Krb5 Beta Notes

Notes of the Krb5 beta

Last modified: 19 April, 1995

Testing Binaries:

CNS - The initial testing of the binaries indicates success on some machines and failure on others. The failure mode seen is the inability to get a ticket granting ticket. The error message displayed by CNS is 'Clock skew to great in KDC while loggin in' However the clock appears to match that of the Kerberos servers within 1.5 minutes. This error has occured under Windows and NT. I have not yet tested it under OS/2.

This bug can be fixed by setting the TZ environment variable. CNS should have a menu to set this variable. The DLL should have a resource that sets the default TZ if it has not been set in the environment.

NCSA Telnet - Assume you don't have an account on tsx-11. Try to login. The application will get a service ticket but will not be able to complete the login process. Instead of providing this feedback it will put up a login prompt but will not accept any keyboard input. It appears to the user as if the application has hung except that the menus still function. The only useful choice at this point is to exit.

Configuration:

Tickets are stored in the windows directory in the filename krb5cc. I think this should be configurable. A security hole is presented if the windows directory is on a remote file system.

>> Done, in the version about to be checked in you can set the ccache location via the options dialog.

There should be code to determine if the user is trying to store the tickets on a network drive.

Some configuration information is stored in windowskerberos.ini. If we agree that an ini file is to be used we should have a specification which states what information should be stored in it.

If an ini file is to be used for configuration information there should be a way to configure the location of the information. This will be useful for multiple users of a single machine.

>> Ah, multi-principal ccaches. I believe this is a problem on all platforms. As a work-around hack, what you can do is use the soon-to-be-checked-in cns program to maintain several ccache files, one for each principle. When you run telnet, the principle from the active ccache (as shown by cns) will be the principle used.

What are the configuration issues on the Mac?

Compilation:

The Windows zip file does not compile on NT when using a FAT file system and the 32 bit compiler.

Does it work under NT using NTFS and the 32 bit compiler? No.

Does it work under NT using FAT and the 16 bit complier? No.

Porting:

It appears that Cygnus is developing a single DLL that encompasses the Krb5 and GSS APIs. However there is a IETF draft that is trying to define the DLL interface for the GSS API. We need this work to conform to the draft as close a possible. There needs to be two DLLs.

Deliverables:

Microsoft Windows:

Kerberos client protocol libraries will be provided as a Dynamic Link Library, including the krb5 and gssapi libraries from Unix Kerberos.

A library will provide access to encryption facilities, including the crypto library.

These libraries will use the WinSock 1.1 interface for TCP/IP communications.

A telnet client program will be provided for testing the libraries.

These programs will be compiled by the Microsoft Visual C++ compiler.

A Security Manager application will be provided for user administrative actions such as initial ticket creation, ticket destruction, and change of password.

The libraries will store and manage the Kerberos credentials such that they can be shared by multiple applications.

Cygnus will write a user's manual for Microsoft Windows Kerberos 5, modifications to the API document to describe any Microsoft Windows variations on the interface, and instructions for building Kerberos 5 from sources on Microsoft Windows.

Cygnus will also port Software to the Apple Macintosh computer running MacOS:

Kerberos client protocol libraries will be provided as a driver including the krb5 and gssapi libraries.

A driver interface will provide access to encryption, including the crypto library.

These libraries will use MacTCP 2.0 (or later) facilities for TCP/IP communications.

A telnet client program will be provided for testing the libraries.

These programs will compile with both MPW and Think C 6.0 compilers; both compilers will be required.

A Security Manager control panel will be provided for user administrative actions such as initial ticket creation, ticket destruction, and change of password.

The driver will store and manage the Kerberos credentials such that they can be shared by multiple applications.

