Saturday, September 5, 2009

OS X Bug : Problems connecting to WPA Enterprise with 10.5.8

I have recently had trouble connecting to Purdue's wifi network named PAL2.0 (which requires WPA Enterprise/TTLS/MSCHAPv2/PEAP). Purdue's technical support (ITAP) attempted to help me but was unsuccessful (it isn't their fault). I found my own fix and wanted to share it with others who may be having the same problem. Basically the problem was introduced by Apple with Mac OS X, update 10.5.8.

The problem:
- Can't connect to PAL2.0 (sporadic)

Symptoms:
- Repeatedly tries to perform MSCHAPv2 authentication, never gets IP address. I have captured a screencast demonstrating the problem.

Setup:
- Macbook Pro (maybe other models? mine is a 2007 model) running OS X 10.5.8

Fix:
- Revert to the wifi firmware to pre-10.5.8 version. I followed these instructions (proceed at your own risk)
- If you have the right model of mac (I did not), you may be able to apply this patch from Apple.

Posted by D. M. Stanley at 11:41 AM 4 comments

Friday, July 10, 2009

OS X Bug : 802.1x TTLS defaults to CHAP even if changed to PAP

While configuring freeradius I uncovered a nasty Mac OS X bug. My goal is/was to authenticate Mac OS X (leopard) to WPA2 using RADIUS configured to authenticate to LDAP (over EAP+TTLS+PAP).

Scenario #1 (broken)

When I get within range of a WPA2 EAP+TTLS+PAP WIFI connection I am prompted to login. If I try my login, it will fail because I have not configured 802.1x to use TTLS+PAP which is expected. If I then try to configure TTLS to use PAP using the 802.1x configuration dialogs, it will display "PAP" in the configuration dialog but it will not actually use PAP, it will continue to try to use its default CHAP authentication inside of TTLS. I am then never able to connect to this access point without deleting it and starting over (as below).

Scenario #2 (working)

However, if, with my wireless card turned off, I configure 802.1x authentication profile in advance of connecting to the same access point. Then turn on my wireless card. Then instead of entering my user/pass when prompted select "Join Other Network" and manually assign the new and correct 802.1x profile to the new wifi connection. It works as expected. It was nontrivial to track down this problem. I am using freeradius and found that despite having PAP listed under TTLS the following was logged: 
MS-CHAP-Challenge = 0x...
MS-CHAP2-Response = 0x...
I have deliberately not enabled CHAP in my freeradius configuration so I knew something was up. After I finally got it working (using scenario #2), those two MS-CHAP log entries disappeared. A few of the freeradius log messages that were symptoms of the problem are as follows (in hopes that others may find this post): 
pap No clear-text password in the request. Not performing PAP.
...
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Posted by D. M. Stanley at 11:01 AM 0 comments

Thursday, June 4, 2009

Apache mod_rewrite and the HTTP Host Header

I am involved with a web project that bases some application logic on the hostname of the server. During the development phase we wanted to test host-specific logic without modifying hostname resolution (through /etc/hosts or DNS) or modifying the code with specific development hostname conditionals. To accomplish this task, I crafted some handy Apache mod_rewrite rules:

<VirtualHost>
...
# requires mod_rewrite and mod_headers
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/set_site.html$
RewriteCond %{HTTP_COOKIE} ^.*choose_site=([^;]*).*$
RewriteRule ^(.*)$ $1 [E=SET_SITE:%1]
RequestHeader set Host %{SET_SITE}e
...
</VirtualHost>

The first condition matches anything but the form used to set the site cookie (choose_site). I am not entirely sure why, but if this conditional is omitted an infinite redirect happens. To keep the application code base clean I used mod_alias to alias this form to a location outside of the DOCUMENT_ROOT.

The second condition extracts the hostname from the cookie and places it in magic variable %1. The rule just passes through all requests and sets the apache environmental variable SET_SITE. This step is necessary because mod_headers can't use the mod_rewrite generated %1 variable.

Finally the last directive sets the Host header of the request, which if you're lucky, will get passed up to your scripting language for use in the logic.

