[3086] in Kerberos


Kerberos 5 at ARL

daemon@ATHENA.MIT.EDU (Mike Muuss)
Fri Apr 8 22:50:27 1994

Date:     Fri, 8 Apr 94 20:20:41 EDT
From: Mike Muuss <mike@ARL.MIL>
To: kerberos@MIT.EDU
Cc: sys-admin-all@ARL.MIL


Greetings!

Kudos to all the folks who have worked to make Kerberos 5 substantially
more secure than version 4!  Issues of packaging and portability aside,
I am very impressed with the design of Kerberos 5.  It has been really
nice to find that all the mechanisms we needed were ready and waiting
for us.

With the help of several associates (most notably Lee Butler
and Ken Rendard, with assistance from Paul Stay and Phil Dykstra), I
have initiated a large-scale effort to implement Kerberos version 5
across the 3000+ computers at ARL.

So far, our efforts have focused on these areas:  (1) upgrading the
R* utilities (appl/bsd/*) to be based on the latest Berkeley sources
[for ease of porting] and to have complete security logging, (2) porting
to additional platforms, (3) integrating with vendor-specific versions
of /usr/bin/login and /bin/su, and (4) adding Kerberos 5 support to our
Annex terminal servers.

Our primary platforms are Sun-3 and Sun-4 machines running SunOS 4.1.1,
and SGI 4D machines running Irix 4.0.5 and Irix 5.2;  Kerberos 5 is
working well on these systems.  I set up the Suns, which was easy (4
hours).  Lee Butler did the port to the SGI, which took some significant
effort.  Ken has made good progress on his port to Solaris 2.2. I'm
still trudging through the port to HPUX release 9.0 on an HP 9000/827.
We will be providing patches back to the developers at MIT under
separate cover.

At present, the only "bug" in Kerberos 5 that we have not been able to
fix on our own pertains to forwarding credentials through RLOGIN.
Observe: 

174 vm> klist -f
Ticket cache: /tmp/krb5cc_53
Default principal: mike@ARL.MIL

  Valid starting       Expires          Service principal
 8-Apr-94 20:01:28   9-Apr-94 10:01:03  krbtgt/ARL.MIL@ARL.MIL
        Flags: FIA
175 vm> rlogin -x -F vm
rlogin: kcmd to host "vm.arl.mil" failed - Unknown code ____ 255

with the following messages sent to syslog:

Apr  8 20:02:49 vm ekrlogind: Can't get forwarded credentials:isode: unacceptable combination of options (len 510)
Apr  8 20:02:49 vm ekrlogind: Can't get forwarded credentials.

Has anyone else seen this problem?  Has a fix been developed yet?  Any
hints would be greatly appreciated!

One small but vitally useful tidbit (proposed and implemented by Paul
Stay) that we added to KRLOGIND was to set the environment variable
SECURE_LINE=1 when an encrypted session (krlogin -x) is in use.  Paul
then modified /bin/su to check for the value of this shell variable;  if
it is being used on a non-secure network session, it prints a strong
warning to the invoker, while invocations on a secure line print a short
reassurance that the session is secure.  This small modification makes
it possible for our sys-admins to go SU on remote systems with the
confidence that they are using the proper type of session.  We have been
very concerned about the use of the SU password over network links which
may be subjected to "sniffer" type monitoring.

Again, kudos to all you folks who helped make Kerberos the strong system
that it is.  Your hard work is much appreciated!

	Best,
	 -Mike Muuss

	  Advanced Computer Systems
	  The US Army Research Laboratory
	  APG, MD  21005-5068  USA
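
The SECURE_LINE convention described in the message above, sketched in C as an added example; it is not the ARL code, which the post does not show. The function names, the message wording and the step that drops an inherited SECURE_LINE before the daemon sets its own are assumptions of this sketch, and the variable remains an advisory hint to the invoker rather than an access control.

```c
#include <stddef.h>
#include <string.h>

#define SL_KEY "SECURE_LINE="            /* variable name taken from the post */

/* Constructed sample: inherited environment carrying a stale/forged value. */
const char *const sample_inherited[] = { "TERM=vt100", "SECURE_LINE=1", NULL };

/* Daemon side (hypothetical helper): copy the inherited environment into out[],
 * dropping any SECURE_LINE entry, then set it only for an encrypted session.
 * Returns the entry count, or -1 if out[] (max slots incl. NULL) is too small. */
int build_session_env(const char *const in[], int encrypted,
                      const char *out[], size_t max)
{
    size_t n = 0;
    if (max == 0) return -1;
    for (size_t i = 0; in && in[i]; i++) {
        if (strncmp(in[i], SL_KEY, strlen(SL_KEY)) == 0)
            continue;                    /* never trust an inherited value */
        if (n + 1 >= max) return -1;
        out[n++] = in[i];
    }
    if (encrypted) {
        if (n + 1 >= max) return -1;
        out[n++] = SL_KEY "1";
    }
    out[n] = NULL;
    return (int)n;
}

/* su side (hypothetical helper): 1 only when SECURE_LINE is exactly "1";
 * unset, empty, or any other value is treated as a non-secure line. */
int line_is_secure(const char *const env[])
{
    for (size_t i = 0; env && env[i]; i++)
        if (strncmp(env[i], SL_KEY, strlen(SL_KEY)) == 0)
            return strcmp(env[i] + strlen(SL_KEY), "1") == 0;
    return 0;
}

/* Message su would print before prompting; wording is illustrative. */
const char *su_notice(const char *const env[])
{
    return line_is_secure(env)
        ? "su: this session is encrypted."
        : "su: WARNING: session is NOT encrypted; the password may be sniffed.";
}
```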
