(RADIATOR) Testing help with new Kerberos5 Auth Module.
Mike McCauley
mikem at open.com.au
Fri Mar 26 21:20:36 CST 2004
Hello Steve,
On Sat, 27 Mar 2004 11:53 am, Steve Harper wrote:
> Hello, I work for the University of Utah where we have a site license for
> Radiator. I've written a Kerberos 5 Authentication module for Radiator
> (AuthKRB5.pm) because of Authen::PAM's segfaulting on Solaris 2.8 and up.
> Its based on AuthTEST.pm and AuthPAM.pm, and uses the CPAN Perl module
> Authen::KRB5 V1.3 which requires MIT kerberos.
>
> I'm running this on Solaris 2.9, with Perl 5.8.1, MIT Kerberos 1.2.7, and
> Radiator 3.9.
I've just tested your module with ordinary Radius PAP, KRB5 1.2.7 and
Authen::KRB5 1.3 and it works as you say. Nice work.
The problem with EAP, is that the AuthTEST.pm you based your code on is not
really designed to work well with EAP. However, I would expect your code to
work OK with TTLS-PAP, where you had your AuthBy KRB5 inside your <Handler
TunnelledByTTLS> clause.
In fact, the only type of EAP authentication that could work with Kerberos
passwords is TTLS-PAP, because all the other types of EAP rely on one-way
hashes of the plaintext password (and/or certificates). This means that
recovering the plaintext password to give to Kerberos is impossible except
with TTLS-PAP.
To tell any more what your problem might be, we would need to see the complete
log file at trace level 4 plus your config file (no secrets).
Cheers.
>
> It works fine with the radpwtst utility shipped with Radiator, but when I
> try to use it with our 802.1x clients / access point it fails with:
>
> Access rejected for testuser: Kinit failed: No such device or address
>
> The corresponding point of failure looking at things with truss seems to
> be where the * is. It opens a socket, requests the TGT for the users,
> polls, and then receives it. ENXIO maps to "No such device or address".
> It then opens and unlinks the credential cache.
>
> so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", 1) = 6
> connect(6, 0x004D1460, 16, 1) = 0
> send(6, 0x006D6E00, 184, 0) = 184
> j81B5 081B2A103020105A2030201\nA481A5 081A2A0070305\0\0\0\0\0A1
> <snip>
> poll(0xFFBFF408, 1, 1000) = 1
> recv(6, 0x00BBA980, 4096, 0) = 525
> k8202\t 0820205A003020105A1030201\vA3\n1B\b U T A H . E D UA415
> <snip>
> close(6) = 0
> *ioctl(0, TCGETS, 0xFFBFF520) Err#6 ENXIO
> open("/tmp/krb5cc_0", O_RDWR) = 6
> unlink("/tmp/krb5cc_0") = 0
>
> I was curious if anyone had any idea why I might be getting such an error
> or would be willing to test the code in their environment and let me know
> their results. Any code improvements or suggestions would likewise be
> greatly appreciated.
>
> You can download the code from
> http://dev.scl.utah.edu/AuthKRB5.pm
>
> Thanks in advance for any help,
>
> Steve Harper Campus Student Computing
> Sys Admin Marriott Library
> s.harper at utah.edu University of Utah
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
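The point Mike makes above (a Kerberos backend needs the plaintext password, and among the EAP methods only the TTLS-PAP inner tunnel delivers one) can be shown with the inner AVP stream that an EAP-TTLS server hands to its tunnelled handler. The following is an added example written for this archive page; it is not Radiator code, not Steve's AuthKRB5.pm, and it is Python rather than Perl. It assumes the Diameter-style AVP layout of RFC 5281 (4-byte code, 1-byte flags, 3-byte length, optional 4-byte vendor ID, data padded to 4 bytes) and uses the RADIUS attribute numbers User-Name (1), User-Password (2) and the Microsoft (vendor 311) MS-CHAP-Challenge (11) and MS-CHAP2-Response (25). The two sample inner payloads and the `fake_kinit` stand-in for a KDC are constructed for the demonstration; a real module would call the Kerberos library at that point.

```python
"""Show why a password-verifying backend (Kerberos) only fits TTLS-PAP.

Parses the AVPs carried inside an EAP-TTLS tunnel, decides which inner method
the client used, and only attempts a Kerberos-style password check when a
plaintext password is actually present.  Added example, not project code.
"""
import os
import struct
from dataclasses import dataclass

USER_NAME = 1              # RADIUS attribute numbers reused as TTLS AVP codes
USER_PASSWORD = 2
VENDOR_MICROSOFT = 311
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25


@dataclass(frozen=True)
class Avp:
    code: int
    vendor: int        # 0 when the V flag is clear
    mandatory: bool
    data: bytes


def encode_avp(code, data, vendor=0, mandatory=True):
    """Build one RFC 5281 AVP: header, optional vendor ID, data, 4-byte padding."""
    flags = (0x80 if vendor else 0) | (0x40 if mandatory else 0)
    length = 8 + (4 if vendor else 0) + len(data)     # length excludes padding
    hdr = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor:
        hdr += struct.pack("!I", vendor)
    return hdr + data + b"\x00" * ((-len(data)) % 4)


def parse_avps(buf):
    """Walk a buffer of AVPs, validating each length before trusting it."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 8 + (4 if flags & 0x80 else 0)
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else 0
        avps.append(Avp(code, vendor, bool(flags & 0x40), buf[off + hdr_len:off + length]))
        off += length + ((-length) % 4)                 # skip the padding too
    return avps


def inner_credentials(buf):
    """Return (user, plaintext password or None, inner method name)."""
    user, password, method = None, None, "unknown"
    for a in parse_avps(buf):
        if a.vendor == 0 and a.code == USER_NAME:
            user = a.data.decode()
        elif a.vendor == 0 and a.code == USER_PASSWORD:
            password, method = a.data.decode(), "PAP"   # cleartext inside the tunnel
        elif a.vendor == VENDOR_MICROSOFT and a.code == MS_CHAP2_RESPONSE:
            method = "MS-CHAPv2"                        # only a one-way response
    return user, password, method


def kerberos_password_check(buf, kinit):
    """Only a PAP inner tunnel can feed a backend that needs the real password."""
    user, password, method = inner_credentials(buf)
    if user is None or password is None:
        return False, "%s inner method carries no plaintext password; Kerberos cannot verify it" % method
    return kinit(user, password), method


# --- constructed sample data (not from the thread) ---------------------------
FAKE_KDC = {"testuser": "s3cret"}                       # stand-in for the realm


def fake_kinit(principal, password):
    """Pretend to obtain a TGT; a real module would call the Kerberos library here."""
    return FAKE_KDC.get(principal) == password


PAP_INNER = encode_avp(USER_NAME, b"testuser") + encode_avp(USER_PASSWORD, b"s3cret")
MSCHAP_INNER = (encode_avp(USER_NAME, b"testuser")
                + encode_avp(MS_CHAP_CHALLENGE, os.urandom(16), VENDOR_MICROSOFT)
                + encode_avp(MS_CHAP2_RESPONSE, b"\x01\x00" + os.urandom(16) + bytes(8)
                             + os.urandom(24), VENDOR_MICROSOFT))

if __name__ == "__main__":
    for name, inner in (("TTLS-PAP", PAP_INNER), ("TTLS-MSCHAPv2", MSCHAP_INNER)):
        print(name, "->", kerberos_password_check(inner, fake_kinit))
```

Running it prints an accepted check for the PAP tunnel and a refusal for the MS-CHAPv2 one: the second payload contains a 16-byte challenge and a 24-byte one-way response but no `User-Password` AVP, so there is nothing to hand to a KDC, which is the same reason native EAP-MD5, PEAP-MSCHAPv2 and similar methods cannot sit in front of a Kerberos backend.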