> We're trying to set up a simplistic pop3 mail server that makes
> a call to the AFS kaserver to verify a user and their password
> instead of checking the local password file. We potentially
> have multiple pop3 clients to take care of and thus can't customize
> at the pop3 client end.

I know we have a pop3 server around somewhere that does this sort of
thing. We run a standard MIT kerberos server, so this doesn't use
the AFS code at all.

> Thus far I've tried Kerberos V4 working with the 'kinit' command
> for testing things out. The kinit command will talk to the
> AFS kaserver just fine in terms of exchanging info, but is
> unable to decrypt the returned key properly (I speculate). I've
> not been able to find a simple hack to the kerberos code to
> resolve the string_to_key function differences.

That's not surprising; MIT kinit knows only the MIT string-to-key, and
the Transarc kpasswd only knows the Andrew one.

> 1) A hack to Kerberos V.4 for the right string to key conversion. I
> don't want to run a kerberos server process either. Just pop client->
> AFS kaserver.

We've made changes on this order to our kerberos distribution. Anything
linked against the new libraries will understand multiple S2K functions,
and try them in order. There are three files that are changed:

  lib/des/string_to_key.c
  lib/krb/g_in_tkt.c
  lib/krb/g_pw_in_tkt.c

Look in /afs/cs.cmu.edu/misc/kerberos/src/kerberos/src/src; as far as I
know, the Andrew string-to-key function there is freely redistributable
(someone please correct me if this is not the case).

> 2) Some other transarc call that can take care of the work without
> the client code being present.

I'm not entirely sure what you mean by "client code". For example, you
could have your pop3 server talk to the kaserver to verify the key;
that would require that the pop3 server be linked against a variety of
AFS libraries, but would not require that you run a cache manager or
even have the kernel module loaded. To do this, you would do something
like this:

  1) Get password over link
  2) Call ka_Init to initialize
  3) Call ka_StringToKey to turn the password into a key
  4) Call ka_AuthServerConn to get a connection to the kaserver
  5) Call ka_Authenticate to attempt authentication

Alternately, you might be able to do something useful with kas gettickets.
Either of these approaches would require you to have some semblance of
a config directory (in particular, a CellServDB and a ThisCell file),
but shouldn't require afsd or the kernel module.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Systems Programmer, CMU SCS Research Facility
Please send requests and problem reports to [EMAIL PROTECTED]
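
A preflight check for the minimal config directory mentioned above, as an added example that is not part of the original message: it reads ThisCell and lists the database servers that CellServDB gives for that cell, so a pop3 server can refuse to start when either file is missing or inconsistent. The function names, exit codes, cell names and addresses are constructed for illustration; the assumed file layout is a `>cellname #comment` header followed by `address #hostname` lines.

```shell
#!/bin/sh
# Added example (not from the original message).
# afs_cell_servers DIR: print the database-server addresses that
# DIR/CellServDB lists for the cell named in DIR/ThisCell.
# Exit status (constructed for this example):
#   0 ok, 1 file missing/unreadable, 2 ThisCell empty,
#   3 cell not found in CellServDB or no servers listed for it
afs_cell_servers() {
    confdir=$1
    [ -r "$confdir/ThisCell" ] && [ -r "$confdir/CellServDB" ] || return 1
    # ThisCell holds the local cell name on its first line.
    cell=$(head -n 1 "$confdir/ThisCell" | tr -d ' \t\r')
    [ -n "$cell" ] || return 2
    # ">cellname  #comment" opens an entry; the lines after it, up to the
    # next ">" line, are "address  #hostname" for that cell.
    awk -v cell="$cell" '
        /^>/ { name = substr($1, 2); sub(/#.*/, "", name)
               in_cell = (name == cell); if (in_cell) found = 1; next }
        in_cell && NF > 0 && $1 !~ /^#/ { print $1; n++ }
        END { if (found && n > 0) exit 0; exit 3 }
    ' "$confdir/CellServDB"
}

# Constructed sample files: hypothetical cells, documentation addresses.
write_sample_conf() {
    mkdir -p "$1"
    echo "example.edu" > "$1/ThisCell"
    cat > "$1/CellServDB" <<'EOF'
>other.example.org      #Some other cell
192.0.2.10              #db1.other.example.org
>example.edu            #Example University
198.51.100.1            #afsdb1.example.edu
198.51.100.2            #afsdb2.example.edu
EOF
}

demo=$(mktemp -d)
write_sample_conf "$demo"
afs_cell_servers "$demo"    # prints 198.51.100.1 and 198.51.100.2
rm -rf "$demo"
```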