Coda File System

Re: Coda and KrbV && PPC

From: Peter J Braam <braam_at_cs.cmu.edu>
Date: Wed, 10 Feb 1999 14:22:31 -0500
Hi Troy,

If you are in a position to maintain this that would be super.  There are a
number of trivial bugs with the kerberos stuff that need fixing and you can
find these on 

www.coda.cs.cmu.edu/bugs.

The requirements for making crypto packages available are not very
complicated, and perhaps you could put them up for ftp and we put a link on
our pages.

Would it be worthwhile to have you write a short section for the HOWTO about how
you got this going?

If I can download the PPC rpms somewhere then we can put those on the web too. 

- Peter -





At 07:40 PM 2/7/99 -0600, you wrote:
>I have just successfully gotten Coda 5.0.1 to work with MIT Kerberos5
>1.0.5 (after figuring out the coda server needs a Krb5 host
>key/principal)
>
>I built RPMS of coda and kerberos, and included the Krb5 PAM module to
>allow logins, etc. If anyone wants these, let me know. Q: Can I send an
>rpm spec file outside of the US and not violate export regs? (If not, I
>could snail-mail a diff or the spec to someone)
>
>I'd like to offer to help with the KrbV and PAM modules, since I would
>find them very useful. ;)
>
>I also have a couple of feasibility questions, now that I have a better
>idea what's going on. How hard would it be to:
>
>1) use Kerberos as the authentication/encryption mechanism all the way
>through Coda? (This might be a way to get around encryption export stuff,
>since krb5 can be gotten from replay.com and there is a free krb4 clone in
>Europe somewhere)
>
>2) make direct use of kerberos principals so that say, anyone with a
>joeuser/admin principal can be a member of the System:Administrators group
>while the regular joeuser principal is not. (along these lines, this would
>allow a joeuser/cron or joeuser/daemon principal to get coda tokens for
>cron jobs or such from a kerberos ticket the user has left for that
>purpose, via a ticket with an extremely long lifetime)
>This might also solve the "how do I authenticate the web server" type
>problems. (Correct me if I'm wrong, but could having a host key/principal 
>for the webserver machine allow this?)
>
>3)
>   a) automatically get coda tokens from kerberos tickets if they exist
>      or
>   b) use kerberos facilities to replace coda tokens (this sorta goes with
>      (1) above)
>
>4) This is more of a kerberos thing, but krb5 has the DES3 code
>   modularized, so what would it take to update the krb5 encryption code
>   to use something like blowfish and friends?
> 
>
>On Sun, 7 Feb 1999, Robert Watson wrote:
>
>[snip] 
>> However, I am in the process of finishing up a set of patches and
>> additional source files that add:
>> 
>> a) HMAC-MD5-based integrity checking in all versions of Coda (hash is
>> configurable, and pluggable)
>> 
>> b) Support for strong encryption (HMAC,3DES) (US-only) as well as weak but
>> exportable (XOR) and none (none) (exportable).  The default state for
>> connections is set as a global policy for the client. New algorithms may
>> easily be added.
>> 
>> c) Improved support for KrbIV and KrbV in the environment.
>> 
>> I'm also looking at writing PAM modules to support Coda + Kerberos, but
>> because of the heavy-weight nature of the threading/rpc system, my
>> tendency is to move the token-acquisition into a separate authentication
>> daemon on the client.  This would also allow for less-coda-like
>> authentication that some have been looking for during transitions to
>> distributed authentication.
>> 
>> So far most of this work is done--encryption/authentication all appear to
>> work quite nicely; I'm working on a new binding currently to replace the
>> requirement for encryption during the binding, as it is used for a key
>> exchange and is as weak as the encryption (and hence the exportable
>> version would suck).
>> 
>> I hope to have the new binding ready for testing sometime in the next day
>> or two.
>> 
>>   Robert N Watson 
>> 
>> robert@fledge.watson.org              http://www.watson.org/~robert/
>> PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
>> 
>> Carnegie Mellon University            http://www.cmu.edu/
>> TIS Labs at Network Associates, Inc.  http://www.tis.com/
>> SafePort Network Services             http://www.safeport.com/
>> 
>> 
>
>--------------------------------------------------------------------------
>| Troy Benjegerdes    |       troy_at_microux.com     |    hozer_at_drgw.net   |
>|    Unix is user friendly... You just have to be friendly to it first.  |
>| This message composed with 100% free software.    http://www.gnu.org   |
>--------------------------------------------------------------------------
>
Received on 1999-02-10 14:23:43