perlgssapi-users Mailing List for Perl GSSAPI bindings (Page 2)
Brought to you by:
achimgrolms
From: David L. <Dav...@qu...> - 2007-05-14 00:56:34

Achim Grolms wrote:
> On Saturday 12 May 2007 08:41, simon wrote:
>> Hello,
>>
>> nothing is returned from:
>>
>> which krb5-config
>
> OK. Maybe my understanding of how 'which' works or should work
> is wrong.
> My idea was that 'which krb5-config' locates the absolute path of
> krb5-config if this executable can be found in $PATH.
>
> Simon, '/usr/bin/' is a member of your PATH environment?
>
> If my understanding of 'which' is wrong - can someone
> more experienced help me and explain what's wrong
> with my understanding?

I'm no expert, but which/whereis have always bitten me in painful ways
when I used them in my .profile/startup scripts. You can't rely on the
platform to give you something consistent.

But, something simple in Makefile.PL could work and be reliable. Like this:

    # return the first executable $prog found on $PATH, or undef
    sub which {
        my $prog = shift;
        for (split(/:/, $ENV{'PATH'})) {
            my $fullpath = "$_/$prog";
            return $fullpath if -x $fullpath and -f $fullpath;
        }
        return undef;
    }

(Although this code is broken if $PATH contains a double colon or ends
with a colon.)

> Thank you,
> Achim

--
David Leonard Resource Central software engineer
Quest Software; 303 Adelaide St, Brisbane, Australia; www.quest.com
Phone: (US) +1 801 655 2755 (AU) +61 7 3023 5133
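A portable lookup along the lines David sketches, as an added example that is not part of the thread or of the GSSAPI.pm Makefile.PL: it uses File::Spec->path() so the platform separator and empty PATH entries are handled, returns exactly one path, and deliberately skips relative entries, since a build script should not pick up a krb5-config from the current directory. The 'krb5-config' name and the --gssapiimpl hint come from the thread; everything else is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Locate the first executable named $prog on PATH, in lookup order, and
# return its absolute path, or undef if none is found.  Unlike a backticked
# `which`, this yields exactly one path (never "/usr/bin/krb5-config
# /usr/X11R6/bin/krb5-config") and does not depend on what the platform's
# which(1) happens to print.
sub which {
    my ($prog) = @_;
    return undef if !defined $prog || $prog eq '';

    # File::Spec->path() splits $ENV{PATH} with the platform separator and
    # maps empty entries (leading, trailing or doubled colons) to '.',
    # which is what a POSIX shell does with them.
    for my $dir (File::Spec->path()) {
        # An empty PATH entry silently means the current directory; a
        # krb5-config found there would drive the whole build configuration,
        # so only absolute directories are considered.
        next unless File::Spec->file_name_is_absolute($dir);

        my $fullpath = File::Spec->catfile($dir, $prog);
        return $fullpath if -f $fullpath && -x $fullpath;
    }
    return undef;
}

# Stand-alone run: mimic the Makefile.PL probe for krb5-config.
if (!caller) {
    my $krb5config = which('krb5-config');
    if (defined $krb5config) {
        print "Searching krb5-config command... found: $krb5config\n";
    } else {
        print "Searching krb5-config command... not found in PATH\n";
        print "Hint: 'perl Makefile.PL --gssapiimpl /usr' names the prefix explicitly.\n";
    }
}
```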
From: Achim G. <ac...@gr...> - 2007-05-12 14:49:35

On Saturday 12 May 2007 08:41, simon wrote:
> Hello,
>
> nothing is returned from:
>
> which krb5-config

OK. Maybe my understanding of how 'which' works or should work
is wrong.
My idea was that 'which krb5-config' locates the absolute path of
krb5-config if this executable can be found in $PATH.

Simon, '/usr/bin/' is a member of your PATH environment?

If my understanding of 'which' is wrong - can someone
more experienced help me and explain what's wrong
with my understanding?

Thank you,
Achim
From: simon <l0c...@go...> - 2007-05-12 06:41:43

Hello,

nothing is returned from:

which krb5-config

even though whereis krb5-config returns:

krb5-config: /usr/bin/krb5-config /usr/X11R6/bin/krb5-config /usr/bin/X11/krb5-config

S.

On 5/11/07, Achim Grolms <ac...@gr...> wrote:
> On Friday 11 May 2007 02:07, David Leonard wrote:
>
> > I suspect the script is ending up with find_krb5config_cmd() returning
> > "/usr/bin/krb5-config /usr/X11R6/bin/krb5-config".
> > I am suspicious about how predictable the output of which is.
>
> I am unsure.
> Simon, can you help me and send back the output
> of your run of
>
> which krb5-config
>
> please?
>
> > You could
> > probably write your own which() function in perl?
>
> Maybe, yes.
> Is there portable code in CPAN available
> (I have searched, but maybe not searched in the right way)
> that does a which() and works fine
> on all platforms supported by MIT Kerberos/Heimdal/others?
>
> Any ideas how to implement this in a portable and reliable
> way are welcome!
>
> Achim

--
www.hootandholler.co.uk
From: Achim G. <ac...@gr...> - 2007-05-11 16:33:04

On Friday 11 May 2007 02:07, David Leonard wrote:
> I suspect the script is ending up with find_krb5config_cmd() returning
> "/usr/bin/krb5-config /usr/X11R6/bin/krb5-config".
> I am suspicious about how predictable the output of which is.

I am unsure.
Simon, can you help me and send back the output
of your run of

which krb5-config

please?

> You could
> probably write your own which() function in perl?

Maybe, yes.
Is there portable code in CPAN available
(I have searched, but maybe not searched in the right way)
that does a which() and works fine
on all platforms supported by MIT Kerberos/Heimdal/others?

Any ideas how to implement this in a portable and reliable
way are welcome!

Achim
From: David L. <Dav...@qu...> - 2007-05-11 00:06:26

Achim Grolms wrote:
>
> $r = `which krb5-config 2>/dev/null`;
>
> to find the krb5-config command.
>
> What happens if you key in
>
> which krb5-config
>
> to your shell?
>

I suspect the script is ending up with find_krb5config_cmd() returning
"/usr/bin/krb5-config /usr/X11R6/bin/krb5-config". I am suspicious about
how predictable the output of which is. You could probably write your own
which() function in perl?

--
David Leonard Resource Central software engineer
Quest Software; 303 Adelaide St, Brisbane, Australia; www.quest.com
Phone: (US) +1 801 655 2755 (AU) +61 7 3023 5133
From: Achim G. <ac...@gr...> - 2007-05-10 21:36:24

On Thursday 10 May 2007 23:26, simon wrote:
> I needed GSSAPI to compile Authen::SASL module

OK. There is an *optional* dependency in Authen::SASL::Perl::GSSAPI
on GSSAPI.pm.

But you really need GSSAPI.pm only if you want to make real use (do you?)
of Authen::SASL::Perl::GSSAPI (to use Kerberos based authentication,
for example).

In any other case you don't need to install GSSAPI.pm if Authen::SASL
is just a dependency.

Achim
From: simon <l0c...@go...> - 2007-05-10 21:26:43

Hello,

thanks for such a speedy reply! your help is much appreciated and has
solved my immediate problem.

But my first email was not clear, sorry. I needed GSSAPI to compile the
Authen::SASL module NOT Net::Jabber or Net::XMPP (Net::Jabber and
Net::XMPP require Authen::SASL).

I can now compile Authen::SASL thanks to your suggestion to use:

perl Makefile.PL --gssapiimpl /usr

on GSSAPI

Thanks a million.

S.

On 5/10/07, Achim Grolms <ac...@gr...> wrote:
> On Thursday 10 May 2007 22:02, simon wrote:
>
> > Searching krb5-config command... not found! at Makefile.PL line 94.
>
> This error message means the Makefile.PL can not find the
> 'krb5-config' provided by your Kerberos system.
>
> The Makefile.PL makes use of a backticked 'which'
>
> $r = `which krb5-config 2>/dev/null`;
>
> to find the krb5-config command.
>
> What happens if you key in
>
> which krb5-config
>
> to your shell?
>
> In any case an explicit
>
> perl Makefile.PL --gssapiimpl /usr
>
> should work if your krb5-config is
>
> /usr/bin/krb5-config
>
> Please let me know if this works for you!
>
> BTW: Net::Jabber/ Net::XMPP
> are making use of GSSAPI.pm or depend on it?
>
> Achim

--
www.hootandholler.co.uk
From: Achim G. <ac...@gr...> - 2007-05-10 20:31:30

On Thursday 10 May 2007 22:02, simon wrote:
> Searching krb5-config command... not found! at Makefile.PL line 94.

This error message means the Makefile.PL can not find the
'krb5-config' provided by your Kerberos system.

The Makefile.PL makes use of a backticked 'which'

$r = `which krb5-config 2>/dev/null`;

to find the krb5-config command.

What happens if you key in

which krb5-config

to your shell?

In any case an explicit

perl Makefile.PL --gssapiimpl /usr

should work if your krb5-config is

/usr/bin/krb5-config

Please let me know if this works for you!

BTW: Net::Jabber/ Net::XMPP
are making use of GSSAPI.pm or depend on it?

Achim
From: simon <l0c...@go...> - 2007-05-10 20:02:36

Hello,

I want to compile the GSSAPI perl module on Ubuntu 6.10 as I want to use
Net::Jabber/ Net::XMPP

All I get is this error from the cpan shell:

Searching krb5-config command... not found! at Makefile.PL line 94.
Warning: No success on command[/usr/bin/perl Makefile.PL INSTALLDIRS=site]
CPAN: YAML loaded ok (v0.62)
Failed during this command:
AGROLMS/GSSAPI-0.24.tar.gz : writemakefile NO '/usr/bin/perl Makefile.PL INSTALLDIRS=site' returned status 256

whereis krb5-config returns:

krb5-config: /usr/bin/krb5-config /usr/X11R6/bin/krb5-config /usr/bin/X11/krb5-config

What can I do to make this compile, please? I've googled this and no
reply so I really hope someone on this list can help.

Thanks

S.

--
www.hootandholler.co.uk
From: Massimiliano M. <mas...@ce...> - 2006-10-17 07:39:24

Hi,

On Tuesday 17 October 2006, at 07:56, David Leonard wrote:
> I've not tried these, but they might do what you want?
>
> GSSAPI::Context::export(context, token)
> GSSAPI::Context::import(class, context, token)

Seems to be. From the manpage:

    The gss_export_sec_context() deactivates the security context for
    the calling process and creates an interprocess token which, when
    passed to gss_import_sec_context() in another process, will
    re-activate the context in the second process.
    [...]
    The ability to transfer a security context is indicated when the
    context is created, by gss_init_sec_context() or
    gss_accept_sec_context() setting the GSS_C_TRANS_FLAG bit in their
    ret_flags parameter.

I'll try with these two functions. :-)

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: David L. <Dav...@qu...> - 2006-10-16 21:59:06

Massimiliano Masi wrote:
> Hi,
>
> On Monday 16 October 2006, at 18:53, Achim Grolms wrote:
>
>>> Yes, I see. Have you any examples of use
>>
>> Authen::SASL::Perl::GSSAPI
>
> Ok, I got the examples working with gss_wrap and gss_unwrap. It's really easy! :)
>
> But my problem persists: how can I store the context?
>
> I've to send two messages to my webservice: one for mutual authentication,
> and one for sending the message encrypted. But in the first message, I've to
> store on the disk the servercontext (The webservice is stateless).
>
> How can I?
>
> Someone has any idea?
>

I've not tried these, but they might do what you want?

GSSAPI::Context::export(context, token)
GSSAPI::Context::import(class, context, token)

d
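The stateless-server side of what David suggests, as an added example that is not code from the thread or from GSSAPI.pm: the first request exports the finished context under a random cookie, and a later request imports it and unwraps the client's payload. The export/import call forms follow the signatures quoted above and the wrap/unwrap methods of GSSAPI.pm, taken here as assumptions; $STATE_DIR, the cookie format and the surrounding SOAP handling are assumed too, and running it needs a real Kerberos setup.

```perl
use strict;
use warnings;
use GSSAPI;                                      # Perl GSSAPI bindings
use MIME::Base64 qw(decode_base64);
use File::Spec;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Directory for exported contexts, one file per session cookie.  The exported
# token carries the context's session keys, so the directory must be readable
# by the service user only (assumed to exist with mode 0700).
my $STATE_DIR = '/var/lib/mywebservice/gss-sessions';   # assumed path

# 128-bit random cookie, hex encoded: the session id the client echoes back
# in every later SOAP message.  It must be unguessable, not a counter.
sub new_cookie {
    open(my $rnd, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    close $rnd;
    return unpack('H*', $bytes);
}

# First request: $ctx is the context the accept() loop has just completed.
# export() deactivates it in this process and yields the interprocess token,
# which is written under a fresh cookie; the cookie goes into the SOAP reply.
sub persist_context {
    my ($ctx) = @_;
    my $token;
    my $status = $ctx->export($token);           # GSSAPI::Context::export(context, token)
    $status->major == GSS_S_COMPLETE or die "export failed: " . $status->generic_message;

    my $cookie = new_cookie();
    my $file = File::Spec->catfile($STATE_DIR, $cookie);
    sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL, 0600) or die "cannot create $file: $!";
    binmode $fh;
    print {$fh} $token or die "write: $!";
    close $fh or die "close: $!";
    return $cookie;
}

# Later request, possibly in a different process: look the cookie up,
# re-activate the context and unwrap the base64 payload the client wrapped.
sub unwrap_with_cookie {
    my ($cookie, $b64_wrapped) = @_;
    $cookie =~ /\A[0-9a-f]{32}\z/ or die "malformed cookie";   # never build a path from raw input
    my $file = File::Spec->catfile($STATE_DIR, $cookie);
    open(my $fh, '<:raw', $file) or die "unknown or expired session";
    my $token = do { local $/; <$fh> };
    close $fh;

    my $ctx;
    my $status = GSSAPI::Context->import($ctx, $token);   # import(class, context, token)
    $status->major == GSS_S_COMPLETE or die "import failed: " . $status->generic_message;

    my ($plaintext, $conf_state, $qop);
    $status = $ctx->unwrap(decode_base64($b64_wrapped), $plaintext, $conf_state, $qop);
    $status->major == GSS_S_COMPLETE or die "unwrap failed: " . $status->generic_message;
    die "message was integrity-protected but not encrypted" unless $conf_state;
    return $plaintext;
}
```

The session files should be expired and removed once the context lifetime (time_rec from accept) has passed, since an exported token stays usable as long as the keys inside it are valid.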
From: Massimiliano M. <mas...@ce...> - 2006-10-16 18:24:27

Hi,

On Monday 16 October 2006, at 18:53, Achim Grolms wrote:
> > Yes, I see. Have you any examples of use
>
> Authen::SASL::Perl::GSSAPI

Ok, I got the examples working with gss_wrap and gss_unwrap. It's really easy! :)

But my problem persists: how can I store the context?

I've to send two messages to my webservice: one for mutual authentication,
and one for sending the message encrypted. But in the first message, I've to
store on the disk the servercontext (The webservice is stateless).

How can I?

Someone has any idea?

Thank you a lot!

--
Massimiliano Masi
http://gauss.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-16 16:53:26

On Monday 16 October 2006 09:15, Massimiliano Masi wrote:
> Hi,
>
> On Sunday 15 October 2006, at 18:56, Achim Grolms wrote:
> > > As you told me, once created the context, I would like to use
> > > this context, using GSS_wrap() and GSS_unwrap().
> > >
> > > First question: are these functions available in your perl module?
> >
> > Both are available.
>
> Yes, I see. Have you any examples of use

Authen::SASL::Perl::GSSAPI
From: Massimiliano M. <mas...@ce...> - 2006-10-16 07:15:52

Hi,

On Sunday 15 October 2006, at 18:56, Achim Grolms wrote:
> > As you told me, once created the context, I would like to use
> > this context, using GSS_wrap() and GSS_unwrap().
> >
> > First question: are these functions available in your perl module?
>
> Both are available.

Yes, I see. Have you any examples of use or documentation?

What should I maintain on the server side for having a valid context
between the client and the webservice?

Thank you!

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-15 16:57:05

On Friday 13 October 2006 15:57, Massimiliano Masi wrote:
> As you told me, once created the context, I would like to use
> this context, using GSS_wrap() and GSS_unwrap().
>
> First question: are these functions available in your perl module?

Both are available.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-13 13:57:47

Hello,

I've another tedious question. I've decided to implement my webservices
as is, exchanging gss messages in the soap envelope. It is secure by the
protocol. I'm referring to your examples, from now:

As you told me, once created the context, I would like to use this
context, using GSS_wrap() and GSS_unwrap().

First question: are these functions available in your perl module?
What is the value of the variable $gss_output_token, after the first
call to GSSAPI::Context::init? Where is the session key stored?

Second question: of course, the webservice is stateless. I've to
maintain a state between the client and the webserver, as a session.
I've to create a function like this (your example: line 123 and following):

    # $gss_output_token is returned by the init() context
    my $gss_input_token;
    if ($gss_output_token) {
        print "$counter CLIENT::have token to send ...\n";
        print "$counter CLIENT::GSS token length is " . length($gss_output_token) . "\n";
        #
        # $gss_output_token is binary data
        #
        $gss_input_token = soap_send(encode_base64($gss_output_token, ''), $uniqueid);
        print "$counter CLIENT::sent token to server\n";
    }

    if ($status->major & GSS_S_CONTINUE_NEEDED) {
        print "$counter CLIENT::Mutual auth requested ...\n";
        if ($gss_input_token) {
            print "$counter CLIENT::got mutual auth token from server\n";
            $gss_input_token = decode_base64($gss_input_token);
            print "$counter CLIENT::mutual auth token length is " . length($gss_input_token) . "\n";
        } else {
            print "$counter CLIENT::server did not send needed continue token back\n";
            $error = 1;
        }
    }

And then, the second time through the while, call init() for the second
time, and get mutual auth.

Where uniqueid is a value unique for the client that the server stores
on the disk as httpsession for maintaining a state.

My question is: Imagine that now I've to send a message to the server,
containing the string "Achim". What should I pass now to the server, for
using the context?
What must I store with the uniqueid for continuing to use the context,
after the death of the webservice?

Thank you!

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-06 11:36:13

On Friday 06 October 2006 11:41, Massimiliano Masi wrote:
> I was thinking: don't care about the transportation level.
> Every message is sent from the client to the server
> with soap messages. The only thing that I've to do
> is to maintain a session between the client and the server,
> for example a unique ID used from the server for retrieving the
> session key.
>
> But, How?

Bookkeeping.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-06 09:41:42

Hi,

On Thursday 05 October 2006, at 19:19, Achim Grolms wrote:
> I do not understand why you want to use mutual authentication
> (round trip of tokens).

Because for now I'm in HTTPS, but I would like to remove the HTTPS.
This because I've some problem accessing the CA for validating the
message.

I was thinking: don't care about the transportation level.
Every message is sent from the client to the server
with soap messages. The only thing that I've to do
is to maintain a session between the client and the server,
for example a unique ID used from the server for retrieving the
session key.

But, How?

Thanks

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-10-05 17:19:12

On Thursday 05 October 2006 16:17, Massimiliano Masi wrote:
> Hi,
>
> Maybe I've found a solution (with some help). Doesn't matter which
> transport layer we're using. My problem is how to maintain a state.
>
> So, I can create the context, and receive in the client the
> mutual token. The server, before returning the mutual token,

I do not understand why you want to use mutual authentication
(round trip of tokens).

If the server's identity is ensured by HTTPS, you don't need mutual auth,
you only need simple authentication (only one SOAP message).

I do not understand why you need mutual auth.

Achim
From: Achim G. <ac...@gr...> - 2006-10-05 17:07:27

On Thursday 05 October 2006 11:03, you wrote:
> Hi!
>
> Now I've some clear ideas on my mind.
>
> I think you remember my webservice problems.
>
> Now I know what SPNEGO stands for. It is an extension of the
> HTTP that creates some TCP connection for having mutual
> authentication BEFORE the GET. I'm wrong?

You are wrong.

- SPNEGO is a GSSAPI-mechanism, designed to do negotiation of the
  GSSAPI-mechanism to choose.

- <http://www.kerberosprotocols.org/index.php/Draft-brezak-spnego-http-03.txt>
  describes how GSSAPI-Authentication is used in HTTP-Authentication.

Achim
From: Massimiliano M. <mas...@ce...> - 2006-10-05 14:17:26

Hi,

Maybe I've found a solution (with some help). Doesn't matter which
transport layer we're using. My problem is how to maintain a state.

So, I can create the context, and receive in the client the mutual token.
The server, before returning the mutual token, and dropping the
connection, simply stores the temporary key on its disk in a hash, where
the key of the hash can be a random number used as cookie. The client, at
the second soap message, sends the session key and this cookie. The server
loads the key and can use GSS_wrap() and GSS_unwrap() for the following
messages.

Is it right?

But. What happens if someone replays the second message? I need to use an
anonymous https connection... Mmmmm.

Any hints?

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Massimiliano M. <mas...@ce...> - 2006-10-05 09:03:16

Hi!

Now I've some clear ideas on my mind.

I think you remember my webservice problems.

Now I know what SPNEGO stands for. It is an extension of the HTTP that
creates some TCP connection for having mutual authentication BEFORE the
GET. I'm wrong?

Now, since I cannot have mutual authentication because I'm in a
webservice, and I would like to reach this auth in some way, I think I'll
study SPNEGO.

But, for now, my problem is: I've the token for my service. If I resend
the token to the kerberos, this token has the same nonce, so the kdc
finds the Replay Attack. If I can create a nonce=nonce+1, everything
should be OK.

How can I? (I hope you'll remember my problem, otherwise, I can explain
... let me know)

Thanks!

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-09-25 15:08:59

On Monday 25 September 2006 14:25, Massimiliano Masi wrote:
> If you're interested, look at the little thread GSI-GSSAPI:
>
> http://www.globus.org/mail_archive/gt-user/2006/09/threads.html#00157

This says:

"GSI Secure Message security is based on WS-Security and to my knowledge
doesn't use GSSAPI. GSI Secure Conversation is based on
WS-SecureConversation, and I believe it encodes the GSI GSSAPI tokens
(i.e., SSL/TLS handshake protocol messages) in the WS-SecureConversation
protocol."

And I said on Date: 05.09.2006 15:32

"If you want to do Authentication on level of SOAP-messages (one level
"higher") I think the WS-security standard describes what to do."

and

"If you use SOAP::Lite for doing SOAP: Examples of SOAP-authentication
were discussed on the mailing list soa...@ya..."

Achim
From: Massimiliano M. <mas...@ce...> - 2006-09-25 12:25:33

Hi,

On Monday 25 September 2006, at 14:20, Achim Grolms wrote:
> I think your RPC is more of "hit and run" style, with no state needed.
> Integrity protection is done by HTTPS.

Yes,

> That means: Create one new context per SOAP-Message, used for authentication
> only.

Yes, that is correct.

People pointed me to information on GSI-GSSAPI and webservices security.
If you're interested, look at the little thread GSI-GSSAPI:

http://www.globus.org/mail_archive/gt-user/2006/09/threads.html#00157

--
Massimiliano Masi
http://www.comunidelchianti.it/~max
From: Achim G. <ac...@gr...> - 2006-09-25 12:20:29

On Monday 25 September 2006 14:11, Massimiliano Masi wrote:
> Hi,
>
> On Monday 25 September 2006, at 13:50, Achim Grolms wrote:
> > > So, I've to create a context on every soap message...
> >
> > or you *use* the context and use gss_wrap/gss_unwrap
> > for integrity protection and/or encryption of the message payload.
>
> This looks good. Once I've created the context, I can use
> the gss_wrap to cipher all the text.
>
> But it is a webservice. All the connections are stateless.

Yes.

I think your RPC is more of "hit and run" style, with no state needed.
Integrity protection is done by HTTPS.

That means: Create one new context per SOAP-Message, used for
authentication only.

Correct?

Achim