


  • ... to acquire a ticket granting ticket.

    1. Client sends AS-REQ to server. Server finds the address of the KDC and forwards the AS-REQ to, and waits for the AS-REP response from, the KDC.
    2. Server sends AS-REP to client. Client parses AS-REP and constructs a TGS-REQ, using the ticket granting ticket encryption key, in order to acquire a ticket for the server.
    3. Client sends TGS-REQ to server. Server finds the address of the KDC and forwards the TGS-REQ to, and waits for the TGS-REP response from, the KDC.
    4. Server sends TGS-REP to client. Client parses TGS-REP and generates the AP-REQ using the session encryption key.
    5. Client sends AP-REQ to server. Server parses AP-REQ and, if required, the AP-REP is generated.
    6. (Optional) Server sends AP-REP. (Optional) Client parses AP-REP.

    If efficiency is a concern and the client has no other use of a ticket granting ticket for the realm, steps 3 and 4 can be skipped by asking for a ticket for the server directly in the AS-REQ.

    Note that the client, in subsequent connections, may try to re-use the ticket negotiated, if it is still valid.

    4.3 Non-Infrastructure Mode

    Kerberos 5 is usually a distributed security system, but we wish to point out that this Kerberos 5 SASL mechanism may be used in a standalone SASL server, to provide the security advantages that the Kerberos 5 Authentication Service (AS) provides over other methods.

    Josefsson                Expires September 21, 2004               [Page 7]
    Internet-Draft          A Kerberos 5 SASL Mechanism             March 2004

    Specifically, the SASL server may use a legacy password database (such as a CRAM-MD5 clear text password file) to generate Kerberos 5 principals on the fly. Authentication may thus proceed as follows:

    0. Server sends initial token. Client constructs AS-REQ, using the username supplied by the user, in order to acquire a ticket for the server directly. The realm can be predetermined by administrators, or simply be the hostname of the server.
    1. Client sends AS-REQ to server. Server parses AS-REQ and generates AS-REP based on the password in the database. The AS-REQ embeds a ticket for the server.
    2. Server sends AS-REP to client. Client parses AS-REP, extracts the ticket, and generates an AP-REQ using the session encryption key.
    3. Client sends AP-REQ to server. Server parses AP-REQ and, if required, generates the AP-REP.
    4. (Optional) Server sends AP-REP to client. (Optional) Client parses AP-REP.

    This may be extended further, i.e., by using the password and Kerberos 5 pre-authentication in step 1.

    Note that the client, in subsequent connections, may try to re-use the ticket negotiated, if it is still valid.

    5. Example

    The following is one Kerberos version 5 login scenario for the IMAP4 protocol in the non-infrastructure mode. Note that the line breaks are for editorial clarity.

