From Mark.Phalan at Sun.COM Tue Jul 1 11:53:12 2008
From: Mark.Phalan at Sun.COM (Mark Phalan)
Date: Tue, 01 Jul 2008 17:53:12 +0200
Subject: contributing patches
Message-ID: <1214927592.2358.41.camel@zup>

I have a couple of patches (some bug fixes, heuristic for REALM determination - http://cr.opensolaris.org/~mbp/mit) which I'd like to contribute.

Previously I created new tickets with attached patches to http://krbdev.mit.edu/rt/ however I cannot create a new ticket there now. The "New ticket in" button doesn't show any possible queues.

If it would speed up the time to integrate these fixes I'm willing to do any testing/pre-integration work that's required.

-M

From jhutz at cmu.edu Tue Jul 1 14:30:02 2008
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Tue, 01 Jul 2008 14:30:02 -0400
Subject: ASN.1
In-Reply-To: <200807011529.m61FT4GI025836@raisinbran.srv.cs.cmu.edu>
References: <200807011529.m61FT4GI025836@raisinbran.srv.cs.cmu.edu>
Message-ID: <253F05E963F02C6F9A37C603@sirius.fac.cs.cmu.edu>

--On Monday, June 30, 2008 04:43:10 PM +0200 mohamed.chaari at orange-ftgroup.com wrote:

> I would like to know if I can modify the ASN.1 files of kerberos.

As far as I know, you can modify anything you want in your copy of Kerberos. However, the ASN.1 describes the Kerberos protocol, which is specified in RFC4120 and related documents. If you make changes, the resulting protocol will no longer be Kerberos and may not interoperate correctly with existing and/or future implementations of the standard protocol.

--
Jeffrey T.
Hutzelman (N3NHS)
Carnegie Mellon University - Pittsburgh, PA

From tlyu at MIT.EDU Tue Jul 1 14:39:33 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 01 Jul 2008 14:39:33 -0400
Subject: contributing patches
In-Reply-To: <1214927592.2358.41.camel@zup> (Mark Phalan's message of "Tue, 01 Jul 2008 17:53:12 +0200")
References: <1214927592.2358.41.camel@zup>
Message-ID:

Mark Phalan writes:

> I have a couple of patches (some bug fixes, heuristic for REALM
> determination - http://cr.opensolaris.org/~mbp/mit) which I'd like to
> contribute.

> Previously I created new tickets with attached patches to
> http://krbdev.mit.edu/rt/ however I cannot create a new ticket there
> now. The "New ticket in" button doesn't show any possible queues.

I am going to write more about this later... but we disabled ticket creation and commenting for the "guest" account due to excessive web spam. For now, please submit bugs by sending e-mail to krb5-bugs at mit.edu. Attachments in e-mail usually get transformed into attachments to the ticket. I know this can be an inconvenience for some people, but we are working on an alternative solution.

> If it would speed up the time to integrate these fixes I'm willing to do
> any testing/pre-integration work that's required.

Thanks, that would be helpful.

--
Tom Yu
Development Manager
MIT Kerberos Consortium

From sbuckley at MIT.EDU Wed Jul 2 12:43:26 2008
From: sbuckley at MIT.EDU (Stephen C.
Buckley)
Date: Wed, 2 Jul 2008 12:43:26 -0400
Subject: "Best Practices for Integrating Kerberos Into Your Application" Draft Available
Message-ID: <3F0443AE-3EFD-4319-AA51-047B54018EC4@MIT.EDU>

I'm pleased to announce the availability of our second white paper, "Best Practices for Integrating Kerberos Into Your Application". It is available for free on our web site at:

http://www.kerberos.org/software/appskerberos.pdf

Additional documentation from a variety of sources is available here:

http://www.kerberos.org/software/whitepapers.html

Thanks again for your support of the Kerberos Consortium.

s

--
Stephen C. Buckley
Executive Director
Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-159
Cambridge, MA 02139
web: http://www.kerberos.org

From deengert at anl.gov Wed Jul 2 17:00:39 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 02 Jul 2008 16:00:39 -0500
Subject: pkinit and AD 2008
In-Reply-To: <48650FD5.7020501@citi.umich.edu>
References: <48650575.6040209@anl.gov> <48650FD5.7020501@citi.umich.edu>
Message-ID: <486BEC77.4050104@anl.gov>

Long story short, I needed additional debugging to find out why pkinit did not work in our testbed.

I built pkinit.so with debugging turned on, renamed the original pkinit.so to pkinit.so.no.debug in /usr/lib/krb5/plugins/preauth. Strace showed krb5 lib loaded both pkinit.so and pkinit.so.no.debug and depending on the order, some of the debug lines produce output, and some did not.

Moral: Don't rename a plugin, move it out of the plugin directory.

The debugging output showed that the original problem was a case mismatch with the pkinit_kdc_hostname and the name in the cert. I have the pkinit_longhorn = 1 set, but this may not be needed.

Suggestions: Please add a debug option to produce extended error messages in the plugins to help find these configuration type problems.
Thanks to the UofM people for suggestions on how to get this to work.

The card was an HSPD-12 PIV card where the SAN does not match the user or realm, but the AD account had a matching userPrincipalName to the SAN. This works from kinit on Ubuntu to AD 2008 as the kdc.

Olga Kornievskaia wrote:
>
> Can you post the debugging pkinit output that you do get?
>
> I think there are several possibilities for the failure:
> 1. AS_REP coming back from windows is somehow broken and pkinit is
> failing to decode it. We should be able to see such message if pkinit
> debugging is on.
> 2. If we have passed decoding AS_REP, we can fail if we didn't find an
> acceptable SAN in KDC's certificate. I believe it is possible to turn
> off KDC's SAN checking.
> 3. dnsName in the KDC's certificate doesn't match the hostname specified
> in your krb5.conf. Since you have pkinit_win2k = yes, you should have
> pkinit_kdc_hostname.
>
> I'm not sure if anybody ever tested pkinit with Windows AD. Who knows
> what kind of bugs were introduced in that version.
>
>
> Douglas E. Engert wrote:
>> I am trying to use krb5-pkinit krb5-1.6.dfsg.3~beta1-2ubuntu1 with
>> a Windows AD 2008 server as the KDC. When using kinit it appears that
>> all goes well and an AS-REP with pa-data-type (17) is returned by the
>> KDC as reported by wireshark, but then kinit falls back to prompting
>> for a password. No error messages are produced.
>>
>> I have tried building the pkinit.so with debugging turned on, but this
>> does not show much either.
>>
>> The smart card being used works with XP and Vista client to AD 2008.
>> The card has a subjectAltName that does not match the user or realm,
>> but has something like <11 digit number>@FEDIDCARD.GOV for the UPN.
>>
>> Windows AD 2008 can handle this by changing the userPrincipalName
>> in user account.
>>
>> So has anyone tested pkinit clients against AD 2008, with the SAN
>> not matching the kerberos principal name?
>>
>> Is there any additional debugging to turn on for pkinit that could
>> show why it fails after receiving the AS-REP?
>>
>> The enc-part of the AS-REP is encrypted in aes256-cts-hmac-sha1-96 (18)
>>
>> A snippet of the krb5.conf:
>> [realms]
>> ANL.GOV = {
>> # first two for testbed
>> kdc = test2.anl.gov:88
>> pkinit_kdc_hostname = TEST2.anl.gov
>> pkinit_eku_checking = none
>> # or kpKDC for RFC 4556 will try none for now
>> # will assume the next 2 are not for 2008
>> # pkinit_win2k = yes
>> pkinit_win2k_require_binding = false
>> pkinit_cert_match = msScLogin
>> pkinit_pool = DIR:/opt/smartcard/pool.certdir
>> pkinit_anchors = DIR:/opt/smartcard/trusted.certdir
>> }
>>
>>
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From srahul at novell.com Thu Jul 3 03:18:29 2008
From: srahul at novell.com (S Rahul)
Date: Thu, 03 Jul 2008 12:48:29 +0530
Subject: SPNEGO and Kerberos credentials
Message-ID: <486C7D45.20801@novell.com>

Hi,

I have a problem using both Kerberos and SPNEGO under GSSAPI in the same service. I created a credential for the Kerberos principal using gss_acquire_cred(). If I pass this to gss_accept_sec_context() and select Kerberos mechanism, there is no problem. But if I select SPNEGO as the mechanism, the credential does not pass down to krb5_gss_accept_sec_context(). It gets filtered in the GSSAPI layer itself and a new credential is generated when spnego_gss_accept_sec_context() calls gss_accept_sec_context().

One problem I have because of this is that the replay cache is opened multiple times and concurrent writes are corrupting the cache.

So, I hacked the GSSAPI code and found that the attached patch appears to resolve the problem. I understand that mechanism specific stuff shouldn't go into GSSAPI code. But still ...

Thanks,
-Rahul

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gss.diff
Url: http://mailman.mit.edu/pipermail/krbdev/attachments/20080703/39cfe49c/gss.bat

From raeburn at MIT.EDU Thu Jul 3 16:24:31 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 3 Jul 2008 16:24:31 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: <96BE6D1F-2A33-4204-B02A-7B8C1B75825A@mit.edu>
References: <96BE6D1F-2A33-4204-B02A-7B8C1B75825A@mit.edu>
Message-ID: <4A6A5E91-71AE-49DF-994F-E46A8E9F49C4@mit.edu>

I've updated the project proposal at http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals based on the discussions in May, and think it's ready for a new review; the review period runs through July 17. Please have a new look.

The purpose of the project: Eliminate the need for the domain_realm mapping table on the client side, in the common case, by implementing minimal referral support in the KDC and providing the mapping information to clients through that protocol.

Highlights of the new version:

NT-UNKNOWN only gets referral processing if the service is listed in the config file under "host_based_services" (multiple lines of whitespace- or comma-separated names), and the principal name otherwise looks like a host-based principal name. NT-SRV-HST defaults to getting the referral processing.

Config file entry "no_host_referral" lists services for which referral processing won't be done, regardless of name type; overrides host_based_services.

In both cases, the special service name "*" matches anything.

No special explicit entry for enabling or disabling referral processing overall. It's on by default, and for the (hopefully few) sites that explicitly never want it, "no_host_referral=*" should do the trick. Also, no way to turn it off even for all NT-SRV-HST principals but then enable it for a few exceptions; if you want that, you can start working on a plugin interface.
:-)

No compiled-in default host-based service name list; even host/fqdn won't get referral processing when NT-UNKNOWN. I'm happy to change that, but would object to using a list that's not in sync with the table for krb5/krb4 principal name conversion, until such time as we get rid of that code. (Also known as, "I'll believe we're getting rid of it when I see it." :-)

--
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium

From srahul at novell.com Sat Jul 5 00:53:42 2008
From: srahul at novell.com (Rahul Srinivas)
Date: Fri, 04 Jul 2008 22:53:42 -0600
Subject: SPNEGO and Kerberos credentials
In-Reply-To: <486D7AAB.2010704@kadzban.is-a-geek.net>
References: <486C7D45.20801@novell.com> <486D7AAB.2010704@kadzban.is-a-geek.net>
Message-ID: <486F4896.5509.00DD.0@novell.com>

There is one difference between my patches and the other two patches. In the other patches, if you do gss_acquire_cred() for gss_mech_spnego, any Kerberos credentials acquired will be available to krb5_gss_accept_sec_context() (either through spnego_gss_accept_sec_context() or directly). But if you do gss_acquire_cred() for gss_mech_krb5, the credential acquired will not be available to spnego_gss_accept_sec_context() - this happens to be the problem in my code. In my patch, the second case is handled but not the first. It looks like both of them are required. But since SPNEGO is a pseudo mechanism, I prefer the second approach - add various credential elements into a credential and give it to the SPNEGO mechanism instead of letting the SPNEGO mechanism acquire the credentials.

-Rahul

>>> On Fri, Jul 4, 2008 at 6:49 AM, in message <486D7AAB.2010704 at kadzban.is-a-geek.net>, Bryan Kadzban wrote:
>
> S Rahul wrote:
>> But if I select SPNEGO as the mechanism, the credential does not pass
>> down to krb5_gss_accept_sec_context().
>> It gets filtered in the GSSAPI
>> layer itself and a new credential is generated when
>> spnego_gss_accept_sec_context() calls gss_accept_sec_context().
>
> This sounds similar to the issue I had a few weeks back with SPNEGO and
> storing delegated credentials. See krbdev RT, ticket 5807 [1] for one
> patch, and see Debian bug 480434 [2] for another.
>
> Looks like your patch modifies the same function as both of these
> patches, though it modifies it differently. Do either of these patches
> solve the problem you're seeing, or is your issue actually different?
> (Both patches are basically equivalent: both return the krb5 credential
> instead of failing, when the input is an SPNEGO credential. The only
> difference is how they get to the SPNEGO OID, to compare it.)
>
> [1]
> http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=5807
>
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480434

From bryan at kadzban.is-a-geek.net Thu Jul 3 21:19:39 2008
From: bryan at kadzban.is-a-geek.net (Bryan Kadzban)
Date: Thu, 03 Jul 2008 21:19:39 -0400
Subject: SPNEGO and Kerberos credentials
In-Reply-To: <486C7D45.20801@novell.com>
References: <486C7D45.20801@novell.com>
Message-ID: <486D7AAB.2010704@kadzban.is-a-geek.net>

S Rahul wrote:
> But if I select SPNEGO as the mechanism, the credential does not pass
> down to krb5_gss_accept_sec_context(). It gets filtered in the GSSAPI
> layer itself and a new credential is generated when
> spnego_gss_accept_sec_context() calls gss_accept_sec_context().

This sounds similar to the issue I had a few weeks back with SPNEGO and storing delegated credentials.
See krbdev RT, ticket 5807 [1] for one patch, and see Debian bug 480434 [2] for another.

Looks like your patch modifies the same function as both of these patches, though it modifies it differently. Do either of these patches solve the problem you're seeing, or is your issue actually different? (Both patches are basically equivalent: both return the krb5 credential instead of failing, when the input is an SPNEGO credential. The only difference is how they get to the SPNEGO OID, to compare it.)

[1] http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=5807

[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480434

From kulg123 at gmail.com Fri Jul 4 00:16:03 2008
From: kulg123 at gmail.com (kul gupta)
Date: Fri, 4 Jul 2008 09:46:03 +0530
Subject: mod_auth_kerb + apache issue
Message-ID: <2203f95e0807032116j28cdfe42o429c279732c43d4@mail.gmail.com>

Hello

I am using the mod_auth_kerb module (for the Apache web server) for authentication. I am facing the following issues (Issue (1) and Issue (2)) as described below. I am also attaching the Word document detailing the issues.

Apache server is on Red Hat Enterprise Linux 5.0
KDC is on Red Hat Enterprise Linux 5.0

I have installed and configured OpenSSL 0.9.8g, Apache 2.2.8, mod_auth_kerb 2.3

1) Apache with SSL is working fine and I am able to access https://ruchita.com/index.html

As given in the INSTALL file of mod_auth_kerb we have done the settings of IE and Mozilla as follows.

For Mozilla - I typed "about:config" in the URL bar and then set the value of "network.negotiate-auth.trusted-uris" to https://ruchita.com

It then prompted me for username and password. I entered my Kerberos username and password and pressed Enter.

Issue (1) --> After entering the details (username and
password) it again prompted for the username and password.

2) For IE also I did the settings as given in the INSTALL file of mod_auth_kerb. I went to "Local intranet". Also edited the file WINDOWS->system32->drivers->etc->hosts and added my Linux machine's (where the Apache server is) IP and its name in it, as 172.25.108.159 ruchita.com

Issue (2) --> Now, when I'm trying to access http://ruchita.com, the output coming is Internal Server Error. Also while accessing https://ruchita.com, the output is Page cannot be displayed.

I will be highly thankful if someone can guide me for the same.

Thanks
Kul

From raeburn at MIT.EDU Mon Jul 7 16:45:34 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 7 Jul 2008 16:45:34 -0400
Subject: incremental propagation code
In-Reply-To: <38993564-A855-473F-8185-E69E31D74AA2@mit.edu>
References: <38993564-A855-473F-8185-E69E31D74AA2@mit.edu>
Message-ID: <1A6F3ECB-497C-45A5-9093-3F19B6B2B0E7@mit.edu>

On Jun 24, 2008, at 01:17, I wrote:
> Hi. I've just merged in to the trunk of the MIT krb5 repository
> some changes based on Sun's incremental propagation code. It should
> be in time for tonight's nightly snapshot.
[...]
> If you get a chance to try it out in the next 2-3 weeks or so,
> please let me know the results, good or bad....

So far, I haven't heard much... has anyone else tried this code out?

Ken

From William.Fiveash at sun.com Mon Jul 7 20:20:42 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Mon, 7 Jul 2008 19:20:42 -0500
Subject: need codereview for krb consortium masterkey keytab stash project
In-Reply-To: <20080625231415.GA26989@sun.com>
References: <20080625231415.GA26989@sun.com>
Message-ID: <20080708002042.GC26989@sun.com>

A reminder that the code review end is July 11. One can see the changes via:

svn diff -r20368:20493 svn://anonsvn.mit.edu/krb5/branches/mkey_keytab

Please post any comments to the krbdev at mit.edu list and cc me as well.
On Wed, Jun 25, 2008 at 06:14:15PM -0500, Will Fiveash wrote:
> I'm requesting a code review of the changes I made to implement the
> Masterkey Keytab Stash project. The project page is:
>
> http://k5wiki.kerberos.org/wiki/Projects/Masterkey_Keytab_Stash
>
> The subversion branch is krb5/branches/mkey_keytab.
> The RT ticket is 5993.
>
> Please send comments to this list as well as William.Fiveash at sun.com.
> Deadline for comments is July 11, 2008.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From tlyu at MIT.EDU Thu Jul 10 18:35:44 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 10 Jul 2008 18:35:44 -0400
Subject: RT server changes on krbdev.mit.edu
Message-ID:

We have been experiencing some problems on RT with undesired web comments from advertising robots. Due to the RT server's sending of e-mail copies of comments, the server appeared on the Barracuda blacklist, and possibly others. We implemented a few changes and requested removal from the blacklist, which appears to have happened.

The account named "guest" no longer has access to make replies or comments on tickets. Also, we have deleted the existing spam comments (numbering in the hundreds). You may continue using the "guest" account to search the database or display tickets. The server continues to be at http://krbdev.mit.edu/rt/

If you wish to reply to a ticket, you may do so by sending e-mail replying to the message that RT sent to the krb5-bugs list, preserving the subject line in your reply. The important part to preserve is the "[krbdev.mit.edu #TICKET_ID]" in the subject line; that will ensure that the reply reaches the correct ticket.
--
Tom Yu
Development Manager
MIT Kerberos Consortium

From kulg123 at gmail.com Fri Jul 11 00:11:00 2008
From: kulg123 at gmail.com (kul gupta)
Date: Fri, 11 Jul 2008 09:41:00 +0530
Subject: mod_auth_kerb+kerberos authentication
Message-ID: <2203f95e0807102111n18ad0acdr48a3684745dee9fe@mail.gmail.com>

Hello

I want to do the Kerberos authentication for the Apache server on Windows.

Kerberos KDC - on Linux machine
NOW, Apache - on Windows

Can I use mod_auth_kerb with Apache on Windows or does it work only on Linux?? Can you please provide me the steps needed for mod_auth_kerb on Windows?? If it's only for Linux, then what should I use for Kerberos authentication if my Apache is on Windows? I also found mod_spnego; should I use mod_auth_kerb or mod_spnego??

Thanks
Kul

From raeburn at MIT.EDU Mon Jul 14 16:39:24 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 14 Jul 2008 16:39:24 -0400
Subject: need codereview for krb consortium masterkey keytab stash project
In-Reply-To: <20080708002042.GC26989@sun.com>
References: <20080625231415.GA26989@sun.com> <20080708002042.GC26989@sun.com>
Message-ID: <54B50E31-BEEE-4CB2-8FC7-C41688BC02FC@mit.edu>

Mostly small stuff...

The DAL API is changed, but I think that's still an internal-only interface so not doing version checks is okay.

KADM5_CONFIG_KVNO will need to be reassigned when merging; the iprop merge used up that number. That'll be trivial.

It may be my viewer, but some of the indentation in dump.c doesn't seem to match MIT's code style (indenting function arguments on continuation lines to line up with the first argument).

Function definitions shouldn't have spaces between the parens and the arguments.

kdb_default.c: On my Solaris system, mktemp(3C) is documented as wanting a string with six trailing Xs; your template string has five. (The Mac version says it'll take any number, but I've seen six mentioned elsewhere.)
The new keytab code should be exercised by the test suite; do you have a test to verify that an old-format stash file will still work?

Ken

From raeburn at MIT.EDU Tue Jul 15 11:54:22 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 15 Jul 2008 11:54:22 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: <4A6A5E91-71AE-49DF-994F-E46A8E9F49C4@mit.edu>
References: <96BE6D1F-2A33-4204-B02A-7B8C1B75825A@mit.edu> <4A6A5E91-71AE-49DF-994F-E46A8E9F49C4@mit.edu>
Message-ID: <7E5F2D12-508C-41F7-B0CB-792637FF11D1@mit.edu>

On Jul 3, 2008, at 16:24, Ken Raeburn wrote:
> I've updated the project proposal at http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals
> based on the discussions in May, and think it's ready for a new
> review; the review period runs through July 17. Please have a new
> look.

No comments yet? Everybody thinks it's great as is?

Ken

From john at iastate.edu Tue Jul 15 12:30:11 2008
From: john at iastate.edu (John Hascall)
Date: Tue, 15 Jul 2008 11:30:11 CDT
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: Your message of Tue, 15 Jul 2008 11:54:22 -0400. <7E5F2D12-508C-41F7-B0CB-792637FF11D1@mit.edu>
Message-ID: <3531.1216139411@malison.ait.iastate.edu>

> On Jul 3, 2008, at 16:24, Ken Raeburn wrote:
> > I've updated the project proposal at http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals
> > based on the discussions in May, and think it's ready for a new
> > review; the review period runs through July 17. Please have a new
> > look.

> No comments yet? Everybody thinks it's great as is?

I like everything except:

... start with the hardcoded list in the 524 name conversion code ...

That thing is evil and should itself go away.
John

From raeburn at MIT.EDU Tue Jul 15 12:50:27 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 15 Jul 2008 12:50:27 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: <3531.1216139411@malison.ait.iastate.edu>
References: <3531.1216139411@malison.ait.iastate.edu>
Message-ID:

On Jul 15, 2008, at 12:30, John Hascall wrote:
> I like everything except:
>
> ... start with the hardcoded list in the 524 name conversion code ...
>
> That thing is evil and should itself go away.

Yeah, well, not as part of this project. I'm fine with having no list compiled in. I'm just not happy with having a compiled-in list that is different from (or not kept in sync with) the 524 one while that one is still around.

Ken

From William.Fiveash at Sun.COM Tue Jul 15 13:40:26 2008
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Tue, 15 Jul 2008 12:40:26 -0500
Subject: need codereview for krb consortium masterkey keytab stash project
In-Reply-To: <54B50E31-BEEE-4CB2-8FC7-C41688BC02FC@mit.edu>
References: <20080625231415.GA26989@sun.com> <20080708002042.GC26989@sun.com> <54B50E31-BEEE-4CB2-8FC7-C41688BC02FC@mit.edu>
Message-ID: <20080715174026.GF26405@sun.com>

On Mon, Jul 14, 2008 at 04:39:24PM -0400, Ken Raeburn wrote:
> Mostly small stuff...
>
> The DAL API is changed, but I think that's still an internal-only interface
> so not doing version checks is okay.

That's what I was assuming.

> KADM5_CONFIG_KVNO will need to be reassigned when merging; the iprop merge
> used up that number. That'll be trivial.

Okay.

> It may be my viewer, but some of the indentation in dump.c doesn't seem to
> match MIT's code style (indenting function arguments on continuation lines
> to line up with the first argument).
>
> Function definitions shouldn't have spaces between the parens and the
> arguments.

The problem I have is trying to decide what is correct.
If you look at the definition of kdb_def_set_mkey() (which I did not modify) in kdb_default.c you'll see a space between the parens and the args. I've gone ahead and modified the formatting to remove the space between the parens and the args for the functions I modified.

In general I was told by Tom that he preferred a C-style where indentation was 4 columns and spaces are used instead of hard tabs. This was what I was using; however, I understand your point about not introducing unnecessary diffs, so I've gone back and fixed the obvious places where the formatting was different.

> kdb_default.c: On my Solaris system, mktemp(3C) is documented as wanting a
> string with six trailing Xs; your template string has five. (The Mac
> version says it'll take any number, but I've seen six mentioned elsewhere.)

Fixed this to use six X's.

> The new keytab code should be exercised by the test suite; do you have a
> test to verify that an old-format stash file will still work?

Not yet but I will. Can this be postponed?

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From William.Fiveash at Sun.COM Tue Jul 15 14:25:05 2008
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Tue, 15 Jul 2008 13:25:05 -0500
Subject: need codereview for krb consortium masterkey keytab stash project
In-Reply-To: <20080715174026.GF26405@sun.com>
References: <20080625231415.GA26989@sun.com> <20080708002042.GC26989@sun.com> <54B50E31-BEEE-4CB2-8FC7-C41688BC02FC@mit.edu> <20080715174026.GF26405@sun.com>
Message-ID: <20080715182505.GA26554@sun.com>

I've committed the code changes based on your review to the mkey_keytab branch.

On Tue, Jul 15, 2008 at 12:40:26PM -0500, Will Fiveash wrote:
> On Mon, Jul 14, 2008 at 04:39:24PM -0400, Ken Raeburn wrote:
> > Mostly small stuff...
> >
> > The DAL API is changed, but I think that's still an internal-only interface
> > so not doing version checks is okay.
>
> That's what I was assuming.
>
> > KADM5_CONFIG_KVNO will need to be reassigned when merging; the iprop merge
> > used up that number. That'll be trivial.
>
> Okay.
>
> > It may be my viewer, but some of the indentation in dump.c doesn't seem to
> > match MIT's code style (indenting function arguments on continuation lines
> > to line up with the first argument).
> >
> > Function definitions shouldn't have spaces between the parens and the
> > arguments.
>
> The problem I have is trying to decide what is correct. If you look at
> the definition of kdb_def_set_mkey() (which I did not modify) in
> kdb_default.c you'll see a space between the parens and the args.
> I've gone ahead and modified the formatting to remove the space between
> the parens and the args for the functions I modified.
>
> In general I was told by Tom that he preferred a C-style where
> indentation was 4 columns and spaces are used instead of hard tabs.
> This was what I was using; however, I understand your point about not
> introducing unnecessary diffs, so I've gone back and fixed the obvious
> places where the formatting was different.
>
> > kdb_default.c: On my Solaris system, mktemp(3C) is documented as wanting a
> > string with six trailing Xs; your template string has five. (The Mac
> > version says it'll take any number, but I've seen six mentioned elsewhere.)
>
> Fixed this to use six X's.
>
> > The new keytab code should be exercised by the test suite; do you have a
> > test to verify that an old-format stash file will still work?
>
> Not yet but I will. Can this be postponed?
>
> --
> Will Fiveash
> Sun Microsystems Inc.
> http://opensolaris.org/os/project/kerberos/

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From ssorce at redhat.com Tue Jul 15 14:52:39 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 15 Jul 2008 14:52:39 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: <7E5F2D12-508C-41F7-B0CB-792637FF11D1@mit.edu>
References: <96BE6D1F-2A33-4204-B02A-7B8C1B75825A@mit.edu> <4A6A5E91-71AE-49DF-994F-E46A8E9F49C4@mit.edu> <7E5F2D12-508C-41F7-B0CB-792637FF11D1@mit.edu>
Message-ID: <1216147959.23973.55.camel@localhost.localdomain>

On Tue, 2008-07-15 at 11:54 -0400, Ken Raeburn wrote:
> On Jul 3, 2008, at 16:24, Ken Raeburn wrote:
> > I've updated the project proposal at http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals
> > based on the discussions in May, and think it's ready for a new
> > review; the review period runs through July 17. Please have a new
> > look.
>
> No comments yet? Everybody thinks it's great as is?

Would it be possible to develop this functionality as a plugin? I would be interested in experimenting with feeding the KDC using mappings stored and/or generated through LDAP queries by writing an alternate plugin.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Tue Jul 15 14:59:34 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 15 Jul 2008 14:59:34 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To: <1216147959.23973.55.camel@localhost.localdomain>
References: <96BE6D1F-2A33-4204-B02A-7B8C1B75825A@mit.edu> <4A6A5E91-71AE-49DF-994F-E46A8E9F49C4@mit.edu> <7E5F2D12-508C-41F7-B0CB-792637FF11D1@mit.edu> <1216147959.23973.55.camel@localhost.localdomain>
Message-ID:

On Jul 15, 2008, at 14:52, Simo Sorce wrote:
> Would it be possible to develop this functionality as a plugin?
> I would be interested in experimenting with feeding the KDC using mappings
> stored and/or generated through LDAP queries by writing an alternate
> plugin.
I think the general intent is that we get a plugin interface for this later, just not as part of this (hopefully) quick project.

Ken

From raeburn at MIT.EDU Wed Jul 23 19:02:29 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 23 Jul 2008 19:02:29 -0400
Subject: Kerberos dev project for review: domain_realm mapping via KDC referral
In-Reply-To:
References: <3531.1216139411@malison.ait.iastate.edu>
Message-ID:

On Jul 15, 2008, at 12:50, Ken Raeburn wrote:
> On Jul 15, 2008, at 12:30, John Hascall wrote:
>> I like everything except:
>>
>> ... start with the hardcoded list in the 524 name conversion code ...
>>
>> That thing is evil and should itself go away.
>
> Yeah, well, not as part of this project. I'm fine with having no
> list compiled in. I'm just not happy with having a compiled-in list
> that is different from (or not kept in sync with) the 524 one while
> that one is still around.

Since there's opposition to using the 524 list, and I don't think anyone was really strongly in favor of using it, I've dropped the idea from the "open issues" section. And since the only other thing there was a note about the lack of caching, the section is now named "notes" instead. :)

Otherwise, no complaints with the proposal as is (except for Simo wanting a plugin API)?

Ken

From dzhugashvili9 at hotmail.com Tue Jul 29 21:02:41 2008
From: dzhugashvili9 at hotmail.com (Nathanael Warren)
Date: Tue, 29 Jul 2008 21:02:41 -0400
Subject: kerberos password test function source code
Message-ID:

Hey,

I was wondering if anybody out there had a simple, straightforward kerberos test function available. I already checked out the Brezak Internet draft (draft-brezak-win2k-krb-rc4-hmac-03.txt), but it's a little over my head as far as implementing it in code. I am pretty new to programming, and I am attempting to build an application in C++ that will test passwords for strength.
I was looking for something along the lines of a bool function that is supplied a plaintext password candidate in a word[] array and the Kerberos 5 pre-authentication hash (like in Cain, the authenticator?), and returns a bool TRUE or FALSE, depending on whether or not the password checks. Here is an example:

    bool IsPasswordTrue(char password[], authenticator)
    {
        if ((encrypt(password)) == authenticator) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

If anybody could help, that would be great! This is the optimal code, but if you have anything at all that might be helpful, I would appreciate it.

Thanks!
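The check asked for above, worked through as an added example (not code from the original poster, from Cain, or from the krb5 project): the RC4-HMAC (etype 23) case, which is what the Brezak draft, now RFC 4757, describes and what an AS-REQ PA-ENC-TIMESTAMP from a Windows client carries. The long-term key is MD4 over the UTF-16LE password (the NT hash); the pre-auth value is a 16-byte HMAC-MD5 checksum followed by RC4 output over an 8-byte confounder plus the DER PA-ENC-TS-ENC, keyed as in RFC 4757 section 6 with T = 1, the key usage for PA-ENC-TIMESTAMP. A candidate "checks" when the HMAC-MD5 recomputed over the decrypted data equals the checksum carried in the blob. Python is used instead of C++ so that MD4 and RC4 fit in one self-contained file; the captured pre-auth value, the timestamp inside it and the hand-assembled DER are constructed in the block, since the poster shows no hash.

```python
"""Offline check of a Kerberos 5 RC4-HMAC (etype 23) PA-ENC-TIMESTAMP against a
candidate password, following RFC 4757 (successor of draft-brezak-win2k-krb-rc4-hmac).
Added illustration; not code from the krb5 project or from the original poster."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing from OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, word order, shift schedule, additive constant)
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# RFC 4757 section 3: key usage 1 (AS-REQ PA-ENC-TIMESTAMP) as 4-byte little-endian T.
T_PA_ENC_TIMESTAMP = struct.pack("<I", 1)


def string_to_key(password: str) -> bytes:
    """RC4-HMAC long-term key: the NT hash, MD4 over the UTF-16LE password (no salt)."""
    return md4(password.encode("utf-16-le"))


def rc4hmac_encrypt(key: bytes, t: bytes, plaintext: bytes, confounder=None) -> bytes:
    """RFC 4757 section 6 encryption; used here only to build the sample pre-auth blob."""
    k1 = hmac.new(key, t, hashlib.md5).digest()
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def is_password_true(candidate: str, edata: bytes) -> bool:
    """The bool function asked for: does candidate decrypt this PA-ENC-TIMESTAMP cipher text?

    edata is the EncryptedData.cipher octets: 16-byte HMAC-MD5 checksum followed by the
    RC4 output over (8-byte confounder || DER PA-ENC-TS-ENC)."""
    if len(edata) < 16 + 8 + 2:
        return False
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = hmac.new(string_to_key(candidate), T_PA_ENC_TIMESTAMP, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return False
    # Structural sanity check: after the confounder, PA-ENC-TS-ENC is a DER SEQUENCE (0x30).
    return data[8] == 0x30


# Constructed sample: DER PA-ENC-TS-ENC { patimestamp 20080729210241Z, pausec 123456 }.
SAMPLE_PA_ENC_TS_ENC = (b"\x30\x1a\xa0\x11\x18\x0f" + b"20080729210241Z"
                        + b"\xa1\x05\x02\x03\x01\xe2\x40")
# Constructed "captured" pre-auth value: encrypted under the key for "password" with a
# fixed confounder so that the example is deterministic. A real capture would be the
# cipher octets of the PA-ENC-TIMESTAMP padata in the AS-REQ.
SAMPLE_EDATA = rc4hmac_encrypt(string_to_key("password"), T_PA_ENC_TIMESTAMP,
                               SAMPLE_PA_ENC_TS_ENC, confounder=bytes(range(1, 9)))

if __name__ == "__main__":
    for cand in ("Password", "passw0rd", "password"):
        print(f"{cand!r}: {is_password_true(cand, SAMPLE_EDATA)}")
```

This routine applies only to etype 23. The AES enctypes (17 and 18, the one the AS-REP above uses) derive the key with PBKDF2 over the principal's salt and use a different encryption profile, so an AES pre-auth value cannot be checked this way. Testing a password's strength like this also means holding the pre-auth blob of a real account, which is equivalent to holding a crackable copy of its key; keep such captures under the same protection as a keytab.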