Subject: Re: Kerberos help
To: Herb Singleton <hls@uac.com>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: port-mac68k
Date: 09/16/1999 12:09:09
At 8:21 PM -0700 9/8/99, Herb Singleton wrote:
>I've enabled Kerberos in /etc/rc.conf, and have configured krb.conf and
>krb.realms in /etc/kerberos. Following the tutorials in various websites,
>I've created a masterkey, a couple of accounts and I can kinit/kdestroy
>from my NetBSD shell.  I've commented out login and shell in inetd.conf and
>enabled all of the kerberos services. I've also edited telnetd to use the
>-s switch.

I did this a while ago, so let's see now.

I did the obvious in rc.conf.  I used the FAQ for the Swedish kth-krb
implementation as a checklist for what to set up.

I had some problem with kadmind which I never did resolve.  It always died
on startup, so I couldn't use the normal services to change passwords.  Also,
I mostly used it to control access to a Solaris machine with the kth-krb
telnet daemon installed.  I just upgraded NetBSD to 1.4.1 and it doesn't
seem to work anymore.

I was able to get encrypted telnet going with NiftyTelnet 1.1 and
Authentication Manager 1.0.9a to both NetBSD 1.3.2 and Solaris 2.5/kth-krb.

>
>On the Mac side I'm using Nifty Telnet, and Authentication Manager 1.2.0.

Where did you get AM 1.2?

The inetd.conf command in Solaris is "telnetd -a valid" (in.telnetd is the
original daemon; this is the kth-krb version).  The command in NetBSD is
just "telnetd" with no options.  I may have screwed that up in the upgrade,
but I'm not sure.

>When I try to telnet from my Mac to the NetBSD box, Authentication Manager
>prompts me for my Kerberos username and password.  This appears to be
>working correctly; if I input the wrong password or username Authentication
>Manager gives me an error, and the correct values appear to grant a ticket.
>
>At this point, NiftyTelnet appears to establish an unencrypted session (the
>little lock is still open).

You might try playing with some of the options on telnetd based on the man
pages, like -edebug and -a debug.  In fact I might do that too if I can get
some time.  As I said it basically worked before my upgrade.

My impression is that the Kerberos stuff isn't well used.  Obviously you
installed the security tarball.  In order to really make it work you may
need to recompile a lot of NetBSD yourself.  I had some problems which
*might* be fixed that way.  (The login command uses the password in the
/etc/master.passwd file while the passwd command tries to change the
Kerberos password.  Ftpd needs to be recompiled with some special option
before it supports Kerberos . . .)

Were you connected to JPL or Oxy like 20 years ago?  Your name seems familiar.

Signature failed Preliminary Design Review.
Feasibility of a new signature is currently being evaluated.
h.b.hotz@jpl.nasa.gov, or hbhotz@oxy.edu
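
[Added example, not part of Henry's or Herb's mail.]  The difference between
the two inetd.conf lines above ("telnetd -a valid" on Solaris versus a bare
"telnetd" on NetBSD) is the telnetd authentication mode.  Per the BSD
telnetd(8) man page, -a takes none (the default), debug, user, valid or
other; only user and valid make telnetd refuse a client that did not
complete authentication, so a bare "telnetd" entry still accepts an
unauthenticated, and therefore unencrypted, session.  The script below
audits the telnetd entries of an inetd.conf for that mode.  The sample
inetd.conf text is constructed for the example, and the kth-krb install
path /usr/athena/libexec/telnetd is an assumption, not taken from the mail.

```shell
#!/bin/sh
# Added example, not from the mail: audit the telnetd entries of an
# inetd.conf for their -a (authentication) mode.  Per the BSD telnetd(8)
# man page the modes are none (default), debug, user, valid and other;
# only "user" and "valid" refuse a client that did not authenticate, so
# a bare "telnetd" entry, as in the NetBSD line quoted in the mail,
# still accepts an unauthenticated (and hence unencrypted) session.

# Constructed sample, not a real inetd.conf: the NetBSD entry with no
# options, a Solaris/kth-krb style entry with -a valid (the kth-krb
# install path is an assumption), and a non-telnet line to be skipped.
SAMPLE_INETD_CONF='#service type   proto wait   user program                      args
telnet   stream tcp   nowait root /usr/libexec/telnetd         telnetd
#login   stream tcp   nowait root /usr/libexec/rlogind         rlogind
klogin   stream tcp   nowait root /usr/libexec/rlogind         rlogind -k
telnet   stream tcp   nowait root /usr/athena/libexec/telnetd  telnetd -a valid'

# telnetd_authmode LINE: print the argument of -a on an inetd.conf telnetd
# line, or "none" when the option is absent (telnetd's default).
telnetd_authmode() {
    set -- $1                      # fields: service type proto wait user program args...
    mode=none
    if [ $# -ge 6 ]; then
        shift 6                    # drop everything up to the program path
        while [ $# -gt 0 ]; do
            arg=$1; shift
            case "$arg" in
                -a)  mode=${1:-none}; [ $# -gt 0 ] && shift ;;   # "-a valid"
                -a*) mode=${arg#-a} ;;                           # "-avalid"
            esac
        done
    fi
    printf '%s\n' "$mode"
}

# telnetd_requires_auth MODE: succeed when MODE makes telnetd refuse a
# session that did not authenticate ("user" or "valid").
telnetd_requires_auth() {
    case "$1" in
        user|valid) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_telnetd_entries: read inetd.conf text on stdin, print one report
# line per active telnetd entry and return the number of entries that
# accept an unauthenticated session (0 means every entry is strict).
check_telnetd_entries() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;           # blank or commented-out entry
        esac
        set -- $line
        case "${6:-}" in
            *telnetd) ;;                   # program field is telnetd
            *) continue ;;                 # rlogind, ftpd, ... not audited here
        esac
        mode=$(telnetd_authmode "$line")
        if telnetd_requires_auth "$mode"; then
            printf '%-32s -a %-6s OK\n' "$6" "$mode"
        else
            printf '%-32s -a %-6s WEAK: unauthenticated session accepted\n' "$6" "$mode"
            weak=$((weak + 1))
        fi
    done
    return "$weak"
}

# Run the audit over the constructed sample; the bare NetBSD entry is
# the one reported as WEAK, so the count printed is 1.
weak=0
printf '%s\n' "$SAMPLE_INETD_CONF" | check_telnetd_entries || weak=$?
echo "telnetd entries accepting unauthenticated sessions: $weak"
```

To run it against a real machine, replace the sample with
"check_telnetd_entries < /etc/inetd.conf"; a non-zero exit status then
flags the entries worth fixing, and -a user or -a valid is the setting to
add.  Whether the session is then encrypted is a separate question (the
-edebug and -a debug options mentioned above are the place to look), but an
entry that still accepts unauthenticated logins is the first thing to rule
out when the lock in NiftyTelnet stays open.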