Re: Protocol benchmarking / auditing inquiry

<mailman.30.1709208426.2322.kerberos@mit.edu>

From: pyllyukko@maimed.org (pyllyukko)
Newsgroups: comp.protocols.kerberos
Subject: Re: Protocol benchmarking / auditing inquiry
Date: Thu, 29 Feb 2024 14:06:38 +0200
 by: pyllyukko - Thu, 29 Feb 2024 12:06 UTC

Ehlo.

On Wed, Feb 14, 2024 at 05:43:47PM +0000, Brent Kimberley via Kerberos wrote:
> Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

A short while ago I submitted a PR[1] for the Lynis project that does
something like that. I also started documenting some of my own Kerberos
hardening stuff here[2].

Disclaimer: I'm quite new to Kerberos, so I might be off with some of
the hardenings, so all additional pointers/corrections are more than
welcome.

[1] https://github.com/CISOfy/lynis/pull/1456
[2] https://github.com/pyllyukko/harden.yml/wiki/Kerberos_hardening_and_maintenance

--
pyllyukko
email: <pyllyukko@maimed.org>
PGP: https://keybase.io/pyllyukko
twitter: https://twitter.com/pyllyukko
