[1131] in Kerberos


Re: So much for kerberos in Ultrix 4.0 (outside the USA)

daemon@ATHENA.MIT.EDU (bbrown@abyss.MIT.EDU)
Mon Oct 8 16:15:26 1990

To: eay@surf.sics.bu.oz (Eric the Young)
Cc: kerberos@ATHENA.MIT.EDU, bbrown@decvax.dec.com
In-Reply-To: Your message of 05 Oct 90 00:54:04 +0000.
Date: Mon, 08 Oct 90 15:18:03 EDT
From: bbrown@abyss.MIT.EDU

In article <1322@surf.sics.bu.oz>, eay@surf.sics.bu.oz (Eric the Young (me)) writes:
>(For those that don't know, DEC claimed that kerberos with full encryption
>(in binary form only) was being sent with all versions with ultrix 4,

Hi,
	 I am the engineer who, as you put it, fiddled with the
kerberos libraries.  In the future you should first get all of your
facts straight before loudly and publicly complaining about the
product.  After you understand what you have you may not be as upset.
	In order to ship the kerberos libraries overseas, any ability
that the MIT kerberos libraries had to serve as a general purpose
encryption facility was stripped.  A general purpose encryption
facility is anything which allows the user to encrypt text of his/her
choosing and decrypt the same.  This means, for example, that the
krb_mk_priv and krb_rd_priv routines were not included in the Ultrix
version of libkrb.d.  This does not mean that the libraries do not
perform DES encryption and decryption.  They do DES encrypt and decrypt
data, but only data which is chosen by the libraries in order to
allow for the authentication of a principal A to a principal B.
	So, an application built with the ULTRIX kerberos libraries
supports the same on the wire protocol as an application built with the
U.S. distribution of the MIT Athena Kerberos V4 libraries.  This is the
most functionality from the kerberos libraries you could possibly hope
for from any vendor shipping product from the U.S. given the current
export laws.  DEC is the first and only vendor who supplies it.
	Yes, kerberos was not integrated into login and the "r*"
commands in ULTRIX 4.0.  If you need this sort of functionality
immediately you can build it using the tools you already have, an
ULTRIX source license, the ULTRIX 4.0 libraries, and the International
distribution of MIT Athena Kerberos 4.0 source code.  Add the MIT
Kerberos changes to the "r*" commands to the ULTRIX source making sure
that any use made of the libraries would not allow the user of the "r*"
tools to use the libraries to encrypt or decrypt data of his/her
choosing.  This implies that, for example, MIT's rlogin program
must be stripped of its ability to provide an encrypted session. 
Compile the new code with the ULTRIX libraries.  If any routines or
options are missing from the libraries then you have not completely
stripped the "r*" commands of their ability to encrypt generic data. 
Once you get the package to work correctly you will have a set of
binaries that could be run at MIT and would successfully interoperate
with the rest of the Athena environment.

							Bill Brown

p.s.	Just so you don't feel discriminated against, you should know that
	there is no U.S. specific distribution of ULTRIX kerberos.  Nobody gets
	the source code, nobody gets to use the libraries as a general 
	encryption service.  Since we have no internal method to ship a 
	different kit to the U.S., we opted to eliminate the possibility of
	sending the fully functioning libraries to the U.S. in order to provide
	authentication abilities to our overseas customers.  Your business is 
	very important to DEC.


