[3184] in Kerberos
Re: V4 to V5 wire protocol translation/gateway?
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Apr 27 12:26:23 1994
Date: Wed, 27 Apr 94 12:07:20 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: brian@nothing.ucsd.edu
Cc: kerberos@MIT.EDU
In-Reply-To: Brian Kantor's message of 27 Apr 1994 14:32:17 GMT,
<2plt1h$9if@network.ucsd.edu>

   Date: 27 Apr 1994 14:32:17 GMT
   From: brian@nothing.ucsd.edu (Brian Kantor)

   In order to use Kerberos to our best advantage, we need to have both v4
   and v5 services available.

   We need this because many of the microcomputer-based applications which
   so desperately need authentication are available only in version 4
   implementations.

   The best way to do this, I think, is to have something that listens on
   the v4 port (750) and translates that into requests on the v5 port (88),
   then translates the response back again.

   An alternative would be, I suppose, to hack a V4 to use the V5 database,
   and simply run two servers.  Anyone done this?

That's been done already, and it's folded into the Kerberos V5 KDC. The
V5 KDC is set up to listen on two ports, kerberos (88) and kerberos-sec
(750), and the V4 compatibility option is turned on, if it sees a V4
request on either port, it will process it using the V5 database and
return a V4 response to the client.

At MIT, we will be using this backwards compatibility option, probably
for years. Have you ever tried to get a professor to upgrade the
software on his machines? :-)

- Ted