kerberos and freeradius

Steve Langasek vorlon at dodds.net
Fri Dec 19 15:12:52 EST 2003


On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:
> On Friday, December 19, 2003 08:47:27 -0600 dave schrader 
> <dave_s at iastate.edu> wrote:

> >Are there any modules available that will allow freeradius to do kerberos
> >authentication under netbsd?
> >Dave Schrader

> Freeradius includes a 'rlm_krb5' module which will verify passwords against 
> your krb5 KDC.  Note that this is not the same as using Kerberos to 
> authenticate the RADIUS protocol spoken between the NAS and RADIUS server.

> I have attached a patch against freeradius-0.3 which makes some 
> improvements to the rlm_krb5 module, including actually validating the 
> tickets it obtains in the process of verifying a password.  We've been 
> running this for a couple of years with good results.  It won't be exactly 
> what you need, but it should serve as a good starting point.  Notably...

freeradius 0.3 is substantially out of date, and probably has remotely
exploitable vulnerabilities (or then again, maybe it's too old for
them...).  The current version of the rlm_krb5 module (0.9+) includes the
enhancements you describe, including improved portability between MIT KRB5
and Heimdal (though I recently made some changes to CVS HEAD that I
haven't tested on Heimdal, so I may have ruined that again ;).

-- 
Steve Langasek
postmodern programmer

