Re: Is it required to use GSSAPI code for the Kerberos Server Auth? - Kerberos


Thread: Re: Is it required to use GSSAPI code for the Kerberos Server Auth?

  1. Re: Is it required to use GSSAPI code for the Kerberos Server Auth?


    Hi Team,

    Could you please let me know your thoughts on the below mentioned issue.

    Point #1
    ----------
    I am working on SA (Server Authentication) feature of Kerberos.
    - Is it required to port GSSAPI code for this feature of SA?
    - If so, where should I use this mechanism in Kerberos client code? That
    means, between TGS_REP and AP_REQ?
    - What is the exact procedure to use the GSSAPI code?

    I am using MIT code and Linux Server (sendmail server, SMTP as the
    Application server), i.e. I need to do server authentication for that SMTP
    server.

    POINT#2:
    ----------
    I tried by sending AP_REQ to SMTP server successfully but I could not
    receive the AP_REP successfully. I think AP_REQ packet is not properly
    understood by SMTP server since I have not been using the GSSAPI code in my
    implementation. So should I port the GSSAPI code into my code base and do
    SA??

    POINT#3:
    ======
    - Is the following statement right?
    Kerberos Server Authentication is not supported by Windows 2003/2000
    exchange SMTP server.
    Kerberos SA can be done (only) with LINUX/Unix- Send mail SMTP server.

    Is this statement true????

    Could you please throw some light on the same?

    Thank you,
    -Surendra
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Is it required to use GSSAPI code for the Kerberos Server Auth?



    Surendra Babu A wrote:
    > Hi Team,
    >
    > Could you please let me know your thoughts on the below mentioned issue.
    >
    > Point #1
    > ----------
    > I am working on SA (Server Authentication) feature of Kerberos.


    What do you mean by SA (Server Authentication) feature of Kerberos?


    > - Is it required to port GSSAPI code for this feature of SA?



    Use GSSAPI everywhere you can. If you do, you will not have to
    deal with any of the Kerberos *_REQ or *_REP packets, as the
    Kerberos GSSAPI does this for you.

    > - If so, where should I use this mechanism in Kerberos client code? That
    > means, between TGS_REP and AP_REQ?
    > - What is the exact procedure to use the GSSAPI code?
    >
    > I am using MIT code and Linux Server (sendmail server, SMTP as the
    > Application server), i.e. I need to do server authentication for that SMTP
    > server.
    >


    Google for smtp gssapi
    to find SMTP examples


    > POINT#2:
    > ----------
    > I tried by sending AP_REQ to SMTP server successfully but I could not
    > receive the AP_REP successfully. I think AP_REQ packet is not properly
    > understood by SMTP server since I have not been using the GSSAPI code in my
    > implementation. So should I port the GSSAPI code into my code base and do
    > SA??
    >


    Use the GSSAPI...


    > POINT#3:
    > ======
    > - Is the following statement right?
    > Kerberos Server Authentication is not supported by Windows 2003/2000
    > exchange SMTP server.


    What do you mean by Kerberos Server Authentication?

    > Kerberos SA can be done (only) with LINUX/Unix- Send mail SMTP server.
    >
    > Is this statement true????
    >
    > Could you please throw some light on the same?
    >
    > Thank you,
    > -Surendra
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  3. Re: Is it required to use GSSAPI code for the Kerberos Server Auth?

    Hi Douglas,

    Thanks a lot for the response. Following are my inputs.

    POINT#1:

    Server Authentication means, Mutual Authentication. Sorry for the confusion.

    So for Mutual Authentication with the Server (AP_REQ and AP_REP to be done).
    We have formed the AS_REQ, AS_REP, TGS_REQ and TGS_REP packets on our own
    by using Krb5 code without using the GSSAPI.

    While sending the AP_REQ packet to SMTP server, should we add GSSAPI
    information? Basically, I am sending the
    - Service ticket and
    - Authenticator information in the AP_REQ packet. With this information,
    the SMTP server is saying, unknown data?

    Is it required to add some GSSAPI header information to the AP_REQ packet?
    What GSSAPI should I use to make the correct AS_REQ packet?

    POINT#2:
    =======
    If we use GSSAPI code, everything will be taken by that. All *_REQ and _REP
    packets will be sent and processed. Can't we plug in our processed AS_REQ,
    AS_REP, TGS_REQ and TGS_REP packets into that?
    - we are facing problem in forming the AP_REQ packet for MUTUAL
    AUTHENTICATION with the Server.

    Any thoughts on the same?

    Thanks a lot in advance,
    -Surendra




  4. Re: Is it required to use GSSAPI code for the Kerberos Server Auth?


    http://www.rfc-archive.org/getrfc.php?rfc=1964

    > While sending the AP_REQ packet to SMTP server, should we add GSSAPI
    > information? Basically, I am sending the
    > - Service ticket and
    > - Authenticator information in the AP_REQ packet. With this information,
    > the SMTP server is saying, unknown data?
    >
    > Is it required to add some GSSAPI header information to the AP_REQ packet?
    > What GSSAPI should I use to make the correct AS_REQ packet?


    This is very confusing; are you just sending binary Kerberos tokens
    (BER-encoded ASN.1 as defined in RFC 1510) directly over an SMTP
    connection? That makes no sense; they are not part of the SMTP protocol.

    The only way I know of to do Kerberos-5 authentication over SMTP is via
    the SASL GSSAPI mechanism, e.g.:

    S: 220 server ESMTP Sendmail 8.13.4/8.13.4/Debian-3
    C: EHLO client
    S: 250-server Hello client [192.168.10.1], pleased to meet you
    S: 250-ENHANCEDSTATUSCODES
    S: 250-PIPELINING
    S: 250-8BITMIME
    S: 250-SIZE
    S: 250-DSN
    S: 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    S: 250-STARTTLS
    S: 250-DELIVERBY
    S: 250 HELP
    C: AUTH GSSAPI YIICHwYJKoZIhvcSAQICAQBuggIOMIICCqADAgEFoQMCA...
    S: 334 YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+idzB1oAMCA...
    C:
    S: 334 YD8GCSqGSIb3EgECAgIBBAD/////NjquIGKmcwGEBpaxka32hdsjW...
    C: YD8GCSqGSIb3EgECAgIBBAD/////Na98BB7CsN66s7du++Yd/T4gnuWH9...
    S: 235 2.0.0 OK Authenticated
    Authenticated.
    Security strength factor: 56
    C: QUIT

    These messages are base64 encoded GSSAPI/Kerberos messages as defined in
    RFC 1964.

    > POINT#2:
    > =======
    > If we use GSSAPI code, everything will be taken by that. All *_REQ and _REP
    > packets will be sent and processed. Can't we plug in our processed AS_REQ,
    > AS_REP, TGS_REQ and TGS_REP packets into that?


    Why would you want to, if the GSSAPI library accomplishes your goal? The
    whole point is abstraction.

    Anyway, if you've gotten as far as doing this much of the Kerberos
    protocol yourself, it's not much more work to do the GSSAPI / SASL
    encoding too and implement the exchange you see above, if you really want
    to.

    --
    Richard Silverman
    res@qoxp.net
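
Added example, not part of the original thread and not MIT's code: the RFC 1964 framing that turns a bare AP-REQ into the GSSAPI token carried (base64-encoded) in the `AUTH GSSAPI` line above. The function names `gss_krb5_frame` and `gss_krb5_unframe` are hypothetical helpers, and the 530-octet AP-REQ body in `main` is a constructed placeholder whose size is chosen so the first 18 octets of the output match what `YIICHwYJKoZIhvcSAQICAQBu` in the transcript decodes to.

```c
#include <stdio.h>
#include <string.h>
/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static const unsigned char KRB5_OID[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
#define OIDLEN (sizeof KRB5_OID)
enum { TOK_AP_REQ = 0x0100, TOK_AP_REP = 0x0200 };   /* TOK_ID values */

/* Frame a raw Kerberos message as 0x60 | DER length | mech OID | TOK_ID | message.
 * Returns the token length, or 0 if msg is too long or out[cap] is too small. */
size_t gss_krb5_frame(unsigned tok_id, const unsigned char *msg, size_t n,
                      unsigned char *out, size_t cap)
{
    size_t body = OIDLEN + 2 + n, off = 0;
    if (n > 0xffff - OIDLEN - 2 || cap < body + 4) return 0;
    out[off++] = 0x60;                      /* [APPLICATION 0], constructed */
    if (body >= 0x100) { out[off++] = 0x82; out[off++] = (unsigned char)(body >> 8); }
    else if (body >= 0x80) out[off++] = 0x81;
    out[off++] = (unsigned char)body;       /* low (or only) length octet */
    memcpy(out + off, KRB5_OID, OIDLEN); off += OIDLEN;
    out[off++] = (unsigned char)(tok_id >> 8); out[off++] = (unsigned char)tok_id;
    memcpy(out + off, msg, n);
    return off + n;
}

/* Parse the framing. Returns the offset of the inner Kerberos message and stores
 * its TOK_ID, or 0 if the token is malformed, truncated or for another mechanism. */
size_t gss_krb5_unframe(const unsigned char *tok, size_t len, unsigned *tok_id)
{
    size_t off = 2, body, k;
    if (len < 2 || tok[0] != 0x60) return 0;
    body = tok[1];
    if (body & 0x80) {                      /* long form: 1 or 2 length octets */
        k = body & 0x7f;
        if (k == 0 || k > 2 || len < 2 + k) return 0;
        for (body = 0; k > 0; k--) body = (body << 8) | tok[off++];
    }
    if (body != len - off || body < OIDLEN + 2) return 0;
    if (memcmp(tok + off, KRB5_OID, OIDLEN) != 0) return 0;
    *tok_id = (unsigned)tok[off + OIDLEN] << 8 | tok[off + OIDLEN + 1];
    return off + OIDLEN + 2;
}

int main(void)
{
    unsigned char apreq[530] = { 0x6e, 0x82, 0x02, 0x0e }, tok[600]; /* constructed */
    size_t n = gss_krb5_frame(TOK_AP_REQ, apreq, sizeof apreq, tok, sizeof tok);
    for (size_t i = 0; i < 18 && i < n; i++) printf("%02x ", tok[i]);
    return n == 0;
}
```

Framing alone does not make a hand-built AP-REQ acceptable to a GSSAPI peer: RFC 1964 also requires the authenticator checksum to be the special type 0x8003 that carries the context flags, which is one more reason the replies recommend the library.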


  5. Re: Is it required to use GSSAPI code for the Kerberos Server Auth?



    Surendra Babu A wrote:

    > Hi Douglas,
    >
    > Thanks a lot for the response. Following are my inputs.
    >
    > POINT#1:
    >
    > Server Authentication means, Mutual Authentication. Sorry for the confusion.
    >
    > So for Mutual Authentication with the Server (AP_REQ and AP_REP to be done).
    > We have formed the AS_REQ, AS_REP, TGS_REQ and TGS_REP packets on our own
    > by using Krb5 code without using the GSSAPI.
    >
    > While sending the AP_REQ packet to SMTP server, should we add GSSAPI
    > information? Basically, I am sending the
    > - Service ticket and
    > - Authenticator information in the AP_REQ packet. With this information,
    > the SMTP server is saying, unknown data?
    >
    > Is it required to add some GSSAPI header information to the AP_REQ packet?
    > What GSSAPI should I use to make the correct AS_REQ packet?
    >


    Are you trying to write your own Kerberos implementation? Or
    are you using MIT, Heimdal or some other version?

    Have you read all the Kerberos RFCs and the GSSAPI RFCs?

    I still can't understand why you feel you have to program at the
    Kerberos level, rather than the GSSAPI. The GSSAPI is designed to handle
    all these problems you are having. If you want mutual authentication
    with GSSAPI, on the gss_init_sec_context you would add the GSS_C_MUTUAL_FLAG
    flag and the GSSAPI would take care of it for you.

    All the Kerberos implementations come with GSSAPI, and on some systems
    like Solaris 10, the underlying Kerberos is not exposed, only the GSSAPI.
    On Windows the Microsoft SSPI can interoperate with GSSAPI Kerberos
    on other systems.
    There are also gssapi examples with the different implementations.

    Are you starting with some application that already does
    Kerberos, rather than GSSAPI? Have you done a Google for smtp gssapi?

    Looks like you need SASL too.


    > POINT#2:
    > =======
    > If we use GSSAPI code, everything will be taken by that. All *_REQ and _REP
    > packets will be sent and processed. Can't we plug in our processed AS_REQ,
    > AS_REP, TGS_REQ and TGS_REP packets into that?


    The AS, and TGS messages are between the client and the KDC. GSSAPI deals
    with the client to the server, and will be doing all the AP_* type
    messages for you.

    With Kerberos GSS, you will still have to have done a kinit to get
    the initial TGT, which is then saved in a ticket cache. So if you
    used something other than kinit to do the AS_* processing, put them
    in a ticket cache.

    The gss_acquire_cred is then called. The Kerberos GSSAPI implementation
    will look for the ticket cache and will obtain additional tickets for you
    using the TGS_* messages and the original TGT.

    > - we are facing problem in forming the AP_REQ packet for MUTUAL
    > AUTHENTICATION with the Server.
    >
    > Any thoughts on the same?




    >
    > Thanks a lot in advance,
    > -Surendra
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

