kerberos and freeradius
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Dec 19 15:00:05 EST 2003
On Friday, December 19, 2003 08:47:27 -0600 dave schrader
<dave_s at iastate.edu> wrote:
> Are there any modules available that will allow freeradius to do kerberos
> authentication under netbsd ?
>
> Dave Schrader

Freeradius includes a 'rlm_krb5' module which will verify passwords against
your krb5 KDC. Note that this is not the same as using Kerberos to
authenticate the RADIUS protocol spoken between the NAS and RADIUS server.

I have attached a patch against freeradius-0.3 which makes some
improvements to the rlm_krb5 module, including actually validating the
tickets it obtains in the process of verifying a password. We've been
running this for a couple of years with good results. It won't be exactly
what you need, but it should serve as a good starting point. Notably...

- We've run this on Linux, but not any of the BSDs
- I've made no attempt to port to newer versions of freeradius
- We build against Heimdal, and there are some API differences. I can't
  promise this will build as-is against MIT krb5.

If you have an AFS client (see www.openafs.org), you can find our full
source tree in /afs/cs.cmu.edu/misc/nettools/src/freeradius-0.3 (and
patches in ../Patches), and our configuration (minus the actual keys) in
/afs/cs.cmu.edu/data/domain/config/raddb

Good luck...

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-krb5.patch
Type: application/octet-stream
Size: 5793 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20031219/f9a1c621/attachment.obj