Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: conserver: users

Kerberos authentication?

  

 
conserver users RSS feed   Index | Next | Previous | View Threaded


Andras.Horvath at cern

Sep 16, 2009, 8:33 AM

Post #1 of 4 (236 views)
Permalink
Kerberos authentication?
Hi,

I'm wondering if anyone has a patch to use Kerberos5 tokens for
authentication between the client and the server?

I can use the appropriate passwords (via PAM) but it would be much
easier for my users to directly use the tokens they have already.

Andras
_______________________________________________
users mailing list
users[at]conserver.com
https://www.conserver.com/mailman/listinfo/users


nstraz at redhat

Sep 16, 2009, 10:21 AM

Post #2 of 4 (225 views)
Permalink
Re: Kerberos authentication? [In reply to]
On Sep 16 17:33, Andras.Horvath[at]cern.ch wrote:
> I'm wondering if anyone has a patch to use Kerberos5 tokens for
> authentication between the client and the server?
>
> I can use the appropriate passwords (via PAM) but it would be much
> easier for my users to directly use the tokens they have already.

Here is my most recent patch with works with libgssapi and libgssglue.

I would love to get this patch upstream.

Nate
Attachments: conserver-8.1.16-gssglue.patch (23.9 KB)


Andras.Horvath at cern

Sep 17, 2009, 6:03 AM

Post #3 of 4 (220 views)
Permalink
Re: Kerberos authentication? [In reply to]
> Here is my most recent patch with works with libgssapi and libgssglue.

Works for me, thank you!

Note: authentication info has to be in username[at]REALM.DOMAIN format
instead of just 'username' for krb5 to work. This prevents users from
falling back to password authentication if they don't have a token (PAM
will come back with 'username' only). :-/ Perhaps a default realm could
be supplied somehow? I'm no gssapi expert :-/

> I would love to get this patch upstream.

I second that.
I've started tracking my (packaging-only) changes in git..

Andras
_______________________________________________
users mailing list
users[at]conserver.com
https://www.conserver.com/mailman/listinfo/users


Andras.Horvath at cern

Sep 18, 2009, 5:47 AM

Post #4 of 4 (215 views)
Permalink
Re: Kerberos authentication? [In reply to]
On Thu, Sep 17, 2009 at 03:03:04PM +0200, Andras.Horvath[at]cern.ch wrote:
>
> Note: authentication info has to be in username[at]REALM.DOMAIN format
> instead of just 'username' for krb5 to work. This prevents users from
> falling back to password authentication if they don't have a token (PAM
> will come back with 'username' only). :-/ Perhaps a default realm could
> be supplied somehow? I'm no gssapi expert :-/

Ahm, well, attached is a hack that, if logging in with a given username
fails, retries login with any '@REALM' parts stripped off.
(The whole patch only makes sense together with Nate's GSSAPI patch.)

This serves me right for Kerberos and should be backwards compatible
unless you use both 'bozouser' and 'bozouser[at]bozo.com' as usernames and
they're two different people.

Disclaimer: I'm not an experienced C programmer -- please feel free to
criticize and/or fix.

Andras
Attachments: conserver-8.1.16-krb5strip.patch (1.90 KB)

conserver users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.