[3297] in Kerberos

Re: Is there Kerberos for VMS?

daemon@ATHENA.MIT.EDU (Sam Sjogren)
Wed May 18 20:14:30 1994

Date:     Wed, 18 May 94 17:02:48 PDT
From: sjogren@TGV.COM (Sam Sjogren)
In-Reply-To: Your message <25APR199423574507@ariel.lerc.nasa.gov> dated 25-Apr-1994
To: uugblum@lerc.nasa.gov
Cc: kerberos@MIT.EDU

In article <25APR199423574507@ariel.lerc.nasa.gov>, uugblum@ariel.lerc.nasa.gov (Greg Blumers) writes:
> As other people have replied, Multinet V3.2? or higher supports Kerberos.

3.2 and on is correct.  Btw, note that if you're going to be using
MultiNet (the capitalization of this is a bit of a pet peeve) as your
KDC, either upgrade to version 3.3 (starting to ship as I type) or get
a hold of me for a fixed KDC image for 3.2 that fixes a memory management
bug that on some systems has caused some principals to be invisible.

> The Multinet Kerberos documentation assumes that you will be using the
> VAX as the KDC server system.  If you plan to use another system as the
> KDC server, then you need to create a srvtab file on the KDC server system
> and copy it to MULTINET:KERBEROS.SRVTAB on the VMS client system.

Yes, the srvtab file is binary compatible with Unix systems and the like.

> The Multinet Kerberos support seems to work fine.  However, I've requested
> a few enhancements from TGV.

> - Support an automatic fallback mode on the VMS Client which would try to
>   establish a Kerberized connection.  If unsuccessful, then try a non-
>   Kerberized connection.  This is useful in an environment where not all
>   systems are kerberized.

I'll note that if you're using Kerberized TELNET this does automatically
happen, but not with RLOGIN.  Note that beginning with version 3.3 you can
configure a MultiNet TELNET/RLOGIN server to allow any type of login, or
only via Kerberos, or selectively based on the origin (e.g., allow regular
TELNET/RLOGIN from the local subnet, but not from the rest of the Internet).

The RLOGIN enhancement is noted, but is not in version 3.3.

> - Support the data encryption option (-x on Unix) on the VMS client
>   and server.

I'm working on it.  The encryption add-on won't be exportable, of course.
I'm tearing my hair out over in-kernel network_pty encryption support so
that the RLOGIN server can deal with encryption blocks split across mbufs,
stuff like that.  It'll be available later this year, maybe not until we
get our Windows product out the door, but I'll call for beta testers when
it's ready for that.

> - Support the "ksrvutil add" command which creates a srvtab file
>   from a password entered at the console terminal.  This eliminates
>   the need to copy the srvtab file.  Try finding a compatible medium
>   between a VAX 9000 and a Sun workstation.  If you copy the srvtab file
>   over the network, then the key isn't secret anymore.

Request noted, but it isn't in version 3.3.

> Unfortunately, Kerberos isn't tightly integrated into the VMS or Unix
> operating systems.  I've noticed several major problems with most Kerberos
> KDC server implementations.

Other messages have addressed the off-line cracking problems with V4 Kerberos.


Cheers,
-Sam Sjogren
 TGV Engineering
