Xref: utzoo comp.protocols.kerberos:459 comp.unix.ultrix:4831 Path: utzoo!attcan!uunet!samsung!munnari.oz.au!brolga!bunyip.cc.uq.oz.au!lance!surf!eay From: eay@surf.bu.oz.au (Eric the Young) Newsgroups: comp.protocols.kerberos,comp.unix.ultrix Subject: Re: So much for kerberos in Ultrix 4.0 (outside the USA)y Keywords: kerberos des Message-ID: <1990Oct8.105825@surf.bu.oz.au> Date: 8 Oct 90 00:58:25 GMT References: <1322@surf.sics.bu.oz> Sender: eay@surf.sics.bu.oz Reply-To: eay@surf.bu.oz.au (Eric the Young) Organization: SICS, Bond University, Australia. Lines: 61 In article <1322@surf.sics.bu.oz>, eay@surf.sics.bu.oz (Eric the Young (me)) wri tes: >(For those that don't know, DEC claimed that kerberos with full encryption >(in binary form only) was being sent will all versions with ultrix 4, This statement (as was most of the article) was harsh on Digital and I should not have written it. I apologize for any discredit I may have brought on Digital's name. I fully appreciate the efforts Digital have made in trying to export a complete working version of kerberos (with des) and that the restrictions are due to U.S. export controls. (And it is those export controls that I am frustrated with not Digital). My reason for posting was caused by my misunderstanding of the definitions of object code. I am a system programmer and my interest in kerberos is writing applications that can use kerberos authentication. I have been using Bones (kerberos without the libdes.a routines) and when I hear the word kerberos I think of authenticated logins etc. Kerberos is an authentication system, so the use of the kerberos in user applications is (IMHO) a major part of kerberos. When I found that the kerberos package in the export version of Ultrix could not be used to develop new applications _I_ felt that an integral part of the kerberos package was missing. The kerberos (or Bones) package as distributed by MIT provides the kerberos server, development libraries and some application programs. From what I have seen so far, the export Ultrix version provides the server, development libraries (minus des encryption) and some applications (I am not sure which ones, but not rlogin). Since kerberos is an authentication system, I fell that leaving out some parts of the library (so that is is not usable), does not conform with my personal image of what kerberos is. It appears that all I have to do is write my own versions of des (which I have done), but how can I be sure it will be compatible with the (non export) Ultrix version. The way kerberos operates would make it possible for me, in Australia to login to MIT (when I am IP connected) with kerberos authentication, but only if my des routines were exactly the same as MIT's. I find it so annoying that when there are several different versions of libdes.a available outside the US, that the US is IP connected to the rest of the world (Oh, look what we have here, the kerberos distribution, lets just ftp it back to Australia/Finland/Eastern Europe, or lets just have some-one email it to me). I have modified Bones so that it now uses encryption but I will never be able to say the libraries are a replacement for MIT's until I can test them against a working USA version. It was my hope that the Ultrix version would let me test my routines and then be able to say my version would let people with kerberos on ultrix machines authenticate with people with my version of kerberos. eric None of the above is a reflection of the opinion or of the policies of Bond University, it is just the grumbling of an annoyed system programmer (me) -- Eric Young System Programmer, SICS Bond Uni. ACSnet: eay@surf.sics.bu.oz.au