Subject: RE: SPNEGO APIs and Apache modules - msg#00019

List: encryption.kerberos.general


If you hammer on a page with Internet Explorer it will send what MIT Kerberos considers replays of the gss_init_sec_context tokens. So in order to get around this you either need to always use SSL and disable the replay cache on the server (which, unless the API has changed in recent versions of MIT Kerberos, there is no API to do), or it might also work to tweak MIT's replay cache to include sequence numbers. (MS seems to pick a random number for their initial sequence number, and these seem to change with each request.)

-Christopher Nebergall

-----Original Message-----
From: Frank Balluffi
To: kerberos@xxxxxxx; krbdev@xxxxxxx
Sent: 9/3/2003 8:18 PM
Subject: SPNEGO APIs and Apache modules

Markus Moeller and I have made SPNEGO C APIs and Apache modules available at https://sourceforge.net/projects/modgssapache/. The project contains three packages:

fbopenssl
mod_spnego
modgssapache

fbopenssl (for lack of a better name) is a library of extensions to OpenSSL, including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs). fbopenssl has been tested on Linux, Microsoft Windows and Sun Solaris. fbopenssl still needs to be tested for memory leaks using a tool like Purify.

mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos authentication and user-level authorization. mod_spnego uses fbopenssl, MIT GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft Windows and Sun Solaris using Microsoft Internet Explorer 6.0. Currently, mod_spnego does not support Apache 1.3 or group-level authorization.

modgssapache is a modified version of the Apache 1.3 GSS-API module located at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. This version has been modified to support SPNEGO using open-source SPNEGO APIs from Microsoft. modgssapache has been tested on Linux and Sun Solaris.

Frank


_______________________________________________
krbdev mailing list krbdev@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/krbdev

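The message above turns on how the server's replay cache keys an incoming AP-REQ authenticator. The following is an added example, a small model written for this page; it is not code from MIT Kerberos, mod_spnego, modgssapache or any other project mentioned in the thread. It compares a cache keyed on (client, server, timestamp) with one that also folds in the client's sequence number, as Nebergall suggests, and with the cache switched off, which is his first option. It goes one step beyond the message with a third variant that keys on a digest of the whole token; that variant is my assumption, not something the thread proposes. The principal names, timestamps, sequence numbers and token bytes are constructed for illustration, and the Authenticator fields are a simplification of what a real authenticator carries.

```python
"""Model of how a Kerberos replay cache keys authenticators.

Added example for this page, not code from MIT Kerberos or from the Apache
modules discussed in the thread. All principals, timestamps, sequence
numbers and token bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """Simplified view of an AP-REQ authenticator after the server decrypts it."""
    client: str      # client principal
    server: str      # service principal the ticket was issued for
    ctime: int       # client timestamp, seconds
    cusec: int       # client timestamp, microseconds
    seq: int         # client's initial sequence number
    raw: bytes       # token bytes as received on the wire (constructed)


def timestamp_key(a):
    """Key modelled on the behaviour the message complains about: two distinct
    requests from the same client with a colliding timestamp look identical."""
    return (a.client, a.server, a.ctime, a.cusec)


def timestamp_seq_key(a):
    """Nebergall's suggestion: add the sequence number to the key, since IE
    picks a fresh one per request while a verbatim replay repeats it."""
    return (a.client, a.server, a.ctime, a.cusec, a.seq)


def token_hash_key(a):
    """Assumed stricter variant, not from the thread: key on a digest of the
    whole token, so only a byte-identical replay collides."""
    return (a.client, a.server, hashlib.sha256(a.raw).hexdigest())


class ReplayCache:
    """key_fn=None models a server with the replay cache disabled."""

    def __init__(self, key_fn, window=300):
        self.key_fn = key_fn
        self.window = window   # clock-skew window in seconds; bounds cache size
        self._seen = {}        # key -> wall-clock time the key was first seen

    def accept(self, auth, now):
        """True if the authenticator is new, False if it is treated as a replay.
        A timestamp outside the skew window is refused before the cache is
        consulted, which is what lets old entries be dropped."""
        if abs(now - auth.ctime) > self.window:
            return False
        if self.key_fn is None:
            return True
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}
        key = self.key_fn(auth)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def scenario(key_fn):
    """Two distinct IE requests whose timestamps collide, then a verbatim replay
    of the first by an attacker. Returns (first_ok, second_ok, replay_ok)."""
    t0 = 1062636000   # constructed instant on 2003-09-03
    client = "alice@EXAMPLE.COM"
    server = "HTTP/www.example.com@EXAMPLE.COM"
    first = Authenticator(client, server, t0, 0, 0x5A3B1C, b"token-1-ciphertext")
    second = Authenticator(client, server, t0, 0, 0x91EF02, b"token-2-ciphertext")
    replay = first   # the attacker resends exactly the bytes it captured
    cache = ReplayCache(key_fn)
    return (cache.accept(first, t0),
            cache.accept(second, t0),
            cache.accept(replay, t0 + 1))


if __name__ == "__main__":
    for name, fn in (("timestamp only", timestamp_key),
                     ("timestamp + seq", timestamp_seq_key),
                     ("token hash", token_hash_key),
                     ("cache disabled", None)):
        print(f"{name:16s} (first, second, replay) = {scenario(fn)}")
```

With the timestamp-only key the second legitimate request is refused as a replay, which is the failure the message describes; with the sequence number in the key both requests pass and the verbatim replay is still caught; with the cache disabled the replay is accepted, which is the cost of the first option. Whatever field is added to the key must be one that a captured token cannot change without breaking the authenticator's encryption, which is why the sequence number, being inside the encrypted authenticator, is a reasonable candidate.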



Thread at a glance:

Previous Message by Date:

Re: SPNEGO APIs and Apache modules

Why are your SPNEGO extensions part of OpenSSL? That seems like a rather unfortunate place for them.

Next Message by Date:

RE: Win2000 PAC-Credentials Implementation

> -----Original Message-----
> From: kerberos-bounces@xxxxxxx [mailto:kerberos-bounces@xxxxxxx] On Behalf Of Tobias Heide
> Sent: Tuesday, September 02, 2003 10:43 PM
> To: kerberos@xxxxxxx
> Subject: Win2000 PAC-Credentials Implementation
>
> Hi there!
>
> I wanted to have Windows 2000 Clients authenticate against a MIT Kerberos 1.3.1 KDC. But during implementation I came across some questions:
>
> 1. Is there an implementation for the Windows 2000 additional authorization information, which they keep in their tickets? There is an internet draft (which is expired), but is there an implementation as well?

AFAIK there is no implementation released by Microsoft or others. The PAC specification can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp

> 2. Does anyone know why MS messes up DNS with certain _mscd, _tcp (etc.) domains? What is the sense behind this?

These are SRV records that support service location. The _msdcs is used for DC location. The _tcp, _udp for the KDC.

> 3. Is there a backend for LDAP in MIT Kerberos? Could as well be beta, because this is only a case study until now.
>
> 4. Did anyone get it to run? (both, LDAP and/or Win2000 Clients)

You can get W2K clients to work against a MIT KDC even without having any PAC support on the MIT KDC. You will have to use ksetup to map the Kerberos users to local accounts. See http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

> Overall goal would be to have some kind of Active Directory, but based on Open Source Software.
>
> Thanks in advance,
> tobi
> --
> System Administrator DAASI International GmbH
> http://www.daasi.de

This posting is provided "AS IS" with no warranties, and confers no rights.

Previous Message by Thread:

Re: SPNEGO APIs and Apache modules

Frank Balluffi wrote:

> Markus Moeller and I have made SPNEGO C APIs and Apache modules available at https://sourceforge.net/projects/modgssapache/. The project contains three packages:
>
> fbopenssl
> mod_spnego
> modgssapache
>
> fbopenssl (for lack of a better name) is a library of extensions to OpenSSL, including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs). fbopenssl has been tested on Linux, Microsoft Windows and Sun Solaris. fbopenssl still needs to be tested for memory leaks using a tool like Purify.
>
> mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos authentication and user-level authorization. mod_spnego uses fbopenssl, MIT GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft Windows and Sun Solaris using Microsoft Internet Explorer 6.0. Currently, mod_spnego does not support Apache 1.3 and group-level authorization.
>
> modgssapache is a modified version of the Apache 1.3 GSS-API module located at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. This version has been modified to support SPNEGO using open-source SPNEGO APIs from Microsoft. modgssapache has been tested on Linux and Sun Solaris.

FYI, the current release (published today) of the modauthkerb module available from http://sourceforge.net/projects/modauthkerb also supports the Negotiate method compatible with the Microsoft products. This module supports both MIT and Heimdal implementations of Krb5, and allows verification of passwords against krb5 and krb4 KDCs. The module supports both Apache 1.3 and 2.0. The SPNEGO routines are mainly based on code from the Heimdal developers and don't depend on any additional libs (such as openssl). These routines are part of a full SPNEGO implementation I'm just finishing (I'm using the krb5 and GSI GSS-API libs for testing).

I'm also preparing SPNEGO support for the Mozilla Kerberos "plugin", available from negotiateauth.mozdev.org, so that it can use the Negotiate method against Apache or IIS.

-- Dan

Next Message by Thread:

Re: SPNEGO APIs and Apache modules

Nebergall, Christopher <cneberg@xxxxxxxxxx> writes:

> If you hammer on a page with Internet Explorer it will send what MIT Kerberos considers replays of the gss-init-sec-context tokens. So in order to get around this you either need to always use SSL and disable the replay cache on the server, (Which unless the api has changed in recent versions of MIT Kerberos there is no api to do this), or it might also work to tweak MIT's replay cache to include sequence numbers. (MS seems to pick a random number for their initial sequence number, and these seem to change with each request.)

Disabling the replay cache for this protocol would be a bad idea from a security standpoint.
