Ascend Archive
Re: (ASCEND) Ascend Access Control RADIUS <--> Kerberos

> If you check the last public version of Merit RADIUS (2.23c), ...

Ooh, ah. When someone else suggested "switch to Merit RADIUS" I
looked and found only a $10k version. I'll look again.

> ... you can see
> the Kerberos support in rad.kerberos.c and krb_get_in_tkt.c. You have to
> get the afs_stringtokey.c source from somewhere else.

I presume Ascend already did this for me, since

# strings /usr/sbin/radiusd | grep stringto
$Id: afs_stringtokey.c,v 1.5 1997/06/02 21:20:48 steve Exp $
$Id: mit_stringtokey.c,v 1.2 1997/01/22 18:47:32 steve Exp $

> ticket failed. It is going to be mighty tough to figure out the problem
> since the data is encrypted and Merit RADIUS is pretty careful to destroy
> the secret information as soon as possible to help reduce the risks of
> someone stealing it from a core file or running image.

But remember -- I know the correct key, since it's a function of my
password and realm. I *could* cook up a program to decrypt the
returned packet, and have actually begun such a program, but what
will I learn? If I can decrypt it, I conclude radiusd is broken. I
suppose if I couldn't, then I would know the Kerberos server is
broken, but it passes a more direct test: I can log in to my
workstation.

On the other hand, I could start radiusd with a -x or two under the
debugger and set a breakpoint ... Ugh. What a chore.
__________________________________________________________________
Matt Crawford crawdad@fnal.gov Fermilab
PGP: 0x566F63C5 - D5 27 83 7A 25 25 7D FB 09 3C BA 33 71 C4 DA 6A