    S: OK IMAP4rev1 server
    C: AUTHENTICATE KERBEROS_V5
    S: CQAAAADp6 ONC2vcprRbmH2J95Gh
    C: an4wfKEDAgEFogMCAQqkcDBuoAcDBQAAAAAAoRAwDqADAgEAoQcwBRsDamFzog
       sbCWxvY2FsaG9zdKMcMBqgAwIBAKETMBEbBGltYXAbCWxvY2FsaG9zdKURGA8y
       MDAzMDIwMjE2NDE0M1qnBgIEVAbYn6gLMAkCARECARACAQM
    S: a4IBzDCCAcigAwIBBaEDAgELowsbCWxvY2FsaG9zdKQQMA6gAwIBAKEHMAUb
       A2phc6WB5GGB4TCB3qADAgEFoQsbCWxvY2FsaG9zdKIcMBqgAwIBAaETMBEbBG
       ltYXAbCWxvY2FsaG9zdKOBqzCBqKADAgESooGgBIGdeBv2 NG1EgTMMMcHaVY3
       f2w6y bA56cVP8Toh A3XFvTw8JFqAJVFGDm3MBrrSFOYcN8 8WY8T1cm0jq68
       TcsiMh8y9KbWyeLJZedCVLLIfP1JgsSbBkZ7NLBFYCEEKvoGz2lMAuyJSh4 zT
       L NbcoIJq2ynCS965JKWWXl4rcBZPKBn5YUoU71dRK4 HFrBoHejr6UHwVKd
       y0TaaBtTCBsqADAgERooGqBIGnYP7dngXFL2 hUWEs5PxGwlmvpWzGHWyh2QJ7
       52eFj1tUpU3qT1NGgfVq2BVVWGDSVTO1vgDrkKCSDQwzkrqfwoZh4t6tt5tAPn
       MCx2VDGyOu4Uv4PUsw4 uEevqkQRczpCsZT y7pX7CxWHtytT3vLXNA6sANGnu
       O7v7gTO MGxzNvhVgMlujT2dkVgvCviVgJNuVef1VLVJWYM zc4tuPaPaWToZJ c
    C: boIBvjCCAbqgAwIBBaEDAgEOogcDBQAEAAAAo4HkYYHhMIHeoAMCAQWhCxsJbG
       9jYWxob3N0ohwwGqADAgEBoRMwERsEaW1hcBsJbG9jYWxob3N0o4GrMIGooAMC
       ARKigaAEgZ14G b80bUSBMwwxwdpVjd bDrL5sDnpxU xOiH4DdcW9PDwkWoAl
       UUYObcwGutIU5hw3z xZjxPVybSOrrxNyyIyHzL0ptbJ4sll50JUssh8 UmCxJ
       sGRns0sEVgIQQq gbPaUwC7IlKHj7NMv81tyggmrbKcJL3rkkpZZeXitwFk8oG
       flhShTvV1Erj 4cWsGgd6OvpQfBUp3 LRNpIG9MIG6oAMCARGhAwIBAaKBrQSB
       qjE doGGFMaz8g nKl45qG5BPxzql0jXI5YMS JqDeNBJIKasB0v9wMzXP9t8L
       62PLsanqpow5bxAUtl Dc8hqvc0cB cC1P8RTgb0upMqzxTristf7goWRhQgTJ
       OOwKJp ZftZOkSdTHBQZL8StYuYe 6RkKkgnkUMK10VSec YamG 5s37GvoRPG
       Hu126PTyjXs3EziFqf6HT9Da NJnDClFL8 nnlVFVt
    S: b2IwYKADAgEFoQMCAQ iVDBSoAMCARGhAwIBAKJGBESTDM1z2PF5cUYOBmOW
       IouXfHWtQzYzj1JFsJMV CHMTmBrJavImHjR24f9WyCNOvmJMAWeHHOV9Jtpj6
       rFt ytas4U0g C
    C:
    S: OK AUTHENTICATE KERBEROS_V5 authentication successful

    The service requested is imap/localhost in the realm localhost. The password used was foo, yielding an aes256-cts-hmac-sha1-96 encryption key of 0x6aefbaf05423cbc0fb44a41cc221783d7f52b764cca41fe2a05ad6d3bc7a67ea.

    The first packet specifies that mutual authentication and no integrity or privacy layer is requested (hence a zero maximum buffer size) and some random data. The second packet contains the AS-REQ, expanded as follows:

    name:KDC-REQ  type:SEQUENCE
      name:pvno  type:INTEGER  value:0x05
      name:msg-type  type:INTEGER  value:0x0a
      name:req-body  type:SEQUENCE
        name:kdc-options  type:BIT STR  value(32):00000000
        name:cname  type:SEQUENCE
          name:name-type  type:INTEGER  value:0x00
          name:name-string  type:SEQ OF
            name:NULL  type:GENERALSTRING
            name:1  type:GENERALSTRING  value:6a6173
        name:realm  type:GENERALSTRING  value:6c6f63616c686f7374
        name:sname  type:SEQUENCE
          name:name-type  type:INTEGER  value:0x00
          name:name-string  type:SEQ OF
            name:NULL  type:GENERALSTRING
            name:1  type:GENERALSTRING  value:696d6170
            name:2  type:GENERALSTRING  value:6c6f63616c686f7374
        name:till  type:TIME  value:20030202164143Z
        name:nonce  type:INTEGER  value:0x5406d89f
        name:etype  type:SEQ OF
          name:NULL  type:INTEGER
          name:1  type:INTEGER  value:0x11
          name:2  type:INTEGER  value:0x10
          name:3  type:INTEGER  value:0x03

    -----BEGIN SHISHI KDC-REQ-----
    an4wfKEDAgEFogMCAQqkcDBuoAcDBQAAAAAAoRAwDqADAgEAoQcwBRsDamFzogsb
    CWxvY2FsaG9zdKMcMBqgAwIBAKETMBEbBGltYXAbCWxvY2FsaG9zdKURGA8yMDAz
    MDIwMjE2NDE0M1qnBgIEVAbYn6gLMAkCARECARACAQM
    -----END SHISHI KDC-REQ-----

