slvr32 | Posts: 168 | Thanked: 104 times | Joined on Feb 2008 @ California, USA
#4
Originally Posted by edgester
I'm the maintainer for the krb5 and openafs maemo extras packages. Did you compile against the krb5 package from extras? I haven't used SPNEGO before, but I have some possible hints. Can you install the LiveHTTPHeaders extension to snoop the traffic? Is NTLM authentication involved? Run "klist -e" and check /etc/krb5.conf to make sure that you have the same encryption types configured as you use on your desktop.
Well, I don't know what the trick is to install packages in the scratchbox environment... variants of fakeroot apt-get install, apt-get install krb5, krb-utils, etc... weren't going anywhere, so I built kerberos (krb5-1.6.3) from source with a --prefix=/usr, and did the same with openssh 4.7p1 from source, --prefix=/usr --sysconfdir=/etc/ssh, but just copied the 'ssh' binary from scratchbox to my tablet.

In other words, kerberos and openssh in the scratchbox environment were built/installed from source, but I installed the krb5 utils from (your) binary packages on the tablet itself, and the only file I grabbed from my scratchbox builds is the 'ssh' binary, and replaced /usr/bin/ssh with my kerberized ssh.

I'm not having trouble with the kerberized ssh; that works great after I do a kinit -f, and I can ssh to other (Unix/Solaris) machines that are kerberos aware.

klist -e looks the same on my desktop and tablet

Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

NTLM authentication isn't involved, as the kerberos servers are also Solaris boxes, and there isn't any Windows/AD infrastructure tied to any of this.

Silly question... is the LiveHTTPHeaders extension available on the tablet, or is that just an option on the desktop?

I just installed the LiveHTTPHeaders extension on my desktop, and I see the communication in 1), 2), and 3) here. That page is about writing a SPNEGO java client, but the header details are the common part for the browser communication.

http://s2.diffuse.it/blog/show/6602-...tion_with_Java

Looks like there's also a SPNEGO-related RFC mentioned on the curl site...

http://curl.haxx.se/rfc/draft-brezak-spnego-http-04.txt

Finally, I don't have any explicit encryption methods defined in /etc/krb5.conf on my desktop or tablet, and the desktop and tablet have identical krb5.conf files (obfuscated domain for the sake of this post):

[libdefaults]
# Lookup the realm from the TXT record
default_realm = SOMEWHERE.COM
dns_lookup_realm = on

# Lookup the KDCs from SRV records
dns_lookup_kdc = on

# Request tickets that are NOT bound to the client's IP address
# (needed when the client is behind NAT or changes networks, as a tablet does;
# the trade-off is that a stolen ticket is usable from any address)
noaddresses = on

[appdefaults]
renewable = true
forwardable = true

[realms]
SOMEWHERE.COM = {
admin_server = kerberos-2.somewhere.com
}

[domain_realm]
.somewhere.com = SOMEWHERE.COM
somewhere.com = SOMEWHERE.COM

Last edited by slvr32; 2008-12-31 at 09:12.
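As an added illustration (not code from the thread or from the krb5 project), this script parses the krb5.conf shown in the post and walks the [domain_realm] mapping the way a SPNEGO/Negotiate client does when it decides which HTTP/host@REALM service ticket to request for a web server. The sample config and hostnames are constructed from the post's obfuscated domain; the DNS TXT lookup that dns_lookup_realm enables is not modelled.

```python
# Constructed sample: the krb5.conf from the post above, comments stripped.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = SOMEWHERE.COM
dns_lookup_realm = on
dns_lookup_kdc = on
noaddresses = on
[realms]
SOMEWHERE.COM = {
admin_server = kerberos-2.somewhere.com
}
[domain_realm]
.somewhere.com = SOMEWHERE.COM
somewhere.com = SOMEWHERE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; '{ ... }' blocks become nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == '}':
            stack.pop()                        # close a '{' subsection
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host, then longest '.suffix' entry, else default_realm."""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):            # longest suffix first
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get('libdefaults', {}).get('default_realm')

def http_service_principal(conf, hostname):
    """Service principal a SPNEGO/Negotiate client asks the KDC for: HTTP/<host>@<REALM>."""
    return f"HTTP/{hostname.lower()}@{realm_for_host(conf, hostname)}"
```

If the browser's Negotiate attempt fails, checking that the target host resolves to the expected realm and principal here is a quick way to rule out a [domain_realm] mismatch before digging into the headers.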