(RADIATOR) Testing help with new Kerberos5 Auth Module.

Terry Simons galimore at mac.com
Fri Mar 26 22:58:51 CST 2004 

Mike,

I have been working with Steve on this project (though he has done most 
of the work! ;-)

I have a few comments inline...

On Mar 26, 2004, at 8:20 PM, Mike McCauley wrote:

> Helo Steve,
>
>
> On Sat, 27 Mar 2004 11:53 am, Steve Harper wrote:
>> Hello, I work for the University of Utah where we have a site license 
>> for
>> Radiator.  I've written a Kerberos 5 Authentication module for 
>> Radiator
>> (AuthKRB5.pm) because of Authen::PAM's segfaulting on Solaris 2.8 and 
>> up.
>> Its based on AuthTEST.pm and AuthPAM.pm, and uses the CPAN Perl module
>> Authen::KRB5 V1.3 which requires MIT kerberos.
>>
>> I'm running this on Solaris 2.9, with Perl 5.8.1, MIT Kerberos 1.2.7, 
>> and
>> Radiator 3.9.
>
> Ive just tested your module with ordinary Radius PAP, KRB5 1.2.7 and 
> Authen
> KRB5 1.3 and it works as you say. Nice work.
>
> The problem with EAP, is that the AuthTEST.pm you based your code on 
> is not
> really designed to work well with EAP. However, I would expect your 
> code to
> work OK with TTLS-PAP, where you had your AuthBy KRB5 inside your 
> <Handler
> TunnelledByTTLS> clause.

Would not having a TunnelledByTTLS clause cause what we are seeing?

We don't currently have one, but things work for regular Sybase queries 
(although that is on a different server with a different version of 
Radiator...)

>
> In fact, the only types of EAP authentication that would be possible 
> to work
> with Kerberos passwords would be TTLS-PAP, because all the other types 
> of EAP
> rely on one-way hashes of the plaintext password (and/or certificates).

Yeah, that's not a problem.  I'm sure you have seen me ranting about 
TTLS vs PEAP on the list already. :-)


> This
> means that recovering the plaintext password to give to Kerberos is
> impossible excpet with TTLS-PAP).

No problem there... our security office has mandated encrypted 
passwords, so it's pretty easy for us to justify TTLS->PAP vs other 
authentication types.

Why we're going to use Kerberos is kind of a long story, but it's 
already deployed for the student labs, so we're just utilizing our 
infrastructure.  ;-)

>
> To tell any more what your problem might be, we would need to see the 
> complete
> log file at trace level 4 plus your config file (no secrets).

As usual.

I'll test a new configuration with the TunnelledByTTLS clause on Monday 
and if that doesn't work we'll get the information to you (of course, 
Steve might send it to you anyway, but if he doesn't it'll happen 
Monday).

Thanks!

- Terry

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list