[942] in Kerberos_V5_Development
Howard Chu: Windows Kerberos library
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Nov 2 18:14:18 1995
To: krbdev@MIT.EDU
Date: Thu, 02 Nov 1995 18:14:05 EST
From: Sam Hartman <hartmans@MIT.EDU>
------- Forwarded Message
Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po9.MIT.EDU (5.61/4.7) id AA21511; Thu, 2 Nov 95 17:35:37 EST
Received: from lccma.bos.locus.com by MIT.EDU with SMTP
id AA23052; Thu, 2 Nov 95 17:35:15 EST
Received: from orchard.la.locus.com by lccma.bos.locus.com with SMTP (PP) id <04817-0@lccma.bos.locus.com>; Thu, 2 Nov 1995 17:34:51 +0000
Received: from traveller.la.locus.com by orchard.la.locus.com (AIX 3.2/UCB 5.64/4.03)
id AA36288; Thu, 2 Nov 1995 14:31:41 -0800
Received: by troy.la.locus.com (AIX 3.2/UCB 5.64/4.03)
id AA75616; Thu, 2 Nov 1995 14:37:12 -0800
From: hyc@locus.com (Howard Chu)
Message-Id: <9511022237.AA75616@troy.la.locus.com>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: tytso@MIT.EDU
Subject: Windows Kerberos library
In-Reply-To: (Your message of Wed, 01 Nov 95 16:22:08 EST.)
<199511012122.QAA06606@tertius.mit.edu>
Date: Thu, 02 Nov 95 14:37:11 -0800
Just wanted to give you an update on what we've got cooked up... First of all,
here's a sample of the combined INI file I'm using:
This file was machine generated. Any comments added here will go away.
[defaults]
    k4_realm = LA.LOCUS.COM
    k5_realm = pci.locus.com
    protocol = k4
    ticket_lifetime = 600
    sync_clock = YES
    ignore_pwd = NO
[k4_domain_realm]
    .la.locus.com = LA.LOCUS.COM
    la.locus.com = LA.LOCUS.COM
[k4_realms]
    LA.LOCUS.COM = {
        admin_server = borchard.la.locus.com
        default_domain = la.locus.com
        kdc = borchard.la.locus.com
        user = hyc
        auto_auth = YES
    }
    BOGUS.K4.REALM = {
        kdc = just.checking
    }
[k5_domain_realm]
    .la.locus.com = pci.locus.com
    la.locus.com = pci.locus.com
[k5_realms]
    pci.locus.com = {
        admin_server = hendrix.la.locus.com
        default_domain = la.locus.com
        kdc = hendrix.la.locus.com
        user = hyc
        auto_auth = YES
    }
    BOGUS.K5.REALM = {
        kdc = not.on.either.net
    }
I've added 3 new functions to the profile library, profile_set_string,
profile_add_string, and profile_write_file. profile_set_string will replace
the value of the first matching key with the given value. It's mainly used
by the set_default_user functions. profile_add_string will add a key/value
pair, if the identical pair doesn't already exist. All changes are in memory
only; profile_write_file must be called to replace the actual file on disk.
We are still developing our Kerberos Manager app; it acts as both a ticket
manager and a configuration editor. It installs as an autostart application -
as soon as Windows starts, it runs.
At startup, the manager checks the default protocol, and the default realm for
that protocol. If the sync_clock option is enabled, the manager will call
krb_kdc_time or krb5_kdc_time to obtain the time from a KDC in the default
realm, and set the PC's clock. Next, it iterates through all of the defined
realms, both K4 and K5, checking for an auto_auth option. If it is set for any
realm, it will attempt to authenticate the default user in that realm.
The ticket manager itself is just a listbox showing the expiration time, type
(K4 or K5), and service for each ticket. It has an Add button for obtaining
new TGTs and a Delete button for deleting selected tickets.
The configuration editor is still in progress, but it will eventually allow
control over every element of the INI file.
The ignore_pwd option is particular to our wrapper library. We have a GetAuth
function for obtaining service tickets. Unlike GetTicketForService, if the user
is not currently authenticated, it will put up a login dialog box and get a TGT
first, and then get the desired service ticket. This GetAuth function allows
the user's password to be passed in, such that if a password is needed, the
authentication can proceed silently, without using the login dialog. If the
ignore_pwd option is set, then the login dialog is always used to obtain the
password, instead of using any passed-in password.
The login dialog has two drop-down lists, one for selecting the protocol
to use, and one for selecting a realm of the selected type. The dialog is
initialized with the default protocol, and the default realm of that protocol
is the default selection in the realm list. These defaults can be overridden
by passed-in parameters to GetAuth as well.
On other topics, I encountered a bug using the pcbc_encrypt code in the des425
library. I've rewritten my krb4 library code to call the crypto/des functions
directly, since they seemed to work. I'm not sure how I'm going to reintegrate
my Windows source tree with my Unix source tree, since I'm not sure it's such
a good idea to have the krb4 and krb5 libraries so interdependent on Unix. But
for Windows, it's very convenient. My krb4 library also uses the krb5 profile
routines (obviously), and they both call a single change_cache function. (It
still uses two distinct Windows messages, but I needed a single place to keep
track of when it's OK to unload the DLL. This was required for the memory
caching...)
I'll be sending my K5 memory cache code in a separate message.
Howard Chu Principal Member of Technical Staff
hyc@locus.com Locus Computing Corporation
------- End of Forwarded Message
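Added example (not the MIT profile library and not Howard Chu's code): a small Python model of the brace-nested profile file shown in the message, with the three in-memory operations it describes: replace the value of the first matching key, add a key/value pair unless the identical pair already exists, and serialize the tree back to text (writing that text to disk is left to the caller). The tuple-path addressing, the leading ";" comment marker in the constructed sample, and appending a new pair when set_string finds no match are assumptions.

```python
# Constructed sample in the format from the message (comment marker assumed).
SAMPLE = """\
;This file was machine generated. Any comments added here will go away.
[defaults]
k4_realm = LA.LOCUS.COM
protocol = k4
[k4_realms]
LA.LOCUS.COM = {
    kdc = borchard.la.locus.com
    user = hyc
}
"""

def parse_profile(text):
    """Parse into {section: [(key, value), ...]}; a `key = { ... }` block
    becomes a nested list of pairs so duplicate keys and order survive."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], [])]   # new section
            continue
        if line == "}":                           # close nested block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                          # open nested block
            block = []
            stack[-1].append((key, block))
            stack.append(block)
        else:
            stack[-1].append((key, value))
    return root

def find(root, path):
    """Walk ("section", "block", ..., "key") to the pair list holding key,
    creating missing sections/blocks on the way; returns (pairs, key)."""
    pairs = root.setdefault(path[0], [])
    for name in path[1:-1]:
        nested = next((v for k, v in pairs if k == name and isinstance(v, list)), None)
        if nested is None:
            nested = []
            pairs.append((name, nested))
        pairs = nested
    return pairs, path[-1]

def set_string(root, path, value):
    """profile_set_string: replace the first matching key's value.
    Returns True if replaced; appends the pair otherwise (assumed behaviour)."""
    pairs, key = find(root, path)
    for i, (k, v) in enumerate(pairs):
        if k == key and not isinstance(v, list):
            pairs[i] = (key, value)
            return True
    pairs.append((key, value))
    return False

def add_string(root, path, value):
    """profile_add_string: add the pair unless the identical pair exists."""
    pairs, key = find(root, path)
    if (key, value) in pairs:
        return False
    pairs.append((key, value))
    return True

def serialize(root):
    """Text that profile_write_file would put on disk (in-memory changes only
    become visible to other programs once the caller writes this out)."""
    out = [";This file was machine generated. Any comments added here will go away."]
    def emit(pairs, depth):
        for k, v in pairs:
            pad = "    " * depth
            if isinstance(v, list):
                out.append(f"{pad}{k} = {{")
                emit(v, depth + 1)
                out.append(f"{pad}}}")
            else:
                out.append(f"{pad}{k} = {v}")
    for name, pairs in root.items():
        out.append(f"[{name}]")
        emit(pairs, 1)
    return "\n".join(out) + "\n"
```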