    The third packet contains the AS-REP, expanded as follows:

    name:KDC-REP  type:SEQUENCE
      name:pvno  type:INTEGER  value:0x05
      name:msg-type  type:INTEGER  value:0x0b
      name:crealm  type:GENERALSTRING  value:6c6f63616c686f7374
      name:cname  type:SEQUENCE
        name:name-type  type:INTEGER  value:0x00
        name:name-string  type:SEQ OF
          name:NULL  type:GENERALSTRING
          name:1  type:GENERALSTRING  value:6a6173
      name:ticket  type:SEQUENCE
        name:tkt-vno  type:INTEGER  value:0x05
        name:realm  type:GENERALSTRING  value:6c6f63616c686f7374
        name:sname  type:SEQUENCE
          name:name-type  type:INTEGER  value:0x01
          name:name-string  type:SEQ OF
            name:NULL  type:GENERALSTRING
            name:1  type:GENERALSTRING  value:696d6170
            name:2  type:GENERALSTRING  value:6c6f63616c686f7374
        name:enc-part  type:SEQUENCE
          name:etype  type:INTEGER  value:0x12
          name:cipher  type:OCT STR  value:781bf6fcd1b51204cc30c7076956377
            f6c3acbe6c0e7a7153fc4e887e0375c5bd3c3c245a802551460e6dcc06bad214
            e61c37cffc598f13d5c9b48eaebc4dcb22321f32f4a6d6c9e2c965e74254b2c8
            7cfd4982c49b06467b34b0456021042afa06cf694c02ec894a1e3ecd32ff35b7
            28209ab6ca7092f7ae49296597978adc0593ca067e5852853bd5d44ae3ff8716
            b0681de8ebe941f054a77fcb44d
      name:enc-part  type:SEQUENCE
        name:etype  type:INTEGER  value:0x11
        name:cipher  type:OCT STR  value:60fedd9e05c52f6fe151612ce4fc46c25
          9afa56cc61d6ca1d9027be767858f5b54a54dea4f534681f56ad815555860d2553
          3b5be00eb90a0920d0c3392ba9fc28661e2deadb79b403e7302c765431b23aee14
          bf83d4b30e3eb847afaa4411733a42b194fecbba57ec2c561edcad4f7bcb5cd03a
          b003469ee3bbbfb8133be306c7336f85580c96e8d3d9d91582f0af89580936e55e
          7f554b54959833fcdce2db8f68f6964e86497

    -----BEGIN SHISHI KDC-REP-----
    a4IBzDCCAcigAwIBBaEDAgELowsbCWxvY2FsaG9zdKQQMA6gAwIBAKEHMAUbA2ph
    c6WB5GGB4TCB3qADAgEFoQsbCWxvY2FsaG9zdKIcMBqgAwIBAaETMBEbBGltYXAb
    CWxvY2FsaG9zdKOBqzCBqKADAgESooGgBIGdeBv2 NG1EgTMMMcHaVY3f2w6y bA
    56cVP8Toh

    Original URL path: http://www.josefsson.org/gsasl/draft-josefsson-sasl-kerberos5.txt (2016-04-30)


  • Inline PGP in E-mail is bad, Mm'kay?
    ... e-mail message. Example:

    From: Simon Josefsson <jas@extundo.com>
    To: Simon Josefsson <jas@extundo.com>
    Subject: Don't do this, Mm'kay?
    Date: Thu, 09 Dec 2004 02:49:22 +0100
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is signed text.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.3.93-cvs (GNU/Linux)

    iQC1AwUBQbevJO2iHpS1ZXFvAQLa AT Koj9YgqqYr1y5G BlaEhQIqZlcXKqRXb
    rE3AIz5TCI3mYpSpZ9mwEwrdWByT6duEqjxErVoHvBYZhLgX7BahqkiFMeLwXPD
    MR0fE G9Gg8oANj3UHe64G3JqoQbfa a8k5luYe2b7px2yLtaaTXJZpZqK x qIa
    9fW0rsc1q1XXPDR1Z CHQ JqYzoIQZvzhq3 27Vpy8VxE03RAhQc6w uI1y
    -----END PGP SIGNATURE-----

    Why is it bad? The problems include:

    - Attachments don't work.
    - Non-ASCII doesn't work reliably.
    - Format=flowed (RFC 2646/3676) doesn't work reliably.
    - UseNet signatures trigger space stuffing, which breaks compatibility with RFC 1991.
    - Sending diff patches via inline PGP signed e-mail triggers space stuffing, which breaks cut'n'paste into patch.

