[6992] in Kerberos
krb5b5 on hpux9.05 -- questions
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed Apr 3 10:33:46 1996
Date: Wed, 3 Apr 1996 09:21:17 -0600
From: Doug Engert <DEEngert@anl.gov>
To: garlick@ecst.csuchico.edu (Jim Garlick)
Cc: kerberos@MIT.EDU
In-Reply-To: <4jrnup$osl@charnel.ecst.csuchico.edu>
Jim Garlick writes:
> Hello,
>
> I have a couple of questions regarding Kerberos 5 BETA 5.
>
> First, I got most of it working on hpux 9.05, e.g. I can do encrypted
> and kerberos-authenticated rlogin and rsh, and if anybody's interested
> I can try to package up the (relatively minor) changes I needed to make
> to get it to work with HP's ANSI C compiler. These configure options
> do most of the work:
> --with-ccopts="-Ae -Dhpux" --with-ac_cv_c_const=yes
>
> Anyway, I have two questions.
>
> One, do forwardable tickets work at all in BETA 5?
>
Yes they do, if you have all the needed modifications. See
http://achilles.ctd.anl.gov/pub/kerberos.v5/README for more details.
I can forward tickets, get AFS tokens, DCE contexts, and use the
forwarded ticket to login to another system.
I have parts of the 5 beta 5 running on the HPUX 9.04 but have not
tested it very well. I would be interested in your mods to the
krlogind.c. I also have a MIT snapshot from January running on HPUX 10
using the DCE security server as the KDC. So you should see
improvements in the next release of Kerberos from MIT.
> Two, do the "bsd" applications properly implement the "aname" translations?
> When I kinit to "A123456" and then try to krlogin to another machine which
> maps "A123456" to "garlick" in /krb5/aname.[dir,pag], I get some bizarre
> error about not being on a privileged port (?!?). A cursory look through
> the sources to krlogind does reveal a call to krb5_aname_to_localname(),
> but this seems to be in the context of logging. (I will look deeper--just
> wondered if anyone knew this off the top of their head).
Have not tried the aname code. I would be very interested, since there
may be some concern that the user owns the .k5login and can give away
the access rights to his own account. The use of the aname table means
that the local system administrator has to update the aname table, and
has some control over who is using which account.
>
> Thanks in advance!
>
> Jim
>
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
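
The concern raised in the reply above, that a user-owned .k5login can grant access the administrator never approved, can be checked with a small audit. This is an added example, not part of the original message or of the Kerberos distribution; it assumes the aname table has been exported to a principal-to-account dictionary, and the realm EXAMPLE.ORG and the principal "friend" are constructed.

```python
"""Audit .k5login grants against an admin-maintained principal-to-account map."""


def parse_k5login(text):
    """Return the principals listed in a .k5login file (one per line)."""
    principals = []
    for line in text.splitlines():
        line = line.strip()
        if line:  # skip blank lines
            principals.append(line)
    return principals


def audit_k5login(admin_map, k5login_files):
    """Return (account, principal) pairs granted by users but not by the admin map.

    admin_map: principal -> local account (assumed export of the aname table).
    k5login_files: local account -> contents of that account's .k5login.
    """
    findings = []
    for account, text in sorted(k5login_files.items()):
        for principal in parse_k5login(text):
            # A grant is expected only if the administrator maps this
            # principal to this same local account.
            if admin_map.get(principal) != account:
                findings.append((account, principal))
    return findings


# Constructed sample data: the realm and the "friend" principal are made up.
ADMIN_MAP = {"A123456@EXAMPLE.ORG": "garlick"}
K5LOGIN_FILES = {
    "garlick": "A123456@EXAMPLE.ORG\nfriend@EXAMPLE.ORG\n",
    "operator": "\nA123456@EXAMPLE.ORG\n",
}

if __name__ == "__main__":
    for account, principal in audit_k5login(ADMIN_MAP, K5LOGIN_FILES):
        print(f"{account}: {principal} is allowed by .k5login but not by the admin map")
```

Each finding is an account whose owner has listed a principal that the administrator's table does not map to that account.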