> I am trying to get Merit RADIUS to work with AFS Kerberos. The RADIUS
> distribution includes a file named afs_stringtokey.c which includes an
> empty function afs_passwd_to_key(). The file has a comment:
>
> /* Replace this file with the real file from the licensed source. */
>
> How can I get a copy of just this file/function? Is it publicly available?
> If not, who should I contact about it? Do I need to purchase an AFS source
> license?

Hmm... Implement it yourself, or call the appropriate AFS library
function. The function to call is ka_StringToKey, which takes 3
arguments: the input string, the cell name, and a pointer to
the place to put the key (i.e. a des_cblock). Yes, the cell name
is a parameter to the key-generation function.

The algorithm is as follows:

First, convert the cell name to the corresponding Kerberos realm, and
that to lowercase. This operation typically consists of downcasing
the cell name, if it's not lowercase already (which it should be).
The remaining operations depend on the length of the password.

If the password is 8 CHARACTERS OR LESS...

1) XOR the password with the first N bytes of the cell name. If the
   cell name is shorter than the password, pad the cell name on the
   end with 0 bytes. If the resulting string is shorter than 8
   characters (i.e. the password was shorter than 8), add enough
   'X's on the right to make it 8 characters.
2) Encrypt the string generated in step 1 using the UNIX crypt(3)
   function (part of libc), using a salt of "p1". Beware if your
   crypt(3) is not the standard UNIX one.
3) Construct a DES key from the first 8 characters returned by
   crypt. Shift each byte left one bit, so that all bits are
   preserved. Call des_fixup_key_parity() to compute the parity
   bits.

If the password is LONGER THAN 8 CHARACTERS...

1) Concatenate the password and cell name. If the result is longer
   than 1024 characters, chop off whatever's at the end.
2) Compute a checksum on the string generated in step 1 using
   des_cbc_cksum, with the word "kerberos" as the initial vector,
   and a key computed by calling des_fixup_key_parity on the word
   "kerberos".
3) Compute a checksum on the password ONLY, using des_cbc_cksum.
   Use the checksum generated in step 2 as the initial vector, and
   a key computed by calling des_fixup_key_parity on the checksum
   generated in step 2.
4) Call des_fixup_key_parity on the checksum generated in step 3
   to get the user's DES key.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Systems Programmer, CMU SCS Research Facility
Please send requests and problem reports to [EMAIL PROTECTED]
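
The steps above that need no crypt(3) or DES call, as an added C example (not code from the message, the AFS source or Merit RADIUS): the short-path XOR and padding, the shift-and-parity step, and the parity fixup applied to "kerberos". It follows the steps as worded in the message; the function names are made up here, and crypt(3) and des_cbc_cksum are left to the system libraries.

```c
#include <stdio.h>
#include <string.h>

/* Set the low bit of each byte so the byte has odd parity (the job the
 * message assigns to des_fixup_key_parity). Returns key for convenience. */
unsigned char *fixup_key_parity(unsigned char key[8])
{
    for (int i = 0; i < 8; i++) {
        int ones = 0;
        for (int bit = 1; bit < 8; bit++)
            ones += (key[i] >> bit) & 1;
        key[i] = (unsigned char)((key[i] & 0xFE) | ((ones & 1) ? 0 : 1));
    }
    return key;
}

/* Short path, step 1 as worded in the message: XOR the password with the
 * cell name (zero-padded if shorter), then pad with 'X' to 8 bytes.
 * Returns -1 if the password is longer than 8, else the number of bytes
 * crypt(3) would read: under 8 when the XOR of equal bytes yields a NUL. */
int afs_short_prep(const char *password, const char *cell, unsigned char out[9])
{
    size_t plen = strlen(password), clen = strlen(cell);
    if (plen > 8) return -1;
    for (size_t i = 0; i < 8; i++) {
        unsigned char c = (i < clen) ? (unsigned char)cell[i] : 0;
        out[i] = (i < plen) ? (unsigned char)((unsigned char)password[i] ^ c) : 'X';
    }
    out[8] = '\0';
    return (int)strlen((const char *)out);
}

/* Short path, step 3: shift the 8 characters taken from crypt's output left
 * one bit (7-bit ASCII, so nothing is lost), then fill in the parity bits. */
void key_from_crypt_chars(const char chars[8], unsigned char key[8])
{
    for (int i = 0; i < 8; i++)
        key[i] = (unsigned char)((unsigned char)chars[i] << 1);
    fixup_key_parity(key);
}

int main(void)
{
    unsigned char k[9] = "kerberos";   /* key material, long path step 2 */
    fixup_key_parity(k);
    for (int i = 0; i < 8; i++) printf("%02x", k[i]);
    putchar('\n');
    return 0;
}
```

Compare the result against ka_StringToKey for the same password and cell before relying on it, in particular for inputs where afs_short_prep returns less than 8.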