Kerberos fun

This actually isn’t a sarcastic title, for once. I’m having a blast fiddling with Kerberos these last few days. I was put in a position to do some Kerberos debugging for work, so I had to re-set up a Kerberos realm at home to do the testing. Of course, at the same time I also updated my Using Kerberos 5 for Single Sign-On Authentication article, which was a little out of date. I updated it to be relevant to RHEL rather than Annvix, and fixed a few bits that were outdated.

Then I did more poking around and figured out a few bits that were preventing me from actually using it years ago when I first set up a Kerberos realm (it didn’t seem overly useful to me at the time). I’ve got my OS X workstation Kerberized, which was… not as straightforward as I would have hoped, but not awful (LDAP authentication from OpenLDAP is another matter entirely… still haven’t nailed that yet). So right now on my network I have my workstation, my server, and two VMs Kerberized — just for SSH for now (which doesn’t seem all that amazing since I’ve been using SSH keys for years, so no passwords anyway, but this seems even more hands-off and will help with future VM deployments since it should all work out of the box).

Then I poked around some more and found that you can hook MediaWiki up to LDAP/Kerberos for auth. I never knew that. All of a sudden this seems a lot cooler. Oh, and Subversion apparently works with Kerberos too (using mod_auth_kerb). Then the icing on the cake was seeing a python-kerberos module, which makes this *way* too interesting to ignore, since I’ve been doing some Python coding recently and have really enjoyed it, and some future projects/ideas could really benefit from some Kerberos love.

Anyway, as I figure new bits out, I’ll be updating my linsec.ca wiki article — the info is out there but some of it isn’t the easiest to grok. Hopefully I can make it a bit more accessible/readable in the future.

1 Comment

  1. Posted July 16, 2009 at 7:54 pm

    Well, wouldn’t you know it… this afternoon I had Subversion support working and now it’s completely borked. I even tried it on my laptop with OS X, and everything else works fine… Safari uses Kerberos tickets, I can ssh with Kerberos tickets, but svn is not playing nice. Anyone seen this error before? Googling it showed one other guy who had it and never got an answer to his question.

    ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate, Basic realm="Kerberos Login"
    auth: Got challenge (code 401).
    auth: Got 'Negotiate' challenge.
    auth: Got 'Basic' challenge.
    auth: Trying Negotiate challenge...
    2009-07-16 20:49:37.593 svn[6357:10b] *** NSInvocation: warning: object 0x1005dc040 of class 'ReplicaFile' does not implement methodSignatureForSelector: -- trouble ahead
    2009-07-16 20:49:37.594 svn[6357:10b] *** NSInvocation: warning: object 0x1005dc040 of class 'ReplicaFile' does not implement doesNotRecognizeSelector: -- abort
    [1]    6357 trace trap  svn -vv ls http://svn/svn/anthill/
    