[111] in pc-kerberos
Re: Upcoming potential changes in KRBV4*.DLL
daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Wed Jul 26 16:10:05 1995
Date: Wed, 26 Jul 1995 16:02:33 -0400 (EDT)
From: John Gardiner Myers <jgm+@CMU.EDU>
To: pc-kerberos@MIT.EDU
In-Reply-To: <8k5btU_0ts6C07idM0@alw.nih.gov>

"Jessica B. Kelley" <jbk@alw.nih.gov> writes:
> I also would like to see the addition of support for the Transarc
> string-to-key function. At this point, we are using the Transarc
> Kaserver, but in the future we plan to transition to DCE. When we make
> the transition to DCE, we'll need to use the Transarc Kaserver.

The above statement makes absolutely no sense. It appears to be based
on a complete misunderstanding of the issues involved.

The Transarc Kaserver does not support the DCE security service.
Transarc appears to have no intention of extending the Kaserver to
support the DCE security service--that would be a major undertaking.

The clients of the DCE security service do not support the Transarc
string-to-key function. Transarc's plan for transitioning from the
Kaserver to the DCE security server is for your users to have a flag
day. Each user will have to somehow run a program which puts their
old password through the Transarc string-to-key and prints the result
in hexadecimal. The user then has to type in that hexadecimal number
as their password when authenticating to the DCE security service.

Keeping your keys encoded with the Transarc string-to-key will not
lead to a smooth transition to DCE. In fact, I believe that being so
divergent from common Kerberos V4 practice will in fact hinder smooth
transition.

The string-to-key algorithm used is independent of which Kerberos V4
server implementation your realm runs. Kerberos V4 servers do not
know and do not care which string-to-key algorithm, if any, is used to
create any given key. It is the *clients* who care. It is perfectly
legitimate (and a good idea) to run a Transarc Kaserver holding keys
encoded with the MIT V4 string-to-key algorithm.

--
_.John G. Myers Internet: jgm+@CMU.EDU
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up