    So when can I use it? Some people don't regard the above as problems. Some people just don't care. Reluctantly, I have to admit that sending inline PGP can work reliably if you follow the following rules:

    - Use only printable ASCII.
    - Avoid starting lines with From, or to avoid issues caused by over-eager From-escaping or space stuffing.
    - Don...

    Original URL path: http://www.josefsson.org/inline-openpgp-considered-harmful.html (2016-04-30)

  • Problems with the IETF's copying permissions

    Original URL path: /bcp78broken/ (2016-04-30)



  • ... get any sound at all you need to change the volume slightly.

    Software suspend

    Software suspend does not work. When invoked, the GNOME power manager said that suspend failed to work and linked to a FAQ which was completely unhelpful. It turns out that this machine is not supported:

    mocca# s2ram
    Machine is unknown.
    This machine can be identified by:
        sys_vendor   = "Dell Inc."
        sys_product  = "Precision M65"
        sys_version  = ""
        bios_version = "A07"
    See http://en.opensuse.org/S2ram for details.
    If you report a problem, please include the complete output above.
    mocca#

    Running s2ram -f works, except that I have to switch to a non-X virtual console and back again to fix graphics. The non-free nvidia driver worked fine.

    Wireless

    The built-in Intel 3945 doesn't work without non-free drivers, but you can install them like this:

    mocca:/home/jas# apt-get install ipw3945-modules-2.6-686 ipw3945d firmware-ipw3945
    mocca:/home/jas# modprobe ipw3945

    Smartcard reader

    Seems to work with pcscd and gpg, using my FSFEurope OpenPGP smartcard. You'll have to install pcscd (apt-get install pcscd). Because of bug 381689 and 381834 (which actually refer to the same problem), you'll have to change the ifdDriverOptions value from 0x0000 to 0x0004 in /etc/libccid_Info.plist.

    jas@mocca:~$ /usr/bin/gpg --card-status
    gpg: detected reader `O2 Micro Oz776 00 00'
    Name of cardholder: Simon Josefsson
    General key info..: pub 1024R/AABB1F7B 2006-03-18 Simon Josefsson
    jas@mocca:~$

    For some reason, Debian doesn't seem to have scdaemon, which GnuPG 2.x uses, so gpg2 cannot use the smartcard. Update: scdaemon is part of the gpgsm package. A small problem is some excessive logging, but it is tolerable.

    Update: There is a new version of libccid in Debian unstable which should just work fine without any changes to /etc/libccid_Info.plist. Install it like this:

    mocca:/home/jas# apt-get install libccid -t unstable

    Output from pcscd on startup, for reference:

    Mar 24 11:54:47 mocca pcscd: pcscdaemon.c:464:main() pcsc-lite 1.3.2 daemon ready.
    Mar 24 11:54:47 mocca pcscd: hotplug_libusb.c:407:HPAddHotPluggable() Adding USB device: 003:004
    Mar 24 11:54:47 mocca pcscd: readerfactory.c:1093:RFInitializeReader() Attempting startup of O2 Micro Oz776 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1
    Mar 24 11:54:47 mocca pcscd: readerfactory.c:964:RFBindFunctions() Loading IFD Handler 3.0
    Mar 24 11:54:47 mocca pcscd: ifdhandler.c:1231:init_driver() LogLevel: 0x0003
    Mar 24 11:54:47 mocca pcscd: ifdhandler.c:1241:init_driver() DriverOptions: 0x0000
    Mar 24 11:54:47 mocca pcscd: ifdhandler.c:77:IFDHCreateChannelByName() lun: 0, device: usb:0b97/7762:libusb:003:004
    Mar 24 11:54:47 mocca pcscd: ccid_usb.c:229:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau@free.fr)
    Mar 24 11:54:47 mocca pcscd: ccid_usb.c:239:OpenUSBByName() ProductString: Generic CCID driver v1...

    Original URL path: http://www.josefsson.org/etch-dell-m65.html (2016-04-30)

  • DNSSEC Walker
    ... resolver. This will print all DNS packets, just like dig x.

    Enable the EDNS.0 DNSSEC flag for SIG/RRSIG queries. Not effective if -y is used. This is needed for some servers to return SIG/RRSIG at all.

    nameserver
        Query nameserver instead of the default nameserver.

    zone
        Name of the zone to retrieve the master file for. For example, com.

    startname
        Optional name to start the zone walk at. The default is to start walking from the start. This option is useful if the tool failed or was interrupted in the middle of a large zone.

