Subject: Re: Problems with kerberos and andrew.
To: Chris Mason <cmason@ros.res.cmu.edu>
From: Bill Studenmund <wrstuden@loki.stanford.edu>
List: port-mac68k
Date: 10/21/1996 11:01:48

> I have tried using the kerb distribution in secr.tar.gz but I get errors
> like:
>
> kinit: Can't send request (send_to_kdc)
>
> whenever I try to kinit. Is this similar to what you saw??

I think that problem went away when I got kerberos set up right. I've
forgotten what I had to do, but I had to set up files in (I think)
/etc/kerberos. I think the can't send request means kinit can't find
the kerberos server.

> Also, is it possible to only sup /src/domestic. I don't have the full
> source tree supped right now. And I don't have a whole lot of space to
> spare.

To be honest, I'd just ftp it every now and then. The domestic stuff is
not changing much, so it shouldn't be a big deal. I don't know if you can
sup just the domestic part, but I'd bet you can (since we'd get in
trouble if supping the source gave non-U.S.-citizens the domestic code).

> > Our distribution doesn't have kerberized ftp, so I'm not familiar with
> > its needs. The only inconvenience I have is that kerberosIV doesn't
> > forward tickets; I have to kftgt the tickets to the desired machine.
> > You might need to do the same.
>
> FTP would be nice, but all I really need is telnet (both the userland
> program and the daemon) that does kerberos. Does NetBSD telnet have support
> for kerberos (I don't think so).

The telnet in /src/domestic does support kerberos, the non-domestic
one doesn't. There's also a telnetd in domestic too. To log in, I:

    kinit
        (type in name and password)
    kftgt -l wrstuden macro    (I'm normally root on my machine)
    telnet -ax -l wrstuden macro 1750
        (the 1750 is just because I have the kerberos telnetd on a
        non-standard port; people complained about it on the normal port)

The -ax tells telnet to log you in, and to encrypt transmissions.
The -l wrstuden reflects the fact that account names are different
on the different machines.

> I'd be very interested in your changes. As would be the people who wrote
> this distribution.

Someone else's asked about them too. They're simple. In krb_get_in_tkt
(I think that's the one), where we call des_string_to_key, we need
to call the andrew/Transarc string_to_key routines instead, and we need
to ask for a password if we weren't passed one.

In the andrew/Transarc string_to_key (the password len <=8 routine),
there's a call to crypt with a salt of "#~". It needs to be changed to be
"p1" instead.

I'll send-pr them at some point. :-)

Take care,

Bill