Posted by D. M. Stanley at 7:57 AM 0 comments

Friday, May 29, 2009

Apple Address Book and IM Values

I have recently been working on centralized authentication using OpenLDAP. Beyond authentication, LDAP-based directories can be used as a shared address book. Most desktops being used by our organization are Apple computers. The system address book, known as "Address Book" may be configured to access an LDAP directory. Bingo! Unfortunately, the Address Book is only interested in a subset of attributes that are stored in the LDAP directory. Using wireshark, I found that it asks for the following attributes:

givenName
sn
cn
mail
telephoneNumber
facsimileTelephoneNumber
o
title
ou
buildingName
street
l
st
postalCode
c
jpegPhoto
mobile
co
pager
destinationIndicator
labeledURI
IMHandle

The Address Book works as expected with one exception. The last field it requests, and it receives from LDAP, is IMHandle. It would be nice if IMHandle was *actually* supported by the Address Book, however no matter how much brute force I used, I could not get IMHandle to show up in the Address Book. The application appears to receive the value for IMHandle but discards it. By the way, getting the Apple LDAP schema (which enables the storage of IMHandle) to cooperate with our other LDAP schemas was kind of ugly.

The solution? I figured out that we could use the labeledURI field to store IM information. Both Jabber and AIM have a protocol specification that works with the Mac and Firefox (and likely other software). The format is as follows:

Jabber (such as Google Talk)
im:ACCOUNT_NAME@gmail.com
AOL Instant Messenger
aim:goim?screenname=ACCOUNT_NAME

The Address Book then shows the first (and only the first) labeledURI. So if we set the first value of labeledURI to the user primary IM URI, it shows up in the Address Book and is even "clickable".

Hey Apple Developers, how about supporting IMHandle in Address Book? Or at least show multiple labeledURI values.

Posted by D. M. Stanley at 11:55 AM 0 comments

Saturday, April 21, 2007

Comparative Analysis of OpenPGP and S/MIME

About

Both S/MIME and OpenPGP are end to end security mechanisms that facilitate secure email transmission. S/MIME and OpenPGP are competing technologies that operate in much the same way. This document aims to analyze the difference between the two technologies, and to describe the costs and benefits of each.

PGP is the common name for a security methodology first introduced by Philip Zimmermann. PGP is an acronym for "Pretty Good Privacy". The IETF standard for this methodology is referred to as OpenPGP. OpenPGP is described by RFC 2440.

S/MIME is short for Secure/Multipurpose Internet Mail Extensions. It was first developed by RSA Data Security, Inc. The S/MIME standard is described by RFC 3851. Not all versions of the technology are part of the standard.

History

OpenPGP

PGP was first developed by Philip Zimmermann in 1991. The source code of the project was distributed with the program and a team of developers emerged around the project. In 1996, Philip and his team formed PGP Inc. PGP Inc. created versions three, four and five of PGP.

In 1997, the technology branched in two directions. First, in July, amidst growing concerns over algorithms with licensing difficulties, Philip and a subset of the team proposed an "Unencumbered PGP" to the IETF for standards consideration [WIKIP-OP]. The proposal was accepted and given the formal name OpenPGP..

In December of 1997, PGP Inc. was aquired by Network Associates, Inc (NAI). Philip left NAI in 2001 to join Hush Communications, an OpenPGP based mail service provider. In 2002, NAI sold PGP assets to a group of original PGP team members excluding Philip [WIKIP-OP]. The newly formed company was named PGP Corporation, and it is still in business selling PGP based technolgogies. Philip serves in an advisory role for the company.

OpenPGP is still on the standards track (as of this writing), and is being actively developed. One primary implementation of the standard has emerged from the GNU project, named GNU Privacy Guard (GnuPG).

S/MIME

S/MIME was first developed by the RSA Data Security Inc. in collaboration with other private organizations [IMC]. Early versions of the technology were not part of the standards track, primarily due to patent restrictions on the RSA encryption algorithm used in the technology. Version three of the technology was the first to be part of a standard in 1999. However it was defined by RFC 2633 which has since been obsoleted by S/MIME version 3.1 described by RFC 3851. RFC 3851 is the current standard and the topic of this document.

One Distinct Difference

OpenPGP is a general purpose encryption methodology. As stated by the OpenPGP RFC it is "data integrity services for messages and data files." S/MIME is specifically designed for MIME-encapsulated data. Generally this means email, but technically it could mean any technology supporting MIME encoding. From the S/MIME RFC, "S/MIME provides a consistent way to send and receive secure MIME data."

This is an important distinction. OpenPGP can and does have practical application outside of the context of Internet messaging. For example:

  • A user may choose to encrypt their entire home directory to protect data on disk. All documents stored inside the directory would be encrypted and only accesible with the corresponding private key.
  • A user could encrypt a single file, then use delivery mechanisms other than email, such as FTP, to transfer the file to its destination.

Products exist for both the commerical PGP specification and the OpenPGP specification. Additionally GnuPG can be used as a library by third party programs to enable encryption and decryption for many different scenerios.

Similarities

Both OpenPGP and S/MIME function in much the same way. We will ignore the fact, for now, that OpenPGP has use outside of email and focus on its merits as an email encryption methodology. Both OpenPGP and S/MIME are end-to-end encryption methodologies. In other words, the data is encrypted at the origination site, transmitted in a standard networking envelope (the traffic patterns are not protected) and decrypted at the destination site. Additionally, both use public-private key type encryption.

Process

The following list describes the common path taken by an email message transformed by either technology:

  1. Compose message
  2. Encrypt/sign message with private key
    • Sign message
    • Encrypt data (requires recipients public key)
    • Sign message and encrypt data (requires recipients public key)
  3. Transmit message
  4. Decrypt/verify message with senders public key
    • Verify signed message
    • Decrypt data (requires recipients private key)
    • Verify message and decrypt data (requires recipients private key)
  5. Read message

Encryption and Signing Process

There are many details involved in describing the encryption and signing process. For the purposes of this document we will explore where they are different in the process. For simplicity, we will compare S/MIME to OpenPGP, not OpenPGP/MIME (see below), and we will show situations where encyption and signing are occuring.

OpenPGP Encryption & Signing

  1. Plaintext message created (M)
  2. M hashed (H)
  3. H encrypted (EH)
  4. EH and M concatenated (EHM)
  5. EHM compressed (Z)
  6. Z symettrically encrypted with session key (ZS)
  7. Session key encrypted with recipient's public key (SP)
  8. ZS and SP concatenated (EM)
  9. Encrypted and signed message, EM, complete

S/MIME Encryption & Signing

OpenPGP is assembled as shown with a couple of concatenations of parts. S/MIME divides these parts into separate subtype MIME entities. These separate entities can encapsulate each other and be applied in any order because they all result in MIME encapuslated output. Following is a listing of the relevant "Content Types" according to the RFC:

  1. Data
  2. SignedData
  3. EnvelopedData
  4. CompressedData

S/MIME prior to version 3.1 did not provide compression. Compression was added to 3.1 as a MIME type. It is not clear how well current S/MIME client programs support compression . The prevailing community information indicates that compression is not well supported. Presumably, if compression were implemented, OpenPGP and S/MIME would map roughly in the following way:

OpenPGP StepS/MIME Content Type
  • Plaintext message created (M)
 Data
  • M hashed (H)
  • H encrypted (EH)
  • EH and M concatenated (EHM)
 SignedData
  • EHM compressed (Z)
 CompressedData (see above)
  • Z symettrically encrypted with session key (ZS)
  • Session key encrypted with recipient's public key (SP)
  • ZS and SP concatenated (EM)
  • Encrypted and signed message, EM, complete
 EnvelopedData

Transmission Format

OpenPGP has two message formats: OpenPGP and OpenPGP/MIME. OpenPGP, by default, offers a non-mime-encapsulated message transmission. In other words it is equivalent to a standard plain text email without any attachements. OpenPGP/MIME is similar in formatting to S/MIME. Both use MIME encapsulation for the transmission of data and signtures. Following are actual transmissions of encrypted and signed data (just signed or just encrypted would have similar characteristics):

