Kerberos Outside the US?
v1z asks: "I'm administrating a small LAN with semi-public terminals and have been trying to locate a usable version of Kerberos that is available for use in Norway (i.e. outside the US). I've been looking for the bones and e-bones packages without success, and I'm wondering what I've missed? Is there no working Kerberos v5-like system available outside the US? Kerberos is appealing because it uses secret-key cryptography within a good design, simplifying and removing many concerns with asymmetric encryption, and because most ppl more easily grasp the security issues involved. On a side note: Windows 2000 is said to incorporate Kerberos v5 - how does this relate to US export regulations?"
Kerberos on Xwindows ? (Score:1)
Why OpenBSD? (was Re:eBones) (Score:1)
also available here (java version) (Score:1)
Ralf
Export restrictions (Score:1)
Win2000 kerberos (Score:1)
As for the myth that Windows 2000 "supports" Kerberos... it doesn't. It uses Kerberos as its main authentication method...
'It's kind of fun to do the impossible.'
gnu.org login requires kerberos 4... (Score:1)
--thi
Re:eBones (Score:1)
Re:Kerberos Outside the US (Score:1)
Re:Win2k security (Score:1)
Kerberos V5 authentication
Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.
How Kerberos V5 works
The Kerberos V5 authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including an encrypted password, that confirms the user's identity to the requested service. Except for entering a password or smartcard credentials, the entire authentication process is invisible to the user.
An important service within Kerberos V5 is the Key Distribution Center (KDC). The KDC runs on each domain controller as part of Active Directory, which stores all client passwords and other account information.
The Kerberos V5 authentication process works as follows:
Kerberos V5 interoperability
Windows 2000 supports two types of Kerberos V5 interoperability:
For more information on interoperability between the MIT-based versions of the Kerberos protocol and the Windows 2000 implementation of the Kerberos protocol, see the Windows 2000 Resource Kit.
Re:Free version of kerb 5 (Score:1)
Heimdal is very good. It would, of course, have been illegal for the MIT Kerberos team to have given them any source, but there's nothing wrong with seeing whether two packages will talk to one another...and the folks at MIT spent considerable time doing such testing with the Heimdal team.
Incidentally, don't bother with single-DES Kerberos; it can be cracked in real time. 3DES is good. It may implement other encryption as well -- I'm not sure.
weaknesses of kerberos... (Score:1)
What I would like to see is
Does anyone know how well this is handled in Kerberos 5?
greetings from vienna, austria.
mond
What's wrong with... (Score:1)
It's an install option with FreeBSD. (OpenBSD too, probably.)
Re:Kerberos @ Win2000 (Score:1)
Re:Kerberos dead, SSH lives in Europe (Score:1)
Kerberos is used as an optional authentication component with various database vendors, transaction processors, etc. I've never seen mention of SSH as an option for any of the tools I've used.
Does anyone have examples of open and commercial source products that use SSH for centralized authentication the way Kerberos is?
IPSec (Score:1)
IPSec can easily be set up to support an entire Internet subnet, where it encrypts all data between IPSec-enabled gateways, or encryption and authentication directly between two IPSec configured hosts.
As an added bonus, the Internet Engineering Task Force has included IPSec in the IPv6 specification, so there's a very high chance the protocol will become widely adopted in the near future.
FreeS/WAN can be found here [xs4all.nl] and PGP Freeware here [mit.edu].
Re: Comparison of Kerberos & SSH (Score:1)
ODP Kerberos page? It's at www.dmoz.org [dmoz.org] and could do with a well-informed editor...
Re:But this violates the license (Score:1)
Kerberos @ Win2000 (Score:1)
only downloadable as a software update from within the US. I believe the same goes for FreeBSD.
Re:Kerberos @ Win2000 (Score:1)
Microsoft® Windows® 2000 Professional English Version/Product Upgrade North America CD Encryption Coded Software
I assume this means that there will be other non-North American releases and that it will have to do with the level of Encryption bundled with them.
Re:But this violates the license (Score:1)
Re:OpenBSD? (Score:1)
Here is a link to where Marc Plumb has drawn some general conclusions about exporting crypto from Canada [mcmaster.ca]
It appears that crypto that is public domain has absolutely no restriction as far as the Canadian Government is concerned, but if it originated from the USA, then it has to be approved, and if it's not public domain (free) then a permit must be acquired. Interesting to see that the US gov has charged people for exporting crypto from Canada. [mcmaster.ca] (Canadian and American?)
Oh, and I'm a high tax paying Canadian myself.
Re:But this violates the license (Score:1)
But a license violation is not a question of philosophy, unless you can get the judge to listen to arguments about whether the rule of law should prevail (fat chance!).
Many in the Open Source community seem to take pride in holding the moral high ground over closed/proprietary development efforts. As if to say "my code is so much better than yours that I'm willing to subject it to peer review -- and give it away for little or no money" implies and automatically confers some sort of moral superiority.
Well, I happen to agree that contributing to the welfare of a community is a noble undertaking. However, if 'members' of the community behave in dishonorable ways towards others, whether or not those others are part of the community, it reflects poorly on all of us. Not only that, but it sets a precedent within the community, and can begin to spread. If we can ignore the license restrictions of an application that 'had a [draconian] license forced onto it by the government', why can't we ignore the license of software that's 'too expensive', or software whose manufacturer 'is too rich', or whose author you've never met (so he'll never know the difference)? In other words, if the line is not exactly where the copyright holder's license says it is, then where is it, and when have we stepped across?
Judicious application of the Golden Rule (i.e., treat others as I would like to be treated) might give you a different perspective. Instead of proclaiming 'Everyone does it, why shouldn't I?!', try asking 'what if everyone did it, and it was my property being misappropriated?'
Re:But this violates the license (Score:1)
An arbitrary set of rules that we must either live by or be prepared for the consequences of violating. I wish that we (in the U.S.) lived in a system where a sound and consistent philosophy prevailed.
An interesting point. History also shows that unreasonable law can be turned back upon the citizenry. How many millions have been slaughtered in the 20th century under the auspices of 'unreasonable' laws? Should we not work to change laws that are unreasonable? If you don't agree with a law, work to change it from within the system. Civil disobedience should be considered a tool to bring out when other actions within the system turn out to be ineffectual. But applied in a manner where others suffer the consequences, civil disobedience is irresponsible.
My intent was to discourse, not to assault.
I agree wholeheartedly. Illegal use of software, in direct violation of its license, is a far cry from fighting tyranny.
Re:OpenBSD? (Score:1)
Re:More than that!!! (Score:1)
Here at KTH we use Kerberos all the time, and we don't have any firewalls. That makes things a lot easier for me; being able to access the site from outside is really useful.
-- Oddity - AFS and Kerberos in his Linux box
Kerberos Outside the US (Score:2)
ftp://ftp.zedz.net/pub/crypto/crypto/APPS/kerbe
Have Fun
Free version of kerb 5 (Score:2)
I noticed this as it just became a debian package
Re:Heimdal (Score:2)
Re:eBones (Score:2)
Re:Kerberos dead, SSH lives in Europe (Score:2)
Eivind.
A Kerberos v5 installation in the UK (Score:2)
I haven't found 1.1 outside the US so far. But 1.0.6 is working very nicely for us (with a few tweaks that I keep meaning to put up for download).
Others have mentioned Heimdal. I investigated it about a year ago. But we were transitioning from a MIT Kerberos v4 installation, our site is moderately large (hundreds of machines, thousands of users), and at that time Heimdal did not seem to be up to the job, and the documentation was very sketchy. It might have improved though (I wish I had the time to keep up with its development).
David Wragg
dpw@doc.ic.ac.uk
More than that!!! (Score:2)
This means that kerberos-enhanced CVS allows the CVS server to identify you -- and you to be sure that your CVS server wasn't hijacked via DNS or TCP/IP attacks.
It allows your printer to confirm your identity... and you to confirm that your remote printer hasn't been hijacked by a competitor.
It allows you to know exactly what system is feeding your remote tape backup drive... or requesting to restore sensitive accounting information or source code.
It allows your database to know who is accessing it... and the user to know that the database hasn't been hijacked by a rogue site offering ludicrous information designed to drive your customers away... or you into bankruptcy.
And all of these applications can negotiate session-based encryption.
I could continue, but my fingers are getting tired. The point should be clear: Kerberos packages, by themselves, are best viewed as enabling tools, not the final destination.
BTW, the best description I've seen of a fully Kerberized site is that it doesn't require a firewall -- all of the applications have been sufficiently armored that a firewall offers no additional benefit. That's a bit harsh, but it does reflect the conservative approach that the firewall should be the *last* thing added to your network security model, not the first.
Re:But this violates the license (Score:2)
In the past, if someone wanted something like Kerberos they would have to *mail* a request to the authors and request physical media back. Even after web browsers became common, they had to email a request to the authors who would then explicitly decide whether to grant access.
In contrast, most crypto sites today allow you to fill out an online form and you are granted immediate access. However the license now adds that restrictive clause.
If people started openly violating the terms of the license the authors would not say "oh well, we didn't really care about it anyway." They would say "damn it!" and remove web access to the material. You want a copy of the source code, you'll have to mail a copy of your passport & and signed statement of intent to comply with the laws. The alternative is to have the Feds take it to court and have even stricter limits put on access to the material, e.g., the person must show up in person to get the material.
Re:More than that!!! (Score:2)
Unfortunately, in the real world there are a lot of MIS and IT directors who believe that the average run-of-the-mill MSCE actually knows what he's talking about... and is more grounded in reality than his "ivory tower" Unix sysadmins. So they refuse to use "sudo" or "crack" and depend on a firewall for all of their security. *Those* are the people who should add a firewall last.
MIT Kerberos may become exportable (Score:2)
Also, I have put up unofficial Debian packages on my web site, and I know that someone at the MIT site is looking at updating the "contrib" section to include the recent work.
So don't rule out MIT Kerberos yet... or packages you haven't heard about. I first offered my MIT Kerberos packages probably close to two years ago but my packages were rejected because 1) I'm an American and 2) Debian's maintainer process was beginning its long descent into the innermost circle of Hell. Among other things, that means that I have a lot of experience with a Linux-based KDC (many other packagers are using foreign KDCs) and Kerberos-enhanced Linux packages. Top of my plate - either converted or soon to convert - are CVS, LPRng, PostgreSQL, and possibly XDM (to acquire a ticket but not set up MIT-KERBEROS-5 authentication.)
As a packager (Score:2)
YOU can "take a stand" because it's not your fat ass on the line. The unfortunate fact is that if I make packages available when I know that some people plan to violate the law, I know that the feds can come after me. They DON'T have to actually file charges to make my life a living hell, and in fact they will do everything possible to *avoid* filing charges since certain legal protections only kick in for defendants, not people "merely" under investigation for committing a crime.
Since Phil Zimmermann lived in Boulder at the time (and may still live here, although I haven't seen him for awhile) the local press covered his story long after the national press dropped it. This is not an obscure risk that happened to someone, sometime, this is a concrete risk that happened to someone I (casually) know and which caused him a large amount of inconvenience and significant personal expense.
If you want to take a stand, grow some balls and take your own fscking stand. BUT DON'T ACT IN AN IRRESPONSIBLE MANNER THAT EXPOSES OTHERS TO SIGNIFICANT LEGAL RISK JUST SO YOUR SPINELESS SOUL CAN SLEEP WELL AT NIGHT!
Finally, never forget that your zealotry made it risky (even impossible) for many of us moderates to work from within the system. The Feds do not make examples out of well-financed opponents with good connections, they try to cut out the weaker members of the herd. That's why most of the court cases have focused on graduate students. We could have tried to quietly loosen our restrictions to the point that the government would realize that liberalization was a fait accompli, but because of European airheads we were never "out of the spotlight" enough to take big risks.
Free Kerberos Implementations (Score:2)
- Ferric
OpenBSD? (Score:3)
OpenBSD includes Kerberos, more info http://www.openbsd.org
Re:ssh doesn't do the same thing as kerberos (Score:3)
However, it's not true that ssh is just a secure remote shell. Because of its port forwarding features, ssh is a secure remote anything.
Ssh! It's free (Score:3)
It's available to non-US citizens too. Lots of info on it can be found at the url above, but basically, it's a good thing(tm).
Heimdal (Score:3)
Comparison of Kerberos & SSH (Score:3)
Kerberos provides strong mutual authentication, plus limited encryption. SSH provides strong encryption, but limited authentication. (SSH authenticates hosts during initial connection, and optionally users connecting to sshd, but not arbitrary client/server authentication.)
Kerberos uses three-party authentication - client, server and domain controller. SSH uses two-party authentication - client and server. (Prior to the government's attempts to escrow encryption keys and Phil Zimmermann's response, three-party authentication was the norm. With Kerberos, the KDC can be run by the employer, university, or household!)
Local Kerberos security breaches (e.g., exposure of /etc/krb5.keytab) can be handled globally by a single change at the KDC. Local SSH security breaches (e.g., exposure of /etc/ssh/ssh_host_key) must be handled at each site which connects to it.
Global Kerberos security breaches (e.g., exposure of a */admin password) affect everyone within the domain, so good KDC security is crucial. Global SSH security breaches are impossible.
Kerberos uses DES session encryption by default, although some implementations support 3DES and IDEA. SSH uses IDEA (iirc), so SSH encryption is somewhat stronger "out of the box."
Kerberos does not support "tunneling". SSH does.
Kerberos PAM modules exist, but all I have seen to date violate the Kerberos security model and should never be used. I'm not sure if SSH PAM modules exist, but again I'm sure they violate the SSH security model and should never be used.
Kerberos access can be mediated by "digital certificates" and smart cards. I expect the same could be said of SSH, although I am not certain.
Finally, Kerberos-enhanced SSH exists although I am not familiar with the details of it. However, the important thing is that a site may use both SSH and Kerberos, if desired.
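As an added illustration, not code from the original thread or from any Kerberos implementation, here is a toy version of the three-party exchange described in the Windows 2000 excerpt above (tickets, KDC, mutual authentication) and in this comparison. It also carries through the keytab-exposure point made above: one rekey at the KDC leaves whoever copied the old keytab unable to read new tickets. The cipher is a stand-in for DES/3DES, the AS and TGS steps are collapsed into one ticket request, and principal names such as `alice` and `host/printer` are constructed.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (SHA-256 keystream XOR + HMAC tag) standing in
# for Kerberos' DES/3DES; the three-party protocol, not the cipher, is the point.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(password):  # a user's long-term key is derived from the password
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Third party holding every principal's long-term key (the AD/krb5kdc database).
    Simplification: the AS and TGS exchanges are collapsed into one ticket request."""
    def __init__(self, db): self.db = db
    def ticket_request(self, client, service):
        sk = os.urandom(32).hex()   # fresh session key, handed out as two sealed copies:
        ticket = seal(self.db[service], {"client": client, "key": sk, "exp": time.time() + 3600})
        return ticket, seal(self.db[client], {"key": sk})   # the ticket is opaque to the client

class Service:
    """A kerberized server whose keytab is a copy of its key in the KDC database."""
    def __init__(self, keytab): self.keytab = keytab
    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.keytab, ticket)            # AP-REQ: ticket opens only with the keytab
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)              # authenticator opens only with the session key
        if a["client"] != t["client"] or t["exp"] < time.time() or abs(time.time() - a["ts"]) > 300:
            raise ValueError("authenticator rejected")
        # AP-REP: echoing the timestamp under the session key proves the service
        # really holds the keytab; this is the mutual-authentication step
        return t["client"], seal(sk, {"ts": a["ts"]})

def client_login(kdc, user, password, service_name, service):
    """Client side; returns (name the service saw, whether the service proved itself)."""
    ticket, enc = kdc.ticket_request(user, service_name)
    sk = bytes.fromhex(unseal(string_to_key(password), enc)["key"])  # wrong password fails here
    ts = time.time()
    seen_as, rep = service.ap_exchange(ticket, seal(sk, {"client": user, "ts": ts}))
    return seen_as, unseal(sk, rep)["ts"] == ts

def demo():
    db = {"alice": string_to_key("correct horse"), "host/printer": os.urandom(32)}  # constructed
    impostor = Service(db["host/printer"])     # someone who copied /etc/krb5.keytab
    db["host/printer"] = os.urandom(32)        # the single change at the KDC: rekey the service
    printer = Service(db["host/printer"])      # the real service installs the fresh keytab
    ok = client_login(KDC(db), "alice", "correct horse", "host/printer", printer)
    try:
        client_login(KDC(db), "alice", "correct horse", "host/printer", impostor)
        stale = "accepted"
    except ValueError as e:
        stale = str(e)                         # new tickets are unreadable with the old key
    return ok, stale
```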
Re:weaknesses of kerberos... (Score:3)
As for encryption, I've been using encrypted ktelnet, kftp, krlogin and cvs without any problems. It's possible that the package was built with user-level encryption turned off for some reason.
But this violates the license (Score:3)
But anyone who uses it violates the terms of the MIT license since it explicitly requires that the users be domestic (US and Canada) or have acquired it via a legal export.
It's easy to say "well, I don't care I'm gonna run it anyway!", but then where do you stop? Do you use GPL (not LGPL) libraries because you can? Do you reuse GPL source in your proprietary code?
If we want our licenses to be respected by others, we MUST respect the licenses ourselves. Otherwise we'll find ourselves in the same position as the proprietary software company known to pirate other companies' software -- an obvious hypocrite who has absolutely no moral grounds to complain when it's our ox being gored.
Yes and no... (Score:3)
One of the major changes in Kerberos 5 is support for X authentication "MIT-KERBEROS-5". This allows you to use Kerberos principal names to control access to your system, e.g.,
$ xhost +:krb5:coyote@LOCAL
This grants access to your system to a particular user regardless of location. The other authentication methods generally grant access to all users of a particular system, or require that you manually exchange authentication information.
Kerberos 5 XDM should also acquire Kerberos 5 credentials for you, if properly configured.
HOWEVER, before you run off and start recompiling xfree86 you should be aware that the current version has been "broken" for some time, at least with the current MIT Kerberos API. You might be able to get it to work with an older version, but that would force you to retain known security bugs as well.
Because of XFree86 4 and the changing US export rules some of us are revisiting the problem and XDM patches should be available soon. MIT-KERBEROS-5 support is a different matter, since one of the biggest items on everyone's wish list is the ability to specify Kerberos encryption on the wire. This would allow people working from home to use an encrypted wire protocol when connecting to their office via xDSL or cable modems.
Kerberos 4 does not support MIT-KERBEROS-5 authentication, although it might be patched to collect Kerberos credentials for you.
Finally, I'm sure it's possible to modify NIS to require Kerberos authentication (and encryption), but AFAIK nobody's done it. However, in this case NIS would be an application with Kerberos enhancements, not a Kerberos login mechanism.
Kerberos dead, SSH lives in Europe (Score:3)
I would guess that it has something to do with license and/or export restrictions, although I frankly don't know what the conditions for using Kerberos are. SSH, on the other hand, was developed in Finland, and at least versions 1.x are free (as in both beer and speech).
Win2k security (Score:4)
Of course, you can download the 128 bit version by just going through a US based proxy, but I don't know whether the resultant code would be legally usable in Norway. (I mention this only for completeness, and don't in anyway recommend or sanction that approach).
BTW, Win2k VPN security seems pretty good now--the old broken PPTP protocols have been completely replaced, as far as I can tell. Mind you, I'm sure Schneir (sp?) will find a way to break it within a couple of days of official release! (It is MS Encryption, after all...)
Re:Kerberos (Score:4)
The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network utilities such as rlogin, rcp, and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system.
For more, read it online at http://www.openbsd.org/cgi-bin/man.cgi?query=kerberos [openbsd.org].
eBones (Score:5)
The latest versions of export-restricted code for FreeBSD (2.0C or later) (eBones and secure) are also being made available at the following locations. If you are outside the U.S. or Canada, please get secure (DES) and eBones (Kerberos) from one of the following foreign distribution sites:
South Africa
ftp://ftp.internat.FreeBSD.ORG/pub/FreeBSD
ftp://ftp2.internat.FreeBSD.ORG/pub/FreeBSD
Brazil
ftp://ftp.br.FreeBSD.ORG/pub/FreeBSD
Finland
ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt