[1897] in Kerberos


newer version of kerberos version 5 available

daemon@ATHENA.MIT.EDU (Roy Marantz)
Fri May 8 16:38:04 1992

Date: 8 May 92 19:06:12 GMT
From: marantz@dartagnan.RUTGERS.EDU (Roy Marantz)
To: kerberos@shelby.Stanford.EDU

Glenn Machin (from sandia) has provided access to their extended
kerberos version 5.  The files are available via anonymous ftp from
rutgers.edu (128.6.21.9) as ~ftp/src/krb5-sandia.README  and
ftp/src/krb5-sandia_src.tar.Z.  Below is some description of what
he/they have changed.

Roy


	 It has been built on hpux, SunOs, ultrix, Unicos, and
a version of system5 for the IMP (Integrated Micro Products) system.

The krb5kdc and kadmind have been "tested" on Sun4 and IMP.


Some info on port changes is given in Sandia_port_changes.


Changes: Summary

	Added ticket flags to mark whether or not initial ticket was
	pre-authenticated and possibly further authenticated via
	hardware such as a smart card.

	The kdc database was modified to add principal attributes which
	may require that the client preauthenticate/hardware authenticate
	initial ticket, along with forcing the client to change his
	password(key).

	Additional data fields added :

		 An alternate key field to store version 4 and version 5
		 keys. This gives full interoperability when clients are going
		 back and forth between version 4 and version 5 systems.
		 The only problem is when a user uses version 4 kpasswd,
		 and changes his password, the version 5 kinit will fail.
		 However, version 5 kpasswd will reinstate full functionality.

		 Enabled when  ALT_KEY_SALT is defined:

		    krb5_encrypted_keyblock alt_key;
		    krb5_int32 alt_salt_type:8,
			    alt_salt_length:24;
		    krb5_octet *alt_salt;

		Enabled when SANDIA is defined:

		    krb5_timestamp last_pwd_change; /*	Date password was last
							changed */
		    krb5_timestamp last_success;    /*	Last time successful
							initial ticket request
							was performed */
		    krb5_kvno fail_auth_count;	    /*	Number of unsuccessful
							initial ticket requests.
							(Blacklisting) */
		    int lastreqid;		    /*	Last request id: used
							for replay of preauth
							data. This info is also
							placed in the
							authorization field on
							the TGT. This can be
							used for tracking all
							service tickets issued
							from this TGT */



	krb5_get_in_tkt() (api) was changed so that type of preauthentication
	could be passed in and last_req information could be passed back.
	This resulted in changes to krb5_get_in_tkt_with_password()(api),
	in_tkt_sky.c, and kinit.c.

	Added routines: See lib/snlmodules plus krb4_*.c in lib/krb425

	Added Applications:

		kadmind:
		kpasswd:
		ksrvutil:
		ksrvtgt:
		appl/bsd/(rsuites)
		appl/telnet/telnet(d)
		appl/kftp
		appl/nfsid
		appl/snlapasswd
		appl/tdset
		local_tools/db425_cnvrt


	Application Description:

	kadmind	 :	Administration server, handles version 4 and version 5
			change key requests from kpasswd, and ksrvutil.
			( Note Sandia requires machine generated passwords and
			       this has been incorporated into kpasswd/kadmind.)
	kpasswd	 :	Version change password...

	ksrvutil :	V5srvtab utility : add,delete,change keys.
					   concat srvtabs.
					   translate version4 srvtab to
						version 5 and vice versa.

	ksrvtgt	 :	Like version4 but default lifetime is greater.

	bsd(rsuites) :	rlogin(d), rsh(d), rcp.	 Rlogind uses the autologin
			option (-r) available in the login program rather than
			supplying a login program. This means .rhosts don't go
			away. Also rcp uses USER to USER capabilities so it
			no longer needs to be setuid. ( Must have forwardable
			TGT however: "-f" on kinit. ).

			NOTE: when forwarding is requested through kinit, rshd
			      and rlogind will automatically get TGT for server
			      machine, and setup environment variable
			      KRB5CCNAME ( except for Ultrix ).
				( 1 time authentication ).

	telnet(d) :	Borman's telnet, with fixes and changes for 1 time
			authentication (see note above). Also added option to
			telnetd which would enforce encrypted sessions only.

	kftp(d) :	Our ftp note: a kerberos ticket is substituted for a
			password. Uses separate port.

	nfsid :		Nfs authentication program for NFS servers requiring
			kerberos authentication (  came with version 4 )

	snlpasswd:	Interface to /bin/passwd for machine generated passwords,
			with option to set to kerberos password.

	tdset :		Time synchronization tool.

	db425_cnvrt:	Kerberos v4 database to v5 database conversion tool.



Note : not all site.def.(system) and system.cf have been tested. Just
	sun3, sun4, dsultrix, vultrix4.2, unicos61, and hp9000.
-- 
Internet:   marantz@cs.rutgers.edu
uucp:       {backbone}!rutgers!cs.rutgers.edu!marantz
US Mail:    Rutgers University - LCSR * PO Box 879 * Piscataway, NJ 08855
Phone:      908/932-3995
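The per-principal attributes and the SANDIA-enabled fields listed in the announcement above (last_pwd_change, last_success, fail_auth_count, lastreqid) imply a set of checks the KDC makes on every initial ticket request. The following is an added illustration of those checks in C, not Sandia's or MIT's code: the attribute bit names, the blacklisting threshold and the request-id comparison are assumptions; only the field names come from the announcement.

```c
#include <stdint.h>
typedef int32_t krb5_timestamp;
typedef uint32_t krb5_kvno;
/* Principal attribute bits (names assumed for this illustration). */
#define REQUIRES_PRE_AUTH 0x01
#define REQUIRES_HW_AUTH  0x02
#define REQUIRES_PWCHANGE 0x04
#define MAX_FAIL_AUTH 5     /* assumed blacklisting threshold; the note gives none */
/* The SANDIA-enabled fields from the announcement plus an attribute word. */
typedef struct {
    uint32_t attributes;
    krb5_timestamp last_pwd_change; /* date password was last changed */
    krb5_timestamp last_success;    /* last successful initial ticket request */
    krb5_kvno fail_auth_count;      /* unsuccessful initial requests (blacklisting) */
    int lastreqid;                  /* last request id, for preauth replay checks */
} sandia_principal;
enum { AS_OK, AS_BLACKLISTED, AS_REPLAY, AS_PREAUTH_REQUIRED,
       AS_HWAUTH_REQUIRED, AS_PWCHANGE_REQUIRED };
/* Decide whether the KDC may issue the initial ticket, given whether the request's
 * preauth / hardware auth data verified and the request id it carried. */
int kdc_check_initial_request(sandia_principal *p, int preauth_ok,
                              int hw_auth_ok, int reqid, krb5_timestamp now) {
    if (p->fail_auth_count >= MAX_FAIL_AUTH)
        return AS_BLACKLISTED;          /* too many failures: refuse outright */
    if (reqid == p->lastreqid)
        return AS_REPLAY;               /* same id as last request: replayed preauth */
    if ((p->attributes & REQUIRES_PRE_AUTH) && !preauth_ok) {
        p->fail_auth_count++;
        return AS_PREAUTH_REQUIRED;
    }
    if ((p->attributes & REQUIRES_HW_AUTH) && !hw_auth_ok) {
        p->fail_auth_count++;
        return AS_HWAUTH_REQUIRED;
    }
    p->lastreqid = reqid;               /* remember id so a replay is refused */
    p->fail_auth_count = 0;
    p->last_success = now;
    /* Authenticated, but the ticket must only be usable to change the password. */
    if (p->attributes & REQUIRES_PWCHANGE)
        return AS_PWCHANGE_REQUIRED;
    return AS_OK;
}

/* Run one request against a constructed principal record (used by the test). */
int check_scenario(uint32_t attrs, krb5_kvno prior_fails, int prior_reqid,
                   int preauth_ok, int hw_auth_ok, int reqid) {
    sandia_principal p = { attrs, 1000, 0, prior_fails, prior_reqid };
    return kdc_check_initial_request(&p, preauth_ok, hw_auth_ok, reqid, 2000);
}
```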