OpenPGP - Signed & Encrypted



From: sender@555.com
To: recipient@555.com
Subject: Test Sign and Enc
Content-Type: text/plain;
 charset="iso-8859-1"

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQIOA1D+V4G4ChJkEAf/Q9gyX3nshwfjJiwBZVoZ/RcRRDeDmZC1czezhw2IHERT
CUEPlOvis/s7X7iv/6Fs3ycdOEB0/B74oTeIOIK7hdHGkDXg5LL1fPj9eBm46ETa
fN1unMpzdXrk94R6eg+s0Pz1/+cR4Dv45BX2pqZJBTSg4WrC0TBT5U9uKWS4lXYQ
QMTRlvSl+K6ZlM5VCeB8FpRcKGqFs6mTIUNo/l+oTGFaDE/iWd4cd07WXbBekiNZ
...[segment snipped for readability]...
2f30QgYMWXnyAZAh//dapq7yg+UFIaiZinF4pYOIR5U2VmctEygXIm8+a433UypG
Ot0RErIE+gwUGyfkGG5aXrG1plcvrPuvR3pFkwvf19jpatlL4pMARr+eGHIG/rQN
HuE1M2OUOsIr7pKkpbZ423gcgE1MYoGo8YWGRRBwNTbsRdwaLGfJ1IjYCCRT5eap
os8XHKH2SITlYazz6gpG7htkSFDhj8a+UeoezXmyYnuYA13VLQHDKQ/eYMvQOpum
1sh9VmHjGp1jypC1pcY=3D
=3D1HFW
-----END PGP MESSAGE-----

OpenPGP/MIME - Signed & Encrypted


From: sender@555.com
To:  recipient@555.com
Subject: test PGP/MIME
Content-Type: multipart/encrypted;
 protocol="application/pgp-encrypted";
 boundary="------------enig371AFEE0FF01CE1E773B775E"

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
--------------enig371AFEE0FF01CE1E773B775E
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification

Version: 1

--------------enig371AFEE0FF01CE1E773B775E
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQIOA1D+V4G4ChJkEAf/R5yUQuWvLQY1XBdi9I3qCLIzKFCMv+XzOx1HUvs4kbGL
0FrQulEBzCtkNR9E6iflWkrlxZoPyrZ2Jec3wPidvVX6FxAoKFVdr/WW2pKd5iyW
KfKztEl35PjInwlqsT/XS9JXFL2yy83uzCr/R9K0KgRUUa0evr0IdhI7xCEXQoIj
5rYAoG8lxQzzkaMb+l3V/HwBiKu9unmQcrcTF9VU3IG9FqMkex9eiqbSjefoWOmm
...[segment snipped for readability]...
WAdF3IxeZbxLMDBlQCuvc8Kug6jXaKeONYrhva7rzaBHvdILECJeJXznd4hyPsuk
CCN3momgnC2y2RFWVosl0JxJiIjd2a8JALK2N07DVX7Z3qd4rw/Ra1fpnhcCX0ob
Nbs+ahvAccTegkfOeisUYQOGrrNz7uxDhSlM1JVd4dQd2mB9VA9eQwpHtIM7QOA1
pfNprvFq7vVP3GZ0Nbo71I2BgMklhnuVl919vyOXQjpkTaxh4i/6lztTV4ay+4yb
smiF0cgByg==
=1wu6
-----END PGP MESSAGE-----

--------------enig371AFEE0FF01CE1E773B775E--

S/MIME - Signed & Encrypted


From: sender@555.com
To: recipient@555.com
Subject: Testing S/MIME Enc
Content-Type: application/x-pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"
Content-Description: S/MIME Encrypted Message

