Subject: Re: Status of Kerberos IV or 5
To: John C. Hayward <>
From: Chris Jones <>
List: current-users
Date: 01/22/1998 09:42:44
On Wed, 21 Jan 1998, John C. Hayward wrote:
>    What is the current status of Kerberos on NetBSD 1.3?  Here is what
> I found for something like passwd.
>    - in /usr/src/domestic/usr.bin/passwd you can make a version of
> password which seems to be kerberos IV

Yup.  Krb4 is distributed with NetBSD's domestic package.

>    - in /usr/src/usr.bin/passwd there seems to be some facilities in
> the Makefile and krb5_passwd.c with a october time frame but if you
> uncomment /usr/share/mk/ KERBEROS5=yes and issue make
> does compile krb5_passwd.c and doing a make -D KERBEROS5 does compile
> krb5_passwd.c but results in a lot of compiler errors about missing
> includes among other things.

Yup.  Krb5 is not part of NetBSD, so you have to download and compile it
separately.  Then you have to modify the Makefile so it has the proper -I
and -L flags, unless you intend to install krb5 in /usr instead of
/usr/local or somesuch.  It works fine for me, though, if I edit the
Makefile appropriately and just issue a "KERBEROS5='' make".

(Side note:  Maybe we should have KRB5LIBDIR and KRB5INCDIR variables
added to the files in /usr/share/mk.  Then people like me, who actually
*use* krb5, could just change /etc/mk.conf, instead of having to manually
edit Makefiles every time we want to recompile something.)

>    Is kerberosIV fully supported if you build things in /usr/src/domestic?
> Is the KerberosV implementations under development?

I wish it were, but I have a hunch it's not.  There's a fair amount of
functionality that's apparently still not implemented, such as setting
tickets to be forwardable in the krb5.conf file.

>     I have made some changed to xdm in X11 from XFree which will allow 
> logging in to get a kerberos ticket and have a different set for
> kerberosIV and kerberosV.  I'd prefer to work with KerberosV but will
> settel for KerberosIV if it is fully functional (I notice that register
> seems to be missing).

I also have a set of patches for krb5 in xdm that I got from somebody, I
think on comp.protocols.kerberos.  I also remember corresponding with
somebody who said he had a set of patches for the X server and xhost.
That would just be the cat's meow, but it seems like there was some major
logistical problem with it.  I *think* the problem was that the patch was
written for krb5-1.0beta6, and the API changed from that release to
krb5-1.0 and its successors.  At the time, I didn't have a copy of the
newer API, so I was in no position to modify the patch for the current
version of krb5, and I couldn't find an old version of krb5 out there


Chris Jones                            
           Mad scientist in training...
"Is this going to be a stand-up programming session, sir, or another bug hunt?"