Subject: Re: Strategy for completion of Kerberos IV integration?
To: None <current-users@NetBSD.ORG>
From: Thor Lancelot Simon <tls@panix.com>
List: current-users
Date: 03/21/1997 17:30:34
OpenBSD's Kerberos IV is certainly *not* exportable. In fact, numerous
OpenBSD developers and users regularly violate U.S. export regulations by
re-importing and -exporting their Kerberos code with an ultimate destination
which they know to be outside the U.S. and Canada.
As regards programs which have directories both in and outside of the
-domestic tree, that's deliberate. The most notable such example is telnet,
for which the exportable version is generated by running unifdef on the
domestic version.
4.4 Kerberized programs which are *not* currently shipped with NetBSD are
(from memory):
register, registerd, r* (rlogin, rsh, etc.)
mountd, mount_nfs, maybe nfsd and nfsiod.
Register, registerd, and the r-commands suffer from a common problem: they
need to be reworked to use libkstream instead of the ancient des_rw.c, but
I haven't had time to do it. I have a mostly-working rlogin client which
should serve as a decent example (I hacked it up in a tremendous hurry and
the part of it which does *not* work, fallback to non-kerberized rlogin,
is sufficiently inscrutable that I kinda shudder at the thought of revisiting
it.) and the Cygnus code for the rest of these programs as another. Register
and registerd, while very useful, would require a bit more attention than the
others, I think, since AFAIK Cygnus never touched them. Shouldn't be too
hard.
mount_nfs and the Kerberized NFS code in the kernel are a particular problem.
I tried to merge back in the code from 4.4-Lite about two years ago and came to
the conclusion that it had probably never worked. If anyone wants to work on
*that* I can offer at least some vague recollections. Unfortunately, it isn't
enormously secure either; it just uses Kerberos to secure the initialization
of the TCP connection to the server, not the data transfer itself. Doing more
would be... complex.
What we *do* ship is enough to run your NetBSD box as a KDC or a fairly simple
client the way most people use Kerberos today; also enough to use Kerberos to
secure login to your machine. We ship:
All the libs, including libkstream, a general-purpose library for
securing network streams with Kerberos.
All the build tools: compile_et, make_cmds, etc.
kerberos and kadmind
telnet client and server
Kerberos support in passwd (kadmin protocol, *not* the old BSD kpasswd
hack)
Kerberos support in login
kinit, kdestroy, etc.
Since we have libkstream, I'd like to see someone merge Cygnus' Kerberos IV
support for FTP into our ftp and ftpd. That's a protocol, not a hack ("rlogin
isn not a protocol, it's a hack") and then we'd have a Kerberized means of
file transfer, which is all we're really missing. I'd also like to see
Kerberized versions of the r-commands, since so many people could use them,
and as I indicated I'd be glad to help anyone who wants to do that, subject to
my rather severe time constraints.
Register and registerd are very useful for bootstrapping Kerberos on an
existing system, so those too would be nice, but I'd think they're a lesser
priority.
Of course, Kerb 5 looms as always on the horizon, but... well, I go to
half-time at work in June; there are myriad issues surrounding Kerb 5
integration but then at least I may be able to look at them.
Thor
P.S. The Kerberos 5 support in passwd is very old, presently of dubious
value, and should possibly be removed. It is a remnant of a very
early stab at Kerberos integration from long long ago.