Thanks for the info, Nico. Can someone please let me know what the latest situation is in handling this "verify TGT"? I will be very glad if someone lets me know where I can download the latest libpam_krb5, if there is one (hopefully).

thanks
bandi

Nicolas Williams wrote:
> Think about this situation: the user logging in is also spoofing the AS-REP.
>
> Then the user knows his password (it could be anything).
>
> The key thing is: the client must be able to use a secret key to verify
> the authentication process.
>
> Our PAM_KRB5:pam_sm_authenticate() returns PAM_IGNORE if it cannot
> verify the AS exchange because of a missing keytab. It returns
> PAM_SUCCESS if it can verify a successful AS exchange. It returns an error
> under other circumstances. Various options can change this behaviour.
>
> Nico
>
> On Tue, Sep 18, 2001 at 07:22:47PM +0530, SRIDHAR BANDI wrote:
> > Thank you so much for the clarification, but I have a small doubt in that.
> >
> > When rlogind (for example) is the server who makes an [AS_REQ] to the KDC on
> > behalf of the client (user), then the KDC issues the [AS_REP] (without any
> > preauthentication if no preauth is present) that contains the ticket (TGT) and
> > the encrypted data that can be decrypted by the client's password. On receiving the
> > [AS-REP] the server (rlogind) will try to decrypt the data that is obtained
> > from the KDC, so the client is said to be authenticated if he knows the
> > password which can decrypt the data in [AS-REP]. Now if the KDC is spoofed,
> > then the password of the client also needs to be known to the KDC so that the
> > client's password can be used to decrypt the packet, as it's at the server
> > (rlogind) end that the decryption takes place. So I still have a doubt whether
> > the spoofing of the KDC will be caught by doing verify_krb_v5_tgt().
> > Please help me out.
> >
> > I could think of a problem that is addressed with this: when both the
> > user and the KDC are spoofed this will work, but even this will fail in the
> > case when the keytab file is not present for the server, as it will ignore the
> > case and allow the user in.
> >
> > Thank you so much for the help.
> >
> > regards
> > bandi
> >
> > Nicolas Williams wrote:
> > > Also, one might want to use pam_krb5 with no keytab, as a convenience
> > > kinit. Thus, if there's no keytab pam_krb5:auth returns PAM_IGNORE, but
> > > it does fetch the TGT and its setcred() will create the ccache.
> > >
> > > Nico
> > >
> > > On Tue, Sep 18, 2001 at 09:04:35AM -0400, Nicolas Williams wrote:
> > > > AS replies can be spoofed as nothing in them authenticates the KDC to
> > > > the client doing the AS request. Therefore something must be done to
> > > > authenticate the AS reply or else you can't use Kerberos for password
> > > > validation. The thing to do is this: use the TGT from the AS reply to
> > > > get a TGT from the TGS (the KDC) for talking to a service corresponding
> > > > to the client and for which the client knows the current key -- if the
> > > > TGS response can be validated against such a key then the client knows
> > > > that the AS reply must be valid, that it came from the correct KDC and
> > > > was not spoofed.
> > > >
> > > > Cheers,
> > > >
> > > > Nico
> > > >
> > > > On Tue, Sep 18, 2001 at 03:03:14PM +0530, SRIDHAR BANDI wrote:
> > > > > I am sorry if I have hit the wrong list.
> > > > > Can someone enlighten me about the PAM Kerberos authentication
> > > > > (downloaded from fcusack) validating the TGT that it obtained with the
> > > > > host service principal's keytab entry (using the function
> > > > > verify_krb_v5_tgt)? I don't understand the purpose of doing this, because
> > > > > the server machine is the one who gets the TGT on behalf of the client
> > > > > (principal) and it's the one who is handling the host entry also. And
> > > > > this call fails if the keytab file exists and there is no valid entry
> > > > > for the host service principal, and the authentication will be successful
> > > > > if there is a valid entry for the host principal or there is no keytab file
> > > > > at all.
> > > > >
> > > > > thanks in advance for the help.
> > > > > bandi
> > > > >
> > > > > _______________________________________________
> > > > >
> > > > > Pam-list@redhat.com
> > > > > https://listman.redhat.com/mailman/listinfo/pam-list
> > > > --
> > > --
> > > -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> > > -to a public e-mail mailing list I hereby grant permission to distribute-
> > > -and copy this message.-
> > >
> > > Visit our website at http://www.ubswarburg.com
> > >
> > > This message contains confidential information and is intended only
> > > for the individual named. If you are not the named addressee you
> > > should not disseminate, distribute or copy this e-mail. Please
> > > notify the sender immediately by e-mail if you have received this
> > > e-mail by mistake and delete this e-mail from your system.
> > >
> > > E-mail transmission cannot be guaranteed to be secure or error-free
> > > as information could be intercepted, corrupted, lost, destroyed,
> > > arrive late or incomplete, or contain viruses. The sender therefore
> > > does not accept liability for any errors or omissions in the contents
> > > of this message which arise as a result of e-mail transmission. If
> > > verification is required please request a hard-copy version. This
> > > message is provided for informational purposes and should not be
> > > construed as a solicitation or offer to buy or sell any securities or
> > > related financial instruments.
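The exchange Nico describes, as an added toy model (not code from pam_krb5, fcusack's module, or anyone in the thread): a real KDC and a spoofed KDC each answer the AS-REQ made on the user's behalf, and the PAM-style check returns PAM_SUCCESS only once a ticket for the host principal decrypts under the keytab key. The principal names, passwords and the hash-based cipher standing in for Kerberos enctypes are constructed assumptions.

```python
import hashlib, hmac, secrets
PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

def string_to_key(password: str) -> bytes:
    return hashlib.sha256(b"toy-salt|" + password.encode()).digest()  # stand-in for krb5 string-to-key

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def _enc(key: bytes, msg: bytes) -> bytes:
    # Toy authenticated encryption standing in for a Kerberos enctype: nonce | ct | HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _dec(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    # A real KDC holds every principal's key; a spoofed one holds only keys the attacker chose.
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = secrets.token_bytes(32)
    def as_exchange(self, user):
        # AS-REP: TGT sealed under the TGS key, plus the session key sealed under the user's key.
        session = secrets.token_bytes(32)
        return _enc(self.tgs_key, user.encode() + b"|" + session), _enc(self.user_keys[user], session)
    def tgs_exchange(self, tgt, service):
        # TGS-REP: a service ticket sealed under the service's (host keytab) key.
        inner = _dec(self.tgs_key, tgt)
        return None if inner is None else _enc(self.service_keys[service], inner)

def pam_krb5_authenticate(kdc, user, password, host, keytab):
    # Policy from the thread: IGNORE without a keytab; SUCCESS only once a host/<host> ticket decrypts under the keytab key.
    tgt, enc_part = kdc.as_exchange(user)
    session = _dec(string_to_key(password), enc_part)
    if session is None:
        return PAM_AUTH_ERR      # password does not decrypt the AS-REP
    if keytab is None:
        return PAM_IGNORE        # no keytab at all: cannot verify the KDC ("convenience kinit")
    if host not in keytab:
        return PAM_AUTH_ERR      # keytab exists but has no entry for the host principal
    ticket = kdc.tgs_exchange(tgt, host)
    if ticket is None or _dec(keytab[host], ticket) != user.encode() + b"|" + session:
        return PAM_AUTH_ERR      # wrong host key (spoofed KDC) or ticket not bound to this AS exchange
    return PAM_SUCCESS
```

With no keytab the spoofed KDC only ever reaches PAM_IGNORE, so whether the user gets in is decided by the rest of the PAM stack, which is exactly the gap bandi points at.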