What is 'flavor'?


What is 'flavor'?

Mike Friedman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've just set up a 1.4.1 KDC and I notice what appears to be new
information in kadmind log messages, namely, 'flavor=nnnnn'. I don't think
I've seen this on my current production KDC, which is 1.3.4.  So, some
questions:

o  What does 'flavor' mean in this context?

o Is this information, in particular the meaning of specific flavor
values, documented?

So far, I've seen the following values for 'flavor':  6 and 300001. The
former corresponds to an interactive kadmin authentication;  the latter to
a kadmin using a keytab.  But thus far I have no further information, so
I'm hoping someone can enlighten me.

Thanks.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
[hidden email]          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBQvlBea0bf1iNr4mCEQJurwCfefKetfnMkELZNGXS+JHMZZD0XXsAmwTe
OxT13gVUeMwrwMct9SprOmF1
=5Bfw
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: What is 'flavor'?

Tom Yu
>>>>> "mikef" == Mike Friedman <[hidden email]> writes:

mikef> I've just set up a 1.4.1 KDC and I notice what appears to be new
mikef> information in kadmind log messages, namely, 'flavor=nnnnn'. I don't
mikef> think I've seen this on my current production KDC, which is 1.3.4.
mikef> So, some questions:

mikef> o  What does 'flavor' mean in this context?

That would be the ONCRPC authentication flavor.

mikef> o Is this information, in particular the meaning of specific flavor
mikef> values, documented?

mikef> So far, I've seen the following values for 'flavor':  6 and
mikef> 300001. The former corresponds to an interactive kadmin
mikef> authentication;  the latter to a kadmin using a keytab.  But thus far
mikef> I have no further information, so I'm hoping someone can enlighten me.

6 is RPCSEC_GSS, which is the IETF standards-track authentication
flavor for using GSSAPI in RPC.  300001 would be the AUTH_GSSAPI
flavor developed by OpenVision, which is not standards-track.  See
RFCs 1831, 1832, 2203, etc. for details.

I'm not quite sure why you're seeing 300001 when using a keytab.
Exactly how are you invoking kadmin using a keytab?  And which release
are you running on the kadmin client?  RPCSEC_GSS (flavor 6) should
be used in preference to 300001 by modern MIT krb5.

---Tom
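The flavor values Tom explains above (6 = RPCSEC_GSS, 300001 = the older AUTH_GSSAPI) are exactly what a KDC operator would want to pull out of kadmind's log to find the clients still speaking the legacy flavor. The following Python script is an added example, not code from the thread or from MIT krb5: the sample log lines are constructed, and their "Request: ..., flavor=N" field layout is an assumption modelled on the 'flavor=nnnnn' messages Mike describes, so the regular expression may need adjusting for a real kadmind log.

```python
import re
from collections import Counter, defaultdict

# ONC RPC authentication flavor numbers. 6 (RPCSEC_GSS, RFC 2203) and
# 300001 (OpenVision's AUTH_GSSAPI) are the two values from the thread;
# 0, 1 and 3 are the classic flavors defined in RFC 1831.
FLAVORS = {
    0: "AUTH_NONE",
    1: "AUTH_SYS",
    3: "AUTH_DH",
    6: "RPCSEC_GSS",        # IETF standards-track GSS-API flavor
    300001: "AUTH_GSSAPI",  # pre-standard flavor, used by pre-1.4 MIT clients
}

# Flavors worth phasing out: per the thread, a client still using 300001
# was built against a krb5 release older than 1.4.
LEGACY_FLAVORS = {300001}

# Constructed sample log lines (not from a real KDC). The field layout is an
# assumption modelled on kadmind's "Request: ..." audit lines.
SAMPLE_LOG = """\
Aug 10 09:11:50 kdc kadmind[1234]: starting
Aug 10 09:12:01 kdc kadmind[1234]: Request: kadm5_get_principal, alice@EXAMPLE.COM, success, client=alice/admin@EXAMPLE.COM, service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.10, flavor=6
Aug 10 09:12:07 kdc kadmind[1234]: Request: kadm5_chpass_principal, bob@EXAMPLE.COM, success, client=pwchange/host@EXAMPLE.COM, service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.20, flavor=300001
Aug 10 09:13:40 kdc kadmind[1234]: Request: kadm5_get_principal, carol@EXAMPLE.COM, success, client=carol/admin@EXAMPLE.COM, service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.11, flavor=6
Aug 10 09:14:02 kdc kadmind[1234]: Request: kadm5_chpass_principal, dave@EXAMPLE.COM, Incorrect password, client=pwchange/host@EXAMPLE.COM, service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.20, flavor=300001
"""

LINE_RE = re.compile(
    r"Request: (?P<op>[^,]+), (?P<target>[^,]+), (?P<status>[^,]+), "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), "
    r"addr=(?P<addr>[^,]+), flavor=(?P<flavor>\d+)"
)


def parse_line(line):
    """Return a dict of the request fields, or None for non-request lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flavor"] = int(rec["flavor"])
    rec["flavor_name"] = FLAVORS.get(rec["flavor"], "UNKNOWN(%d)" % rec["flavor"])
    return rec


def parse_log(log_text):
    """Parse every request line in a log, skipping lines that are not requests."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None]


def flavor_summary(log_text):
    """Count requests per authentication flavor name."""
    return dict(Counter(r["flavor_name"] for r in parse_log(log_text)))


def legacy_clients(log_text):
    """Map each client principal that used a legacy flavor to the addresses
    it came from, so the old build can be located and upgraded."""
    seen = defaultdict(set)
    for r in parse_log(log_text):
        if r["flavor"] in LEGACY_FLAVORS:
            seen[r["client"]].add(r["addr"])
    return {client: sorted(addrs) for client, addrs in seen.items()}


if __name__ == "__main__":
    print(flavor_summary(SAMPLE_LOG))
    for client, addrs in legacy_clients(SAMPLE_LOG).items():
        print("legacy AUTH_GSSAPI client %s from %s" % (client, ", ".join(addrs)))
```

Running it on the constructed sample reports two RPCSEC_GSS and two AUTH_GSSAPI requests, and singles out pwchange/host@EXAMPLE.COM at 192.0.2.20 as the one client still negotiating 300001. On a real KDC the same grouping by client principal and address is what tells you which host is running a client built against a pre-1.4 library.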

Re: What is 'flavor'?

Mike Friedman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 9 Aug 2005 at 22:07 (-0400), Tom Yu wrote:

>>>>>> "mikef" == Mike Friedman <[hidden email]> writes:
>
> mikef> o Is this information, in particular the meaning of specific flavor
> mikef> values, documented?
>
> mikef> So far, I've seen the following values for 'flavor':  6 and
> mikef> 300001. The former corresponds to an interactive kadmin
> mikef> authentication;  the latter to a kadmin using a keytab.  But thus far
> mikef> I have no further information, so I'm hoping someone can enlighten me.
>
> 6 is RPCSEC_GSS, which is the IETF standards-track authentication
> flavor for using GSSAPI in RPC.  300001 would be the AUTH_GSSAPI
> flavor developed by OpenVision, which is not standards-track.  See
> RFCs 1831, 1832, 2203, etc. for details.
>
> I'm not quite sure why you're seeing 300001 when using a keytab.
> Exactly how are you invoking kadmin using a keytab?  And which release
> are you running on the kadmin client?  RPCSEC_GSS (flavor 6) should
> be used in preference to 300001 by modern MIT krb5.

Tom,

Actually I misspoke a bit.  What I have is my own code, based on code in
kadmin, that does a password change.  (FWIW, although the client now has
1.3.4 installed, this code was, I believe, compiled with an older release
of MIT K5, possibly as far back as 2001).

Here's the admin authentication piece of the code:

    /* Initialize the kadm5 connection, using the supplied keytab.
       This is the older seven-argument form of kadm5_init_with_skey()
       (no krb5_context argument). */
    retval = kadm5_init_with_skey(
       admin_princstr,        /* client principal to authenticate as */
       keytab_name,           /* keytab holding that principal's key */
       KADM5_ADMIN_SERVICE,   /* kadmin/admin service to talk to */
       &params,               /* kadm5 configuration parameters */
       KADM5_STRUCT_VERSION,
       KADM5_API_VERSION_2,
       &handle);              /* server handle, filled in on success */

    if (retval) {
       com_err(whoami, retval, "while initializing %s interface", whoami);
       if (handle)
          kadm5_destroy(handle);
       exit(retval);
    }

Followed a bit later by this:

    /* Now try the passphrase change over the authenticated handle */
    retval = kadm5_chpass_principal(handle, princ, passphrase);
    krb5_free_principal(context, princ);
    if (retval) {
       com_err(whoami, retval,
               "while changing passphrase for \"%s\".", canon);
       rcode = retval;
    }
    else
       printf("Password for \"%s\" changed.\n", canon);

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
[hidden email]          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBQvpeIa0bf1iNr4mCEQLMZwCgh4vOOnK9wfOG5lIN8tv1YMEZiKcAni3l
3OtOduTan5LiIDpSdx0PERG4
=em9m
-----END PGP SIGNATURE-----

Re: What is 'flavor'?

Tom Yu
>>>>> "mikef" == Mike Friedman <[hidden email]> writes:

mikef> Actually I misspoke a bit.  What I have is my own code, based on code
mikef> in kadmin, that does a password change.  (FWIW, although the client
mikef> now has 1.3.4 installed, this code was, I believe, compiled with an
mikef> older release of MIT K5, possibly as far back as 2001).

That might explain it.  It is only krb5-1.4 and later which have
support for RPCSEC_GSS, so you will be using the older AUTH_GSSAPI
authentication flavor for your custom client.

---Tom