Cygnus will write a user's manual for Macintosh Kerberos 5, modifications to the API document to describe any Macintosh variations on the interface, and instructions for building Kerberos 5 from sources on MacOS.

acceptance criteria:

The Kerberos and GSSAPI libraries must conform to the relevant

RFC's:

RFC-1510 (The Kerberos Network Authentication Service (V5))

RFC-1508 (Generic Security Service Application Program Interface)

RFC-1509 (Generic Security Service API: C Bindings)

customer acknowledges that the current UNIX implementation of the Software which will be provided to cygnus does not fully conform with RFC-1510. customer will continue to work to bring the UNIX version into conformance. cygnus agrees to deliver to customer a PC/MS-Windows version and Macintosh version of the Software which conforms to RFC-1510 to the same extent, at least, as the then-current UNIX version.

The Kerberos and GSSAPI libraries must interoperate with the Kerberos V5 implementation then current at customer:

The Kerberos libraries will be tested by using the V5 telnet client supplied by cygnus. The Windows or Macintosh client must be able to successfully authenticate to a Unix telnet server, as supplied by customer in its Kerberos V5 distribution.

The GSSAPI libraries will be tested by using the ``gss-sample'' application, as supplied by customer in its Kerberos V5 distribution. cygnus will supply a test client for Windows or the Macintosh, which must successfully be able to authenticate to a Unix gss-sample server.

The ``Security Manager'' application must be demonstrated to be able to correctly obtain tickets, destroy tickets, and change a user's password.

The parties agree that the software as provided by customer does not currently provide a robust protocol for changing users' passwords, and agree that the criterion will be that the MS-Windows and Macintosh software uses the same protocol as the then-current UNIX version. If the then-current UNIX software does not support changing users' passwords, the MS-Windows and Macintosh software will not be required to do so.

The Software shall run under the following Operating Systems and networking environments:

Windows -- version 3.1,

using the following networking stacks: NetManage, and Novell's LAN Workplace for DOS.

Windows for Workgroups -- version 3.11, using the FTP-able Microsoft WinSock implementation.

68K Macintosh -- System 7.0.1, System 7.1, and System 7.5, using MacTCP 2.0.4 and 2.0.6.

Power Macintosh -- System 7.5 (using the included TCP/IP)

The parties agree that in the Beta deliverable, acceptable documentation may be incomplete and need not be professionally formatted.

Windows/Macintosh Kerberos Planning/timeline

March 28th --- Windows Beta from Cygnus was delivered

April 28th --- Windows Beta acceptance deadline

June 1st --- Windows final delivery

WINDOWS

=======To Do List==========

1. Do/coordinate acceptance test for Windows beta (pbh/tytso)

-- underway

2. Do/coordinate final acceptance test (pbh/tytso)

-- someone needs to try compiling the source release (done, pbh)

3. Port to Windows NT (pbh)

4. Kerberos 5 FTP support (GSSAPI) (resources not yet assigned)

5. Add K5 support to Leash (resoures not yet assigned)

-- we like the Leash UI more; users are familiar with it already and Leash will support both V4 and V5

Acceptance criteria for accepting the Windows beta

==================================================

1. Does it work at all? (Yes)

2. Does it work on "most" machines?

Greatest problem --- time skew problem; now understood

3. Can we compile the snapshot of the release to create working binaries? (Yes)

Remaining issue --- delivery of GSSAPI sample application?

Test Plan for final acceptance

==============================

1) Things to test

- Use the CNS security manager to obtain Kerberos V5 tickets

- Use the CNS kerberized telnet to authenticate to a Kerberos

V5 telnet server running on a Unix workstation

- Use the CNS supplied gss-api sample client against a gssapi

sampler server running on a Unix workstation

2) Machines to test against

- Ask all dosdev students to try these tests on their dorm

machines (half are using the Lan Workplace networking

stack; half are using the Microsoft stack)

- All the DOS machines on 3rd floor E40.

MACINTOSH

=========What do we need to do on the Macintosh

======================================

1. Draft the Macintosh-specific library interface for GSSAPI

--- SAP requires this within 6-8 weeks (i.e., beginning to mid June)

--- Probably using ASLM

2. Do/coordinate acceptance test for Mac beta

-- someone needs to try compiling the source release

3. Do/coordinate final acceptance test for Mac

Acceptance criteria for accepting the Macintosh beta

====================================================

1. Does it work at all?