Kerberos 5 beta 6 can be combined with OSF/DCE by using the DCE security server as the KDC. This allows for single sign-on using the DCE userid and password. You can thus get the best features of both: DCE applications such as DFS, and kerberized clients such as rlogin, telnet or FTP. These kerberized clients can be run on machines with or without DCE, and can be used to establish encrypted terminal sessions. This is very useful when the cell admin needs to log in to a server to do system maintenance work without exposing his password or the root password. DCE 1.2.2 is expected to have some of this capability built in. But if you need it now, it is available.

Kerberos 5 also has the ability to forward tickets during an rlogin connection, for example. These forwarded tickets can be used to establish a DCE context. Thus you can be on a non-DCE client, establish a connection to a DCE client and get your DCE context. Very useful for DFS access. We have developed modifications which will do this automatically during the remote login.

AFS is probably the most widespread Kerberos 4 application in production. We have also developed modifications which will allow you to get a Kerberos 5 ticket from the DCE security server and/or K5 KDC and convert it to an AFS token. This can be done automatically during login as well. Note that this AFS modification does not rely on DCE, and can be used in a Kerberos-only environment. But if you have DCE, it can also be used to get an AFS token from your DCE context. Thus both of these modifications can be combined to get both a DCE context and/or an AFS token from a forwarded ticket. It also works with the Transarc AFS/DFS migration package.

Kerberos 5 beta 6 was released from MIT on 6/6/96, and is much improved over Kerberos 5 beta 5. MIT has been very responsive to our needs and has included in this release many of the features which allow it to interoperate with DCE. This release can be built directly without any modifications to the source and use a DCE security server as the KDC. See their documentation and man pages. This can then be combined with DCE to address the problem of clear-text passwords over the network. But the changes to get a DCE context and/or an AFS token from a forwarded ticket are not included in Kerberos 5 beta 6.

Over the past few years, many of us in the DOE ESnet community (and others) have been active in the Kerberos DCE integration effort. In addition to cross-realm authentication, we have been active in the use of the forwarded ticket to get a DCE context and/or an AFS token. A complete set of changes for these modifications can be found at: ftp://achilles.ctd.anl.gov/pub/kerberos.v5. The README explains what is at the FTP site. Two other files, afs524.notes and anldce.notes, contain comments about the two main sets of changes: AFS tokens, and DCE interactions including changing your DCE password using the unmodified K5b6 kpasswd. If you have visited this ftp site before, you will note the modifications to previous versions of Kerberos have been moved to the "old" directory.

Everything you need to get started is in the pub/kerberos.v5 directory except the base MIT Kerberos 5 beta 6 code. You must get that from MIT at ftp://athena-dist.mit.edu. Basically there is a diff file with all the changes, k56.cdiff.960709, which can be applied with patch to the MIT base. The aklog program (now called /krb5/sbin/ak5log) is in ak5log.960708.tar along with the k5afslogin program. Previously you needed to get both the tar file and a diff file. The k5dce.960708.tar contains the k5dcelogin program. This was redesigned to match the specifications as defined in OSF RFC 92.0, so it can be easily replaced in the future.

A special note is needed for those using the AIX 4.1.4 system. As shipped from IBM, the libdce.a does not have all the external symbols exported for use as a shared library. IBM negatively responded to our suggestion that these additional entry points be exported. To "fix" the problem, there is a fix.aix.libdce.mk makefile included with the k5dce source. Transarc, on the other hand, responded positively when asked how to determine the obfuscated names of these same entry points in their products. There were no problems with the HP code either, as these entry points were already exported.

I have built this on AIX 4.1.4, HPUX 10.10, Solaris 2.4, SunOS 4.1.3, SGI 5.3 and Windows 3.1, and have used HPUX, Transarc 1.0.3a, and Transarc 1.1 DCE security servers as the KDCs.

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F
