(RADIATOR) Patch for authenticating KDC response in AuthKRB5
Mike McCauley
mikem at open.com.au
Tue Apr 10 17:46:13 CDT 2007
Hello Eric,
Thank you for your patch and thorough documentation. Do we have your
permission to apply it and distribute it in the base code?
Cheers.
On Wednesday 11 April 2007 04:27, Erik Klavon wrote:
> KrbKeyTab
> This optional parameter provides the path to a Kerberos keytab
> file. When this option is present, a service ticket will be obtained
> as part of each Kerberos authentication attempt to guard against Key
> Distribution Center spoofing. By default, the keytab is examined to
> locate the key for the service radius/server@realm where server is
> the fully qualified domain name of the machine running Radiator and
> realm is the Kerberos realm used during authentication. The name of
> the service may be overridden with the KrbService parameter, the
> fully qualified domain name with the KrbServer parameter and the realm
> with the KrbRealm parameter.
>
> # Enable KDC spoof detection using service ticket
> KrbKeyTab /etc/krb5-radius.keytab
>
> KrbService
> This optional parameter overrides the default value of "radius" for
> the service name used when locating a key to obtain a service ticket
> as part of Kerberos Key Distribution Center spoof detection. This
> parameter has no effect unless the KrbKeyTab parameter is defined. See
> the KrbKeyTab parameter for more information. This parameter should be
> set to the service name of the service key obtained from your Kerberos
> administrator.
>
> # Service name for radius
> KrbService radiusproxyauthenciation
>
> KrbServer
> This optional parameter overrides the default value of the fully
> qualified domain name of the server running Radiator when locating a
> key to obtain a service ticket as part of Kerberos Key Distribution
> Center spoof detection. This parameter has no effect unless the
> KrbKeyTab parameter is defined. See the KrbKeyTab parameter for more
> information. This parameter should be set to the hostname included in
> the service key obtained from your Kerberos administrator.
>
> # Hostname of the server
> KrbServer radius.example.com
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.