MIAGCSqGSIb3DQEHA6CAMIACAQAxggMkMIIBjgIBADB2MGIxCzAJBgNVBAYTAlpBMSUwIwYD
VQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQTSqaMaVxLd7IQrJvKRr4vjANBgkqhkiG9w0B
AQEFAASCAQAFYfRWKLZvmLlehIFYRNb153/H07aveQvVpWIMB7IDVnJvuMfANSFFnn2Dr8CP
...[segment snipped for readability]...
RSfYf9wEj40OMZGWDHfHbwNPCIz0usiD4xhUdqEUmmQMb8JtZ+NNf72Lepla/l57n3YSoLUf
LX+RqhtCX56MI2ynbXRHIAC1519NDFVwJArF225km6lic3A7/GoxvQDMPHocMJUf7OW6Fs5T
mWj/DriO18fsdbDZbAM2FgTyaszWi8QhEglcSw5bDSfQPdYtU8HyBaA6lxrZcTjshp5vt8Or
UcaGG0NQINx/KQYxkksREExI3mnSPTaxapyl2JjXSAQIpNuen07JarwAAAAAAAAAAAAA

Algorithms

Both technologies share a number of algorithms. The following table represents each function and its corresponding set of technologies as described by their respective RFCs (shared algorithms have added emphasis):

FunctionOpenPGPS/MIME
Public Key RSA, Diffie-Hellman, DSA, Elgamal, Elliptic Curve, ECDSA RSA, Diffie-Hellman, DSA
Symmetric Key AES, Triple-DES, IDEA, CAST5, Blowfish, SAFER-SK128, DES/SK, AES, Triple-DES, RC2
Compression ZLIB, ZIP ZLIB (as described in related RFC 3274)
Hash MD5, SHA-1, RIPE-MD/160, Double-Width SHA, MD2, TIGER, HAVAL MD5, SHA-1

Web of Trust and Public Key Infrastructure

OpenPGP and S/MIME both provide mechanisms for authenticating parties. OpenPGP relies on a concept called a "Web of Trust." It is essentially a distributed peer validating service. The concept was introduced by Philip Zimmermann. It works much like social networking. Person A, Alice, sends her public key to person B, Bob. Bob adds Alice's public key to his key ring and optionally indicates his level of trust in Alice's key. Over time the trust endorsements are calculated and the net effect is a decentralized "web of trust."

S/MIME relies on Certificate Authorities (CA) to authenticate parties. This is similar in nature to the way SSL certificates are issued for serving secure web sites. Various models are used by CA's to authenticate a person. Generally it is similar to authenticating with a government agency. A person must provide several forms of identification.

Both OpenPGP and S/MIME allow you to use them relatively untrusted. In other words, you may generate or obtain valid private and public keys that are useable but are "untrusted". This is a good thing for getting started quickly with each technology. For example if one wanted to communicate securely with someone who had never used either technology the recipient could quickly be up and running enabling them to communicate in a timely manner.

The primary difference between a Web of Trust and a Public Key Infrastructure is a matter of trust. Do you trust a decentralized peer group or a centralized organization?

Implementation

Both OpenPGP and S/MIME are well supported across many platforms and applications. For the purposes of this document, a test was conducted on the following platforms and applications:

Linux
OpenPGP
S/MIME
Mac OS X
OpenPGP
S/MIME
Windows
OpenPGP
S/MIME

Evolution, Mail.app and Outlook were considered, for the purposes of this paper, to be the most entrenched mail applications on each platform. This is not a completely fair assertion for the Linux platform as many good email clients exist for that platform. However, Evolution is very similar to Outlook which increase its likely usage in business settings.

All tested software listed above were fairly easily installed and configured. It is worth noting that all tested Mail User Agent's (MUA) support S/MIME by default and all MUA's required a plugin to support OpenPGP. With the exception of Evolution which came preconfigured for both technologies.

Problems only occurred with one tested program, Gpg4win's Outlook plugin. Specifically, Outlook with Gpg4win could not encrypt plaintext formatted email messages. Working from a bug report found online it was discovered that by composing HTML formatted email messages worked as expected. For Outlook PGP integration PGP.com's PGP Desktop may be a better choice.

