Displaying 20 results from an estimated 200 matches similar to: "[PATCH] Set KRB5PRINCIPAL in user environment"
2017 Jan 06
2
[PATCH] Set KRB5PRINCIPAL in user environment
Hey,
On 05/01, Jakub Jelen wrote:
>On 01/04/2017 10:57 AM, Johannes Löthberg wrote:
>>Signed-off-by: Johannes Löthberg <johannes at kyriasis.com>
>>---
>> gss-serv-krb5.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>>diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
>>index 795992d9..a12bb244 100644
>>--- a/gss-serv-krb5.c
>>+++
2014 Dec 28
2
pubkey fingerprint and krb princ name in environment
Hey,
I use gitolite for git hosting on my server, and because I want to use
kerberos authentication I patched OpenSSH to put the name of the
kerberos principal name or the ssh fingerprint as environment variables
so my ForceCommand script can use them to actually authorize the user by
the principal/fingerprint.
It's a bit annoying to keep my own patch and I thought it might be
something
2015 Jun 30
2
how is the sha fingerprint generated?
You really don't need openssl for that.
And the fingerprints are simple.
Here is a Python script that does the same as ssh-keygen
-fl /path/to/key :
#!/usr/bin/env python3
import binascii
import hashlib
import sys
if __name__ == "__main__":
    key = binascii.a2b_base64(sys.argv[1])
    if sys.argv[2] == "md5":
        m = hashlib.new("md5")
2018 Mar 16
2
[PATCH] Set KRB5PRINCIPAL in user environment
Hello
There is no reply about this demand since the first proposition, as if nobody in the dev team cares about it :(
Strange ...
On 14 March 2018 20:39:53 GMT+01:00, "Johannes Löthberg" <johannes at kyriasis.com> wrote:
>Quoting Johannes Löthberg (2017-01-06 02:34:43)
>> >this change request is already tracked as a bug #2063 [1] (with the
>> >related
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
2015 Mar 26
3
FYI: SSH1 now disabled at compile-time by default
On 26/03, Nico Kadel-Garcia wrote:
>Yanking it out wholesale should be part of a 7.0 build, not an
>incremental release. That's a major incompatibility with one heck of a
>lot of existing code, much of which is on extended support.
>
And it's been said multiple times in this thread that the OpenSSH
version number is just an incrementing decimal number, it doesn't have
any major
2015 Jun 30
3
how is the sha fingerprint generated?
% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
~/.ssh swlap1
d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff -
% ssh-keygen -lf ext_rsa.pub
~/.ssh swlap1
8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
Why do those differ and how would i generate the equivalent (mainly
just curious)? I've also tried base64 and a
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I
noticed that there is a bit of functionality missing from
OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using
GSS authentication.
Yes, ~/.k5login can be used to grant access to an account for
applications that support Kerberos, as does OpenSSH with those GSS
patches, but .k5login does not and cannot provide
2003 Aug 10
9
updated gssapi diff
this is the proposed gssapi diff against OpenSSH-current (non-portable).
note: if this goes in, the old krb5 auth (ssh.com compatible) will be
removed.
please comment.
jakob
Index: auth.h
===================================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h
2015 Mar 25
3
FYI: SSH1 now disabled at compile-time by default
On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote:
> Our ability to influence people who run truly obsolete software is
> extremely limited.
+1, mostly because those who still use something that outdated in their
products are either dead, or simply don't care about their customer's
security (which is typical in the embedded devices area).
Just by us (or anyone else) saying
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2006 Mar 17
1
samba3 and heimdal: both using ldap as backends
samba-3.0.21c, heimdal-0.7.2
The heimdal documentation[1] talks about a samba integration when both
samba and heimdal are using ldap as their backends. I quote:
"Now you can proceed as in See Using LDAP to store the database. Heimdal
will pick up the Samba LDAP entries if they are in the same search space
as the Kerberos entries."
There is absolutely no further documentation.
I tried
2018 Mar 16
2
[PATCH] Set KRB5PRINCIPAL in user environment
On Fri, 2018-03-16 at 19:07 +1030, David Newall wrote:
> > There is no reply about this demand since the first proposition,
> > as if nobody in the dev team cares about it :(
>
> I'm curious about the first section of the diff, which exports
> SSH_GSSAPI_DISPLAYNAME to PAM. Is that useful? Am I right that the
> PAM
> environment forms no part of the client session?
2016 Feb 18
2
Let PAM know about accepted pubkey?
Hi,
first off: my familiarity with the OpenSSH/PAM code-base is very limited.
Please excuse me if some of this does not make any sense or seems stupid!
I'm investigating if it is possible for a PAM module to find out which
public key was accepted (when 'AuthenticationMethods
publickey,keyboard-interactive' is used). From my digging in the source,
it seems it is currently not.
Would
2003 Aug 22
1
GSSAPI patch sync from OpenBSD to Portable
Hi All.
Markus has committed the long-awaited GSSAPI patch to OpenBSD's ssh.
There are patches. The first [1] is a straightforward port of the
OpenBSD code to Portable.
The second [2] contains the parts I've stolen from Simon Wilkinson's
portable GSSAPI patch in an attempt to make it build. It is incomplete
and doesn't currently work.
The PAM support is not there and
2011 Sep 06
16
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930
--- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST ---
Retarget unresolved
2006 Nov 29
2
Samba and Heimdal Kerberos V Authentication
Hello,
I maintain a network of numerous Linux workstations, several Apples,
and a few Windows machines. The Apples and Windows XP machines already
grab shared data via Samba and the remaining data is exported to the
Linux machines via NFS.
I am in the process of migrating the existing authentication system
from XYZ123 to Kerberos and going to place user data---with the
exception of passwords
2004 Aug 12
14
Pending OpenSSH release, call for testing.
Hi All.
OpenSSH is getting ready for a release soon, so we are asking for all
interested parties to test a snapshot.
Changes include:
* sshd will now re-exec itself for each new connection (the "-e" option
is required when running sshd in debug mode).
* PAM password authentication has been (re)added.
* Interface improvements to sftp(1)
* Many bug fixes and improvements, for
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
As you know, revoking RSA/DSA keys in an SSH environment requires
editing all authorized_keys and authorized_keys2 files that reference
those public keys. This is, well, difficult at best but certainly very
obnoxious, particularly in a large environment.
SSH key management is difficult. This patch simplifies key management
wherever GSS-API/Kerberos is used and is general enough to be used with
2005 Jun 10
2
samba ldap problem
I have tried to create a Samba domain with an LDAP backend.
This is what my LDAP structure looks like.
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example
dc: example
# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
# Domain Admins, groups, example.com
dn: cn=Domain Admins,ou=groups,dc=example,dc=com