[3814] in Kerberos
Re: Kerberos on Ultrix
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Thu Sep 8 10:02:10 1994
To: kerberos@MIT.EDU
Date: Thu, 08 Sep 1994 09:29:34
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

ccprl@xdm039.ccc.cranfield.ac.uk (Peter Lister) writes:
>In article <34kb55$f6u@brimstone.unipalm.co.uk>, andys@unipalm.co.uk (Andy Smith) writes:
>|> Can you run Kerberos v 5 on ULTRIX?
>
>I hope so!

Many moons ago, I compiled Beta 2 on a decmips box. Worked fine as far
as I could tell. I believe the ULTRIX/MIPS platform is one of the ones
that MIT does their development/testing on, but I could be wrong...

>|> Is kerberos 4 & 5 directly supported on the MIT release?
>
>For Ultrix? eBones compiled first time, so I guess so.

MIT does have V4 and V5 releases, but they're separate.

>|> Has anyone got Kerberos running under ULTRIX 4.3?
>
>Yes. Well, 4.3a. We have DECathena, and DECathena Kerberos is much closer
>to MIT Kerberos. In fact, to install DECathena, one must *remove* Ultrix
>Kerberos if it's installed.

Only because of the confusion that would result from having two kinit
binaries, two klist binaries, two kerberos server binaries, etc...

Just to (hopefully) clarify things: The biggest difference between
MIT's Kerberos V4 and what ULTRIX and DECathena supply is that the
ULTRIX and DECathena libkrb and libdes do not provide any routines
which perform raw encryption/decryption (i.e., no des_pcbc_encrypt(),
krb_mk_priv(), etc.), because of the "wonderful" (*cough*) export
restrictions we have to live with in the US. However, it still uses
the *same identical* encryption algorithms as does the MIT code in
order to support the authentication capabilities - it's just that
they're "in-lined" into the libkrb routines which need them. So,
authentication is just as secure as it is with MIT's code (and in fact
is 100% compatible with it, as far as KDC transactions and passing
tickets/authenticators to application servers go); it's just that
there's no bulk encryption capabilities.

ULTRIX only uses Kerberos to secure its distributed auth database
as part of its "enhanced" security setup. This scheme does not require
users to have Kerberos principals; therefore, if you follow the ULTRIX
setup guidelines, you won't have user principals. Moreover, none of
the software supplied with ULTRIX itself knows how to take advantage
of user principals. But... there's nothing that prevents one from
setting up user principals in the ULTRIX KDC, and you should be able to
link *most* software using Kerberos V4 with the ULTRIX libraries (provided
the software doesn't use krb_mk_priv(), krb_rd_priv(), or the DES encryption
functions). The biggest stumbling block is that the ULTRIX libraries
use /var/dss/kerberos/tkt as the directory for ticket files instead of
/tmp, and that directory is normally writeable only by root. But this
can be worked around either by making the directory more writeable, or
(better) by using the KRBTKFILE environment variable, which still works
as expected.

DECathena does use (in fact, requires) user principals, so its Kerberos
libraries move the ticket files back to /tmp. The private message and
raw encryption routines are still missing from its libraries, however,
and programs like "Kerberized" rlogin don't support the encrypted session
option.

Hope this helps...

(Disclaimer: I used to work for Digital and DECathena "many moons ago".
However, the information in this article isn't "privileged" in any way;
it's all in the respective manuals, man pages etc. for ULTRIX and
DECathena...)

-Shawn Mamros
E-mail to: mamros@ftp.com
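
The KRBTKFILE workaround described in the message above, as an added example that is not part of the original post: rather than loosening permissions on a shared ticket directory, each user gets a private 0700 directory and KRBTKFILE points at a file inside it. The function names and the KRB_TKT_BASE variable are hypothetical, and a modern POSIX-like shell with `mktemp -d` is assumed (not the 1994 ULTRIX shell).

```shell
# Added example: keep Kerberos V4 ticket files out of shared, writable
# directories by pointing KRBTKFILE at a per-user private directory.
# setup_krbtkfile, tkt_dir_is_private and KRB_TKT_BASE are hypothetical names.

# Succeeds only if $1 is a real directory (not a symlink) with mode
# exactly rwx------, i.e. nobody but the owner can list or write it.
tkt_dir_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        drwx------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Creates a fresh private directory under KRB_TKT_BASE (default: TMPDIR
# or /tmp), verifies its permissions, and exports KRBTKFILE.
setup_krbtkfile() {
    base="${KRB_TKT_BASE:-${TMPDIR:-/tmp}}"
    old_umask=$(umask)
    umask 077
    # mktemp -d creates the directory atomically with an unpredictable name,
    # so another local user cannot pre-create or symlink the path.
    dir=$(mktemp -d "$base/krbtkt.XXXXXX")
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Refuse to use the directory if the permissions are not what we expect.
    if ! tkt_dir_is_private "$dir"; then
        echo "refusing ticket directory with loose permissions: $dir" >&2
        return 1
    fi

    KRBTKFILE="$dir/tkt"
    export KRBTKFILE
}
```

Programs linked against a Kerberos V4 library that honors KRBTKFILE, started from the same shell after `setup_krbtkfile`, will then read and write the ticket file at that path.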