Hello!
Over a month ago I asked a question regarding using Kerberos V as the
authentication mechanism for the system daemons via an SIA layer. The
original question is included after my sig.
First, my apologies for the delay in responding! I received a number of
very excellent responses, and I'm happy to say that the Kerberos / SIA
situation is not nearly as bleeding edge as I had feared. Respondents
included:
Love <lha_at_e.kth.se>
Mohan <mkannapa_at_ford.com>
Jim Williams <jim.williams_at_alaska.edu>
Keith Piepho <kap_at_uakron.edu>
David Lindner <lindner_at_zk3.dec.com>
Jim and Keith are also both very interested in pursuing the same approach,
and Keith even suggested that if my search didn't turn up anything he and
I could develop the solution collaboratively ourselves.
Mohan pointed out that the Compaq DCE product has the necessary components
to do Kerberos V authentication, possibly even without the need to set up
a DCE cell. This may be the preferable way for many sites to go, especially
if you think DCE may be part of your future anyway.
Love sent me the first response, and even if that had been the only response,
the news would have been good. It turns out that there is a very complete
SIA module (including a matrix.conf!) that's included with "Heimdal", a
"less-encumbered" Kerberos V clone being developed overseas. I've been
on the Kerberos Developers list for months and hadn't even heard of Heimdal,
so Love's email was very good news. You can ftp Heimdal from
ftp://ftp.pdc.kth.se/pub/heimdal/src/
I've downloaded it, and although Heimdal isn't as mature as Kerberos V, I've
been impressed with the parts I've looked at, including the SIA bits. It
looks like one could probably pull the SIA parts of Heimdal out and build
them (by hand) against Kerberos 1.0.6. I haven't tried this yet, and
the recent release of Kerberos 1.1 may have changed APIs enough so that some
additional work would be needed to build against that, but I intend to
investigate this option as time permits.
The most intriguing response came from David Lindner of Compaq. A very kind
coworker of his forwarded my initial question to him, and he emailed me
right away to let me know that he had Kerberos SIA code that he had developed
as part of a project that he would be willing to share. Even more intriguing
was the fact that his code also has hooks into LDAP, which is something we've
been doing too -- hooking Kerberos and LDAP together for various components
of the user information/authentication puzzle.
He's not currently able to share the LDAP components of the code, so using
this solution would require filling in some stub sections that he removed.
He also can't officially support the code, but he's stated multiple times that
if I find a bug in his code he wants to hear about it so he can fix it.
That's better than "official support" any day, IMHO. ;-)
Best of all, he's OpenSource-friendly! He indicated that if there's
enough interest in the Kerberos components of what he's done, he would
investigate what kind of red tape he would have to deal with to get the
code released under a more public license.
If you're interested in getting access to the Kerberos components he released
to me, get in touch with him at the email address listed above. He's
interested in finding out how many people would be interested in the code he
developed. If it's popular enough, he may pursue the OpenSource route.
Because we're already using Kerberos & LDAP on our Linux hosts, David's
Kerberos + LDAP hooks + SIA would be our best bet, and that's what I'll
be investigating. The Heimdal SIA code is probably a better bet for most
sites that are doing Kerberos but not LDAP, and the code is useful SIA
example code if nothing else.
My thanks to all the respondents, especially David!
Tim
--
Tim Mooney mooney_at_dogbert.cc.ndsu.NoDak.edu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J1, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Original question:
Hello!
We've been using Kerberos V 1.0.5 (and now 1.0.6) in a heterogeneous Unix
environment for more than a year. We've enabled Kerberized services (kshd,
klogind, K5 telnetd, etc) in addition to the standard system services, so
currently people can authenticate via K5 and then connect to the kerberized
version of a particular service *or* they can connect to the standard version
of a service (telnetd, for example) and authenticate via the SIA mechanism
in place (C2 security).
What I would like to add is the ability for someone to connect to a standard
system service (like telnetd) and have telnetd check their password against
the K5 database instead of (or even better, "in preference to") some
local method. I have similar functionality working on some of our Solaris
boxes using a Krb5 PAM module available on the net. Now I need the SIA
equivalent of that for Tru64 Unix (for 4.0f and soon 5.0).
Has anyone else already done the legwork and developed such a beast, that
they would be willing to share? If such a thing doesn't already exist I'm
willing to invent it myself, but it might then be helpful to have some
additional documentation/examples to supplement the information in the
"Security" guide for Digital Unix (I have the "Security" guide from March of
1996, i.e. the early 4.0 days). Anyone have some good examples of SIA
code that they would be willing to share?
Thanks,
Tim
Received on Tue Oct 19 1999 - 04:22:07 NZDT