Subject: Re: Status of Kerberos IV or 5
To: Ken Hornstein <>
From: Chris Jones <>
List: current-users
Date: 01/22/1998 18:58:09
On Thu, 22 Jan 1998, Ken Hornstein wrote:

[patches to kerberize xhost, Xserver, etc.]

> I _did_ look at this code, because I was mildly curious about this.
> Fixing this code isn't actually impossible ... it might be pretty easy,
> because while the API has changed, it hasn't changed _that_ much
> (all that really needs to be done is a Kerberos context needs to be
> created and added to various function calls at some points).  The
> question is, "is it worth it"?  The big downside to this is that is
> requires mods to both the client libraries and the server, which is
> easy enough when you're running NetBSD everywhere (except for Netscape,
> but hey, that's going to change :-) ), but it's hard if you want to
> display apps from random system X, which is the whole point of having
> authenticated X connections in the first place :-)

I think it would be completely worth it.  I even tried to do the work
myself before I had the API, but it didn't work.  I wouldn't have time to
do it now, though; all I had time for was
/usr/src/usr.bin/login/k5login.c, and that was simple.  :)

About portability:  Can't you just do something like "xhost krb5", to
allow kerberos-authenticated connections, and "xhost" to do
the normal host-based authentication thing?  So, if your site has lots of
kerberized-X machines, you gain some security.  If you have to deal with
non-kerberized X machines, you haven't really lost anything by having krb5
on yours, have you?

> As Johan has pointed out, it doesn't help out on the integrity or
> confidentiality side; it just authenticates at connection time.
> Although I personally think this still has some merit; it raises the
> bar and breaks most of the cracker breakin kits, which IMHO isn't so
> bad :-)



Chris Jones                            
           Mad scientist in training...
"Is this going to be a stand-up programming session, sir, or another bug hunt?"