Hi Troy,
If you are in a position to maintain this that would be super. There are a
number of trivial bugs with the kerberos stuff that need fixing and you can
find these on
www.coda.cs.cmu.edu/bugs.
The requirements for making crypto packages available are not very
complicated, and perhaps you could put them up for ftp and we put a link on
our pages.
Would it be worth to have you write a short section for the HOWTO about how
you got this going?
If I can download the PPC rpms somewhere then we can put those on the web too.
- Peter -
At 07:40 PM 2/7/99 -0600, you wrote:
>I have just successfully gotten Coda 5.0.1 to work with MIT Kerberos5
>1.0.5 (after figureing out the coda server needs a Krb5 host
>key/principal)
>
>I built RPMS of coda and kerberos, and included the Krb5 PAM module to
>allow logins, etc. If anyone wants these, let me know. Q: Can I send an
>rpm spec file outside of the US and not violate export regs?. (If not, I
>could snail-mail a diff or the spec to someone)
>
>I'd like to offer to help with the KrbV and PAM modules, since I would
>find them very usefull. ;)
>
>I also have a couple of feasability questions, now that I have a better
>idea what's going on. How hard would it be to:
>
>1) use Kerberos as the authentication/encryption mechanism all the way
>though Coda? (This might be a way to get around encryption export stuff,
>since krb5 can be gotten from replay.com and there is a free krb4 clone in
>Europe somewhere)
>
>2) make direct use of kerberos principals so that say, anyone with a
>joeuser/admin principal can be a member of the System:Adminstrators group
>while the regular joeuser principal is not. (along these lines, this would
>allow a joeuser/cron or joeuser/daemon principal to get coda tokens for
>cron jobs or such from a kerberos ticket the user has left for that
>purpose, via a ticket with an extremely long lifetime)
>This might also solve the "how do I authenticate the web server" type
>problems. (Correct me if I'm wrong, but could having a host key/principal
>for the webserver machine allow this?)
>
>3)
> a) automatically get coda tokens from kerberos tickets if they exist
> or
> b) use kerberos facilities to replace coda tokens (this sorta goes with
> (1) above)
>
>4) This is more of a kerberos thing, but krb5 has the DES3 code
> modularized, so what would it take to update the krb5 encryption code
> to use something like blowfish and friends?
>
>
>On Sun, 7 Feb 1999, Robert Watson wrote:
>
>[snip]
>> However, I am in the process of finishing up a set of patches and
>> additional source files that add:
>>
>> a) HMAC-MD5-based integrity checking in all verisions of Coda (hash is
>> configurable, and pluggable)
>>
>> b) Support for strong encryption (HMAC,3DES) (US-only) as well as weak but
>> exportable (XOR) and none (none) (exportable). The default state for
>> connections is set as a global policy for the client. New algorithms may
>> easily be added.
>>
>> c) Improved support for KrbIV and KrbV in the environment.
>>
>> I'm also looking at writing PAM modules to support Coda + Kerberos, but
>> because of the heavy-weight nature of the threading/rpc system, my
>> tendency is to move the token-acquisition into a seperate authentication
>> daemon on the client. This would also allow for less-coda-like
>> authentication that some have been looking for during transitions to
>> distributed authentication.
>>
>> So far most of this work is done--encryption/authentication all appear to
>> work quite nicely; I'm working on a new binding currently to replace the
>> requirement for encryption during the binding, as it is used for a key
>> exchange and is as weak as the encryption (and hence the exportable
>> version would suck).
>>
>> I hope to have the new binding ready for testing sometime in the next day
>> or two.
>>
>> Robert N Watson
>>
>> [EMAIL PROTECTED] http://www.watson.org/~robert/
>> PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
>>
>> Carnegie Mellon University http://www.cmu.edu/
>> TIS Labs at Network Associates, Inc. http://www.tis.com/
>> SafePort Network Services http://www.safeport.com/
>>
>>
>
>--------------------------------------------------------------------------
>| Troy Benjegerdes | [EMAIL PROTECTED] | [EMAIL PROTECTED] |
>| Unix is user friendly... You just have to be friendly to it first. |
>| This message composed with 100% free software. http://www.gnu.org |
>--------------------------------------------------------------------------
>