    AUTHOR
        Simon Josefsson.

    BUGS
        CNAME, CERT and/or SRV RRs are known to cause perl warnings during verifications with some versions of Net::DNS and Net::DNS::SEC. The cause is believed to be in Perl, Net::DNS or Net::DNS::SEC. The reader is encouraged to track down and fix these bugs.

    SEE ALSO
        perl(1), axfr, perldig, Net::DNS, Net::DNS::SEC, resolv.conf

    perl v5.8.7                     2005-09-14                      WALKER(1)

    Example usage

    Here is how you would recover the zone file for dnssec.se, which uses DNSSEC. The -y parameter is used as well, so walker prints out verification results in comments as well.

    jas@latte:~$ walker -y ns1.dnssec.se dnssec.se
    ; Walker by Simon Josefsson, $Id: index.html,v 1.46 2005/11/21 21:31:45 jas Exp $
    ; Net::DNS 0.53, Net::DNS::SEC 0.12_02
    ; Using key RR type DNSKEY
    ; Key(s) used to verify signatures:
    dnssec.se.  300  IN  DNSKEY  256 3 5  AQPMj1b Qn 0YAsqlsU6Ei69Sq0zjmSCKnOj 6fx3iMYaXUwBbq L iO16FOIkEBm86lL6UWT 2aHNQuR4Xn2nI TmFphcI WctHXaG7AmozxM 4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp QSV6iYzaTBGrh eFACnIws1N 9L4kQ  ; Key ID = 32672
    dnssec.se.  300  IN  DNSKEY  257 3 1  AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL hLs GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8 F4If71PU4oNPlpq  ; Key ID = 38554
    dnssec.se.  300  IN  DNSKEY  257 3 5  AQPAt5E2t Pf3Yz8 4fRp6r1eN4vIUIpvcrE 23B9ldrsWYcyD4s6EXoErqTqdf4XVwMhGfLu ZjPpmfaTzGE9vC4v0OR9rS9QfY l6FpXksFS 97n7ypGF7JFG2xViQwXpxflVV32 W0Qy Fn y84VzUrASm5t0IKn2lAeFCkMNFtZUQ  ; Key ID = 47940
    dnssec.se.  300  IN  DNSKEY  257 3 5  AQPQDE29ghF wcdlfbKLGLvsRUHMdMVcL6XN 2X263BehAzcJIj fe46eI3rWJcHP9I5l0YoF LnXjPqmNsUEnwlIr4W8B9gFQeNnmiVEoq2o2 fp WjPvl19grODvmMH9xTO9s7NVn9NTUEacV octWwApZLTHWGmdXGApybJF8McJOgQ  ; Key ID = 38577
    dnssec.se.  300  IN  DNSKEY  256 3 5  AQPcYh4LTPd7VBzZYz Z0GoIdqcklqUP6aSm IxXVQfuzp x8PQWRIU3as V56JusLvcpFHdC 7uY kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8 OKMo0xxpIXoS Aeajl7WUBQZ9baEH 0A1EtQ BgEjIV1NcOIDpEUD9l0yHrzIv 1utw  ; Key ID = 18476
    dnssec.se.  300  IN  DNSKEY  257 3 3  AKUJoB5D0ucsobRDSc1H2Ga4I QPo6CcOhba xW0VqM4GOIL2 M9YAI NmiZNpF5 fECOqbXi cq11I3INOUJvm2Hwo sGs0I eX7sWgLzPhN Nk4qI1NpbX2AFUeRn1XvgeGFHP B61IU jvi bNbPue8yt4va j QPtD4espCNwRbx43onodW gsewvCWhUWPChmgkWq1pmNAmRcOuNZqCc7tj uhw923vzOR4dBHtKxOwDDAoH0FAMugXP K6 Ee1dcOkt6jR1f3eod0aHKaVMy1RnSGPi  ; Key ID = 57551
    ; Using next RR type NSEC
    ; Using signature RR type RRSIG
    ; First SOA:
    dnssec.se.  300  IN  SOA  ns1.dnssec.se. jakob.nic.se. (
                              2005091200  ; Serial
                              3600        ; Refresh
                              600         ; Retry
                              3600        ; Expire
                              300 )       ; Minimum TTL
    ; Getting NXT/NSEC for dnssec.se (Thu Sep 22 10:03:46 2005)
    dnssec.se.  300  IN  NSEC  bind.dnssec.se. DNSKEY NS NSEC RRSIG SOA
    ; Looking at type DNSKEY for domain dnssec.se
    dnssec.se.  300  IN  DNSKEY  256 3 5  AQPcYh4LTPd7VBzZYz Z0GoIdqcklqUP6aSm IxXVQfuzp x8PQWRIU3as V56JusLvcpFHdC 7uY kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8 OKMo0xxpIXoS Aeajl7WUBQZ9baEH 0A1EtQ BgEjIV1NcOIDpEUD9l0yHrzIv 1utw  ; Key ID = 18476
    dnssec.se.  300  IN  DNSKEY  257 3 1  AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL hLs GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8 F4If71PU4oNPlpq  ; Key ID = 38554
    dnssec.se.  300  IN  DNSKEY  257 3 3 ...

