[2093] in Kerberos
Re: is kadmind exportable as a binary? if so, begging letter.
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Thu Aug 13 21:05:30 1992
Date: 13 Aug 92 23:18:43 GMT
From: mamros@athena.lkg.dec.com (Shawn Mamros)
Reply-To: mamros@athena.lkg.dec.com (Shawn Mamros)
To: kerberos@shelby.Stanford.EDU
ggm@brolga.cc.uq.oz.au (George Michaelson) writes:
> I suspect that DEC's product actually does something less than
> full encyption of the packet, but there don't seem to be
> halfway house #ifdefs in the V4 bones code to cope with this.
This is not true. From experience, I can tell you that code compiled with
the MIT libkrb.a and libdes.a is compatible with code compiled with the
ULTRIX versions of those libraries. The only difference is that the
ULTRIX libraries don't have any routines which allow encryption of raw data -
any functions or programs which need to encrypt/decrypt have the algorithm
in-lined into them. The algorithm itself is the same.
As far as the Kerberos daemon itself is concerned, there are only a few
lines different between the MIT code and the ULTRIX code, none of which
have to do with encryption.
As an experiment, I tried just now running an ULTRIX Kerberos daemon with
an MIT kadmind, and the MIT kadmin client. Worked fine here.
My guess is that there's something different between your DES routines
and the ones MIT used.
With regards to the exportability issue, from what I've seen getting export
permission is not difficult providing you can prove that what you ship
doesn't allow encryption of random data streams. Encryption for the purposes
of authentication is OK; "encryption for encryption's sake" is not.
Disclaimer: I'm not speaking as any sort of "official representative", merely
as one who has access to both ULTRIX and MIT sources.
-Shawn Mamros
E-mail to: mamros@athena.lkg.dec.com
