Difference between revisions of "LKDC"
(New page: The local KDC in Leopard is pretty rad. This page will be a jumble of research and various investigations regarding the LKDC. ==Discovery== The LKDC realm name of a remote Mac OS X machin...) |
(No difference)
|
Revision as of 16:05, 12 May 2008
The local KDC in Leopard is pretty rad. This page will be a jumble of research and various investigations regarding the LKDC.
Discovery
The LKDC realm name of a remote Mac OS X machine may be discovered as follows:
dns-sd -Q "_kerberos.donk.local" txt
Replace "donk" with the rendezvous name of a Leopard machine on your local network (can test on yourself if needed).
The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.
xxd -r -c 256
<paste in the hex string, press return>
The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Resources
This documents how to kerberize ssh / sshd, but does not leverage the LKDC. This is more of a manual / traditional approach that requires defining the remote realm in the client's kerberos configuration.
Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.
Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.
Multicast DNS libraries for Ruby
Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.
This expired draft documents how kerberos realm information might be discovered using multicast dns.
multicast DNS service types
This expired draft documents multicast DNS in general
Kerberos install document; this section documents how Kerberos finds realm information.