    Original URL path: http://www.josefsson.org/walker/ (2016-04-30)

  • GNU Privacy Guard DNS keyserver client
    ... installed the libraries, put the script in your PATH and add the following to your gnupg options file:

    keyserver jkp://dnskeys.josefsson.org

    That's it! If it isn't, it is a bug, please let me know. You can also grab the tarball, which includes the script, this HTML page and the Net::DNS patch.

    Contact information

    You can contact the author at simon@josefsson.org. Unless the list managers object, I'd prefer discussion to occur on the gnupg-devel mailinglist.

    Features

    - Retrieve OpenPGP keys.
    - Send your own OpenPGP keys to the server.
    - Using DNS means keys often are cached in DNS caches closer to clients.
    - Using DNS means there can be many servers, in a fail-over fashion, throughout the world.
    - Using DNS often means the closest server in the world is chosen (round trip calculations made by DNS resolver software).
    - The server software is CKS and CKS-DNS.

    TTY Screenshots

    Verifying some data without having the key locally:

    bash-2.05a$ gpg ...
    gpg: ... imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: Good signature from "Red Hat, Inc ..."
    gpg: checking the trustdb
    gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/...

    Original URL path: http://www.josefsson.org/gpgkeys_jkp/ (2016-04-30)

  • DNS-based OpenPGP Keyserver for CryptNET
    If you run Debian, simply do something like:

    apt-get install libnet-dns-perl libdbd-pgsql libdbi-perl libdbd-pg-perl

    Usage

    Make sure the CryptNET Postgres database is running, and invoke it simply as cks-dns. It needs root for binding to port 53. Dropping its privileges is a todo. Some command line parameters:

    --port 4711
        Specify port to listen on.
    --listen 3.4.5.6
        Specify interface address to listen on.
    --verbose
        Print debugging info.
    --db openpgp_keys
        Choose database name to use, default is pgp_keys.
    --user www-data
        Choose database user, default is httpd.

    That's it! If it isn't, it is a bug, please let me know.

    Testing it

    You can debug the server using any DNS debugging tools, such as dig. For example:

    jas@latte:~/src/cks-dns$ dig 3F9061AB.dnskeys.josefsson.org cert
    ;; Truncated, retrying in TCP mode.
    ; <<>> DiG 9.2.4rc2 <<>> 3F9061AB.dnskeys.josefsson.org cert
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- ...

    Contact information

    You can contact the author at simon@josefsson.org. Unless the list managers object, I'd prefer discussion to occur on the gnupg-devel mailinglist or the cks-devl mailinglist.

    Features

    - Retrieve OpenPGP keys.
    - Using DNS means keys often are cached in DNS caches closer to clients.
    - Using DNS means there can be many servers, in a fail-over fashion, throughout the world.
    - Using DNS often means the closest server in the world is chosen (round trip calculations made by DNS resolver software).
    - The client software used against this server is gpgkeys_jkp.

    TTY Screenshots

    $Id: index.html,v 1.11 2004/06/12 17:05:18 jas Exp $
    Net::DNS 0.46
    port 53
    database pgp_keys
    user root
    creating TCP socket... done
    creating UDP socket... done
    waiting for connections...
    UDP connection from 212.181.54...

    Original URL path: http://www.josefsson.org/cks-dns/ (2016-04-30)

  • Nnimap is part of Gnus now
    Nnimap is part of Gnus now. Please go to the Gnus Information Center for further information. For reference, the old nnimap pages are available. My list of buggy IMAP servers is ...

    Original URL path: http://www.josefsson.org/nnimap/ (2016-04-30)
