Kerberos

This is in response to notes from Derrick J. Brasher and Hope
Goering.

I have made changes to the MIT version of Kerberos V4 to try both
string_to_key functions in all the user commands. This is similar
to the code in klog which will try both of them as well.

We are using the Kaserver as the KDC.

We are using the MIT kpasswd command, which tries both
string_to_key functions when testing the old password, but uses
the MIT string_to_key for the new key.

Kpasswd then contacts an MIT kadmind running on the AFS server.
This version of kadmind has a dummy database, and when it
receives a change request, will fork and exec a "kas setkey"
command to store the new key in the Kaserver database.

This combination of using Kaserver with new passwords being
stored using the MIT string_to_key allows us to use unmodified
Kerberos clients on other machines, including their kpasswd.

We are starting to use PC/TCP from FTP Software on PCs with
Windows version 2.2 and are pleased with it. (You need to do a
"SET TZ=CST6CDT" or whatever in the AUTOEXEC.BAT which is not
documented.) We also have a version of OCSG for the Mac and PC.
(We have not gotten the PC version working yet, but have not
spent much time on it either since it requires an off brand
network package.)

We also have Multinet running on a VMS system which accepts
kerberized rlogins.

And to complete the picture, we are using the MIT versions of the
rcommands rather than the AFS versions, although the AFS versions
should work.

Old AFS users whose keys were generated using AFS string_to_key
need to change their password once using the modified kpasswd.
After that they can use any Kerberos clients on any machines.

If you are interested in these modifications, drop me a note.

           Douglas E. Engert
           Systems Programming
           Argonne National Laboratory
           9700 South Cass Avenue
           Argonne, Illinois  60439
           (708) 252-5444

           Internet: [EMAIL PROTECTED]

P.S. There are two other approaches to solving the incompatibility
problems between AFS Kerberos and MIT Kerberos.

 (1) Get Transarc to finish the job, and change their kpassword
     and other commands to try both string to keys,
     accept kadmin cpw requests, and to give
     an option as to which version of string_to_key would be
     used when storing a password.

 (2) Get the other vendors to try both string to key functions
     in their products. This does not solve the kpasswd problem,
     since you would still need a kadmind to interface
