Subject: Re: Strategy for completion of Kerberos IV integration?
To: None <current-users@NetBSD.ORG>
From: Tom I Helbekkmo <tih@stop.email.ads.now>
List: current-users
Date: 03/22/1997 01:02:20

On Fri, 21 Mar 1997, Thor Lancelot Simon wrote:

> Register, registerd, and the r-commands suffer from a common
> problem: they need to be reworked to use libkstream instead of the
> ancient des_rw.c, but I haven't had time to do it.

Sounds fun.  I'll see what I can find time for over Easter.

> I have a mostly-working rlogin client which should serve as a decent
> example [...]

That's the one in the non-domestic source tree, I guess?

> Register and registerd, while very useful, would require a bit more
> attention than the others, I think, since AFAIK Cygnus never touched
> them.

These wouldn't be a priority for me -- I'll be generating initial
passwords of all my (several thousand) users.

> [We supply:]
>
> 	kerberos and kadmind

Except that they need a bit of modernizing.  kadmind doesn't work the
way -current is shipped now, because it dies when /etc/rc terminates.
I just threw in a quick and dirty daemon(0,1); in both kerberos and
kadmind, and changed the /etc/rc.local code to redirect their stderr
as well as stdout to the log file -- looks prettier at boot that way.

> 	Kerberos support in login

But it doesn't work the way it's shipped.  You can put KERBEROS=t in
your /etc/mk.conf all you like, but since <bsd.prog.mk> is included
_after_ the .if defined(KERBEROS) stuff, it's read too late.  The one
in the domestic tree will do the trick, of course, if you enable the
building of it in /usr/src/domestic/usr.bin/Makefile first.

Should the KERBEROS (and KERBEROS5) stuff in the Makefiles just be
thrown out, since you do domestic tree versions that don't ifdef it?

There should be a good way to make sure /etc/mk.conf gets read early
and is still allowed to override whatever it wants.  Impossible?

> Since we have libkstream, I'd like to see someone merge Cygnus'
> Kerberos IV support for FTP into our ftp and ftpd.  That's a
> protocol, not a hack ("rlogin is not a protocol, it's a hack") and
> then we'd have a Kerberized means of file transfer, which is all
> we're really missing.

I'm one of those horrible godless commie bastards in the NATO
countries, so of course I can't possibly get hold of Cygnus code.  We
can store your nuclear weapons for you in case you should need to
deploy them from here, but God forbid that we should learn the arcane
and sacred secrets of DES encryption!  Someone should explain to your
Congress how stupid your current laws on this stuff are -- but I guess
it's hard to do that well in single syllable words.

> I'd also like to see Kerberized versions of the r-commands, since so
> many people could use them, and as I indicated I'd be glad to help
> anyone who wants to do that, subject to my rather severe time
> constraints.

More than anything, I want kerberized rdist.  Any pointers to existing
work on that front?

> Of course, Kerb 5 looms as always on the horizon, but...

That's what I'm running at work.  Too much hassle with the PC and
Macintosh end of it, which is why I've decided to step back to IV now,
before I get all my users started with it.

-tih (proudly running NetBSD in production on several architectures)
-- 
The illegal address in the From: field is a last ditch attempt at being
able to participate on USENET and on mailing lists in spite of all the
shit-for-brains bastards who make a living selling garbage to morons.
May those who abuse email for marketing suffer slow and painful deaths!