A few notes from the tested products:

  • S/MIME integration was very easy for all mail clients
  • Enigmail makes OpenPGP integration very easy for Thunderbird.
  • Evolution could use an integrated GPG key management window. External applications exist for this purpose but an integrated window, similar to Enigmail, would improve usability.
  • Similar criticism applies to Mail.app. An integrated key management window would improve usability.
  • The easiest configuration was S/MIME for Mail.app. Though most S/MIME configurations were simple, Mail.app was completely configured by adding the S/MIME key to the system keyring, simply by double-clicking the key file.
  • Thunderbird should be noted. It was the only cross platform mail application. Additionally it was easily configured to use both OpenPGP and S/MIME. Certainly Enigmail makes it the easiest OpenGPG implementation.

Summary

The largest difference between OpenPGP and S/MIME is the ability for OpenPGP to encrypt a variety of data types not limited to MIME encoded data types. This gives OpenPGP a decided edge over S/MIME in the way of versatility.

For large data streams, OpenPGP provides more efficient compression. Though compression is available in the S/MIME specification it is implemented as an MIME container. In other words, the contents to be compressed have already been encoded per the MIME specification, usually Base64. Base64 actually grows the data by about 137% [WIKIP-B64]. In contrast, OpenPGP compresses the original plaintext, and optionally the signature prior to encryption or any type of encoding.

Both OpenPGP and S/MIME use industry standard encryption algorithms. Neither technology is more secure than the other, barring esoteric arguments. Some would rank each technology based on the trust model used. However, the security aspect of each trust model is subjective.

The trust models used for each technology are very different in philosophy. In practice, neither method is more difficult to use than the other. It is arguable that S/MIME is more attractive due to its similarities to SSL certificate distribution, a model already trusted by most web users implicitly.

S/MIME has an advantage when it comes to implementation. All mail clients tested came with S/MIME support built in. As a result, the barriers to entry for a new user are lower. Generating an S/MIME certificate required a bit more effort than OpenPGP. So the time commitment for setting up each initially is similar. However the zero-footprint install may be attractive to those managing many workstations.

How would one choose between the two technologies? Many factors play a part in this decision. The following table provides a visual representation of the pros and cons of each technology:

FunctionOpenPGPS/MIME
Versatility + -
Space Efficiency + -
Security + +
Trust Model + +
Implementation - +

References

[WIKIP-OP] - Wikipedia:Pretty Good Privacy
http://en.wikipedia.org/wiki/Openpgp
[WIKIP-B64] - Wikipedia:Base64
http://en.wikipedia.org/wiki/Base64
[IMC] - S/MIME and OpenPGP
http://www.imc.org/smime-pgpmime.html
RFC 2440 - OpenPGP Message Format
http://www.ietf.org/rfc/rfc2440.txt
RFC 3851 - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification
http://www.ietf.org/rfc/rfc3851.txt
RFC 2633 - S/MIME Version 3 Message Specification
http://www.ietf.org/rfc/rfc2633.txt
RFC 3274 - Compressed Data Content Type for Cryptographic Message Syntax (CMS)
http://www.ietf.org/rfc/rfc3274.txt
Posted by D. M. Stanley at 4:23 PM 0 comments

Monday, January 9, 2006

Linux Kerberos Authentication

Summary

This document describes the methods used to authenticate Linux machines against a central kerberos realm.

Please note: Many documents found on the web describe Kerberos authentication as it relates to Samba and joining a Samba server to a Windows domain. They are two different things, so don't confuse them. This document describes how to authenticate against a Kerberos realm (Active Directory in our case) via PAM (Pluggable Authentication Modules).

Why use Kerberos and not NTLM

  • Kerberos is a standard protocol, NTLM is proprietary.
  • Kerberos is more secure than NTLM.
  • Kerberos is the "new" mechanism used by Windows servers. NTLM is the Windows NT domain authentication method.
  • According to Microsoft Kerberos is more efficient than NTLM.

