eay@surf.sics.bu.oz (Eric the Young) (10/05/90)
With eager anticipation I installed Ultrix 4.0 with the expectation that a complete version of kerberos would be included, boy was I wrong. (For those that don't know, DEC claimed that kerberos with full encryption (in binary form only) was being sent will all versions with ultrix 4, including sites outside of the USA) What do I find, NO DES ENCRYPTION ROUTINES IN THE DES LIBRARY !!! a simple ar t of /usr/lib/libdes.a __________ELEL_ key_sched.o debug_decl.o quad_cksum.o random_key.o read_password.o string_to_key.o weak_key.o key_parity.o new_rnd_key.o util.o (and a strings - -9 of the library reveals no des_*_encrypt routines). To top it off the des_*_encrypt sections of the man page has been commented out of /usr/man/man/des_encrypt.3krb. The only interesting things is that there are files with names like pcbc_inline.c and des_inline.c compiled into files like /usr/etc/kerberos. So, des is in the kerberos application binaries, but since there is no des in the libraries and there are no user level kerberos application i.e. kerberised rlogin and rcp, this (IMHO) is a total waste of time and appears to be a bit of missinformation of DECs behalf. I will concede that Ultrix is only calmed to have binary versions of des encryption in the export version, but I take this to mean no source code, not no object files. Have other non US sites found this with their ultrix 4.0 installations or am I making a fool of my self :-). I feels a bit cheated :-( (I should also not that the kerberos library looks as thought it has been fiddled with as well :-( Non of the above is a reflection of the opinion or of the policies of Bond University, it is just the grumbling of an annoyed system programmer (me). -- Eric Young | "It is always best to start running System Programmer, SICS Bond Uni.| away early, before the rush. That way ACSnet: eay@surf.sics.bu.oz.au | there are fewer bodies to trip over."
eay@surf.bu.oz.au (Eric the Young) (10/08/90)
In article <1322@surf.sics.bu.oz>, eay@surf.sics.bu.oz (Eric the Young (me)) wri tes: >(For those that don't know, DEC claimed that kerberos with full encryption >(in binary form only) was being sent will all versions with ultrix 4, This statement (as was most of the article) was harsh on Digital and I should not have written it. I apologize for any discredit I may have brought on Digital's name. I fully appreciate the efforts Digital have made in trying to export a complete working version of kerberos (with des) and that the restrictions are due to U.S. export controls. (And it is those export controls that I am frustrated with not Digital). My reason for posting was caused by my misunderstanding of the definitions of object code. I am a system programmer and my interest in kerberos is writing applications that can use kerberos authentication. I have been using Bones (kerberos without the libdes.a routines) and when I hear the word kerberos I think of authenticated logins etc. Kerberos is an authentication system, so the use of the kerberos in user applications is (IMHO) a major part of kerberos. When I found that the kerberos package in the export version of Ultrix could not be used to develop new applications _I_ felt that an integral part of the kerberos package was missing. The kerberos (or Bones) package as distributed by MIT provides the kerberos server, development libraries and some application programs. From what I have seen so far, the export Ultrix version provides the server, development libraries (minus des encryption) and some applications (I am not sure which ones, but not rlogin). Since kerberos is an authentication system, I fell that leaving out some parts of the library (so that is is not usable), does not conform with my personal image of what kerberos is. It appears that all I have to do is write my own versions of des (which I have done), but how can I be sure it will be compatible with the (non export) Ultrix version. The way kerberos operates would make it possible for me, in Australia to login to MIT (when I am IP connected) with kerberos authentication, but only if my des routines were exactly the same as MIT's. I find it so annoying that when there are several different versions of libdes.a available outside the US, that the US is IP connected to the rest of the world (Oh, look what we have here, the kerberos distribution, lets just ftp it back to Australia/Finland/Eastern Europe, or lets just have some-one email it to me). I have modified Bones so that it now uses encryption but I will never be able to say the libraries are a replacement for MIT's until I can test them against a working USA version. It was my hope that the Ultrix version would let me test my routines and then be able to say my version would let people with kerberos on ultrix machines authenticate with people with my version of kerberos. eric None of the above is a reflection of the opinion or of the policies of Bond University, it is just the grumbling of an annoyed system programmer (me) -- Eric Young System Programmer, SICS Bond Uni. ACSnet: eay@surf.sics.bu.oz.au