if the principal doesn't already exist. That allows for easy provisioning of a new host, but prevents hacking of one that's already set up and which someone may be actually relying on for something. Depends on your threat model....

You should also look at how the server verifies that the hostname and address match; is it using the insecure DNS protocol, or are you securely providing it with a copy of your host database?

> Moreover, I don't think usurping another host's nfs principal has any
> interest, and ssh has its own mechanism (host keys) to prevent spoofing.

If you can change the NFS key, you can prevent people from accessing files. If you can extract the existing host key, you can access anyone else's files.

I don't think Kerberos-enabled SSH uses the SSH-style host keys; I think part of the point was avoiding having to have two authentication mechanisms at work. I could be wrong about that.

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From: shopik at inblock.ru (Nikolay Shopik)
Date: Tue, 09 Feb 2010 20:21:07 +0300
Subject: kerberos and smartphone clients
In-Reply-To: <4B717A63.2000709@clusterbee.net>
References: <4B6D17CA.80504@inblock.ru> <4B708636.9080005@clusterbee.net> <4B710DB9.4090705@inblock.ru> <4B717A63.2000709@clusterbee.net>
Message-ID: <4B719983.3070407@inblock.ru>

On 09.02.2010 18:08, Luke Scharf wrote:
> If you're using virtual users on the e-mail server, then saslauthd can
> be configured to attempt to log in to Kerberos to see if the password is
> valid, instead of PAM. This is an application-level way to check
> credentials, as opposed to a system-level method like PAM -- so if your
> users don't show up in getent, then saslauthd is the way to go. But
> your e-mail server daemon needs to be aware of how to use saslauthd --
> most popular e-mail servers are, and if your e-mail server is flexible
> enough to use GSSAPI, it can probably use SASL, too.

Thanks Luke, saslauthd is what I'm actually looking for.
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 9 Feb 2010 17:41:55 +0000
Subject: Automatically distributing nfs/ssh host principals
In-Reply-To: <676A4421-0E1F-47E3-93D2-43248D84753B@mit.edu>
References: <4B71364D.1050104@inria.fr> <676A4421-0E1F-47E3-93D2-43248D84753B@mit.edu>

On 9 Feb 2010, at 15:24, Ken Raeburn wrote:
> The idea has been kicked around before, and I believe one variant (registering a new host principal over a kadmin session protected by anonymous PKINIT) has been tried out in MIT's current development code.

What we do here is require the input of an administrator principal at installation time to create a hostclient/ principal. We then use kadmind ACLs to permit hostclient/ to create */ principals. This all has the big advantage that it works using the standard kadmind ACL syntax, and we don't need any additional logic.

We're planning on at some point moving over to Russ's wallet code to manage the creation of subsequent principals, and telling it with our configuration database which principals each machine is allowed to have.

>> Moreover, I don't think usurping another host's nfs principal has any
>> interest, and ssh has its own mechanism (host keys) to prevent spoofing.
>
> If you can change the NFS key, you can prevent people from accessing files.

Are these NFS server principals, or keys that are used by NFS clients for host-based trust?

> I don't think Kerberos-enabled SSH uses the SSH-style host keys; I think part of the point was avoiding having to have two authentication mechanisms at work. I could be wrong about that.

SSH supports either GSSAPI user authentication which still uses SSH host keys, and GSSAPI key exchange which doesn't. If you're a Kerberos site, and aren't using key exchange, you either don't have many machines, or you haven't thought hard enough about the problem.

S.
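Simon's scheme above (a per-host hostclient/ principal created by an administrator, then kadmind ACLs that let it create only its own host's principals) is the least-privilege answer to the unauthenticated-CGI design Guillaume asked about: the hostclient key, not the source IP, is what proves which host is asking. The following is an added example written for this page, not kadmind's code and not Simon's site's configuration: a small Python model of how kadm5.acl wildcards and *N back-references decide a request, run over a constructed ACL. The realm, hostnames, permission letters and ACL lines are assumptions, and the first-match and "entries with a target apply only to targeted requests" behaviour is this model's reading of kadm5.acl(5); confirm both against the man page of your krb5 version before relying on them.

```python
import re
from typing import List, Optional

# Constructed ACL in the shape of the scheme described above.  Admin instances
# get everything; hostclient/<fqdn> may add (a), change or randomize keys (c)
# and inquire (i), but only on principals whose instance is that same <fqdn>,
# which is what "kadmin ktadd" needs to fetch the host's own keys and nothing more.
ACL = """
# principal                  perms  target
*/admin@EXAMPLE.COM          *
hostclient/*@EXAMPLE.COM     aci    */*1@EXAMPLE.COM
"""


def _split(principal: str):
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def match_principal(pattern: str, principal: str) -> Optional[List[str]]:
    """Match a kadm5.acl principal pattern component by component.  A '*'
    component matches exactly one whole component ('*' as the realm matches any
    realm).  Returns what the wildcards captured, in order, or None on mismatch."""
    pcomps, prealm = _split(pattern)
    ncomps, nrealm = _split(principal)
    if len(pcomps) != len(ncomps) or prealm not in ("*", nrealm):
        return None
    captured = []
    for p, n in zip(pcomps, ncomps):
        if p == "*":
            captured.append(n)
        elif p != n:
            return None
    return captured


def expand_target(target: str, captured: List[str]) -> str:
    """Replace back-references *1..*9 with the components the caller's wildcards matched."""
    return re.sub(r"\*([1-9])", lambda m: captured[int(m.group(1)) - 1], target)


def is_allowed(acl_text: str, caller: str, op: str, target: Optional[str] = None) -> bool:
    """Decide one request: the first line whose principal pattern (and target
    pattern, if present) matches decides; 'x' or '*' in perms grants everything."""
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pattern, perms = fields[0], fields[1]
        captured = match_principal(pattern, caller)
        if captured is None:
            continue
        if len(fields) > 2:
            if target is None or match_principal(expand_target(fields[2], captured), target) is None:
                continue                      # this line does not cover that target
        return "*" in perms or "x" in perms or op in perms
    return False                              # no matching line: kadmind denies


if __name__ == "__main__":
    me = "hostclient/ws17.example.com@EXAMPLE.COM"
    for op, tgt in (("a", "host/ws17.example.com@EXAMPLE.COM"),
                    ("a", "host/fileserver.example.com@EXAMPLE.COM"),
                    ("d", "host/ws17.example.com@EXAMPLE.COM")):
        print(me, op, tgt, "->", is_allowed(ACL, me, op, tgt))
```

The back-reference is what makes the scheme safe: with a plain "*/*@EXAMPLE.COM" target, any host's hostclient key could add or rekey host/fileserver and read the NFS server's files, which is exactly the attack Ken describes. With "*/*1" the instance must equal the one the caller's own principal matched. Note that the model grants "c" (randomize keys) but not "d" or "m", so a compromised workstation can rekey its own principals but cannot delete or modify anyone's.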
From: shopik at inblock.ru (Nikolay Shopik)
Date: Tue, 09 Feb 2010 22:40:51 +0300
Subject: kerberos and smartphone clients
In-Reply-To: <4B717A63.2000709@clusterbee.net>
References: <4B6D17CA.80504@inblock.ru> <4B708636.9080005@clusterbee.net> <4B710DB9.4090705@inblock.ru> <4B717A63.2000709@clusterbee.net>
Message-ID: <4B71BA43.2080304@inblock.ru>

On 09.02.2010 18:08, Luke Scharf wrote:
> If you're using virtual users on the e-mail server, then saslauthd can
> be configured to attempt to log in to Kerberos to see if the password is
> valid, instead of PAM. This is an application-level way to check
> credentials, as opposed to a system-level method like PAM -- so if your
> users don't show up in getent, then saslauthd is the way to go.

Actually Dovecot SASL + pam_krb5 and virtual users works very well. I've just added two lines to /etc/pam.d/dovecot:

auth    sufficient pam_krb5.so
account sufficient pam_krb5.so

But thanks anyway for pointing to the right way.

From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 9 Feb 2010 23:05:47 +0000
Subject: Fwd: [Bug 1242] GSSAPI Keyexchange support
Message-ID: <9968BFCD-B6C8-4A94-8190-8956C275849D@sxw.org.uk>

Just because I know readers of this list have been following the GSSAPI Key Exchange saga over the last 9 years, I thought the following mail from OpenSSH's bug tracking system might be of interest.

I still believe that their argument is bogus, and I will continue to maintain the OpenSSH key exchange patch. As far as I'm aware, RedHat are now the only major vendor who ship OpenSSH without it.

Cheers,

Simon.

Begin forwarded message:
> From: bugzilla-daemon at bugzilla.mindrot.org
> Date: 9 February 2010 22:49:24 GMT
> To: simon at sxw.org.uk
> Subject: [Bug 1242] GSSAPI Keyexchange support
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=1242
> 
> Damien Miller changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|                            |WONTFIX
> 
> --- Comment #7 from Damien Miller 2010-02-10 09:49:24 EST ---
> None of the OpenSSH developers are in favour of adding this, and this
> situation has not changed for several years. This is not a slight on
> Simon's patch, which is of fine quality, but just that a) we don't
> trust GSSAPI implementations that much and b) we don't like adding new
> KEX since they are pre-auth attack surface. This one is particularly
> scary, since it requires hooks out to typically root-owned system
> resources.
> 
> -- 
> Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You reported the bug.
From: gdt at ir.bbn.com (Greg Troxel)
Date: Wed, 10 Feb 2010 09:02:35 -0500
Subject: Kerberos for Subversion
In-Reply-To: <4B6DEF7A.2000707@it.uib.no> (Bjørn Tore Sund's message of "Sat, 06 Feb 2010 23:38:50 +0100")
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com> <4B6DEF7A.2000707@it.uib.no>

Bjørn Tore Sund writes:

> On 2/4/10 10:27 PM, Girish Mandhania wrote:
>> Hello,
>> I am working for a university and have Kerberos installed on our server. I
>> wish to use Kerberos authentication of Subversion (change management
>> application) on Linux.
>> Could you please help me with the clear list of steps to be followed, as I
>> am not able to find relevant information on the web.
>> Let me know if any more details are required.
>
> Assuming you've got subversion running behind Apache you use
> mod_auth_kerb in exactly the same way you would any other Apache
> location where you want authentication.
>
> http://modauthkerb.sourceforge.net/

That makes the server take passwords and validate them against the Kerberos database, or else requires, for browser-side access, the Negotiate mechanism. It seems bad practice to send one's Kerberos password to the server (or perhaps worse, to have svn store it), so obviously the only reasonable thing to do is use Negotiate. neon seems to have a gssapi option - does that work from svn with modauthkerb?
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 10 Feb 2010 11:01:20 -0500
Subject: [Bug 1242] GSSAPI Keyexchange support
In-Reply-To: <9968BFCD-B6C8-4A94-8190-8956C275849D@sxw.org.uk>
References: <9968BFCD-B6C8-4A94-8190-8956C275849D@sxw.org.uk>
Message-ID: <20100210110120.1de6a0a2@willson.li.ssimo.org>

On Tue, 9 Feb 2010 23:05:47 +0000
Simon Wilkinson wrote:

> Just because I know readers of this list have been following the
> GSSAPI Key Exchange saga over the last 9 years, I thought the
> following mail from OpenSSH's bug tracking system might be of
> interest.
> 
> I still believe that their argument is bogus, and I will continue to
> maintain the OpenSSH key exchange patch. As far as I'm aware, RedHat
> are now the only major vendor who ship OpenSSH without it.

Simon, as far as I know, the patch is in Fedora 12 and will be in Fedora 13 too. This means there is a very good chance it will be picked up for the next major release, I guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: prp at alumni.caltech.edu (Phillip Pfaffman)
Date: Tue, 09 Feb 2010 21:13:49 -0800
Subject: How to Kerberize an application
In-Reply-To: <1265653220.13397.543.camel@ray>
References: <7562609.290211265505105541.JavaMail.nabble@isper.nabble.com> <1265653220.13397.543.camel@ray>
Message-ID: <4B72408D.8080905@alumni.caltech.edu>

On 2/8/2010 10:20 AM, Greg Hudson wrote:
> On Sat, 2010-02-06 at 20:11 -0500, prp at ALUMNI.CALTECH.EDU wrote:
>
>> I'm looking for a tutorial (ideally) that would describe how to modify
>> an existing service, at the point where connection is made to its
>> listener by a prospective client, to support the Kerberos protocol. In
>> fact it would describe how both client and server must prepare their
>> respective portions of the dialogue, or condition the states of their
>> processes, with references to appropriate GSS-API or Kerberos API
>> calls.
>>
> It might not be at quite the level you want, but this may be of use:
>
> http://kerberos.org/software/appskerberos.pdf
>
> The sample GSSAPI application (src/appl/gss-sample in the Kerberos
> sources) may be instructive at a lower level.
>

Well, the reference you have given is certainly something I would have
asked for if I had known how. At the level of my question the sample is
instructive. Thank you very much.

From wollman at bimajority.org Wed Feb 10 01:04:30 2010
From: wollman at bimajority.org (Garrett Wollman)
Date: Wed, 10 Feb 2010 06:04:30 +0000 (UTC)
Subject: Fwd: [Bug 1242] GSSAPI Keyexchange support
References:
Message-ID:

In article , Simon Wilkinson wrote:
>Just because I know readers of this list have been following the GSSAPI
>Key Exchange saga over the last 9 years, I thought the following mail
>from OpenSSH's bug tracking system might be of interest.
>
>I still believe that their argument is bogus, and I will continue to
>maintain the OpenSSH key exchange patch. As far as I'm aware, RedHat are
>now the only major vendor who ship OpenSSH without it.

Is it time to just fork OpenSSH and be done with it?

-GAWollman

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman at bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners?  - S.J. Gould, 1993

From benp at reed.edu Wed Feb 10 13:20:30 2010
From: benp at reed.edu (Ben Poliakoff)
Date: Wed, 10 Feb 2010 10:20:30 -0800
Subject: Kerberos for Subversion
In-Reply-To:
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com> <4B6DEF7A.2000707@it.uib.no>
Message-ID: <20100210182030.GD13308@garage.reed.edu>

* Greg Troxel [20100210 09:44]:
> > http://modauthkerb.sourceforge.net/
>
> That makes the server take passwords and validate them against the
> kerberos database, or else requires for browser-side access the
> Negotiate mechanism. It seems bad practice to send one's kerberos
> password to the server (or perhaps worse, to have svn store it), so
> obviously the only reasonable thing to do is use Negotiate.
>
> neon seems to have a gssapi option - does that work from svn with
> modauthkerb?

Yes it does, with reasonably recent versions. That's how we do it at my
work.

-- 
________________________________________________________________________
PGP (318B6A97): 3F23 EBC8 B73E 92B7 0A67 705A 8219 DCF0 318B 6A97

From admin at dei.unipd.it Thu Feb 11 10:06:14 2010
From: admin at dei.unipd.it (Sysmen DEI)
Date: Thu, 11 Feb 2010 16:06:14 +0100
Subject: Kerberos for Subversion
In-Reply-To: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
References: <7383d1de1002041327q49e7ba80x45aa3a3e9680538c@mail.gmail.com>
Message-ID: <4B741CE6.5070502@dei.unipd.it>

On 02/04/2010 10:27 PM, Girish Mandhania wrote:
> Hello,
> I am working for a university and have Kerberos installed on our server. I
> wish to use Kerberos authentication of Subversion (change management
> application) on Linux.
> Could you please help me with the clear list of steps to be followed, as I
> am not able to find relevant information on the web.
> Let me know if any more details are required.
>
> Cheers.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

My standard Subversion installation is based on:
- apache mod_dav_svn mod_authz_svn
- mod_authn_kerb (mod_auth_kerb patched by me, inspired by mod_authn_pam)
- svn protected by HTTPS mod_ssl
- svnmanager.org php webapp to manage svn access/repository (patched by me
  to get both Kerberos and "external" users in the .htpasswd file)
- websvn.tigris.org php webapp for better repository browsing

Main advantages are:
- external collaborators don't need to be in our Kerberos
- there are no filesystem ownership/acl headaches or svn running as root
  because all svn files are owned by the apache user
- svn external users management can be delegated to Svnmanager admins.

Regards
Valerio Pulese

From jblaine at kickflop.net Thu Feb 11 11:48:57 2010
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 11 Feb 2010 11:48:57 -0500
Subject: Testing master key?
Message-ID: <4B7434F9.3070301@kickflop.net>

Remind me again how to test my master key? I can't find that I
documented it anywhere in my safe, so now it's time to start guessing
and hope for a hit :/

From deengert at anl.gov Fri Feb 12 08:27:38 2010
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 12 Feb 2010 07:27:38 -0600
Subject: unable to get default realm for solaris 10
In-Reply-To:
References: <4B705D64.8080104@anl.gov>
Message-ID: <4B75574A.2060806@anl.gov>

Kumar, Dileep wrote:
> Dear Engert,
>
> You are right. I am trying to run a KDC on Solaris10 machine when I am getting error.
> In the directory "/etc/krb5/" I have following two files:
> kadm5.acl -> /usr/local/var/krb5kdc/kadm5.acl
> krb5.conf -> /etc/krb5.conf
>
> There is no kdc.conf file at /etc/krb5/ location.
> All krb5.conf file linked with same /etc/krb5.conf file.
>
> We have following three files at location '/usr/local/var/krb5kdc':

So this is not the Solaris 10 /usr/lib/krb5/krb5kdc, but the MIT 1.7 version?
You may want to rephrase your question, as this does not sound like a
Solaris specific question, but a configuration issue with 1.7

>
> kadm5.acl
> kdc.conf
> krb5.conf -> /etc/krb5.conf
>
> I have attached all three files for your reference.
>
> Regards,
> Dileep Kumar | Atos Origin India | Software Engineer
> dileep.kumar at atosorigin.com | D: +91 -22-6733 4392| M: +91 9820585213|
> www.atosorigin.com
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Tuesday, February 09, 2010 12:22 AM
> To: Kumar, Dileep
> Cc: William.Fiveash at sun.com; kerberos at mit.edu
> Subject: Re: unable to get default realm for solaris 10
>
>
> Kumar, Dileep wrote:
>> Dear Andrea,
>>
>> I have installed native Kerberos on my solaris10 machine from Solaris10 OS DVD.
>> Still I am getting the same error of 'does not specify default realm'.
>>
>> Inside the file "/var/log/krb5kdc.log' I am getting following error:
>> " krb5kdc: Configuration file does not specify default realm - while attempting to retrieve default realm"
>>
>> Can you please help me on it?
>
> So are you trying to run a KDC on this machine?
>
> What is in your /etc/krb5/krb5.conf and /etc/krb5/kdc.conf?
>
>
>>
>> Regards,
>> Dileep Kumar | Atos Origin India | Software Engineer
>> dileep.kumar at atosorigin.com | D: +91 -22-6733 4392| M: +91 9820585213|
>> www.atosorigin.com
>>
>>
>> -----Original Message-----
>> From: Mohammad, Meraj
>> Sent: Monday, February 08, 2010 6:43 PM
>> To: Kumar, Dileep
>> Subject: FW: unable to get default realm for solaris 10
>>
>>
>> -----Original Message-----
>> From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
>> Sent: Thursday, January 14, 2010 1:48 AM
>> To: Mohammad, Meraj
>> Cc: kerberos at mit.edu
>> Subject: Re: unable to get default realm for solaris 10
>>
>> On Wed, Jan 13, 2010 at 11:37:45AM +0530, Mohammad, Meraj wrote:
>>> Hi Andrea
>>>
>>> i'm trying to setup Kerberos(krb5-1.7)with Solaris 10. While
>> Why not just use native Solaris 10 Kerberos ?
>>
>

-- 
Douglas E. Engert 
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Dileep.Kumar at atosorigin.com Fri Feb 12 07:21:19 2010
From: Dileep.Kumar at atosorigin.com (Kumar, Dileep)
Date: Fri, 12 Feb 2010 17:51:19 +0530
Subject: unable to get default realm for solaris 10
In-Reply-To: <4B705D64.8080104@anl.gov>
References: <4B705D64.8080104@anl.gov>
Message-ID:

Dear Engert,

You are right. I am trying to run a KDC on Solaris10 machine when I am getting error.
In the directory "/etc/krb5/" I have following two files:
kadm5.acl -> /usr/local/var/krb5kdc/kadm5.acl
krb5.conf -> /etc/krb5.conf

There is no kdc.conf file at /etc/krb5/ location.
All krb5.conf file linked with same /etc/krb5.conf file.

We have following three files at location '/usr/local/var/krb5kdc':

kadm5.acl
kdc.conf
krb5.conf -> /etc/krb5.conf

I have attached all three files for your reference.

Regards,
Dileep Kumar | Atos Origin India | Software Engineer
dileep.kumar at atosorigin.com | D: +91 -22-6733 4392| M: +91 9820585213|
www.atosorigin.com

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Tuesday, February 09, 2010 12:22 AM
To: Kumar, Dileep
Cc: William.Fiveash at sun.com; kerberos at mit.edu
Subject: Re: unable to get default realm for solaris 10

Kumar, Dileep wrote:
> Dear Andrea,
>
> I have installed native Kerberos on my solaris10 machine from Solaris10 OS DVD.
> Still I am getting the same error of 'does not specify default realm'.
>
> Inside the file "/var/log/krb5kdc.log' I am getting following error:
> " krb5kdc: Configuration file does not specify default realm - while attempting to retrieve default realm"
>
> Can you please help me on it?

So are you trying to run a KDC on this machine?

What is in your /etc/krb5/krb5.conf and /etc/krb5/kdc.conf?

>
> Regards,
> Dileep Kumar | Atos Origin India | Software Engineer
> dileep.kumar at atosorigin.com | D: +91 -22-6733 4392| M: +91 9820585213|
> www.atosorigin.com
>
>
> -----Original Message-----
> From: Mohammad, Meraj
> Sent: Monday, February 08, 2010 6:43 PM
> To: Kumar, Dileep
> Subject: FW: unable to get default realm for solaris 10
>
>
> -----Original Message-----
> From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
> Sent: Thursday, January 14, 2010 1:48 AM
> To: Mohammad, Meraj
> Cc: kerberos at mit.edu
> Subject: Re: unable to get default realm for solaris 10
>
> On Wed, Jan 13, 2010 at 11:37:45AM +0530, Mohammad, Meraj wrote:
>> Hi Andrea
>>
>> i'm trying to setup Kerberos(krb5-1.7)with Solaris 10. While
>
> Why not just use native Solaris 10 Kerberos ?
>

-- 
Douglas E. Engert 
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From pereniguez at um.es Mon Feb 15 08:51:55 2010
From: pereniguez at um.es (Fernando Pereñíguez Garcia)
Date: Mon, 15 Feb 2010 14:51:55 +0100
Subject: Question about cryptographic protection of message fields
Message-ID:

Hi all,

Looking into the Kerberos specification and the MIT implementation, I've
found that not all the fields defined in the Kerberos messages are
cryptographically protected. For example, in the KDC-REQ/KDC-REP, the
padata field is sent in clear and (at least) is not integrity protected.
Therefore, an attacker can change the information contained in any of
these fields and the client is not able to detect this attack. For this
reason, I was wondering if my conclusions are right.

Thanks in advance,
Fernando.

---
------------------------------------------------------
Fernando Pereñíguez García
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science
University of Murcia
30100 Murcia - Spain
Phone: +34 868 887882
E-mail: pereniguez at um.es
------------------------------------------------------

From ghudson at MIT.EDU Mon Feb 15 18:37:13 2010
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 15 Feb 2010 18:37:13 -0500
Subject: Question about cryptographic protection of message fields
In-Reply-To:
References:
Message-ID: <1266277033.20257.236.camel@ray>

On Mon, 2010-02-15 at 08:51 -0500, Fernando Pereñíguez Garcia wrote:
> Hi all,
> Looking into the Kerberos specification and the MIT
> implementation, I've found that not all the fields defined in the
> Kerberos messages are cryptographically protected. For example, in the
> KDC-REQ/KDC-REP, the padata field is sent in clear and (at least) is
> not integrity protected. Therefore, an attacker can change the
> information contained in any of these fields and the client is not
> able to detect this attack. For this reason, I was wondering if my
> conclusions are right.

Yes, some fields of the Kerberos message exchanges are unprotected, and
the design of what goes into those fields needs to take that into
account.  Also see the security considerations section of RFC 4120 for
some consequences, such as this:

   Kerberos credentials contain clear-text information identifying the
   principals to which they apply.  If privacy of this information is
   needed, this exchange should itself be encapsulated in a protocol
   providing for confidentiality on the exchange of these credentials.

There is a new extension called FAST which protects more of the KDC
exchange when used; see:

http://tools.ietf.org/html/draft-ietf-krb-wg-preauth-framework-15

From rra at stanford.edu Tue Feb 16 02:36:30 2010
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 15 Feb 2010 23:36:30 -0800
Subject: krb5-sync 2.0 released
Message-ID: <874olhzl6p.fsf@windlord.stanford.edu>

I'm pleased to announce release 2.0 of krb5-sync.

krb5-sync is a toolkit for updating passwords and account status from an
MIT or Heimdal Kerberos master KDC to Active Directory.  It is
implemented as a patch to libkadm5srv and a plugin module that will push
password changes and selected account flag changes to Active Directory
at the same time as they are made to the local KDC database.

Changes from previous release:

    Dropped support for AFS synchronization and all Kerberos v4 support.
    This package now only synchronizes with Active Directory.

    Add plugin support for the proposed kadmin hooks for Heimdal and
    ported the code to Heimdal as well as MIT Kerberos.  Add a patch for
    Heimdal 1.3.1 to the patches directory.  The implementation for
    Heimdal is preliminary and will change in later releases.

    Add an ad_ldap_base configuration option to specify the base DN for
    Active Directory.  Patch from Andreas Johansson.

    Ignore connection timeouts from AD when running the queue with
    krb5-sync-backend in silent mode.

    Improve error reporting in the standalone krb5-sync utility.

    Enable Automake silent rules.  For a quieter build, pass the
    --enable-silent-rules option to configure or build with make V=0.

    Add portability code for platforms without a working snprintf or
    other deficiencies and updated the code to take advantage of those
    guarantees.

    Update Kerberos Autoconf macros from rra-c-util 2.3:

    * Check for networking libraries before Kerberos libraries.
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config doesn't work.
    * Prefer KRB5_CONFIG from the environment.
    * If krb5-config isn't executable, don't use it.
    * Add --with-krb5-lib and --with-krb5-include configure options.

You can download it from:

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already
listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From winay.l at gmail.com Tue Feb 16 01:30:04 2010
From: winay.l at gmail.com (vinay kumar)
Date: Tue, 16 Feb 2010 12:00:04 +0530
Subject: URG: PKINIT error
Message-ID:

Hi all,

        I am implementing PKINIT. My krb5.conf and kdc.conf are as follows

*************krb5.conf************
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = GLOBALEDGESOFT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 pkinit_anchors = DIR:/ca/

[realms]
 GLOBALEDGESOFT.COM = {
 kdc = 172.16.10.211
 admin_server = 172.16.10.211
 default_domain = globaledgesoft.com
 pkinit_identity = DIR:/client/
 }

[domain_realm]
 .globaledgesoft.com = GLOBALEDGESOFT.COM
 globaledgesoft.com = GLOBALEDGESOFT.COM

[kdc]
 profile = /etc/kdc.conf
 require-preauth = yes
 pkinit_identity = DIR:/kdc/

[kadmin]
 require-preauth = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
********************************************************
**************kdc.conf********************************
[kdcdefaults]
        kdc_ports = 750,88
        pkinit_anchors = DIR:/ca/
        pkinit_identity = DIR:/kdc/

[realms]
        GLOBALEDGESOFT.COM = {
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                pkinit_identity = FILE:/client/
        }

[kdc]
 require-preauth = yes
***********************************************************
I have generated the certificates using openssl:
/ca contains ca.crt  ca.csr  ca.key
/kdc contains kdc.crt  kdc.csr  kdc.key
/client contains client.crt  client.csr  client.key
***********************************************************

I have set preauth flag for principals. When I do kinit
vinay at GLOBALEDGESOFT.COM, it's sending only AS_REQ and in reply I am getting
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Why am I getting this error? Why
is it sending only AS_REQ (without containing preauthentication data)? What are
the modifications needed? Plz guide me.

Regards,
Vinay

From kwcoffman at gmail.com Tue Feb 16 11:52:12 2010
From: kwcoffman at gmail.com (Kevin Coffman)
Date: Tue, 16 Feb 2010 11:52:12 -0500
Subject: URG: PKINIT error
In-Reply-To:
References:
Message-ID: <4d569c331002160852n25438c7dg33503bf894b129fd@mail.gmail.com>

On Tue, Feb 16, 2010 at 1:30 AM, vinay kumar wrote:
> Hi all,
>
>         I am implementing PKINIT. My krb5.conf and kdc.conf are as follows
>
> *************krb5.conf************
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = GLOBALEDGESOFT.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  pkinit_anchors = DIR:/ca/
>
> [realms]
>  GLOBALEDGESOFT.COM = {
>  kdc = 172.16.10.211
>  admin_server = 172.16.10.211
>  default_domain = globaledgesoft.com
>  pkinit_identity = DIR:/client/
>  }
>
> [domain_realm]
>  .globaledgesoft.com = GLOBALEDGESOFT.COM
>  globaledgesoft.com = GLOBALEDGESOFT.COM
>
> [kdc]
>  profile = /etc/kdc.conf
>  require-preauth = yes
>  pkinit_identity = DIR:/kdc/
>
> [kadmin]
>  require-preauth = yes
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
> ********************************************************
> **************kdc.conf********************************
> [kdcdefaults]
>        kdc_ports = 750,88
>        pkinit_anchors = DIR:/ca/
>        pkinit_identity = DIR:/kdc/
>
> [realms]
>        GLOBALEDGESOFT.COM = {
>                database_name = /usr/local/var/krb5kdc/principal
>                admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>                acl_file = /usr/local/var/krb5kdc/kadm5.acl
>                key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
>                kdc_ports = 750,88
>                max_life = 10h 0m 0s
>                max_renewable_life = 7d 0h 0m 0s
>                pkinit_identity = FILE:/client/
>        }
>
> [kdc]
>  require-preauth = yes
> ***********************************************************
> I have generated the certificates using openssl:
> /ca contains ca.crt  ca.csr  ca.key
> /kdc contains kdc.crt  kdc.csr  kdc.key
> /client contains client.crt  client.csr  client.key
> ***********************************************************
>
> I have set preauth flag for principals. When I do kinit
> vinay at GLOBALEDGESOFT.COM, it's sending only AS_REQ and in reply I am getting
> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Why am I getting this error? Why
> is it sending only AS_REQ (without containing preauthentication data)? What are
> the modifications needed? Plz guide me.
>
> Regards,
> Vinay

This is normal.  If the KDC's pkinit configuration is correct (the plugin
is available and correctly configured), its KRB5KDC_ERR_PREAUTH_REQUIRED
reply should list pkinit as a suitable preauthentication method.  The
client should then respond with another AS_REQ including the pkinit
preauth information.

K.C.

From tlyu at MIT.EDU Tue Feb 16 14:18:33 2010
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 16 Feb 2010 14:18:33 -0500
Subject: MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2010-001

MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16

Topic: krb5-1.7 KDC denial of service

CVE-2010-0283
krb5-1.7 KDC denial of service

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.4

Exploitability:         Functional
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

Improper input validation in the KDC can cause an assertion failure
and process termination.  A functional exploit exists, but is not
known to be publicly circulated.

Releases prior to krb5-1.7 did not contain the vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.7 and later

* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.

FIXES
=====

* The upcoming krb5-1.7.2 release will contain a fix for this
  vulnerability.

* The final krb5-1.8 release will contain a fix for this
  vulnerability.

* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 52fbda5..680e6a1 100644 - --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + if (request->msg_type != KRB5_AS_REQ) { + status = "msg_type mismatch"; + errcode = KRB5_BADMSGTYPE; + goto errout; + } errcode = kdc_make_rstate(&state); if (errcode != 0) { status = "constructing state"; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 12180ff..c8cf692 100644 - --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, retval = decode_krb5_tgs_req(pkt, &request); if (retval) return retval; + if (request->msg_type != KRB5_TGS_REQ) + return KRB5_BADMSGTYPE; /* * setup_server_realm() sets up the global realm-specific data pointer. diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index d88e0cb..2639047 100644 - --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c 
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error krb5_data *encoded_e_data = NULL; memset(outer_pa, 0, sizeof(outer_pa)); - - if (!state->armor_key) + if (!state || !state->armor_key) return 0; fx_error = *err; fx_error.e_data.data = NULL;

This patch is also available at

        http://web.mit.edu/kerberos/advisories/2010-001-patch.txt

A PGP-signed patch is available at

        http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc

* The above patch will apply to krb5-1.8 prerelease code if
  whitespace is ignored.

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0283

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283

ACKNOWLEDGMENTS
===============

Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is .  When sending
sensitive information, please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
the value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).
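Review bot: in the do_as_req.c hunk, the new `goto errout;` fires before `kdc_make_rstate(&state)` has run, so everything reached from errout must tolerate a `state` that is still unset; the fast_util.c hunk guards `kdc_fast_handle_error` for exactly this case, but any other consumer of `state` on the errout path (not visible in this hunk) needs the same audit. Setting `status = "msg_type mismatch"` together with `KRB5_BADMSGTYPE` is the right choice here, since it gives the KDC log a distinct marker for a request rejected by this check.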
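Review bot: in the do_tgs_req.c hunk, the early `return KRB5_BADMSGTYPE;` comes immediately after `decode_krb5_tgs_req(pkt, &request)` has allocated `request`, and nothing in the hunk releases it, so unless the caller frees the decoded request on this error this path leaks it; free it (for instance with krb5_free_kdc_req) or route through the function's normal cleanup before returning. This path also differs from the do_as_req.c hunk in that it sets no status string, so a TGS-REQ with a mismatched msg_type is rejected without a KDC log entry; logging it the same way would keep the two paths consistent and make the condition detectable.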
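Review bot: in the fast_util.c hunk, widening the guard to `if (!state || !state->arm
or_key) return 0;` is what makes `kdc_fast_handle_error` safe for the new pre-state errout path in do_as_req.c, and returning 0 there (no FAST wrapping of the error) is correct because no armor key has been negotiated at that point. The function's header comment should state that `state` may be NULL, since other callers might otherwise keep assuming it is always set.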
REVISION HISTORY
================

2010-02-16      original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkt66lcACgkQSO8fWy4vZo7I0ACfasGx8aeoSggpGZ+pT9rbcKSj
QJIAoNPvn30+XmGb5Q7nXaAy0jiLIftg
=yYBl
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce

From rra at stanford.edu Wed Feb 17 02:42:59 2010
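The following Python example is added to this archive page and is not code from MIT krb5 or from any of the messages above. It ties together three points made in the thread: Greg Hudson's reply that the padata of a KDC-REQ is cleartext (the reader below decodes it with no key at all), Kevin Coffman's explanation that a KRB5KDC_ERR_PREAUTH_REQUIRED error carries the list of pre-authentication types the KDC offers (here: whether PA-PK-AS-REQ is among them), and the MITKRB5-SA-2010-001 DETAILS section, where the inner msg-type of a request can disagree with its outer ASN.1 APPLICATION tag (here: an envelope check that rejects such a message). The DER helpers are written in the block; the type numbers come from RFC 4120 and RFC 4556; the sample METHOD-DATA and KDC-REQ messages are constructed in the block and are not captured traffic.

```python
"""Minimal DER reader for the cleartext envelope of Kerberos KDC messages.
Added example for this list archive, not code from MIT krb5; every message
here is constructed in this file, nothing is captured traffic."""

PA_ENC_TIMESTAMP, PA_PK_AS_REQ, PA_ETYPE_INFO2 = 2, 16, 19  # RFC 4120 7.5.2, RFC 4556
KRB_AS_REQ, KRB_TGS_REQ = 10, 12  # msg-type values equal the APPLICATION tags (RFC 4120 5.4.1)

def _tlv(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _der_int(value):  # non-negative INTEGER; adds a 0x00 byte when the top bit is set
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _ctx(n, content):  # context-specific [n], EXPLICIT tagging as all Kerberos fields use
    return _tlv(0xA0 | n, content)

def _read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag byte, content, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if (tag & 0x1F) == 0x1F or pos + length > len(buf):
        raise ValueError("unsupported tag form or truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(content):  # (tag, content) of each TLV directly inside a constructed value
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner

def _ctx_fields(seq_content):
    """Map [n] -> inner bytes for a SEQUENCE whose members are context-tagged."""
    return {t & 0x1F: inner for t, inner in _children(seq_content) if (t & 0xC0) == 0x80}

def _unwrap_int(explicit):
    tag, body, _ = _read_tlv(explicit)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(body, "big", signed=True)

def preauth_types(method_data):
    """padata-type of each PA-DATA in a METHOD-DATA, the structure the e-data of a
    KRB5KDC_ERR_PREAUTH_REQUIRED error carries.  No key is needed: it is cleartext."""
    tag, content, _ = _read_tlv(method_data)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE OF PA-DATA")
    types = []
    for _tag, pa_data in _children(content):
        types.append(_unwrap_int(_ctx_fields(pa_data)[1]))
    return types

def offers_pkinit(method_data):
    """True when the error lists PA-PK-AS-REQ, so the client can answer with a
    second AS-REQ carrying its certificate rather than an encrypted timestamp."""
    return PA_PK_AS_REQ in preauth_types(method_data)

def kdc_req_envelope(msg):
    """Return (APPLICATION tag, msg-type, cleartext padata types) of a KDC-REQ.
    Rejects a message whose inner msg-type disagrees with its outer tag, which
    is the consistency check MITKRB5-SA-2010-001 adds to the KDC."""
    tag, content, _ = _read_tlv(msg)
    app = tag & 0x1F
    if (tag & 0xE0) != 0x60 or app not in (KRB_AS_REQ, KRB_TGS_REQ):
        raise ValueError("not an AS-REQ or TGS-REQ")
    seq_tag, seq, _ = _read_tlv(content)
    if seq_tag != 0x30:
        raise ValueError("KDC-REQ must be a SEQUENCE")
    fields = _ctx_fields(seq)
    msg_type = _unwrap_int(fields[2])
    if msg_type != app:
        raise ValueError("msg-type %d inside APPLICATION %d" % (msg_type, app))
    return app, msg_type, (preauth_types(fields[3]) if 3 in fields else [])

def envelope_is_consistent(msg):  # accept/reject form of kdc_req_envelope
    try:
        return kdc_req_envelope(msg) is not None
    except ValueError:
        return False

# Constructed samples (not captured from any KDC).
def _pa_data(pa_type, value=b""):
    return _tlv(0x30, _ctx(1, _der_int(pa_type)) + _ctx(2, _tlv(0x04, value)))

def sample_preauth_required_edata(with_pkinit):
    """METHOD-DATA such as a KDC puts in the e-data of KRB5KDC_ERR_PREAUTH_REQUIRED."""
    offered = [PA_ETYPE_INFO2, PA_ENC_TIMESTAMP] + ([PA_PK_AS_REQ] if with_pkinit else [])
    return _tlv(0x30, b"".join(_pa_data(t) for t in offered))

def sample_kdc_req(app_tag, msg_type):
    """KDC-REQ skeleton (empty req-body, dummy timestamp padata); outer tag and
    msg-type are set independently so the envelope check can be exercised."""
    body = (_ctx(1, _der_int(5)) + _ctx(2, _der_int(msg_type))
            + _ctx(3, _tlv(0x30, _pa_data(PA_ENC_TIMESTAMP, b"\x00" * 8)))
            + _ctx(4, _tlv(0x30, b"")))
    return _tlv(0x60 | app_tag, _tlv(0x30, body))
```

`preauth_types(sample_preauth_required_edata(True))` yields `[19, 2, 16]`, which is the kind of list Kevin Coffman refers to: a client that sees 16 (PA-PK-AS-REQ) can proceed with PKINIT, one that sees only 2 and 19 is being asked for an encrypted timestamp. `kdc_req_envelope` reads msg-type and padata from a KDC-REQ without any key, which is the property Greg Hudson's reply describes, and it refuses a message whose outer tag says AS-REQ while its msg-type says TGS-REQ, which is the inconsistency the advisory's patch makes the KDC reject before it reaches the assert.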
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 16 Feb 2010 23:42:59 -0800
Subject: krb5-strength 1.0 released
Message-ID: <87bpfo2tq4.fsf@windlord.stanford.edu>

I'm pleased to announce release 1.0 of krb5-strength.

krb5-strength provides mechanisms for checking the strength of Kerberos
passwords against an external dictionary when a user changes passwords
in a Kerberos KDC.  It is roughly equivalent to checking password
strength via CrackLib, except that it embeds a copy of Alec Muffett's
CrackLib that has been modified to perform slightly more strenuous
tests.  It is usable as-is with Heimdal.  With MIT Kerberos, it
requires an included patch to libkadm5srv to support a dynamically
loaded password check module.

I was hoping to finish, for this release, an updated version of the
patch for MIT Kerberos based on extensive work by Marcus Watts, but I
unfortunately ran out of time.  Hopefully the next release.

Changes from previous release:

    Add heimdal-strength, a program that checks password strength using
    the protocol for a Heimdal external check program.  The shared
    module now also exports the interface expected by Heimdal's
    dynamically loaded password strength checking API and can be used
    as a Heimdal kadmin plugin.

    Add a new plugin API for MIT Kerberos modelled after the plugin API
    used for other MIT Kerberos plugins.  Thanks to Marcus Watts for
    substantial research and contributions to the interface design.
    This work is incomplete in this release, missing the corresponding
    patch to MIT Kerberos.

    Fixed the data format written by the included packer program to add
    enough nul bytes at the end of the data.  Previously, there were not
    enough trailing nul bytes for the expected input format, leading to
    uninitialized memory reads in the password lookup.

    Add a test suite using the driver and library from C TAP Harness
    1.1.

    Add portability code for platforms without a working snprintf or
    other deficiencies and updated the code to take advantage of those
    guarantees.

You can download it from:

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already
listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From winay.l at gmail.com Wed Feb 17 11:49:09 2010
From: winay.l at gmail.com (vinay kumar)
Date: Wed, 17 Feb 2010 22:19:09 +0530
Subject: PA-PK-AS-REQ missing
Message-ID:

Hi all,

I am implementing PKINIT, but I am not getting PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC.
It's asking password to authenticate and sending encrypted time-stamp in
the second AS_REQ to KDC, but I want to use certificate based
authentication. So the fields PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are
needed in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC.

My KDC's krb5.conf and kdc.conf are as follows:

****************************krb5.conf************************************
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = GLOBALEDGESOFT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 pkinit_anchors = DIR:/ca/
 GLOBALEDGESOFT.COM={
  pkinit_require_eku = true
  pkinit_require_krbtgt_otherName = true
  pkinit_require_hostname_match = true
 }

[realms]
 GLOBALEDGESOFT.COM = {
 kdc = 172.16.10.211
 admin_server = 172.16.10.211
 default_domain = globaledgesoft.com
 }

[domain_realm]
 .globaledgesoft.com = GLOBALEDGESOFT.COM
 globaledgesoft.com = GLOBALEDGESOFT.COM

[kdc]
 profile = /etc/kdc.conf
 pkinit_identity = FILE:/kdc/kdc.crt,/kdc/kdc.key
 require-preauth = yes

[kadmin]
 require-preauth = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
****************************************************************************
***********************kdc.conf*******************************************
[kdcdefaults]
        kdc_ports = 750,88
        pkinit_anchors = DIR:/ca/
        pkinit_identity = DIR:/kdc/

[realms]
        GLOBALEDGESOFT.COM = {
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                pkinit_identity = FILE:/client/client.crt,/client/client.key
                pkinit_anchors = DIR:/ca/
                default_principal_expiration = +preauth, -pwservice
        }

[kdc]
 require-preauth = yes
*************************************************************************
I have generated the certificates using openssl:
/ca contains ca.crt  ca.csr  ca.key
/kdc contains kdc.crt  kdc.csr  kdc.key
/client contains client.crt  client.csr  client.key
*************************************************************************
I have not used any intermediate certificates, so I have not included
PKINIT_POOL and PKINIT_REVOKE in the above kdc.conf files.

kdc.crt and client.crt are signed by ca.crt. ca.crt I have generated as
follows:

************* CA certificates ***********/
** openssl genrsa -out ca.key 2048
** openssl req -new -key ca.key -out ca.csr
** openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
**
** at the end of this I have ca.crt and ca.key which is self signed
**
/************* END of CA crt **************/

Plz kindly check the above kdc.conf, krb5.conf files and guide me what
are modifications needed so as to get PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP
fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC.

Regards,
Vinay

From jaltman at secure-endpoints.com Wed Feb 17 18:47:49 2010
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 17 Feb 2010 18:47:49 -0500
Subject: ANNOUNCEMENT: Network Identity Manager Version 2.0 Beta 2 available for public testing
Message-ID: <4B7C8025.2020109@secure-endpoints.com>

URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of Network Identity Manager v2 Beta 2. Version 2.0 is the end of a three year effort to improve the usability and capabilities of the product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish to obtain credentials for a Kerberos v5 identity. Instead, they select previously used identities from a list.
 * A "New Identity Wizard" walks the user through the configuration of all derived credential types when creating a new identity.
 * Progress dialogs inform the user of progress of each stage of the credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing identities from one another.
 * The basic identity view now includes:
   o an animated battery that visualizes the remaining lifetime and permits users to quickly recharge the credential.
   o summary information describing the types and numbers of each derived credential obtained by the identity.
   o dynamic progress bars when credential renewal takes place in the background.
   o a star button to represent the current default identity and permit setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the need to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF manual has been retired and the Windows Help documentation is comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider is included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used to protect the passwords of multiple Kerberos v5 principals. Unlocking the KeyStore results in the acquisition of credentials for each of the configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom identity providers, credential providers, and tool providers.

Changes since 1.99.24.128 (Pre v2.0 Beta 1)

Application:
 - Support for non-expiring identities.
 - Identity icon selection dialog now makes HTTP requests asynchronously. The UI reports any errors that may occur during an HTTP fetch and provides a 'Stop' button to abort lengthy operations.

KeyStore:
 - Master key lifetime can now be configured. It can also be set to never expire.

Kerberos v5:
 - Added UI controls for setting the 'Proxiable' flag for a new TGT. The setting can be controlled as a global default and as a per-identity setting.

Bug fixes:
 - Handling of custom menus was fixed to avoid a situation where the wrong submenu may be displayed for an action.
 - Fixed several memory leaks.
 - The generated description for the default keystore had an unexpanded insertion sequence.
 - Saved originals of an identity icon image may have a different resolution than the source image and may not match the saved crop rectangle.

Thanks to all of the testers from 17 countries that have downloaded Version 2.0 Beta 1. This beta period will last two weeks. Please try out the new release and provide feedback to netidmgr at secure-endpoints.com.

Downloads and documentation are available from URL: http://www.secure-endpoints.com/netidmgr/v2/.

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.

From rra at stanford.edu Wed Feb 17 23:29:01 2010
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 17 Feb 2010 20:29:01 -0800
Subject: kadmin-remctl 3.0 released
Message-ID: <87iq9vdv5e.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.0 of kadmin-remctl.

kadmin-remctl provides a remctl backend that implements basic Kerberos account administration functions (create, delete, enable, disable, reset password, examine) plus user password changes and a call to strength-check a given password. It can also provide similar management of instances and creation, deletion, and management of accounts in Heimdal, MIT Kerberos, Active Directory, and an AFS kaserver where appropriate. Also included is a client for privileged users to use for password resets. Many of the defaults and namespace checks are Stanford-specific, but it can be modified for other sites.

Changes from previous release:

    Add kadmin-backend-heim, which duplicates the kadmin-backend functionality for Heimdal. The examine function of this backend duplicates the output of the MIT getprinc function so that the output is compatible with the output of kadmin-backend. This separate script is a temporary measure until both scripts can be refactored as Perl modules and use a better method to avoid code duplication.

    Use the Heimdal external program API for password strength checking in kadmin-backend-heim and check password strength on create if strength checking is enabled for that instance, since the Heimdal kadmin API doesn't enforce password strength on passwords changed by administrators.

    Allow - in principal names for the examine function.

    Add new config item for each instance, locked. This optional value contains an array of a command and any arguments to it, which is called to determine if the instance is locked for some external policy reason. If so, the enable command will fail for this instance.

    Significantly improve the error reporting in ksetpass and passwd_change by using modern Kerberos error functions where available, and avoid Kerberos API calls that are deprecated on Heimdal.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From klongfel at yahoo.com Thu Feb 18 17:00:51 2010
From: klongfel at yahoo.com (Kevin Longfellow)
Date: Thu, 18 Feb 2010 14:00:51 -0800 (PST)
Subject: MIT Kerberos version 1.6 with F5 BigIP
Message-ID: <85157.68478.qm@web53507.mail.re2.yahoo.com>

Hi,

Just wondering if anyone can tell me if it's possible or reasonable to put multiple KDCs behind an F5 BigIP for load balancing purposes? We have tried a simple configuration with port 88 UDP but it seems to cause some issues with the KDCs. Getting a TGT with kinit seems to work just fine but using an application (e.g. nfs) the TGS seems to fail. It would be nice to use the F5 load balancer since we have to use krb5.conf deploying it on thousands of systems.

KDC issue in log file:

tail -f /var/log/krb5kdc.log
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)

We suspect this is the F5 probe to determine if port 88 is alive?

When trying to access a Kerberos nfs mount point the kinit works but the TGS seems to fail. Briefly looking at a packet trace of the failure shows as the last packet received from the F5:

KRB ERROR: KRB5KRB_AP_ERR_BADADDR

Any information on load balancing KDCs with an F5 would be highly appreciated.

Thanks,
Kevin

From dkelson at gurulabs.com Thu Feb 18 17:21:23 2010
From: dkelson at gurulabs.com (Dax Kelson)
Date: Thu, 18 Feb 2010 15:21:23 -0700
Subject: MIT Kerberos version 1.6 with F5 BigIP
In-Reply-To: <85157.68478.qm@web53507.mail.re2.yahoo.com>
References: <85157.68478.qm@web53507.mail.re2.yahoo.com>
Message-ID: <1266531683.2649.9.camel@localhost>

On Thu, 2010-02-18 at 14:00 -0800, Kevin Longfellow wrote:
> When trying to access a Kerberos nfs mount point the kinit works but the TGS seems to fail. Briefly looking at a packet trace of the failure shows as the last packet received from the F5:
>
> KRB ERROR: KRB5KRB_AP_ERR_BADADDR

Hi Kevin,

In your krb5.conf in the [libdefaults] section are you using:

noaddresses = true

Dax Kelson
Guru Labs

From jaltman at secure-endpoints.com Fri Feb 19 13:15:18 2010
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 19 Feb 2010 13:15:18 -0500
Subject: ANNOUNCEMENT: KCA Provider 2.4 for Network Identity Manager (aka kx509)
Message-ID: <4B7ED536.8010008@secure-endpoints.com>

Secure Endpoints Inc. is proud to announce the availability of the Kerberized Certificate Authority Provider (aka kx509) version 2.4 for Network Identity Manager.

The KCA provider enables Network Identity Manager to obtain one or more X.509 certificates for each configured identity from Kerberos realms that have deployed a Kerberized Certificate Authority service. The obtained certificates are stored in the Windows logon session's "my certificate store". The KCA provider distribution includes a PKCS#11 module that will enable applications such as Firefox and Thunderbird to access the KCA issued certificates.

Version 2.4 improves upon prior releases in the following ways:

 * Support for KCA servers that do not include the KCA_REALM extension OID in the published certificates. Instead, the provider maintains a database of IssuerDN to Realm mappings for use in tracking the KCA issued certificates.

All users of prior KCA provider releases are encouraged to upgrade.

The latest KCA provider can be downloaded from https://www.secure-endpoints.com/#kcacred

Documentation can be reviewed at https://www.secure-endpoints.com/kcacred/index.html

All software distributions from Secure Endpoints Inc. are digitally signed using a Verisign Authenticode certificate.

Jeffrey Altman
Secure Endpoints Inc.

From l_v_k_1986 at yahoo.co.in Sun Feb 21 11:47:54 2010
From: l_v_k_1986 at yahoo.co.in (lokesh kumar)
Date: Sun, 21 Feb 2010 22:17:54 +0530 (IST)
Subject: preauth pkinit failed to initialize
Message-ID: <740612.81727.qm@web94615.mail.in2.yahoo.com>

Hi all,

I have enabled pkinit, but I am not getting the PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC. In the kdc log file I found the following data:

preauth pkinit failed to initialize: No realms configured correctly for pkinit support

Please tell me how to configure the realms. Please guide me.

Regards,
Vinay

From huaraz at moeller.plus.com Sun Feb 21 12:28:12 2010
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 21 Feb 2010 17:28:12 -0000
Subject: KDC name resolution question
Message-ID:

I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The environment has 23 AD servers for the domain. Everything is resiliently set up with 3 DNS servers. I now observe that when the first DNS server fails a kinit takes 80 seconds or more. Some applications using Kerberos via pam_krb5 time out after 20 or 30 seconds or even less. I wonder what would be the best way to configure the clients to reduce the authentication time? When I only configure 3 servers with DNS names in krb5.conf I still get 20 second delays. A simple DNS lookup is about a second (e.g. it detects very quickly the second working DNS server).

Is the same DNS resolution method used in the newer Kerberos releases (I couldn't check yet)?

Thank you
Markus

From rra at stanford.edu Mon Feb 22 01:06:10 2010
From: rra at stanford.edu (Russ Allbery)
Date: Sun, 21 Feb 2010 22:06:10 -0800
Subject: wallet 0.10 released
Message-ID: <87iq9prei5.fsf@windlord.stanford.edu>

I'm pleased to announce release 0.10 of wallet.

The wallet is a system for managing secure data, authorization rules to retrieve or change that data, and audit rules for documenting actions taken on that data. Objects of various types may be stored in the wallet or generated on request and retrieved by authorized users. The wallet tracks ACLs, metadata, and trace information. It is built on top of the remctl protocol and uses Kerberos GSS-API authentication. One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to Kerberos kadmind with richer ACL and metadata operations.

Changes from previous release:

    Add support for Heimdal KDCs as well as MIT Kerberos KDCs. There is now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE. It should be set to either "MIT" or "Heimdal" depending on the Kerberos KDC implementation used. The Heimdal support requires the Heimdal::Kadm5 Perl module.

    Remove kaserver synchronization support. It is no longer tested, and retaining the code was increasing the complexity of wallet, and some specific requirements (such as different realm names between kaserver and Kerberos v5 and the kvno handling) were Stanford-specific. Rather than using this support, AFS sites running kaserver will probably find deploying Heimdal with its internal kaserver compatibility is probably an easier transition approach.

    Remove the kasetkey client for setting keys in an AFS kaserver.

    The wallet client no longer enables kaserver synchronization when a srvtab is requested with -S. Instead, it just extracts the DES key from the keytab and writes it to a srvtab. It no longer forces the kvno of the srvtab to 0 (a Stanford-specific action) and instead preserves the kvno from the key in the keytab. This should now do the right thing for sites that use a KDC that serves both Kerberos v4 and Kerberos v5 from the same database.

    The wallet client can now store data containing nul characters and wallet-backend will accept it if passed on standard input instead of as a command-line argument. See config/wallet for the new required remctld configuration. Storing data containing nul characters requires remctl 2.14 or later.

    Correctly handle storing of data that begins with a dash and don't parse it as an argument to wallet-backend.

    Fix logging in wallet-backend and the remctl configuration to not log the data passed to store.

    Move all reporting from Wallet::Admin to Wallet::Report and simplify the method names since they're now part of a dedicated reporting class. Similarly, create a new wallet-report script to wrap Wallet::Report, moving all reporting commands to it from wallet-admin, and simplify the commands since they're for a dedicated reporting script.

    Add additional reports for wallet-report: objects owned by a specific ACL, objects owned by no one, objects of a specific type, objects with a specific flag, objects for which a specific ACL has privileges, ACLs with an entry with a given type and identifier, and ACLs with no members.

    Add a new owners command to wallet-report and corresponding owners() method to Wallet::Report, which returns all ACL lines on owner ACLs for matching objects.

    Report ACL names as well as numbers in object history.

    The wallet client now uses a temporary disk ticket cache when obtaining tickets with the -u option rather than an in-memory cache, allowing for a libremctl built against a different Kerberos implementation than the wallet client. This primarily helps with testing.

    Update to rra-c-util 2.3:

    * Use Kerberos portability layer to support Heimdal.
    * Avoid Kerberos API calls deprecated on Heimdal.
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config results don't work.
    * Add --with-krb5-include and --with-krb5-lib configure options.
    * Add --with-remctl-include and --with-remctl-lib configure options.
    * Add --with-gssapi-include and --with-gssapi-lib configure options.
    * Don't break if the user clobbers CPPFLAGS at build time.
    * Suppress error output from krb5-config probes.
    * Prefer KRB5_CONFIG over a path constructed from --with-*.
    * Update GSS-API probes for Solaris 10's native implementation.
    * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
    * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
    * Provide a proper bool type with Sun Studio 12 on Solaris 10.
    * Break util/util.h into separate header files per module.
    * Update portable and util tests for C TAP Harness 1.1.

    Update to C TAP Harness 1.1:

    * Remove the need for Autoconf substitution in test programs.
    * Support running a single test program with runtests -o.
    * Properly handle test cases that are skipped in their entirety.
    * Much improved C TAP library more closely matching Test::More.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From klongfel at yahoo.com Mon Feb 22 10:02:49 2010
From: klongfel at yahoo.com (Kevin Longfellow)
Date: Mon, 22 Feb 2010 07:02:49 -0800 (PST)
Subject: krb5kdc: Invalid message type - while dispatching (udp)
Message-ID: <706643.67256.qm@web53507.mail.re2.yahoo.com>

Hi,

We are testing using an F5 BigIP load balancer for the KDCs. Setting the F5 for port 88 UDP works but the F5 probe produces the below kdc issue in the log file. The response from F5 is to "paste a proper Kerberos UDP payload into the health monitor". I think if F5 knew what that was they would tell us. Anyone know what should be put in the send string under properties for the UDP probe?

[root at dadvig0065 log]# tail krb5kdc.log
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)

Thanks,
Kevin

From mcc171 at psu.edu Mon Feb 22 10:16:05 2010
From: mcc171 at psu.edu (Mark Campbell)
Date: Mon, 22 Feb 2010 10:16:05 -0500
Subject: MAC cached credentials MIT Krb
Message-ID: <4B829FB5.7020307@psu.edu>

We are trying to get our MACs to use our central MIT kerberos realm. We need the ability for users to use cached credentials in order to log in outside of work, say on travel trips on an airline, etc., where a network connection is not available. So far the mobile account creation does not work. Does anyone know how to make this work with a MIT Krb5 realm?

Thanks

Mark

From winay.l at gmail.com Fri Feb 19 05:57:32 2010
From: winay.l at gmail.com (vinay kumar)
Date: Fri, 19 Feb 2010 16:27:32 +0530
Subject: Preauthentication Error
Message-ID:

Hi all,

I am implementing PKINIT. I have generated certificates using the openssl tool, but I am not getting the PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC. It is asking for a password to authenticate and sending an encrypted timestamp in the second AS_REQ to the KDC, but I want to use certificate-based authentication. So the fields PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

I have compiled the preauth pkinit plugin with the '-DDEBUG' option; the following data is displayed when I run the kdc in the foreground:

***********************************************************************************************************
bash-3.1# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'GLOBALEDGESOFT.COM'
pkinit_server_plugin_init_realm: initializing context at 0x8065e98 for realm 'GLOBALEDGESOFT.COM'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x806ff28
pkinit_init_identity_crypto: returning ctx at 0x8070fa8
pkinit_init_kdc_profile: entered for realm GLOBALEDGESOFT.COM
pkinit_fini_identity_crypto: freeing ctx at 0x8070fa8
pkinit_fini_plg_crypto: freeing context at 0x806ff28
pkinit_server_plugin_fini: freeing context at 0x8064a58
**********************************************************************************************************

No extra data is displayed when I do kinit for a principal from the client system.

The reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC captured in wireshark contains the following fields:

*********************************************************************************************************
e-text: NEEDED-PREAUTH
e-data
  padata: PA-ENC-TIMESTAMP Unknown:B6 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
    Type: PA-ENC-TIMESTAMP (2)
    Type: Unknown (136)
    Type: PA-ENCTYPE-INFO2 (19)
    Type: PA-SAM-RESPONSE (13)
    Type: Unknown (133)
*********************************************************************************************************

Please guide me on what modifications are needed so as to get the PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

Regards,
Vinay

From jawashin at illinois.edu Sun Feb 21 21:30:05 2010
From: jawashin at illinois.edu (John Washington)
Date: Sun, 21 Feb 2010 20:30:05 -0600
Subject: KDC name resolution question
In-Reply-To:
References:
Message-ID: <20100222022751.GB24883@kyoto.cites.uiuc.edu>

* Markus Moeller [2010-02-21 12:55]:
> I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The
> environment has 23 AD servers for the domain. Everything is resiliently
> set up with 3 DNS servers. I now observe that when the first DNS server
> fails a kinit takes 80 seconds or more.

DNS server, or domain controller, or both? Sounds like you may be getting double timeouts (DNS timeout then Kerberos timeout). I would try to have different orders for DNS servers and kerberos servers if they are hosted on the same hardware:

DNS:

  server1
  server2
  server3

kerberos:

  server2
  server3
  server1

> Some application using Kerberos via
> pam_krb5 timeout after 20 or 30 seconds or even less. I wonder what would
> be the best way to configure the clients to reduce the authentication time ?
> When I only configure 3 servers with DNS names in krb5.conf I still get 20
> seconds delays. A simple DNS lookup is about a second (e.g. it detects very
> quickly the second working DNS server)

You will always get downtime if there isn't a response back, as both DNS and Kerberos will ask in serial to minimize network chatter. 3 servers will look the same as 300 if only the primary host is down. Caching DNS libraries also alter the behavior for DNS, as the normal DNS downtime may have been absorbed somewhere else (the library drops the first server after a resolution failure), or it may be using a previously seen address.

> Is the same DNS resolution method used in the newer Kerberos releases (I
> couldn't check yet) ?

DNS is handled by the operating system libraries. This means that caching and other behaviors are controlled by your environment.

> Thank you
> Markus
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
John Washington
Network Security Officer, University of Illinois Urbana-Champaign

From raeburn at MIT.EDU Mon Feb 22 10:58:23 2010
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 22 Feb 2010 10:58:23 -0500
Subject: krb5kdc: Invalid message type - while dispatching (udp)
In-Reply-To: <706643.67256.qm@web53507.mail.re2.yahoo.com>
References: <706643.67256.qm@web53507.mail.re2.yahoo.com>
Message-ID: <22BA3E3E-6FF6-4E1D-99D0-B1AFFBD05F30@mit.edu>

On Feb 22, 2010, at 10:02, Kevin Longfellow wrote:
>
> Hi,
>
> We are testing using a F5 BigIP load balancer for the kdc's. Setting the F5 for port 88 UDP works but the F5 probe produces the below kdc issue in the log file. The response from F5 is to "paste a proper Kerberos UDP payload into the health monitor". I think if F5 knew what that was they would tell us. Anyone know what should be put in send string under properties for the UDP probe?
>
> [root at dadvig0065 log]# tail krb5kdc.log
> krb5kdc: Invalid message type - while dispatching (udp)

If the F5 doesn't conclude that the KDC is offline because of this, you could just leave it be. (Though, we probably should be logging at least the address the bogus packet is coming from.)

Or, you could use tcpdump or wireshark or some such tool to capture a real Kerberos request triggered by running "kinit", and have the F5 replay that. It doesn't even have to be for a valid principal -- you could use "kinit F5-probe at YOUR.REALM", so that you can know from the name in the logged error messages that they're triggered by the F5 probes.

There isn't any sort of simple "are you there" message in the Kerberos protocol.

Ken

P.S. If you're willing to reveal it, I'm curious about what kind of environment you have that actually needs load balancing for KDCs. It's pretty common to have multiple KDCs for redundancy in case of hardware problems, or locality if there are multiple sites, but I've heard of few cases where KDC performance was actually a problem. If you've got any sort of analysis available showing when performance of a single KDC becomes inadequate with what kind of hardware, etc., I'd like to see it. (E.g., peak request rates, KDC maxing out its CPU usage, timeouts, whatever you've observed.)

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From wrbeaudo at eos.ncsu.edu Mon Feb 22 09:52:04 2010
From: wrbeaudo at eos.ncsu.edu (Billy Beaudoin)
Date: Mon, 22 Feb 2010 09:52:04 -0500
Subject: KfW 3.2.2 - use_dns_lookup not using DNS responses on Win 7
Message-ID: <4B8253C4.0625.0078.0@gw.ncsu.edu>

I suspect this is something broken in our setup, and likely not an issue with KfW itself, but I've exhausted just about everything I know trying to figure this one out, so I'm sending it to the list and hoping someone's already hit this one.

Using KfW 3.2.2 (w/ OpenAFS 1.5.68) on Win 7 (64 or 32), when setting use_dns_lookup=1, I get a KDC not found error. Specifying a KDC works fine. Doing a packet capture, I can see that it is actually doing the DNS lookup and gets back the correct information. It's looking for both the UDP and TCP records (we only use UDP), and getting back correct UDP info. It's just not actually using it when it gets back.

We're running an AD and doing GPO deployment of the package so it should be consistent, and all of the XP/Vista boxes are happy. We are making use of the MS EC WSSG policies with some tweaks, but we've not found any settings that seem to make a bit of difference (enabling/disabling packet signing, disabling IPv6, etc.). Process Monitor from Sysinternals isn't giving me anything useful, and the logging from KfW isn't either.

So here's to hoping someone's already run into this and can point me in the right direction.

Billy Beaudoin
ITECS Systems
NC State University

From huaraz at moeller.plus.com Mon Feb 22 15:14:44 2010
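Returning to the F5 health-monitor question in the "krb5kdc: Invalid message type" thread above (Kevin Longfellow's post and Ken Raeburn's reply): as an added example, not code from the list or from MIT Kerberos, the following Python builds the same kind of AS-REQ that kinit sends, with no pre-authentication data, so it can be stored as the monitor's send string or sent directly by a probe script. It assumes a placeholder probe principal F5-probe, a placeholder realm EXAMPLE.COM, and a KDC reachable on UDP port 88. Any KDC answers a well-formed AS-REQ with either an AS-REP or a KRB-ERROR (for a preauth-required principal the error is KDC_ERR_PREAUTH_REQUIRED, which is the reply the PKINIT posts above are looking at), and either one shows the KDC is alive, while a parseable payload no longer produces the "Invalid message type" log line. The DER encoder and the reply classifier are written out by hand so the message layout from RFC 4120 is visible.

```python
"""Minimal Kerberos AS-REQ as a KDC health-probe payload (added example)."""
import socket
import struct
from datetime import datetime, timezone

# --- tiny DER encoder: every RFC 4120 message is DER-encoded ASN.1 ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v):
    # two's-complement INTEGER of minimal length
    size = (v.bit_length() + 8) // 8
    return tlv(0x02, v.to_bytes(size, "big", signed=True))

def seq(*items):          # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))

def ctx(n, content):      # context-specific constructed tag [n]
    return tlv(0xA0 | n, content)

def app(n, content):      # APPLICATION n constructed tag
    return tlv(0x60 | n, content)

def general_string(s):    # KerberosString / Realm
    return tlv(0x1B, s.encode("ascii"))

def kerberos_time(dt):    # GeneralizedTime, e.g. 20100222150249Z
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def principal_name(name_type, *components):
    return seq(ctx(0, der_int(name_type)),
               ctx(1, seq(*(general_string(c) for c in components))))

NT_PRINCIPAL, NT_SRV_INST = 1, 2
KDC_ERR_PREAUTH_REQUIRED = 25
ETYPES = (18, 17)  # aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96

def build_as_req(client, realm, nonce=0x12345678):
    """DER AS-REQ without padata; the KDC answers with an AS-REP or, far more
    likely, a KRB-ERROR, and either reply proves the KDC is up."""
    till = datetime(2037, 9, 13, 2, 48, 5, tzinfo=timezone.utc)
    body = seq(
        ctx(0, tlv(0x03, b"\x00" + struct.pack(">I", 0))),  # kdc-options: no flags
        ctx(1, principal_name(NT_PRINCIPAL, client)),
        ctx(2, general_string(realm)),
        ctx(3, principal_name(NT_SRV_INST, "krbtgt", realm)),
        ctx(5, kerberos_time(till)),
        ctx(7, der_int(nonce)),
        ctx(8, seq(*(der_int(e) for e in ETYPES))),
    )
    # AS-REQ ::= [APPLICATION 10] KDC-REQ { pvno [1] 5, msg-type [2] 10, req-body [4] }
    return app(10, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

def build_krb_error(error_code, realm):
    """Constructed KRB-ERROR for offline testing (RFC 4120 5.9.1 layout)."""
    stime = datetime(2010, 2, 22, 15, 2, 49, tzinfo=timezone.utc)
    return app(30, seq(
        ctx(0, der_int(5)), ctx(1, der_int(30)),
        ctx(4, kerberos_time(stime)), ctx(5, der_int(0)),
        ctx(6, der_int(error_code)),
        ctx(9, general_string(realm)),
        ctx(10, principal_name(NT_SRV_INST, "krbtgt", realm)),
    ))

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_reply(data):
    """Name the outer message type of a KDC reply by its APPLICATION tag."""
    if not data:
        return "no-reply"
    return {0x6B: "AS-REP", 0x7E: "KRB-ERROR"}.get(data[0], "unexpected")

def krb_error_code(data):
    """error-code [6] of a DER KRB-ERROR, or None if data is not one."""
    if classify_reply(data) != "KRB-ERROR":
        return None
    _, inner, _ = _read_tlv(data, 0)
    _, fields, _ = _read_tlv(inner, 0)      # the SEQUENCE inside APPLICATION 30
    pos = 0
    while pos < len(fields):
        tag, content, pos = _read_tlv(fields, pos)
        if tag == 0xA6:                      # [6] error-code
            _, value, _ = _read_tlv(content, 0)
            return int.from_bytes(value, "big", signed=True)
    return None

def probe_kdc(host, port=88, realm="EXAMPLE.COM", client="F5-probe", timeout=2.0):
    """Send one AS-REQ over UDP and report (reply-type, error-code)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req(client, realm), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply", None
    return classify_reply(data), krb_error_code(data)
```

The KRB-ERROR the KDC returns for the probe name is logged with that name, which is Ken's point about telling probe traffic from real failures; the monitor should treat both "AS-REP" and "KRB-ERROR" as healthy and only "no-reply" or "unexpected" as down. build_krb_error exists only so the classifier can be exercised without a KDC; it is not something a KDC sends.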
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 22 Feb 2010 20:14:44 -0000
Subject: KDC name resolution question
In-Reply-To: <20100222022751.GB24883@kyoto.cites.uiuc.edu>
References: <20100222022751.GB24883@kyoto.cites.uiuc.edu>
Message-ID:

"John Washington" wrote in message news:20100222022751.GB24883 at kyoto.cites.uiuc.edu...
> * Markus Moeller [2010-02-21 12:55]:
>> I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The
>> environment has 23 AD servers for the domain. Everything is resiliently
>> set up with 3 DNS servers. I now observe that when the first DNS server
>> fails a kinit takes 80 seconds or more.
>
> DNS server, or domain controller, or both? Sounds like you may be
> getting double timeouts (DNS timeout then Kerberos timeout). I would
> try to have different orders for DNS servers and kerberos servers if
> they are hosted on the same hardware:
>

No, it is only DNS. The DNS server is not the same as the AD server, and when I look at the traffic I don't see any Kerberos traffic for 80 seconds, only DNS traffic.

> DNS:
>
> server1
> server2
> server3
>
> kerberos:
>
> server2
> server3
> server1
>
>> Some application using Kerberos via
>> pam_krb5 timeout after 20 or 30 seconds or even less. I wonder what
>> would
>> be the best way to configure the clients to reduce the authentication
>> time ?
>> When I only configure 3 servers with DNS names in krb5.conf I still get
>> 20
>> seconds delays. A simple DNS lookup is about a second (e.g. it detects
>> very
>> quickly the second working DNS server)
>
> You will always get downtime if there isn't a response back, as both DNS
> and Kerberos will ask in serial to minimize network chatter. 3 servers
> will look the same as 300 if only the primary host is down. Caching DNS
> libraries also alter the behavior for DNS, as the normal DNS downtime may
> have
> been absorbed somewhere else (the library drops the first server after a
> resolution failure), or it may be using a previously seen address.
>
>>
>> Is the same DNS resolution method used in the newer Kerberos releases (I
>> couldn't check yet) ?
>
> DNS is handled by the operating system libraries. This means that
> caching and other behaviors are controlled by your environment.
>

Yes, but the Kerberos library has the logic of reverse DNS if I remember right, and it looks like the library does all the DNS before attempting Kerberos, instead of doing DNS for the first server and trying Kerberos, and if that fails doing the reverse lookup of the second server.

>>
>> Thank you
>> Markus
>
> --
> John Washington Network Security Officer,
> University of Illinois Urbana-Champaign

From nshopik at gmail.com Mon Feb 22 12:30:13 2010
From: nshopik at gmail.com (Nikolay Shopik)
Date: Mon, 22 Feb 2010 20:30:13 +0300
Subject: MAC cached credentials MIT Krb
In-Reply-To: <4B829FB5.7020307@psu.edu>
References: <4B829FB5.7020307@psu.edu>
Message-ID: <4B82BF25.6010902@inblock.ru>

On 22.02.2010 18:16, Mark Campbell wrote:
> We are trying to get our MACs to use our central MIT kerberos realm. We
> need the ability for users to use cached credentails in order to log in
> outside of work say on travel trips on an airline, etc... where a
> network connection is not available. So far the mobile account creation
> does not work. Does any one know how to make this work with a MIT Krb5
> realm?
>
> Thanks
>
> Mark
>

You probably need pam_ccreds for that task.

From abe at ligo.caltech.edu Mon Feb 22 16:54:19 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Mon, 22 Feb 2010 13:54:19 -0800
Subject: another (different) KDC name resolution question
Message-ID: <20100222215418.GA60489@ligo.caltech.edu>

I'm trying to understand whether this is a bug or a feature, but it's problematic for us:

When a Kerberized daemon (server) gets contacted by a client, the server does a name lookup of *all* the KDCs in the realm before attempting to contact any KDC.

Normally this doesn't pose a problem. But if the KDCs are hosted in different domains, with different authoritative servers, and one of those DNS servers is not responding, then the server waits for timeout before eventually contacting the first KDC on the list for ticket validation.

In other words, if your krb5.conf has this:

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.other-domain.com
        kdc = kdc3.another-domain.com:88

And the nameserver(s) for kdc3.another-domain.com are not responding, all servers will respond very slowly to clients, because they will wait for the DNS lookups for kdc3.another-domain.com to time out before attempting to contact kdc1.example.com.

The intuitive behavior would be for the server to look up only kdc1.example.com and contact it, and if no answer, *then* look up the next kdc on the list.

So, is this behavior intentional, or a bug triggered by an unusual situation?

And yes, we have actually observed this behavior, and verified that the server does name lookups before doing KDC queries.

Thanks,

-- 
Abe

From abe at ligo.caltech.edu Mon Feb 22 16:56:17 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Mon, 22 Feb 2010 13:56:17 -0800
Subject: bind KDC to single interface?
Message-ID: <20100222215617.GB60489@ligo.caltech.edu>

Am I missing something in the documentation, or is there no way to tell krb5kdc to bind to a single network interface (as opposed to binding to all of them)?

From phalenor at gmail.com Mon Feb 22 17:14:00 2010
From: phalenor at gmail.com (Andy Cobaugh)
Date: Mon, 22 Feb 2010 17:14:00 -0500 (EST)
Subject: another (different) KDC name resolution question
In-Reply-To: <20100222215418.GA60489@ligo.caltech.edu>
References: <20100222215418.GA60489@ligo.caltech.edu>
Message-ID:

Try turning off dns_lookup_* in krb5.conf? Then the client *should* try
KDCs in the order they're listed in krb5.conf.

--andy

From abe at ligo.caltech.edu Mon Feb 22 17:27:39 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Mon, 22 Feb 2010 14:27:39 -0800
Subject: another (different) KDC name resolution question
In-Reply-To:
References: <20100222215418.GA60489@ligo.caltech.edu>
Message-ID: <20100222222737.GD60489@ligo.caltech.edu>

That *was* with dns_lookup_kdc and dns_lookup_realm turned off. The server
still has to resolve the hostnames listed in krb5.conf, even with the DNS
options turned off. And it appears to look up all of them before
contacting any KDCs.

I already know of workarounds, but I'm trying to understand whether what
I'm seeing is actually a bug. One workaround is putting A records all in
one domain that have the IP addresses of the hosts, even though they
actually live somewhere else. It works, but should I *have* to do that?

On Mon, Feb 22, 2010 at 05:12:42PM -0500, Andy Cobaugh wrote:
>
> Try turning off dns_lookup_* in krb5.conf? Then the client *should* try
> KDCs in the order they're listed in krb5.conf.

From ghudson at MIT.EDU Mon Feb 22 18:13:08 2010
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 22 Feb 2010 18:13:08 -0500
Subject: another (different) KDC name resolution question
In-Reply-To: <20100222215418.GA60489@ligo.caltech.edu>
References: <20100222215418.GA60489@ligo.caltech.edu>
Message-ID: <1266880388.20257.543.camel@ray>

On Mon, 2010-02-22 at 16:54 -0500, Abe Singer wrote:
> When a Kerberized daemon (server) gets contacted by a client, the server
> does a name lookup of *all* the KDCs in the realm before attempting to
> contact any KDC.
[...]
> So, is this behavior intentional, or a bug triggered by an unusual
> situation?

This behavior follows from the internal APIs. krb5_locate_kdc takes a
realm name and returns a complete list of addresses, and then
krb5_sendto_kdc iterates over the address list. So it's not a bug,
although I'd be happy to call it a misfeature.

There are some complications in the way of changing the behavior
(specifically, a plugin interface which assumes the realm -> addrlist
interface), so I don't know if it's likely to get better in the near
future.

From abe at ligo.caltech.edu Mon Feb 22 18:30:20 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Mon, 22 Feb 2010 15:30:20 -0800
Subject: another (different) KDC name resolution question
In-Reply-To: <1266880388.20257.543.camel@ray>
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray>
Message-ID: <20100222233019.GF60489@ligo.caltech.edu>

Well, that at least explains it.

You could call it a misfeature, or just an unanticipated consequence.
I suspect what we're doing here is a rare case.

If it's not going to change anytime soon, some documentation in the right
place (e.g. admin or install manual) could help.

Thanks,

-- Abe

On Mon, Feb 22, 2010 at 06:13:08PM -0500, Greg Hudson wrote:
>
> On Mon, 2010-02-22 at 16:54 -0500, Abe Singer wrote:
> > When a Kerberized daemon (server) gets contacted by a client, the server
> > does a name lookup of *all* the KDCs in the realm before attempting to
> > contact any KDC.
> [...]
> > So, is this behavior intentional, or a bug triggered by an unusual
> > situation?
>
> This behavior follows from the internal APIs. krb5_locate_kdc takes a
> realm name and returns a complete list of addresses, and then
> krb5_sendto_kdc iterates over the address list. So it's not a bug,
> although I'd be happy to call it a misfeature.
>
> There are some complications in the way of changing the behavior
> (specifically, a plugin interface which assumes the realm -> addrlist
> interface), so I don't know if it's likely to get better in the near
> future.
>

From ghudson at MIT.EDU Mon Feb 22 18:32:32 2010
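A small diagnostic for the situation discussed above, added here as an example and not code from the thread or from MIT krb5: it lists the kdc entries of a realm from krb5.conf in the order libkrb5 sees them and times a name lookup of each, so the entry whose nameservers are not answering shows up as the one that holds up every resolve-all-first client. It assumes a POSIX shell with awk, getent and timeout available; the krb5.conf path, realm and per-lookup limit are arguments.

```shell
#!/bin/sh
# Added example (not from the thread or MIT krb5): list a realm's KDCs from
# krb5.conf and time each name lookup, to see which entry stalls a process
# that resolves every KDC before contacting the first one.
# Assumes awk, getent and timeout are available.

# Print the kdc hostnames of realm $2 from krb5.conf $1, in file order,
# with any ":port" suffix stripped.  Only the [realms] section is read.
list_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && $1 == realm && $2 == "=" { in_realm = 1; next }
        in_realm && /^[ \t]*\}/ { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" { sub(/:[0-9]+$/, "", $3); print $3 }
    ' "$1"
}

# Resolve one hostname through the resolver libc uses (getent), giving up
# after $2 seconds.  Prints "host ok|FAILED seconds".
time_lookup() {
    start=$(date +%s)
    if timeout "${2:-5}" getent hosts "$1" >/dev/null 2>&1; then
        status=ok
    else
        status=FAILED
    fi
    echo "$1 $status $(( $(date +%s) - start ))"
}

# Time every KDC of realm $2 in krb5.conf $1 with per-lookup limit $3.
# The last line contrasts the wait a resolve-all-first client pays before
# it can send anything to the first KDC with the cost of that KDC alone.
kdc_lookup_report() {
    total=0; first=""
    for host in $(list_kdcs "$1" "$2"); do
        line=$(time_lookup "$host" "${3:-5}")
        echo "$line"
        secs=${line##* }
        total=$((total + secs))
        [ -n "$first" ] || first=$secs
    done
    echo "first KDC alone: ${first:-0}s; all KDCs resolved up front: ${total}s"
}
```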
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 22 Feb 2010 18:32:32 -0500
Subject: bind KDC to single interface?
In-Reply-To: <20100222215617.GB60489@ligo.caltech.edu>
References: <20100222215617.GB60489@ligo.caltech.edu>
Message-ID: <1266881552.20257.546.camel@ray>

On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
> Am I missing something in the documentation, or is there no way to tell
> krb5kdc to bind to a single network interface (as opposed to binding to
> all of them)?

My reading of the code is that the KDC listener sockets are always bound
to INADDR_ANY (or the IPv6 equivalent).

From rra at stanford.edu Mon Feb 22 18:38:52 2010
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 22 Feb 2010 15:38:52 -0800
Subject: another (different) KDC name resolution question
In-Reply-To: <20100222233019.GF60489@ligo.caltech.edu> (Abe Singer's message of "Mon, 22 Feb 2010 15:30:20 -0800")
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu>
Message-ID: <87mxz0zvqr.fsf@windlord.stanford.edu>

Abe Singer writes:

> Well, that at least explains it.

> You could call it a misfeature, or just an unanticipated consequence.
> I suspect what we're doing here is a rare case.

Actually, you are far from the only person to have had trouble with this.
It's one of the more frequent complaints about the library behavior that
I've seen, and it can cause some significant delays if one's DNS resolver
is slow for some reason.

--
Russ Allbery (rra at stanford.edu)

From tlyu at MIT.EDU Mon Feb 22 19:20:40 2010
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 22 Feb 2010 19:20:40 -0500
Subject: another (different) KDC name resolution question
In-Reply-To: <87mxz0zvqr.fsf@windlord.stanford.edu> (Russ Allbery's message of "Mon, 22 Feb 2010 15:38:52 -0800")
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:

> Abe Singer writes:
>
>> Well, that at least explains it.
>
>> You could call it a misfeature, or just an unanticipated consequence.
>> I suspect what we're doing here is a rare case.
>
> Actually, you are far from the only person to have had trouble with this.
> It's one of the more frequent complaints about the library behavior that
> I've seen, and it can cause some significant delays if one's DNS resolver
> is slow for some reason.

Thanks; this is useful input. Working around the address resolution
latency issue probably requires redesign of some internal interfaces, as
Greg mentioned, so we will need to allocate resources accordingly. I've
added it to the roadmap. If you and others could rank its priority
relative to the roadmap items that are already tentatively slated for
1.9, that would also be helpful.

http://k5wiki.kerberos.org/wiki/Roadmap

From abe at ligo.caltech.edu Mon Feb 22 19:28:45 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Mon, 22 Feb 2010 16:28:45 -0800
Subject: another (different) KDC name resolution question
In-Reply-To:
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu>
Message-ID: <20100223002844.GH60489@ligo.caltech.edu>

From my perspective on the DNS issue, we've got a workaround here that
should be good enough for us for the time being.

Thanks for the pointer to the roadmap. I'd like to know more about the
item "plugins for password quality checks." We're rolling our own mod of
kadmin that implements libcrack for password checking (I've got a lot of
good arguments for why that's way better than complexity rules). I was
going to submit a patch for consideration. If you're going to be
implementing that sort of capability, I'd vote for high priority for
that.

On Mon, Feb 22, 2010 at 07:20:40PM -0500, Tom Yu wrote:
> To: Russ Allbery
> Cc: Abe Singer , kerberos at mit.edu
> Subject: Re: another (different) KDC name resolution question
> From: Tom Yu
> Date: Mon, 22 Feb 2010 19:20:40 -0500
>
> Russ Allbery writes:
>
> > Abe Singer writes:
> >
> >> Well, that at least explains it.
> >
> >> You could call it a misfeature, or just an unanticipated consequence.
> >> I suspect what we're doing here is a rare case.
> >
> > Actually, you are far from the only person to have had trouble with this.
> > It's one of the more frequent complaints about the library behavior that
> > I've seen, and it can cause some significant delays if one's DNS resolver
> > is slow for some reason.
>
> Thanks; this is useful input. Working around the address resolution
> latency issue probably requires redesign of some internal interfaces,
> as Greg mentioned, so we will need to allocate resources accordingly.
> I've added it to the roadmap. If you and others could rank its
> priority relative to the roadmap items that are already tentatively
> slated for 1.9, that would also be helpful.
>
> http://k5wiki.kerberos.org/wiki/Roadmap

From rra at stanford.edu Mon Feb 22 19:32:04 2010
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 22 Feb 2010 16:32:04 -0800
Subject: another (different) KDC name resolution question
In-Reply-To: <20100223002844.GH60489@ligo.caltech.edu> (Abe Singer's message of "Mon, 22 Feb 2010 16:28:45 -0800")
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223002844.GH60489@ligo.caltech.edu>
Message-ID: <87y6ikyepn.fsf@windlord.stanford.edu>

Abe Singer writes:

> Thanks for the pointer to the roadmap. I'd like to know more about the
> item "plugins for password quality checks." We're rolling our own mod
> of kadmin that implements libcrack for password checking (I've got a lot
> of good arguments for why that's way better than complexity rules). I
> was going to submit a patch for consideration.

See also:

    http://www.eyrie.org/~eagle/software/krb5-strength/

which does the same thing except its embedded copy of CrackLib has
stronger rules, since we found Jack the Ripper could guess passwords
passed by CrackLib.

Marcus Watts has a much-improved libkadm5srv patch than the one included
in that package.

--
Russ Allbery (rra at stanford.edu)

From jblaine at kickflop.net Mon Feb 22 19:50:51 2010
From: jblaine at kickflop.net (Jeff Blaine)
Date: Mon, 22 Feb 2010 19:50:51 -0500
Subject: another (different) KDC name resolution question
In-Reply-To: <87y6ikyepn.fsf@windlord.stanford.edu>
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223002844.GH60489@ligo.caltech.edu> <87y6ikyepn.fsf@windlord.stanford.edu>
Message-ID: <4B83266B.8050603@kickflop.net>

Roadmap votes:

+ Trace logging for easier troubleshooting

Plus, if I may be so bold as to add one:

Plugin support improvements
+ Document existing plugin architecture

From tlyu at MIT.EDU Mon Feb 22 23:34:02 2010
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 22 Feb 2010 23:34:02 -0500
Subject: another (different) KDC name resolution question
In-Reply-To: <87y6ikyepn.fsf@windlord.stanford.edu> (Russ Allbery's message of "Mon, 22 Feb 2010 16:32:04 -0800")
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223002844.GH60489@ligo.caltech.edu> <87y6ikyepn.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:

> Abe Singer writes:
>
>> Thanks for the pointer to the roadmap. I'd like to know more about the
>> item "plugins for password quality checks." We're rolling our own mod
>> of kadmin that implements libcrack for password checking (I've got a lot
>> of good arguments for why that's way better than complexity rules). I
>> was going to submit a patch for consideration.
>
> See also:
>
> http://www.eyrie.org/~eagle/software/krb5-strength/
>
> which does the same thing except its embedded copy of CrackLib has
> stronger rules, since we found Jack the Ripper could guess passwords
> passed by CrackLib.
>
> Marcus Watts has a much-improved libkadm5srv patch than the one included
> in that package.

Is there a recent pointer to this patch by Marcus Watts?

From rra at stanford.edu Mon Feb 22 23:46:31 2010
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 22 Feb 2010 20:46:31 -0800
Subject: another (different) KDC name resolution question
In-Reply-To: (Tom Yu's message of "Mon, 22 Feb 2010 23:34:02 -0500")
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223002844.GH60489@ligo.caltech.edu> <87y6ikyepn.fsf@windlord.stanford.edu>
Message-ID: <87ljekwod4.fsf@windlord.stanford.edu>

Tom Yu writes:
> Russ Allbery writes:

>> See also:
>>
>> http://www.eyrie.org/~eagle/software/krb5-strength/
>>
>> which does the same thing except its embedded copy of CrackLib has
>> stronger rules, since we found Jack the Ripper could guess passwords
>> passed by CrackLib.
>>
>> Marcus Watts has a much-improved libkadm5srv patch than the one included
>> in that package.

> Is there a recent pointer to this patch by Marcus Watts?

Marcus sent me one privately. I think it's generally available, but I'm
not sure he's mentioned it in public, so I'll leave him to decide whether
to send a pointer. (Copied.)

--
Russ Allbery (rra at stanford.edu)

From raeburn at MIT.EDU Tue Feb 23 02:17:17 2010
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 23 Feb 2010 02:17:17 -0500
Subject: bind KDC to single interface?
In-Reply-To: <1266881552.20257.546.camel@ray>
References: <20100222215617.GB60489@ligo.caltech.edu> <1266881552.20257.546.camel@ray>
Message-ID: <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu>

On Feb 22, 2010, at 18:32, Greg Hudson wrote:
> On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
>> Am I missing something in the documentation, or is there no way to tell
>> krb5kdc to bind to a single network interface (as opposed to binding to
>> all of them)?
>
> My reading of the code is that the KDC listener sockets are always bound
> to INADDR_ANY (or the IPv6 equivalent).

Sort of... the KDC needs to be able to return a response from the same
(KDC-side) address that the client used, so it either needs something like
IP(V6)_PKTINFO support, in which case it can use IN(6)ADDR_ANY, or it
needs to bind a socket on each local address. While I've occasionally
heard queries about whether it's possible to bind to one address only,
and it would probably be good to offer that someday, I've never heard
anyone indicate why accepting Kerberos traffic on the other addresses is
a problem.... Perhaps if you want to run a KDC for a different realm on a
different address on the same machine, but you can serve up multiple
realms from one KDC process. Or maybe they're running the KDC on a
machine accessible from both internal and external networks, and have a
security policy in place that prohibits the latter because of the
offline-password-attack risk?

But, short answer, yeah, there's no option for that currently. It's one
of a few things I've been thinking about tweaking in the KDC network
handling though...

Ken

From D.H.Davis at bath.ac.uk Tue Feb 23 06:46:19 2010
From: D.H.Davis at bath.ac.uk (Dennis Davis)
Date: Tue, 23 Feb 2010 11:46:19 +0000 (GMT)
Subject: bind KDC to single interface?
In-Reply-To: <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu>
References: <20100222215617.GB60489@ligo.caltech.edu> <1266881552.20257.546.camel@ray> <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu>
Message-ID:

On Tue, 23 Feb 2010, Ken Raeburn wrote:

> From: Ken Raeburn
> To: Greg Hudson
> Cc: "kerberos at mit.edu"
> Date: Tue, 23 Feb 2010 07:17:17
> Subject: Re: bind KDC to single interface?
>
> On Feb 22, 2010, at 18:32, Greg Hudson wrote:
> > On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
> >> Am I missing something in the documentation, or is there no way to tell
> >> krb5kdc to bind to a single network interface (as opposed to binding to
> >> all of them)?
> >
> > My reading of the code is that the KDC listener sockets are always bound
> > to INADDR_ANY (or the IPv6 equivalent).
>
> Sort of... the KDC needs to be able to return a response from the
> same (KDC-side) address that the client used, so it either needs
> something like IP(V6)_PKTINFO support, in which case it can use
> IN(6)ADDR_ANY, or it needs to bind a socket on each local address.
> While I've occasionally heard queries about whether it's possible
> to bind to one address only, and it would probably be good to
> offer that someday, I've never heard anyone indicate why accepting
> Kerberos traffic on the other addresses is a problem.... Perhaps
> if you want to run a KDC for a different realm on a different
> address on the same machine, but you can serve up multiple realms
> from one KDC process. Or maybe they're running the KDC on a
> machine accessible from both internal and external networks, and
> have a security policy in place that prohibits the latter because
> of the offline-password-attack risk?

This is where your firewalling software (iptables on Linux, pf on
OpenBSD, etc.) comes in. Use it to make sure that only Kerberos
connections on the desired interface are allowed and all others are
denied.

I'd also be strongly tempted to make pre-authentication the default on
all principals if offline password attacks are a worry.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk Phone: +44 1225 386101

From winay.l at gmail.com Tue Feb 23 06:28:33 2010
From: winay.l at gmail.com (vinay kumar)
Date: Tue, 23 Feb 2010 16:58:33 +0530
Subject: Invalid signature while getting initial credentials
Message-ID:

Hi all,

I have enabled PKINIT, but when I try to do

    kinit -X X509_user_identity=FILE:/client/client.crt,/client/client.key vinay

I am getting the following error:

    kinit(v5): Invalid signature while getting initial credentials

client.crt and kdc.crt are both signed by ca.key. The method I have
adopted to generate the certificates is as follows:

/************ CA certificates ***********/

openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey -extfile extension.c ca.key -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by
the ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extfile extension.c -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

The extension file contains the details for including extensions, which
contains the data from the following link:
http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html

***************************client.crt**************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d4:f0:fe:50:5f:4a:13:ba
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:50:32 2010 GMT
            Not After : Feb 23 08:50:32 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
                    c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
                    ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
                    c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
                    6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
                    95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
                    d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
                    77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
                    57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
                    1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
                    fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
                    c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
                    5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
                    8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
                    ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
                    bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
                    0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
                    8b:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.4
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Subject Alternative Name:
                othername:
            X509v3 Issuer Alternative Name:
                othername:
    Signature Algorithm: sha1WithRSAEncryption
        31:85:60:ff:18:7c:5f:9f:b7:73:92:f9:89:4b:03:24:26:b9:
        8e:e0:11:5a:2d:a5:fb:06:e3:de:c1:9b:a5:75:4c:0b:f3:2f:
        b5:f5:97:13:d0:42:ee:af:b1:e3:30:32:5b:95:8d:ed:3f:2a:
        f6:0a:50:24:13:b2:4a:59:14:85:f9:92:22:5d:c3:f4:07:31:
        1b:73:9f:76:c7:de:30:53:46:61:d4:11:6d:f3:18:40:09:c0:
        04:d3:81:38:2b:46:4d:13:38:44:e9:57:d1:e7:dc:04:49:bf:
        09:b4:cb:98:84:c2:57:bd:83:f9:b9:f5:17:95:9c:63:c8:30:
        e5:88:1b:19:7d:bd:02:21:f8:a0:9d:91:d9:f5:6b:a2:fb:72:
        4a:ad:a4:a3:4c:f7:e2:74:7a:27:3f:b0:9c:61:d1:51:73:eb:
        d6:c0:7c:07:47:10:59:bf:a9:23:90:a0:f4:61:e5:59:3d:28:
        df:67:6d:ad:54:8d:31:fe:03:af:4f:ba:b8:cd:1a:4d:16:33:
        47:b8:cf:31:47:05:c8:8a:df:64:c0:b6:7b:f6:1b:e5:87:dc:
        eb:19:fb:61:4d:ca:cf:70:18:b5:bf:fd:11:a3:b3:ab:1e:a2:
        32:f2:b1:97:fc:87:45:05:83:cf:da:25:ee:8b:0b:5d:9e:b3:
        d5:d1:0c:a4
********************************************************************************************

My kdc.crt is as follows:

****************************kdc.crt********************************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:61:4d:c6:f6:3e:e9:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=gesl, CN=vinay
        Validity
            Not Before: Feb 23 08:52:16 2010 GMT
            Not After : Feb 23 08:52:16 2011 GMT
        Subject: OU=gesl, CN=vinay
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
                    c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
                    ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
                    c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
                    6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
                    95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
                    d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
                    77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
                    57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
                    1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
                    fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
                    c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
                    5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
                    8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
                    ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
                    bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
                    0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
                    8b:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
            X509v3 Subject Key Identifier:
                30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Authority Key Identifier:
                keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
            X509v3 Issuer Alternative Name:
            X509v3 Subject Alternative Name:
                othername:
    Signature Algorithm: sha1WithRSAEncryption
        76:f4:f8:3d:9d:cc:9b:52:4c:27:a2:77:bb:c1:09:2c:8d:1f:
        d0:c6:08:4f:5f:e6:30:50:c0:f8:83:94:b4:91:4e:2d:35:aa:
        11:d2:8e:4e:70:27:7b:cb:00:89:66:40:17:cf:2b:f0:d3:19:
        1b:dc:7c:9e:0b:78:b2:b3:df:ef:bd:da:a3:10:49:fc:9c:f7:
        b9:39:06:75:6d:a9:3f:82:67:93:01:9f:ac:ba:bd:aa:0a:85:
        a6:97:8c:a9:00:74:80:d1:80:2b:1c:30:d3:2d:fe:ca:27:98:
        7d:41:1e:fe:1b:d9:30:ab:c4:1e:84:01:60:d4:12:1b:f1:15:
        3b:8a:a3:a7:f3:15:c7:54:e4:7b:2a:8b:a7:45:7b:4b:5b:a2:
        30:c6:bf:6c:fb:39:c2:09:cb:33:1d:5d:19:91:f5:26:5f:09:
        85:12:60:b6:fb:dc:de:71:7a:9d:5e:32:8f:30:f1:73:10:39:
        f9:e7:24:4b:e4:43:6e:43:84:69:17:6f:95:54:53:f1:a7:83:
        b0:e1:a7:7b:5b:07:e5:ec:c4:ae:9c:39:e3:c4:8c:b2:e9:a6:
        7d:20:92:3a:d6:6c:64:91:d5:23:f7:5a:a6:96:81:64:b9:30:
        f7:8c:1a:90:03:6d:6b:63:5a:d6:24:1b:e7:2e:75:7b:44:17:
        58:a3:0e:64
*********************************************************************************************

What is the reason for getting this error? Is the method followed to
generate the certificates right? Please kindly guide me.

Regards,
Vinay

From abe at ligo.caltech.edu Tue Feb 23 10:12:06 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Tue, 23 Feb 2010 07:12:06 -0800
Subject: another (different) KDC name resolution question
In-Reply-To:
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu>
Message-ID: <20100223151204.GB63917@ligo.caltech.edu>

Here's a small (I think) suggestion for the roadmap:

* Add command-line option to kinit to allow specifying alternate
  credential cache, a la the -c option for kadmin.

On Mon, Feb 22, 2010 at 07:20:40PM -0500, Tom Yu wrote:
>
> Thanks; this is useful input. Working around the address resolution
> latency issue probably requires redesign of some internal interfaces,
> as Greg mentioned, so we will need to allocate resources accordingly.
> I've added it to the roadmap. If you and others could rank its
> priority relative to the roadmap items that are already tentatively
> slated for 1.9, that would also be helpful.
>
> http://k5wiki.kerberos.org/wiki/Roadmap

From deengert at anl.gov Tue Feb 23 10:26:49 2010
From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 23 Feb 2010 09:26:49 -0600 Subject: Invalid signature while getting initial credentials In-Reply-To: References: Message-ID: <4B83F3B9.80505@anl.gov> vinay kumar wrote: > Hi all, > > I have enabled PKINIT, but when i try to do kinit -X > X509_user_identity=FILE:/client/client.crt,/client/client.key vinay > i am getting following error: > > kinit(v5): Invalid signature while getting initial credentials > > client.crt and kdc.crt both are signed by ca.key. The method i have > adopted to generate certificate is as follows: > /************ CA certificates ***********/ > openssl genrsa -out ca.key 2048 > openssl req -new -key ca.key -out ca.csr > openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt > > at the end of this i have ca.crt and ca.key which is self signed > > /************* END of CA crt **************/ > > /************* Client certificate *********/ > > openssl genrsa -out client.key 2048 > openssl req -new -key client.key -out client.csr > openssl x509 -req -days 365 -in client.csr -signkey -extfile > extension.c ca.key -extensions > client_cert -out client.crt > > at the end of this i have client.crt and client.key which is signed by the > ca.key > > /************* END of client crt ***********/ > > /************* KDC certificate *************/ > > openssl genrsa -out kdc.key 2048 > openssl req -new -key kdc.key -out kdc.csr > openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extfile > extension.c -extensions kdc_cert > -out kdc.crt > > /************* END of KDC crt **************/ > > extension file contains the details for including extensions which is > contains the data from following link: > http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html > > ***************************client.crt************************************************** > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > d4:f0:fe:50:5f:4a:13:ba > Signature Algorithm: sha1WithRSAEncryption 
> Issuer: OU=gesl, CN=vinay > Validity > Not Before: Feb 23 08:50:32 2010 GMT > Not After : Feb 23 08:50:32 2011 GMT > Subject: OU=gesl, CN=vinay > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (2048 bit) > Modulus (2048 bit): > 00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3: > c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9: > ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a: > c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8: > 6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e: > 95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb: > d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9: > 77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50: > 57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73: > 1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2: > fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e: > c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93: > 5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e: > 8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73: > ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6: > bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d: > 0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d: > 8b:7f > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > X509v3 Key Usage: > Digital Signature, Key Encipherment, Key Agreement > X509v3 Extended Key Usage: > 1.3.6.1.5.2.3.4 > X509v3 Subject Key Identifier: > 30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83 > X509v3 Authority Key Identifier: > > keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83 > > X509v3 Subject Alternative Name: > othername: > X509v3 Issuer Alternative Name: > othername: > Signature Algorithm: sha1WithRSAEncryption > 31:85:60:ff:18:7c:5f:9f:b7:73:92:f9:89:4b:03:24:26:b9: > 8e:e0:11:5a:2d:a5:fb:06:e3:de:c1:9b:a5:75:4c:0b:f3:2f: > b5:f5:97:13:d0:42:ee:af:b1:e3:30:32:5b:95:8d:ed:3f:2a: > f6:0a:50:24:13:b2:4a:59:14:85:f9:92:22:5d:c3:f4:07:31: > 1b:73:9f:76:c7:de:30:53:46:61:d4:11:6d:f3:18:40:09:c0: > 04:d3:81:38:2b:46:4d:13:38:44:e9:57:d1:e7:dc:04:49:bf: > 
>         09:b4:cb:98:84:c2:57:bd:83:f9:b9:f5:17:95:9c:63:c8:30:
>         e5:88:1b:19:7d:bd:02:21:f8:a0:9d:91:d9:f5:6b:a2:fb:72:
>         4a:ad:a4:a3:4c:f7:e2:74:7a:27:3f:b0:9c:61:d1:51:73:eb:
>         d6:c0:7c:07:47:10:59:bf:a9:23:90:a0:f4:61:e5:59:3d:28:
>         df:67:6d:ad:54:8d:31:fe:03:af:4f:ba:b8:cd:1a:4d:16:33:
>         47:b8:cf:31:47:05:c8:8a:df:64:c0:b6:7b:f6:1b:e5:87:dc:
>         eb:19:fb:61:4d:ca:cf:70:18:b5:bf:fd:11:a3:b3:ab:1e:a2:
>         32:f2:b1:97:fc:87:45:05:83:cf:da:25:ee:8b:0b:5d:9e:b3:
>         d5:d1:0c:a4
> ********************************************************************************************
>
> My kdc.crt is as follows:
>
> ****************************kdc.crt********************************************************
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             d5:61:4d:c6:f6:3e:e9:11
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: OU=gesl, CN=vinay
>         Validity
>             Not Before: Feb 23 08:52:16 2010 GMT
>             Not After : Feb 23 08:52:16 2011 GMT
>         Subject: OU=gesl, CN=vinay
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:d6:38:14:2f:e0:20:46:da:7c:1e:5c:3d:3a:c3:
>                     c8:f5:0c:d4:50:9d:20:5e:e7:e6:9a:07:b8:48:e9:
>                     ee:9a:6a:3c:c2:6c:6c:e0:c6:6d:e4:67:9f:a0:9a:
>                     c3:16:4d:41:3a:79:d0:8b:c2:48:d0:16:c4:78:d8:
>                     6a:97:06:85:8e:fe:e6:32:ea:6d:70:c7:0b:76:1e:
>                     95:37:f2:01:d7:e2:34:9f:54:33:69:38:23:27:eb:
>                     d4:d0:22:2a:7e:12:7f:06:27:a5:a0:5f:65:4e:f9:
>                     77:9c:74:e3:0f:95:06:c4:e2:45:4e:69:be:0b:50:
>                     57:5d:f5:7b:30:da:c2:cb:c6:4c:3a:43:3c:5b:73:
>                     1f:46:4c:44:b5:f9:d6:60:83:c2:43:5d:51:5c:f2:
>                     fc:bf:5d:87:10:be:93:5c:b4:15:79:e3:0b:32:5e:
>                     c9:e0:b4:82:74:3e:73:7e:7d:1d:c2:88:a1:5f:93:
>                     5e:34:e0:fe:ba:95:a5:2d:ac:17:b7:db:16:63:9e:
>                     8b:eb:66:c6:8f:5c:71:66:71:7a:ec:28:57:b9:73:
>                     ed:47:e9:6f:1e:ea:53:14:14:19:87:57:a2:74:f6:
>                     bc:7e:25:33:64:42:c7:93:4d:ea:b7:74:44:8b:7d:
>                     0d:eb:17:b7:19:db:c5:89:ef:9a:d7:9c:26:a8:0d:
>                     8b:7f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment,
>                 Key Agreement
>             X509v3 Extended Key Usage:
>                 1.3.6.1.5.2.3.5
>             X509v3 Subject Key Identifier:
>                 30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>             X509v3 Authority Key Identifier:
>                 keyid:30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83
>
>             X509v3 Issuer Alternative Name:
>
>             X509v3 Subject Alternative Name:
>                 othername:
>     Signature Algorithm: sha1WithRSAEncryption
>         76:f4:f8:3d:9d:cc:9b:52:4c:27:a2:77:bb:c1:09:2c:8d:1f:
>         d0:c6:08:4f:5f:e6:30:50:c0:f8:83:94:b4:91:4e:2d:35:aa:
>         11:d2:8e:4e:70:27:7b:cb:00:89:66:40:17:cf:2b:f0:d3:19:
>         1b:dc:7c:9e:0b:78:b2:b3:df:ef:bd:da:a3:10:49:fc:9c:f7:
>         b9:39:06:75:6d:a9:3f:82:67:93:01:9f:ac:ba:bd:aa:0a:85:
>         a6:97:8c:a9:00:74:80:d1:80:2b:1c:30:d3:2d:fe:ca:27:98:
>         7d:41:1e:fe:1b:d9:30:ab:c4:1e:84:01:60:d4:12:1b:f1:15:
>         3b:8a:a3:a7:f3:15:c7:54:e4:7b:2a:8b:a7:45:7b:4b:5b:a2:
>         30:c6:bf:6c:fb:39:c2:09:cb:33:1d:5d:19:91:f5:26:5f:09:
>         85:12:60:b6:fb:dc:de:71:7a:9d:5e:32:8f:30:f1:73:10:39:
>         f9:e7:24:4b:e4:43:6e:43:84:69:17:6f:95:54:53:f1:a7:83:
>         b0:e1:a7:7b:5b:07:e5:ec:c4:ae:9c:39:e3:c4:8c:b2:e9:a6:
>         7d:20:92:3a:d6:6c:64:91:d5:23:f7:5a:a6:96:81:64:b9:30:
>         f7:8c:1a:90:03:6d:6b:63:5a:d6:24:1b:e7:2e:75:7b:44:17:
>         58:a3:0e:64
> *********************************************************************************************
>
> What is the reason for getting this error? Is the method followed to
> generate the certificates right? Please kindly guide me.

Both certificates have the same key! That won't work.
They also have the same SubjectName and thus the same issuerName.

I would suggest that you use the OpenSSL ssl/misc/CA.sh script to
generate the CA and other certificates.

Try running the openssl verify command against your CA and user certs
before trying the PKINIT.

If you send the certs in future e-mail, send the PEM format too, so
people can verify the signatures too.
>
> Regards,
> Vinay
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444

From ghudson at MIT.EDU  Tue Feb 23 11:46:01 2010
From: ghudson at MIT.EDU (Greg Hudson)
Date: Tue, 23 Feb 2010 11:46:01 -0500
Subject: another (different) KDC name resolution question
In-Reply-To: <20100223151204.GB63917@ligo.caltech.edu>
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223151204.GB63917@ligo.caltech.edu>
Message-ID: <1266943561.28206.1.camel@equal-rites.mit.edu>

On Tue, 2010-02-23 at 10:12 -0500, Abe Singer wrote:
> Here's a small (I think) suggestion for the roadmap:
>
> * Add command-line option to kinit to allow specifying alternate
>   credential cache, a la the -c option for kadmin.

We already seem to have a kinit -c option which does this.

From abe at ligo.caltech.edu  Tue Feb 23 12:44:24 2010
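Returning to the PKINIT certificate thread above: the two dumps Vinay posted can be screened mechanically for exactly what Engert spotted (one key pair behind both certificates, and a subject that equals its own issuer on a CA:FALSE certificate), together with the RFC 4556 requirements on the extended key usage (id-pkinit-KPKdc, 1.3.6.1.5.2.3.5, on the KDC certificate; id-pkinit-KPClientAuth, 1.3.6.1.5.2.3.4, on the client certificate) and on an otherName subject alternative name carrying the KDC principal. This is an added example, not code from the thread or from MIT krb5. It parses `openssl x509 -text -noout` output; the dumps embedded in it are constructed and copy only the subject, Subject Key Identifier and EKU values shown above, and the "fixed" pair uses made-up names and key identifiers.

```python
"""Static checks for a PKINIT KDC/client certificate pair, read from
`openssl x509 -text -noout` output. Added example; not from the thread or MIT krb5."""
import re

# Extended key usage OIDs from RFC 4556.
PKINIT_KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth
PKINIT_KP_KDC = "1.3.6.1.5.2.3.5"           # id-pkinit-KPKdc


def parse_cert_text(text):
    """Pull subject, issuer and a few extensions out of openssl's text layout."""
    def field(name):
        m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", text, re.M)
        return m.group(1) if m else None

    def ext(name):
        # The extension value is printed on the line after "X509v3 <name>:".
        pat = r"^[ \t]*X509v3 " + re.escape(name) + r":.*\n[ \t]*(.*?)[ \t]*$"
        m = re.search(pat, text, re.M)
        return m.group(1) if m else None

    return {
        "subject": field("Subject"),
        "issuer": field("Issuer"),
        "basic": ext("Basic Constraints"),
        "eku": ext("Extended Key Usage"),
        "ski": ext("Subject Key Identifier"),
        "san": ext("Subject Alternative Name"),
    }


def check_pkinit_pair(kdc_text, client_text):
    """Return the list of problems found; an empty list means the pair passes."""
    kdc, cli = parse_cert_text(kdc_text), parse_cert_text(client_text)
    problems = []
    for label, c in (("kdc", kdc), ("client", cli)):
        # Engert's second point: subject == issuer on a non-CA certificate means no
        # CA issued it, so neither side can chain it to a trust anchor.
        if c["subject"] == c["issuer"] and c["basic"] != "CA:TRUE":
            problems.append(f"{label}: self-issued end-entity certificate ({c['basic']})")
    # Engert's first point: identical Subject Key Identifiers mean one key pair.
    if kdc["ski"] and kdc["ski"] == cli["ski"]:
        problems.append("kdc and client share a Subject Key Identifier: same key pair")
    if PKINIT_KP_KDC not in (kdc["eku"] or "").split(", "):
        problems.append(f"kdc: EKU {kdc['eku']!r} lacks id-pkinit-KPKdc")
    if PKINIT_KP_CLIENT_AUTH not in (cli["eku"] or "").split(", "):
        problems.append(f"client: EKU {cli['eku']!r} lacks id-pkinit-KPClientAuth")
    if "othername" not in (kdc["san"] or ""):
        problems.append("kdc: no otherName SAN (RFC 4556 wants id-pkinit-san with the KDC principal)")
    return problems


def cert_dump(subject, issuer, basic, eku, ski, san):
    """Constructed stand-in for `openssl x509 -text -noout` output (same layout, fewer fields)."""
    return "\n".join([
        "Certificate:",
        "    Data:",
        f"        Issuer: {issuer}",
        f"        Subject: {subject}",
        "        X509v3 extensions:",
        "            X509v3 Basic Constraints:",
        f"                {basic}",
        "            X509v3 Extended Key Usage:",
        f"                {eku}",
        "            X509v3 Subject Key Identifier:",
        f"                {ski}",
        "            X509v3 Subject Alternative Name:",
        f"                {san}",
    ])


# Values copied from the dumps in the thread: same name everywhere, same SKI, CA:FALSE.
POSTED_SKI = "30:D5:14:7E:AD:68:02:92:E1:17:9D:A8:EF:A1:43:3B:54:C7:D4:83"
POSTED_KDC = cert_dump("OU=gesl, CN=vinay", "OU=gesl, CN=vinay", "CA:FALSE",
                       PKINIT_KP_KDC, POSTED_SKI, "othername:<unsupported>")
POSTED_CLIENT = cert_dump("OU=gesl, CN=vinay", "OU=gesl, CN=vinay", "CA:FALSE",
                          PKINIT_KP_CLIENT_AUTH, POSTED_SKI, "othername:<unsupported>")

# What a CA.sh-style setup yields: CA-issued leaves with distinct keys (names and SKIs made up).
FIXED_KDC = cert_dump("CN=kdc.example.org", "CN=Example PKINIT CA", "CA:FALSE", PKINIT_KP_KDC,
                      "01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14",
                      "othername:<unsupported>")
FIXED_CLIENT = cert_dump("CN=vinay", "CN=Example PKINIT CA", "CA:FALSE", PKINIT_KP_CLIENT_AUTH,
                         "A1:A2:A3:A4:A5:A6:A7:A8:A9:AA:AB:AC:AD:AE:AF:B0:B1:B2:B3:B4",
                         "othername:<unsupported>")

if __name__ == "__main__":
    for p in check_pkinit_pair(POSTED_KDC, POSTED_CLIENT):
        print("posted pair:", p)
    print("fixed pair problems:", check_pkinit_pair(FIXED_KDC, FIXED_CLIENT))
```

Note what the checker does not do: it never verifies a signature, which is the `openssl verify` step Engert asks for, and it cannot see inside the otherName because the text dump does not decode id-pkinit-san; use `openssl asn1parse` or the KDC's own PKINIT logging for that.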
From: abe at ligo.caltech.edu (Abe Singer)
Date: Tue, 23 Feb 2010 09:44:24 -0800
Subject: another (different) KDC name resolution question
In-Reply-To: <1266943561.28206.1.camel@equal-rites.mit.edu>
References: <20100222215418.GA60489@ligo.caltech.edu> <1266880388.20257.543.camel@ray> <20100222233019.GF60489@ligo.caltech.edu> <87mxz0zvqr.fsf@windlord.stanford.edu> <20100223151204.GB63917@ligo.caltech.edu> <1266943561.28206.1.camel@equal-rites.mit.edu>
Message-ID: <20100223174423.GB64291@ligo.caltech.edu>

Ah, I must be using an older version of Kerberos on my laptop (mac).
It doesn't have that option. But I see it's documented in the current
version. Silly me.

Thanks,

-- Abe

On Tue, Feb 23, 2010 at 11:46:01AM -0500, Greg Hudson wrote:
>
> On Tue, 2010-02-23 at 10:12 -0500, Abe Singer wrote:
> > Here's a small (I think) suggestion for the roadmap:
> >
> > * Add command-line option to kinit to allow specifying alternate
> >   credential cache, a la the -c option for kadmin.
>
> We already seem to have a kinit -c option which does this.
>

From arturo.sandrigo at gmail.com  Wed Feb 24 11:23:38 2010
From: arturo.sandrigo at gmail.com (Arturo Sandrigo)
Date: Wed, 24 Feb 2010 17:23:38 +0100
Subject: Sendauth from windows(client) to linux(server)
Message-ID: <162116331002240823y62fefc49wf086d722f8ac95e3@mail.gmail.com>

Hi,

I'm writing a client-server application and I need to develop a Windows
client. Actually, I developed the server and a basic Linux client to test
it; all of it is working OK and the interaction between server and client
is correct. Now I'm trying to port the client to Windows, but I have a
problem with sendauth. Even if I can get the TGT for my client's principal
and the TGS for my service, when I use sendauth I get the -1765328178
error. On the Linux client everything works OK, so I wonder how I can fix
this problem; can anyone point me in the right direction?

Thanks

Arturo Sandrigo

From winay.l at gmail.com  Wed Feb 24 23:45:31 2010
From: winay.l at gmail.com (vinay kumar)
Date: Thu, 25 Feb 2010 10:15:31 +0530
Subject: Couldn't authenticate to server
Message-ID:

Hi all,

I have set up a Kerberos client, server and application server, but when I
try to do rlogin I am getting the following error:

***********************************ERROR***************************************************
Couldn't authenticate to server: Connection reset by peer
************************************************************************************************

I have obtained tickets (TGS_REQ, TGS_REP) and also created a keytab file
for the application server. What is this error? Please guide me.

Regards,
Vinay

From rra at stanford.edu  Thu Feb 25 00:13:02 2010
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 24 Feb 2010 21:13:02 -0800
Subject: Couldn't authenticate to server
In-Reply-To: (vinay kumar's message of "Thu, 25 Feb 2010 10:15:31 +0530")
References:
Message-ID: <87tyt5vqxt.fsf@windlord.stanford.edu>

vinay kumar writes:

> I have set up a Kerberos client, server and application server,
> but when I try to do rlogin I am getting the following error:

> Couldn't authenticate to server: Connection reset by peer

Kerberos rlogin usually doesn't return useful error messages to the client
for protocol-level failures. Check syslog on the server, where normally a
more useful error message will be logged.

-- 
Russ Allbery (rra at stanford.edu)

From abe at ligo.caltech.edu  Thu Feb 25 12:12:40 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Thu, 25 Feb 2010 09:12:40 -0800
Subject: bind KDC to single interface?
In-Reply-To: <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu>
References: <20100222215617.GB60489@ligo.caltech.edu> <1266881552.20257.546.camel@ray> <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu>
Message-ID: <20100225171237.GF71077@ligo.caltech.edu>

I'll give you a reason for why I need it. I'm trying to fire up
krb5kdc listening on a virtual interface on a host where there's another
process (not krb5kdc) listening on the same port on other interfaces.

I'm sure that at least some of the other people who ask have some other
valid reason for doing so.

As for binding a socket on each separate address, the syslog messages
from krb5kdc indicate that it is already doing just that for UDP (see
below). There's just no feature to restrict which of those get bound.

Syslog messages (ip addresses changed to protect the innocent):

Feb 25 08:31:39 mykdc krb5kdc[2948](info): setting up network...
Feb 25 08:31:39 mykdc krb5kdc[2948](info): skipping unrecognized local address family 17
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 8: udp 10.0.0.1.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 9: udp 10.0.0.2.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 10: udp 10.0.0.3.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 11: udp 10.0.0.4.8.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 14: tcp 0.0.0.0.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): listening on fd 13: tcp ::.89
Feb 25 08:31:39 mykdc krb5kdc[2948](info): set up 6 sockets

On Tue, Feb 23, 2010 at 02:17:17AM -0500, Ken Raeburn wrote:
>
> Sort of... the KDC needs to be able to return a response from the same
> (KDC-side) address that the client used, so it either needs something
> like IP(V6)_PKTINFO support, in which case it can use IN(6)ADDR_ANY, or
> it needs to bind a socket on each local address.
> While I've occasionally heard queries about whether it's possible to
> bind to one address only, and it would probably be good to offer that
> someday, I've never heard anyone indicate why accepting Kerberos
> traffic on the other addresses is a problem.... Perhaps if you want to
> run a KDC for a different realm on a different address on the same
> machine, but you can serve up multiple realms from one KDC process. Or
> maybe they're running the KDC on a machine accessible from both
> internal and external networks, and have a security policy in place
> that prohibits the latter because of the offline-password-attack risk?
>
> But, short answer, yeah, there's no option for that currently. It's
> one of a few things I've been thinking about tweaking in the KDC
> network handling though...

From raeburn at MIT.EDU  Thu Feb 25 20:01:08 2010
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 25 Feb 2010 20:01:08 -0500
Subject: bind KDC to single interface?
In-Reply-To: <20100225171237.GF71077@ligo.caltech.edu>
References: <20100222215617.GB60489@ligo.caltech.edu> <1266881552.20257.546.camel@ray> <5EFBA81F-DA68-4870-998E-24862926D22D@mit.edu> <20100225171237.GF71077@ligo.caltech.edu>
Message-ID: <1EA91D38-BC90-47C6-9914-EC95892D4E23@mit.edu>

On Feb 25, 2010, at 12:12, Ab Singer wrote:
> I'll give you a reason for why I need it. I'm trying to fire up
> krb5kdc listening on a virtual interface on a host where there's another
> process (not krb5kdc) listening on the same port on other interfaces.

That makes sense, thanks; though I'm curious what other software wants
the privileged port assigned to Kerberos. (Actually, the KDC grabs two
privileged ports by default, 88 and 750, and I don't know if 750 is
assigned by IANA, but my /etc/services lists other services for it. It's
there for Kerberos v4 support, and probably should be dropped from the
current release now that the v4 support has been deleted.)

> I'm sure that at least some of the other people who ask have some other
> valid reason for doing so.

Oh, I'm sure at least some do, and we should eventually support it; I
just don't think I've heard the reasons. And strictly speaking, I don't
need to, but I'm curious. :-)

> As for binding a socket on each separate address, the syslog messages
> from krb5kdc indicate that it is already doing just that for UDP (see below).

Yes, like I said, it depends on system attributes. If it could do what it
needs to with one UDP socket on 0.0.0.0, it would do it that way, but it
can't, so it grabs all addresses; that's just how it's written at the
moment. (There's even code in the current sources to -- at least on some
systems -- monitor the routing table to try to figure out when interfaces
or addresses are added and removed, and reconfigure if necessary.)

> There's just no feature to restrict which of those get bound.
Nope. :-(

I've been poking at some of the related code recently in my private
development tree; maybe I'll get around to fixing this sometime soon and
submit it upstream. (The code for dealing with this is duplicated in the
KDC and kadmind code, which should probably be unified; that would make it
easier to make the same change to kadmind, too.)

Ken

From jason at rampaginggeek.com  Thu Feb 25 20:25:18 2010
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Thu, 25 Feb 2010 20:25:18 -0500
Subject: remctld on windows
Message-ID: <4B8722FE.6030901@rampaginggeek.com>

Hi Everyone,

I noticed that remctld is not supported on Windows. Is it possible to
run on Windows XP? It would be ideal for some in-house programs that are
needed. What issues are involved when running remctld on Windows?

Thanks,
Jason

From rra at stanford.edu  Thu Feb 25 20:54:02 2010
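Ken's explanation in the "bind KDC to single interface?" thread above (the KDC must answer from the KDC-side address the client used, which on one wildcard socket is only possible with IP(V6)_PKTINFO, otherwise it binds one socket per address) can be seen directly with a few lines of socket code. This is an added example, not MIT krb5 code, and it is Linux-specific: it assumes IP_PKTINFO (falling back to the Linux value 8 if the Python build lacks the constant) and that the kernel treats 127.0.0.2 as a second local loopback address, which stands in for the "other interface" in Abe's setup.

```python
"""Answer from the address the client used, on one wildcard UDP socket.

Added example for the "bind KDC to single interface?" thread; not MIT krb5 code.
Linux only: relies on IP_PKTINFO (the IP(V6)_PKTINFO mechanism Ken mentions) and on
the kernel routing all of 127.0.0.0/8 to lo, so 127.0.0.2 acts as a second local address.
"""
import socket
import struct
import threading

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # Linux value, used if Python lacks the constant
PKTINFO_FMT = "I4s4s"                          # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def recv_with_dst(sock):
    """Receive one datagram; return (payload, client address, local IP it was sent to)."""
    data, ancdata, _flags, client = sock.recvmsg(4096, socket.CMSG_SPACE(PKTINFO_LEN))
    dst_ip = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            dst_ip = socket.inet_ntoa(addr)  # ipi_addr: destination taken from the IP header
    return data, client, dst_ip


def reply_naive(sock, data, client, dst_ip):
    """Plain sendto on a 0.0.0.0 socket: the kernel, not the server, picks the source address."""
    sock.sendto(b"naive:" + data, client)


def reply_from_dst(sock, data, client, dst_ip):
    """Attach IP_PKTINFO with ipi_spec_dst set, so the reply leaves from the address the client used."""
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(dst_ip), b"\0" * 4)
    sock.sendmsg([b"pktinfo:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)


def exchange(reply_fn, server_ip="127.0.0.2", client_ip="127.0.0.1"):
    """One request/reply over loopback; returns the source IP the client sees on the reply.

    The client sends to 127.0.0.2. A Kerberos client that connect()ed its UDP socket
    to that address would silently drop a reply arriving from 127.0.0.1 instead.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask for per-datagram destination info
    srv.bind(("0.0.0.0", 0))
    srv.settimeout(3)
    port = srv.getsockname()[1]

    def serve():
        data, client, dst_ip = recv_with_dst(srv)
        reply_fn(srv, data, client, dst_ip)

    worker = threading.Thread(target=serve)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(3)
    cli.bind((client_ip, 0))
    cli.sendto(b"AS-REQ", (server_ip, port))  # constructed stand-in for a real request
    try:
        _reply, (src_ip, _src_port) = cli.recvfrom(4096)
    finally:
        worker.join()
        srv.close()
        cli.close()
    return src_ip


if __name__ == "__main__":
    print("plain sendto replies from", exchange(reply_naive))     # 127.0.0.1
    print("IP_PKTINFO replies from  ", exchange(reply_from_dst))  # 127.0.0.2
```

`reply_naive` is the single-socket-on-0.0.0.0 design Ken says the KDC would use if it could: the reply comes back from 127.0.0.1 even though the request went to 127.0.0.2, which is why, without usable pktinfo support, krb5kdc binds one UDP socket per local address and why a "listen on this address only" option then has to be a filter over that list. The IPv6 counterpart is IPV6_PKTINFO with `struct in6_pktinfo`.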
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 25 Feb 2010 17:54:02 -0800
Subject: remctld on windows
In-Reply-To: <4B8722FE.6030901@rampaginggeek.com> (Jason Edgecombe's message of "Thu, 25 Feb 2010 20:25:18 -0500")
References: <4B8722FE.6030901@rampaginggeek.com>
Message-ID: <87fx4obw3p.fsf@windlord.stanford.edu>

Jason Edgecombe writes:

> I noticed that remctld is not supported on windows. Is it possible to
> run on windows XP? It would be ideal for some in-house programs that are
> needed. what issues are involved when running remctld on windows?

remctld relies heavily on UNIX fork and select semantics and will not run
on native Windows of any variety. I'm not sure it would even work on
Cygwin. However, the server component of the Java implementation should
work on Windows provided that the same security classes are available.

The first step to getting the server to work natively on Windows would be
to move the network protocol components of the server into a library.
This is on my to-do list, but I have no ETA (not soon).

-- 
Russ Allbery (rra at stanford.edu)

From jason at rampaginggeek.com  Thu Feb 25 21:50:18 2010
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Thu, 25 Feb 2010 21:50:18 -0500
Subject: remctld on windows
In-Reply-To: <87fx4obw3p.fsf@windlord.stanford.edu>
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu>
Message-ID: <4B8736EA.4000509@rampaginggeek.com>

Russ Allbery wrote:
> Jason Edgecombe writes:
>
>> I noticed that remctld is not supported on windows. Is it possible to
>> run on windows XP? It would be ideal for some in-house programs that are
>> needed. what issues are involved when running remctld on windows?
>>
> remctld relies heavily on UNIX fork and select semantics and will not run
> on native Windows of any variety. I'm not sure it would even work on
> Cygwin. However, the server component of the Java implementation should
> work on Windows provided that the same security classes are available.
>
> The first step to getting the server to work natively on Windows would be
> to move the network protocol components of the server into a library.
> This is on my to-do list, but I have no ETA (not soon).
>
Dang. Thanks.

Jason

From rra at stanford.edu  Thu Feb 25 21:52:16 2010
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 25 Feb 2010 18:52:16 -0800
Subject: remctld on windows
In-Reply-To: <4B8736EA.4000509@rampaginggeek.com> (Jason Edgecombe's message of "Thu, 25 Feb 2010 21:50:18 -0500")
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com>
Message-ID: <87pr3saeu7.fsf@windlord.stanford.edu>

Jason Edgecombe writes:

> Dang. Thanks.

The drawback to the Java server implementation is that it doesn't actually
run anything, just provides a Java class that handles the protocol and
lets you get the command to do with what you want. But with that said, if
you have any Java developers on staff, you may want to try that approach
and see if that gives you what you want.

I expect to have some resources allocated to do additional work on the
Java code (both client and server) within the next six months if there's
anything anyone would particularly like to see.

-- 
Russ Allbery (rra at stanford.edu)

From abe at ligo.caltech.edu  Thu Feb 25 22:13:09 2010
From: abe at ligo.caltech.edu (Abe Singer)
Date: Thu, 25 Feb 2010 19:13:09 -0800
Subject: experiences with krb clients on guest wireless networks?
Message-ID: <20100226031307.GB72201@ligo.caltech.edu>

Forgive me if this has been discussed before on this list...

Some of our users have had the problem of being on "guest" wireless
networks (e.g. at universities) which are heavily firewalled, blocking
everything except tcp ports 22, 80, and 443 (and sometimes udp/tcp 53).
Needless to say, clients can't talk to our KDC from that network.

Has anyone else had experience with this? If so, what have you done
about it?

We're thinking about having our KDCs respond on tcp port 443, since
that's almost always open, and it's rarely filtered for protocol
compliance (e.g. some networks check port 80 traffic for valid HTTP).
(We have heard a story about a network that only allowed port 80, but at
that point we give up.)

VPN is not an option for many of our users, and we've also had the
experience of *that* not working from guest networks, depending on what's
blocked. So we need to find a way for clients to reach our KDCs directly.

Thanks,

-- Abe

From jaltman at secure-endpoints.com  Thu Feb 25 22:28:23 2010
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 25 Feb 2010 22:28:23 -0500
Subject: remctld on windows
In-Reply-To: <87pr3saeu7.fsf@windlord.stanford.edu>
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com> <87pr3saeu7.fsf@windlord.stanford.edu>
Message-ID: <4B873FD7.6040800@secure-endpoints.com>

On 2/25/2010 9:52 PM, Russ Allbery wrote:
> Jason Edgecombe writes:
>
>> Dang. Thanks.
>
> The drawback to the Java server implementation is that it doesn't actually
> run anything, just provides a Java class that handles the protocol and
> lets you get the command to do with what you want. But with that said, if
> you have any Java developers on staff, you may want to try that approach
> and see if that gives you what you want.
>
> I expect to have some resources allocated to do additional work on the
> Java code (both client and server) within the next six months if there's
> anything anyone would particularly like to see.
>

The important question is "what commands do you want to execute on
Windows using remctld?"

I want to add a remctl interface to Network Identity Manager for the
client side and create a native remctld that adds commands via a dll
based plugin interface for the server side.

Jeffrey Altman

From benjaminkiessling at bttec.org  Fri Feb 26 03:40:04 2010
From: benjaminkiessling at bttec.org (Benjamin Kiessling)
Date: Fri, 26 Feb 2010 09:40:04 +0100
Subject: experiences with krb clients on guest wireless networks?
In-Reply-To: <20100226031307.GB72201@ligo.caltech.edu>
References: <20100226031307.GB72201@ligo.caltech.edu>
Message-ID: <20100226084004.GA2146@blender>

Hi,

the "best" solution as far as I know would be an IP-over-DNS tunnel. That
works even when using other DNS servers is prohibited, but it is almost
certainly illegal in the US (in Europe it is) to use them to circumvent
port blocking. This will get you around almost all fascist firewalls and
censorship systems.

If you just want to get Kerberos working in most environments (i.e. not
some authoritarian dictatorships like Saudi Arabia or China), just using
port 443 should be completely sufficient.

Best Regards,
Benjamin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20100226/32bbad35/attachment.bin

From jason at rampaginggeek.com  Thu Feb 25 16:55:46 2010
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Thu, 25 Feb 2010 16:55:46 -0500
Subject: remctld on windows XP
Message-ID: <4B86F1E2.6050903@rampaginggeek.com>

Hi Everyone,

Looking at the remctl web site, it says that the remctl server is not
supported on Windows. We would like to use remctld on Windows XP. What
would be involved in making that work? Is that possible?

Thanks,
Jason

From ghudson at MIT.EDU  Fri Feb 26 13:01:34 2010
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 26 Feb 2010 13:01:34 -0500
Subject: experiences with krb clients on guest wireless networks?
In-Reply-To: <20100226031307.GB72201@ligo.caltech.edu>
References: <20100226031307.GB72201@ligo.caltech.edu>
Message-ID: <1267207294.20257.695.camel@ray>

On Thu, 2010-02-25 at 22:13 -0500, Abe Singer wrote:
> Some of our users have had the problem of being on "guest" wireless
> networks (e.g. at universities) which are heavily firewalled, blocking
> everything except tcp ports 22, 80, and 443 (and sometimes udp/tcp 53).
> Needless to say, clients can't talk to our KDC from that network.

It doesn't help you now, but we're hoping that IAKERB (due out in 1.9)
can eventually help with this situation, although it will require app
support. With IAKERB, heavily firewalled clients can get tickets using
app servers as a proxy, without trusting the app server like you would
sending the password.

From jason at rampaginggeek.com  Fri Feb 26 18:43:37 2010
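The port-443 approach Abe floats in this thread, written out as configuration. This is an added example, not from the thread; the realm and hostnames are placeholders. On each KDC, kdc.conf gains a second TCP listener; on roaming clients, krb5.conf lists the 443 endpoint first and forces TCP, since UDP never gets through the guest networks described above:

```ini
; kdc.conf on each KDC: keep the standard ports and also accept TCP on 443
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88,443

; krb5.conf on roaming clients: TCP first (udp_preference_limit = 1 means
; "use TCP for any request larger than 1 byte"), 443 before the default port
[libdefaults]
    default_realm = EXAMPLE.ORG
    udp_preference_limit = 1

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:443
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
```

What runs on 443 here is plain Kerberos-over-TCP (a length prefix and a KDC-REQ), not TLS, so it survives a port filter but not a middlebox that expects a TLS handshake on 443, which is the "filtered for protocol compliance" caveat in Abe's message; the KDC host also has to have nothing else bound to 443. Later MIT krb5 releases (1.13 and up) added the MS-KKDCP HTTPS proxy transport (`kdc = https://...` via a kdcproxy web service), which does put a real TLS session on 443 and is the cleaner answer to the same problem.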
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Fri, 26 Feb 2010 18:43:37 -0500
Subject: remctld on windows
In-Reply-To: <4B873FD7.6040800@secure-endpoints.com>
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com> <87pr3saeu7.fsf@windlord.stanford.edu> <4B873FD7.6040800@secure-endpoints.com>
Message-ID: <4B885CA9.1070303@rampaginggeek.com>

Jeffrey Altman wrote:
> On 2/25/2010 9:52 PM, Russ Allbery wrote:
>
>> Jason Edgecombe writes:
>>
>>> Dang. Thanks.
>>>
>> The drawback to the Java server implementation is that it doesn't actually
>> run anything, just provides a Java class that handles the protocol and
>> lets you get the command to do with what you want. But with that said, if
>> you have any Java developers on staff, you may want to try that approach
>> and see if that gives you what you want.
>>
>> I expect to have some resources allocated to do additional work on the
>> Java code (both client and server) within the next six months if there's
>> anything anyone would particularly like to see.
>>
>
> The important question is "what commands do you want to execute on
> Windows using remctld?"
>
> I want to add a remctl interface to Network Identity Manager for the
> client side and create a native remctld that adds commands via a dll
> based plugin interface for the server side.
>
> Jeffrey Altman
>
We want to have a tool for our help desk students to list and kill
processes for other users on workstations along with being able to
trigger a remote shutdown or reboot.

Sincerely,
Jason

From cclausen at acm.org  Fri Feb 26 19:42:59 2010
From: cclausen at acm.org (Christopher D. Clausen)
Date: Fri, 26 Feb 2010 18:42:59 -0600
Subject: remctld on windows
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com> <87pr3saeu7.fsf@windlord.stanford.edu> <4B873FD7.6040800@secure-endpoints.com> <4B885CA9.1070303@rampaginggeek.com>
Message-ID: <72CCE1A8778E4465B837D9DE9099BD2B@CDCHOME>

Jason Edgecombe wrote:
> We want to have a tool for our help desk students to list and kill
> processes for other users on workstations along with being able to
> trigger a remote shutdown or reboot.

Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows
systems and already do this, assuming you have the proper admin share
access enabled on the remote system.

The more generic psexec.exe is available from sysinternals:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
and the Linux version of it at:
http://eol.ovh.org/winexe/

There is also the wmic.exe command and its associated options:
http://technet.microsoft.com/en-us/library/bb742610.aspx

<
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com> <87pr3saeu7.fsf@windlord.stanford.edu> <4B873FD7.6040800@secure-endpoints.com> <4B885CA9.1070303@rampaginggeek.com> <72CCE1A8778E4465B837D9DE9099BD2B@CDCHOME>
Message-ID: <4B887A8F.3040804@rampaginggeek.com>

Christopher D. Clausen wrote:
> Jason Edgecombe wrote:
>> We want to have a tool for our help desk students to list and kill
>> processes for other users on workstations along with being able to
>> trigger a remote shutdown or reboot.
>
> Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows
> systems and already do this, assuming you have the proper admin share
> access enabled on the remote system.
>
> The more generic psexec.exe is available from sysinternals:
> http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
> and the Linux version of it at:
> http://eol.ovh.org/winexe/
>
> There is also the wmic.exe command and its associated options:
> http://technet.microsoft.com/en-us/library/bb742610.aspx

Can this be run by a non-privileged user without needing the admin
password? I need a kind of remote sudo to do the task list and such,
preferably cross-platform. We have an in-house system that I would like
to replace for various reasons.

Jason

From cclausen at acm.org  Fri Feb 26 22:46:15 2010
From: cclausen at acm.org (Christopher D. Clausen)
Date: Fri, 26 Feb 2010 21:46:15 -0600
Subject: remctld on windows
References: <4B8722FE.6030901@rampaginggeek.com> <87fx4obw3p.fsf@windlord.stanford.edu> <4B8736EA.4000509@rampaginggeek.com> <87pr3saeu7.fsf@windlord.stanford.edu> <4B873FD7.6040800@secure-endpoints.com> <4B885CA9.1070303@rampaginggeek.com> <72CCE1A8778E4465B837D9DE9099BD2B@CDCHOME> <4B887A8F.3040804@rampaginggeek.com>
Message-ID: <18FC4EC1F35945E980FF18D224EDD44B@CDCHOME>

Jason Edgecombe wrote:
> Christopher D. Clausen wrote:
>> Jason Edgecombe wrote:
>>> We want to have a tool for our help desk students to list and kill
>>> processes for other users on workstations along with being able to
>>> trigger a remote shutdown or reboot.
>>
>> Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows
>> systems and already do this, assuming you have the proper admin share
>> access enabled on the remote system.
>>
>> The more generic psexec.exe is available from sysinternals:
>> http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
>> and the Linux version of it at:
>> http://eol.ovh.org/winexe/
>>
>> There is also the wmic.exe command and its associated options:
>> http://technet.microsoft.com/en-us/library/bb742610.aspx
>
> Can this be run by a non-privileged user without needing the admin
> password?
> I need a kind of remote sudo to do the task list and such, preferably
> cross-platform. We have an in-house system that I would like to
> replace for various reasons.

I am fairly certain you can grant the ability to "force shutdown from a
remote system" without needing a user to be in the Administrators group
on a system. Not sure about the other commands. I'd hope not just anyone
could start killing my processes though, that would be bad.

-----

You could have remctld on non-windows call commands using
http://eol.ovh.org/winexe/ with the appropriate parameters passed in.
This actually might be simpler as you could keep the credentials used for
authentication on the single system running remctld and ACL commands
there to subsets of computers instead of needing to configure remctld on
every computer. In theory the user on the remctl side only needs
permission to make the call through remctld and it will have embedded
credentials to access the system.

<
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 Beta 3 (1.99.27.227).

Version 2.0 is the end of a three year effort to improve the usability
and capabilities of the product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish
   to obtain credentials for a Kerberos v5 identity. Instead, they select
   previously used identities from a list.
 * A "New Identity Wizard" walks the user through the configuration of
   all derived credential types when creating a new identity.
 * Progress dialogs inform the user of the progress of each stage of the
   credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing
   identities from one another.
 * The basic identity view now includes:
   o an animated battery that visualizes the remaining lifetime and
     permits users to quickly recharge the credential.
   o summary information describing the types and numbers of each
     derived credential obtained by the identity.
   o dynamic progress bars when credential renewal takes place in the
     background.
   o a star button to represent the current default identity and permit
     setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the
   need to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF
   manual has been retired and the Windows Help documentation is
   comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider
   is included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used
   to protect the passwords of multiple Kerberos v5 principals. Unlocking
   the KeyStore results in the acquisition of credentials for each of the
   configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom
   identity providers, credential providers, and tool providers.

Changes since 1.99.25.217 (Pre v2.0 Beta 2)

Application:
 - Identity and credential property sheets no longer display empty
   properties.
 - Debug log file includes details about the process token for the
   Network Identity Manager process. This is to help identify recurrent
   problems with restricted tokens on Vista and Windows 7.
 - Redundant change notifications have been suppressed within the
   Network Identity Manager framework.

Kerberos v5:
 - Logged Kerberos v5 errors now include the description as well as the
   code.

User documentation:
 - Broken links have been fixed.
 - Includes explanation of Kerberos v5 proxiable tickets.
 - Explains UI changes in identity icon dialog.
 - Registry documentation layout and content have been revised.

Bug fixes:
 - A race condition where the initial credentials listing can be
   attempted before the identity provider has finished initializing has
   been fixed. Earlier, the credentials listing would fail at first and,
   if the `--autoinit` option is used, Network Identity Manager may
   display the new credentials dialog even when the user has credentials.

Thanks to all of the testers that have downloaded Version 2.0 Beta 2.
This beta period will last one week. Please try out the new release and
provide positive and negative feedback to:

  netidmgr at secure-endpoints.com

Downloads and documentation are available from

  URL: http://www.secure-endpoints.com/netidmgr/v2/

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.