Server Configuration

This document contains diff files which are relevant only to Red Hat Enterprise Linux AS release 3 (Taroon Update 5). Concepts should transfer.
  1. Be sure to have proper rpms installed: up2date pam_krb5 krb5-libs krb5-devel krb5-workstation
  2. Modify /etc/krb5.conf
  3. Modify /var/kerberos/krb5kdc/kdc.conf
    • Might not exist so make it first:
      • mkdir -p /var/kerberos/krb5kdc
      • touch /var/kerberos/krb5kdc/kdc.conf
    • Reference (these links give you in-depth information, skip to examples if you don't care)
    • Examples
  4. Modify relevant PAM service files:
    • For LOGIN service only (telnet,ftp,xinetd-based-services), modify /etc/pam.d/login
      • login.diff Diff for a working login file.
        • Copy the contents or the file login.diff to the server.
        • cd /etc/pam.d
        • patch -i login.diff login
      • login Working login file.
    • For SSHD service only, modify /etc/pam.d/sshd
      • sshd.diff Diff for a working sshd file.
        • Copy the contents or the file sshd.diff to the server.
        • cd /etc/pam.d
        • patch -i sshd.diff sshd
      • sshd Working sshd file.

How It Works

At this point the server has the capability of authenticating against a kerberos realm. For a user to properly authenticate they must have an active account on the domain and a local account on the Linux machine (no password). If both of these things are not true, authentication will fail.
  • useradd dannies

Now that the user is local you assign file permissions and groups the same as you would any user account. If a user is disabled on the domain they will no longer be able to login to the kerberos authenticated machine.

More Information

Posted by D. M. Stanley at 9:00 PM 0 comments

Thursday, February 10, 2005

How To Calculate Subnet Masks

Following is an illustration of how subnet calculations work. I had to refresh my memory so I thought I would share:

  • 192.168.168.168 --> This is a 32 bit IP address. 8 bits times 4 segments.
  • 255.255.255.0 --> This is a 24 bit network mask. 8 bits times 3 segments.

For it to make most sense convert the number to binary. So consider an 8 bit segment you can calculate it like this:


Place 1: 0 or 1 = 128
Place 2: 0 or 1 = 64
Place 3: 0 or 1 = 32
Place 4: 0 or 1 = 16
Place 5: 0 or 1 = 8
Place 6: 0 or 1 = 4
Place 7: 0 or 1 = 2
Place 8: 0 or 1 = 1
======================
  Total = 255

I.E. segment 255 would be 11111111, and 0 would be 00000000, and 192 would be 11000000. In the case of the subnet mask being 255.255.255.224. The binary looks like:

11111111.11111111.11111111.11100000

Which leaves the last 5 bits for the host IP address. A network with a subnet mask declared 255.255.255.224 would actually have 8 IP ranges (2^3), with 32 addresses in each. Only 30 are usable for hosts as the the first is the "network" and the last is the "broadcast".


(Last Segment)
-------------------------------------------
000xxxxx -> 00000000 - 00011111 (000 - 031)
001xxxxx -> 00100000 - 00111111 (032 - 063)
010xxxxx -> 01000000 - 01011111 (064 - 095)
011xxxxx -> 01100000 - 01111111 (096 - 127)
100xxxxx -> 10000000 - 10011111 (128 - 159)
101xxxxx -> 10100000 - 10111111 (160 - 191)
110xxxxx -> 11000000 - 11011111 (192 - 223)
111xxxxx -> 11100000 - 11111111 (224 - 255)

It is worth noting that netmask is sometimes identified by using the "network" address slash the number of bits to mask. As example you could represent the above IP ranges like this:


192.168.0.0/27
192.168.0.32/27
192.168.0.64/27
192.168.0.96/27
192.168.0.128/27
192.168.0.160/27
192.168.0.192/27
192.168.0.224/27

Maybe the following is a bit more familiar to you:

192.168.0.0/24 (192.168.0.0 - 192.168.0.255)
Posted by D. M. Stanley at 11:52 AM 0 comments
Labels:
Subscribe to: Posts (Atom)