Internet Security Professional Reference: Kerberos


Transarc Kerberos

A second distribution of Kerberos version 4 is available as a commercial product from Transarc. Years ago, the designers of AFS decided to implement their own security system based on the Kerberos specification rather than using MIT Kerberos version 4, which at that time was not publicly available. Consequently, Transarc's AFS Kerberos speaks a slightly different protocol but also understands the MIT Kerberos version 4 protocol. The two can, in principle, talk to each other; enough annoying incompatible details remain, however, to make this impractical.

DEC Ultrix Kerberos

A third distribution of Kerberos version 4 is available from Digital Equipment Corporation. Aside from a few changes, DEC’s commercial version essentially matches MIT Kerberos version 4.

Versions of Kerberos Version 5

Version 5 of Kerberos is the most recent version. Changes in the protocol have solved a number of security problems from version 4.

MIT Kerberos Version 5

MIT Kerberos version 5 is freely available from the same site as MIT version 4, via anonymous FTP from athena-dist.mit.edu (18.71.0.38).

OSF DCE Security

The Open Software Foundation (OSF) has defined a Distributed Computing Environment (DCE) whose security service is based on Kerberos version 5 and uses the same wire protocol. However, applications built on the two systems use the protocol in different ways, so actual interoperability between Kerberos and DCE is limited. Because DCE is defined as an open standard, it is up to manufacturers to provide products that fit into that standard. More and more manufacturers are providing DCE-compliant products, and it is now possible to assemble a complete DCE-compliant security environment by selecting DCE-compliant vendors.

Bones

Kerberos is a network security system that relies on cryptographic methods for its security. Because Kerberos' encryption system, DES, cannot be exported, Kerberos itself cannot be exported or used outside the United States and Canada in its original form. Bones is a system that provides the Kerberos API without using encryption and without providing any form of security. It is a fake that enables the use of software expecting Kerberos to be present in environments where the real Kerberos cannot be.


Note:  There is no question about the legality of transporting Bones source code across national boundaries: it contains neither encryption routines nor calls to encryption routines.

You can obtain a working copy of Bones through anonymous FTP from ftp.funet.fi (128.214.6.100) in pub/unix/security/kerberos. A DES library is available at the same location.

SESAME

SESAME is an initiative of the European Community to produce a product compatible with Kerberos version 5. SESAME-compatible systems are accessible through Kerberos and vice versa. SESAME uses DES software developed outside North America, so it is not subject to U.S. export restrictions. Information on SESAME is available from http://www.esat.kuleuven.ac.be/cosic/sesame3.html.

Selecting a Vendor

The following vendors currently have Kerberos offerings:

CyberSAFE
Cygnus Support
Digital Equipment Corporation
Emulex Network Systems
OpenVision Technologies, Inc.
TGV, Inc.

When looking for a vendor, you need to consider more than just the software offerings. Because Kerberos installations tend to require a considerable amount of customization, you should also evaluate the consulting support available. In a typical Kerberos installation, you can expect to run into compatibility problems with the underlying operating systems of the servers, and possibly with the applications you want to protect. A good consultant with experience installing Kerberos can greatly improve your chance of completing the project on time and within budget.

Vendor Interoperability Issues

Not all vendors have implemented Kerberos in the same manner. The result is that products from different vendors do not always talk to each other. This is less of a problem with version 5 than version 4, but it remains an issue of concern for any organization considering a Kerberos installation.

DEC ULTRIX Kerberos

DEC ULTRIX contains Kerberos for a single reason, namely, to provide authenticated name service for the ULTRIX enhanced security option. It does not support Kerberos user-level authentication.

DEC's version essentially is the same as, and is derived from, MIT Kerberos version 4, except for a few changes. The most significant change is that the capability to perform any kind of end-to-end user data encryption has been eliminated to comply with export restrictions. Minor changes include the placement of ticket files (/var/dss/kerberos/tkt versus /tmp) and the principal names used by some standard Kerberos services (for example, kprop versus rcmd). Some other minor changes probably have been made as well.

Although you can use DEC ULTRIX Kerberos in the normal way, there is no reason to do so, because the MIT distribution supports ULTRIX directly.

Transarc’s Kerberos

Transarc's Kerberos uses a different string-to-key function (the algorithm that turns a password into a DES key) than MIT Kerberos does. The AFS version folds the realm name into the computation, whereas the MIT version does not, so the same password produces a different key under each implementation. A program that uses a password to acquire a ticket (for example, kinit or login) therefore works with only one version unless it is modified to try both string-to-key algorithms.

Transarc also uses a different method of finding Kerberos servers. MIT Kerberos uses krb.conf and krb.realms to map hostnames to realms and realms to Kerberos servers. The AFS Kerberos servers for a realm run on the AFS database servers, which clients locate through /usr/vice/etc/CellServDB. A program built with the MIT Kerberos libraries therefore looks in one place for this information, and a program built with the AFS Kerberos libraries looks in another. You can set up all three files and use both libraries, but be sure that the files agree with one another.
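The three files have to describe the same set of servers. As an added illustration, not code from the book or from MIT or Transarc, the following Python script parses constructed samples of krb.conf, krb.realms and CellServDB (the realm, cell, hostnames and addresses in them are invented) and reports where the MIT and AFS views of a realm disagree. The host-to-realm lookup follows the MIT version 4 rule: an exact hostname entry first, then a matching ".domain" entry, and otherwise the host's domain upper-cased.

```python
"""Cross-check MIT Kerberos v4 krb.conf / krb.realms against an AFS CellServDB.
Added example; not code from the book, MIT or Transarc. All names and
addresses below are invented (hypothetical realm EXAMPLE.COM, cell example.com)."""

# Constructed sample krb.conf: local realm, then '<REALM> <host> [admin server]'.
KRB_CONF = """\
EXAMPLE.COM
EXAMPLE.COM kdc1.example.com admin server
EXAMPLE.COM kdc2.example.com
"""
# Constructed sample krb.realms: '<host or .domain> <REALM>'.
KRB_REALMS = """\
.example.com EXAMPLE.COM
kdc1.example.com EXAMPLE.COM
"""
# Constructed CellServDB that disagrees with krb.conf: it names a database
# server (afsdb3) unknown to krb.conf and omits kdc2.
CELLSERVDB = """\
>example.com            #Example Corp cell
192.0.2.10              #kdc1.example.com
192.0.2.11              #afsdb3.example.com
"""
# Constructed CellServDB that agrees with krb.conf.
CELLSERVDB_FIXED = """\
>example.com            #Example Corp cell
192.0.2.10              #kdc1.example.com
192.0.2.12              #kdc2.example.com
"""


def parse_krb_conf(text):
    """Return (local_realm, {realm: [server hosts]}) from krb.conf text."""
    local, servers = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if local is None:          # first non-blank line is the local realm
            local = fields[0]
        elif len(fields) >= 2:
            servers.setdefault(fields[0], []).append(fields[1].lower())
    return local, servers


def parse_krb_realms(text):
    """Return {hostname-or-.domain: realm} from krb.realms text."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            mapping[fields[0].lower()] = fields[1]
    return mapping


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname)]}; '>cell #comment' opens a cell and the
    following '<ip> #<hostname>' lines are its database servers."""
    cells, cell = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(">"):
            cell = line[1:].split("#", 1)[0].strip().lower()
            cells[cell] = []
        elif cell is not None:
            ip, _, comment = line.partition("#")
            cells[cell].append((ip.strip(), comment.strip().lower()))
    return cells


def realm_of_host(host, krb_realms):
    """MIT v4 rule: exact host entry, then '.domain' entries from the most
    specific down, else the host's domain upper-cased."""
    host = host.lower()
    if host in krb_realms:
        return krb_realms[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in krb_realms:
            return krb_realms[domain]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def check_consistency(krb_conf, krb_realms, cellservdb):
    """Return a list of discrepancies; an empty list means the files agree."""
    local, servers = parse_krb_conf(krb_conf)
    realms = parse_krb_realms(krb_realms)
    problems = []
    if local not in servers:
        problems.append(f"local realm {local} has no server lines in krb.conf")
    for cell, dbservers in parse_cellservdb(cellservdb).items():
        realm = cell.upper()   # AFS convention: realm name is the cell name upper-cased
        if realm not in servers:
            problems.append(f"cell {cell}: realm {realm} missing from krb.conf")
            continue
        afs_hosts, mit_hosts = {h for _, h in dbservers}, set(servers[realm])
        for h in sorted(afs_hosts - mit_hosts):
            problems.append(f"{realm}: AFS database server {h} is not a krb.conf server")
        for h in sorted(mit_hosts - afs_hosts):
            problems.append(f"{realm}: krb.conf server {h} is not an AFS database server")
    for realm, hosts in servers.items():   # every KDC host must map back to its realm
        for h in hosts:
            if realm_of_host(h, realms) != realm:
                problems.append(f"{realm}: krb.realms maps {h} to {realm_of_host(h, realms)}")
    return problems


if __name__ == "__main__":
    for label, db in (("as shipped", CELLSERVDB), ("fixed", CELLSERVDB_FIXED)):
        print(f"CellServDB {label}:")
        for p in check_consistency(KRB_CONF, KRB_REALMS, db) or ["no discrepancies"]:
            print("  " + p)
```

Run against real files by reading /etc/krb.conf, /etc/krb.realms and /usr/vice/etc/CellServDB into the three arguments; a non-empty result means an MIT-built program and an AFS-built program would contact different machines for the same realm, which is exactly the situation the paragraph above warns about.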

The two versions also use different password-changing protocols, so you must use the kpasswd program that matches the server you connect to. In general, AFS clients that talk directly to the kaserver use an Rx-based protocol rather than the plain UDP datagram exchange of MIT Kerberos, so those AFS clients cannot talk to an MIT server.

In summary, AFS Kerberos and MIT Kerberos can interoperate once you have acquired a Ticket Granting Ticket, which you can do with kinit (MIT) or klog (AFS). With a Ticket Granting Ticket, Kerberos applications such as rlogin can talk to either an MIT or an AFS Kerberos server with correct results. It is probably best, however, to pick one implementation and use it exclusively; this reduces the administrative problems.

