Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!decwrl!shelby!abyss.MIT.EDU!bbrown
From: bbrown@abyss.MIT.EDU
Newsgroups: comp.protocols.kerberos
Subject: Re: So much for kerberos in Ultrix 4.0 (outside the USA)
Message-ID: <9010081918.AA27743@abyss.zk3.dec.com>
Date: 8 Oct 90 19:18:03 GMT
References: <1322@surf.sics.bu.oz>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 53

In article <1322@surf.sics.bu.oz>, eay@surf.sics.bu.oz (Eric the Young (me)) writes:
>(For those that don't know, DEC claimed that kerberos with full encryption
>(in binary form only) was being sent with all versions with ultrix 4,

Hi,

I am the engineer who, as you put it, fiddled with the kerberos libraries. In the future you should first get all of your facts straight before loudly and publicly complaining about the product. After you understand what you have you may not be as upset.

In order to ship the kerberos libraries overseas, any ability that the MIT kerberos libraries had to serve as a general purpose encryption facility was stripped. A general purpose encryption facility is anything which allows the user to encrypt text of his/her choosing and decrypt the same. This means, for example, that the krb_mk_priv and krb_rd_priv routines were not included in the Ultrix version of libkrb.d.

This does not mean that the libraries do not perform DES encryption and decryption. They do DES encrypt and decrypt data, but only data which is chosen by the libraries in order to allow for the authentication of a principal A to a principal B. So, an application built with the ULTRIX kerberos libraries supports the same on the wire protocol as an application built with the U.S. distribution of the MIT Athena Kerberos V4 libraries.

This is the most functionality from the kerberos libraries you could possibly hope for from any vendor shipping product from the U.S. given the current export laws. DEC is the first and only vendor who supplies it.

Yes, kerberos was not integrated into login and the "r*" commands in ULTRIX 4.0. If you need this sort of functionality immediately you can build it using the tools you already have, an ULTRIX source license, the ULTRIX 4.0 libraries, and the International distribution of MIT Athena Kerberos 4.0 source code. Add the MIT Kerberos changes to the "r*" commands to the ULTRIX source, making sure that any use made of the libraries would not allow the user of the "r*" tools to use the libraries to encrypt or decrypt data of his/her choosing. This implies that, for example, the MIT's rlogin program must be stripped of its ability to provide an encrypted session. Compile the new code with the ULTRIX libraries. If any routines or options are missing from the libraries then you have not completely stripped the "r*" commands of their ability to encrypt generic data.

Once you get the package to work correctly you will have a set of binaries that could be run at MIT and would successfully interoperate with the rest of the Athena environment.

Bill Brown

p.s. Just so you don't feel discriminated against, you should know that there is no U.S. specific distribution of ULTRIX kerberos. Nobody gets the source code, nobody gets to use the libraries as a general encryption service. Since we have no internal method to ship a different kit to the U.S., we opted to eliminate the possibility of sending the fully functioning libraries to the U.S. in order to provide authentication abilities to our overseas customers. Your business is very important to DEC.