Ascend Archive

Re: (ASCEND) Ascend Access Control RADIUS <--> Kerberos



> If you check the last public version of Merit RADIUS (2.23c), ...

Ooh, ah.  When someone else suggested "switch to Merit RADIUS" I
looked and found only a $10k version.  I'll look again.

> ... you can see
> the Kerberos support in rad.kerberos.c and krb_get_in_tkt.c.  You have to
> get the afs_stringtokey.c source from somewhere else.

I presume Ascend already did this for me, since

# strings /usr/sbin/radiusd | grep stringto
$Id: afs_stringtokey.c,v 1.5 1997/06/02 21:20:48 steve Exp $
$Id: mit_stringtokey.c,v 1.2 1997/01/22 18:47:32 steve Exp $

> ticket failed.  It is going to be mighty tough to figure out the problem
> since the data is encrypted and Merit RADIUS is pretty careful to destroy
> the secret information as soon as possible to help reduce the risks of
> someone stealing it from a core file or running image.

But remember -- I know the correct key, since it's a function of my
password and realm.  I *could* cook up a program to decrypt the
returned packet, and have actually begun such a program, but what
will I learn?  If I can decrypt it, I conclude radiusd is broken.  I
suppose if I couldn't, then I would know the Kerberos server is
broken, but it passes a more direct test: I can log in to my
workstation.

On the other hand, I could start radiusd with a -x or two under the
debugger and set a breakpoint ...  Ugh.  What a chore.
__________________________________________________________________
Matt Crawford               crawdad@fnal.gov              Fermilab
PGP: 0x566F63C5 - D5 27 83 7A 25 25 7D FB  09 3C BA 33 71 C4 DA 6A