[3179] in Kerberos

Re: Is there Kerberos for VMS?

daemon@ATHENA.MIT.EDU (Greg Blumers)
Tue Apr 26 19:02:54 1994

To: kerberos@MIT.EDU
Date: 25 Apr 1994 23:57 EST
From: uugblum@ariel.lerc.nasa.gov (Greg Blumers)

In article <John-200494112835@electron.mankato.msus.edu>, John@VAX1.Mankato.MSUS.EDU (John Biederstedt) writes...
>Is it possible to run Kerberos under VMS?  If so, has anyone done it?
> 
>Also: How do you pronounce kerberos?
> 
>signature:
>===========================================================================
>John Biederstedt               |
>John@VAX1.Mankato.MSUS.EDU     |    
>Mankato State University       |       Just say no to Clipper.
>Mankato, MN  56002             |    
>44d 8'N  93d 59'W   El.1000'   |  
>===========================================================================
>Disclaimer: My views are not those of my employer, but they should be.


As other people have replied, Multinet V3.2? or higher supports Kerberos.
The Multinet Kerberos documentation assumes that you will be using the
VAX as the KDC server system.  If you plan to use another system as the
KDC server, then you need to create a srvtab file on the KDC server system
and copy it to MULTINET:KERBEROS.SRVTAB on the VMS client system.

The Multinet Kerberos support seems to work fine.  However, I've requested
a few enhancements from TGV.

- Support an automatic fallback mode on the VMS Client which would try to
  establish a Kerberized connection.  If unsuccessful, then try a non-
  Kerberized connection.  This is useful in an environment where not all
  systems are kerberized.

- Support the data encryption option (-x on Unix) on the VMS client
  and server.

- Support the "ksrvutil add" command which creates a srvtab file
  from a password entered at the console terminal.  This eliminates
  the need to copy the srvtab file.  Try finding a compatible medium
  between a VAX 9000 and a Sun workstation.  If you copy the srvtab file
  over the network, then the key isn't secret anymore.

Unfortunately, Kerberos isn't tightly integrated into the VMS or Unix
operating systems.  I've noticed several major problems with most Kerberos
KDC server implementations.

- No intrusion detection system.  Incorrect passwords can be entered
  forever.  With an unlimited number of tries, I don't see why a
  Kerberized password can't be cracked.
- No expiration time on passwords.
- No password checker which pro-actively checks passwords when they
  are changed.
- No last login message (last time kinit password was entered correctly)

The last time I looked, OpenVision was the only company to offer a
Kerberos product which fixed some of these holes.  Maybe DCE security
will solve the system integration problem.

--------------------------------------------------------------------------------
The opinions expressed are my own, and not that of my employer.

Greg Blumers				Sterling Software
Systems Programmer			c/o NASA Lewis Research Center
(216)433-6777				Mail Stop 142-2
					21000 Brookpark Road
uugblum@lerc.nasa.gov			Cleveland, OH 44135
--------------------------------------------------------------------------------
