kerberos and freeradius
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Dec 19 15:29:38 EST 2003
On Friday, December 19, 2003 14:12:52 -0600 Steve Langasek
<vorlon at dodds.net> wrote:
> On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:
>> On Friday, December 19, 2003 08:47:27 -0600 dave schrader
>> <dave_s at iastate.edu> wrote:
>
>> > Are there any modules available that will allow freeradius to do
>> > kerberos authentication under netbsd ? Dave Schrader
>
>> Freeradius includes a 'rlm_krb5' module which will verify passwords
>> against your krb5 KDC. Note that this is not the same as using
>> Kerberos to authenticate the RADIUS protocol spoken between the NAS and
>> RADIUS server.
>
>> I have attached a patch against freeradius-0.3 which makes some
>> improvements to the rlm_krb5 module, including actually validating the
>> tickets it obtains in the process of verifying a password. We've been
>> running this for a couple of years with good results. It won't be
>> exactly what you need, but it should serve as a good starting point.
>> Notably...
>
> freeradius 0.3 is substantially out of date, and probably has remotely
> exploitable vulnerabilities (or then again, maybe it's too old for
> them...). The current version of the rlm_krb5 module (0.9+) includes the
> enhancements you describe, including improved portability between MIT KRB5
> and Heimdal (though I recently made some changes to CVS HEAD that I
> haven't tested on Heimdal, so I may have ruined that again ;).
Yeah; that doesn't surprise me. We don't actually use it much, and keeping
it up to date hasn't been a high priority for me...
I'm glad to hear that work has been done on improving the rlm_krb5 module;
I seem to recall last I looked that it was still broken, but that was quite
some time ago.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list