Subject: Re: US crypto export resctrictions 'unconstitutional'
To: Andrew Gillham <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: current-users
Date: 05/07/1999 15:28:08
In message <>,
Andrew Gillham writes:

>Perry E. Metzger writes:
>> 2) Domestic is worthless anyway. Who wants 1DES based Kerb IV anyway?
>> Perry
>So why is this "broken" implementation still in the tree then?  

Our intree krb4 works well with both AFS and MIT v4 KDCs, Since krb5
has v4 backward compatiblity) it works with krb , our krb4 also
interoperates with krb5.

That means its's not worthless, far from it. It is very useful to
people in Kerberos-based environments.  (which, note well, includes
most AFS installations.) Until we have a suitable (krb5) replacement
it should stay in the tree.

>claims to be "supported", but doesn't appear to work except with a
>couple clients.  

We only have one real client in the tree, AFAIK: telnet.  The
kerberised rsh/rlogin clients were removed for reasons I didnt
understand and which sounded more religious than technical.
Tho' to be completely fair, they may have some real grounds in setuid
arguments. Even so, that should be left up to the discretion of the
individual site.

>The kerberos samples in inetd.conf show '-k' options to both rshd and
>rlogind that don't exist, and I haven't been able to get telnetd to
>do anything with kerberos.

As I said, we dont have kerberos-aware rsh or rlogin.  Telnet works
perfectly for me, and has done for years.  Are you sure you installed
the krb-aware version of all of the requisite `non-exportable'
libraries (libtelnet, libcrypt) and (on a.out) reran ldconfig?
Are you sure you have the local srvtab set up properly?

>All in all, it seems like it doesn't work, and I haven't heard anyone
>refuting the claims that it is "worthless."  

Its not worthless.  Far from it.  Perry is just having some temporary
difficultly distinguishing *his* security needs from the security
needs of our entire user base.

>Is anyone working on Kerberos 5 packages?

There is work being done on `integrating' krb5, yes.
I'll leave it for them to answer.