kerberos and freeradius

Jeffrey Hutzelman jhutz at cmu.edu
Fri Dec 19 15:29:38 EST 2003



On Friday, December 19, 2003 14:12:52 -0600 Steve Langasek 
<vorlon at dodds.net> wrote:

> On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:
>> On Friday, December 19, 2003 08:47:27 -0600 dave schrader
>> <dave_s at iastate.edu> wrote:
>
>> > Are there any modules available that will allow freeradius to do
>> > kerberos authentication under netbsd ? Dave Schrader
>
>> Freeradius includes a 'rlm_krb5' module which will verify passwords
>> against your krb5 KDC.  Note that this is not the same as using
>> Kerberos to authenticate the RADIUS protocol spoken between the NAS and
>> RADIUS server.
>
>> I have attached a patch against freeradius-0.3 which makes some
>> improvements to the rlm_krb5 module, including actually validating the
>> tickets it obtains in the process of verifying a password.  We've been
>> running this for a couple of years with good results.  It won't be
>> exactly what you need, but it should serve as a good starting point.
>> Notably...
>
> freeradius 0.3 is substantially out of date, and probably has remotely
> exploitable vulnerabilities (or then again, maybe it's too old for
> them...).  The current version of the rlm_krb5 module (0.9+) includes the
> enhancements you describe, including improved portability between MIT KRB5
> and Heimdal (though I recently made some changes to CVS HEAD that I
> haven't tested on Heimdal, so I may have ruined that again ;).

Yeah; that doesn't surprise me.  We don't actually use it much, and keeping 
it up to date hasn't been a high priority for me...

I'm glad to hear that work has been done on improving the rlm_krb5 module; 
I seem to recall last I looked that it was still broken, but that was quite 
some time ago.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


