1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
|
KERBEROS and DCE INTEROPERABILITY ROUTINES
WHAT'S NEW
When k5dcecon was examining the ticket caches looking to
update one with a newer TGT, it might update the wrong
one for the correct user. This problem was reported by PNNL,
and is now fixed.
Any Kerberized application can now use a forwarded TGT to establish a
DCE context, or can use a previously established DCE context. This is
both a functional improvement and a performance improvement.
BACKGROUND
The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
number of ways. This is possible because:
o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4
or so, with additional changes.
o The DCE security server can act as a K5 KDC, as defined in RFC 1510
and responds on port 88.
o On the clients, DCE and Kerberos use the same format for the ticket
cache, and then can share it. The KRB5CCNAME environment variable points
at the cache.
o On the clients, DCE and Kerberos use the same format for the srvtab
file. DCE refers to is a /krb5/v5srvtab and Kerberos as
/etc/krb5.keytab. They can be symlinked.
o MIT has added many options to the krb5.conf configuration file
which allows newer features of Release 1.0 to be turned off to match
the earlier version of Kerberos upon which DCE is based.
o DCE will accept a externally obtained Kerberos TGT in place of a
password when establishing a DCE context.
There are some areas where they differ, including the following:
o Administration of the database and the keytab files is done by the
DCE routines, rather the the Kerberos kadmin.
o User password changes must be done using the DCE commands. Kpasswd
does not work. (But there are mods to Kerberos to use the v5passwd
with DCE.
o DCE goes beyond authentication only, and provides authorization via
the PAC, and the dce-ptgt tickets stored in the cache. Thus a
Kerberos KDC can not act as a DCE security server.
o A DCE cell and Kerberos realm can cross-realm authenticate, but
there can be no intermediate realms. (There are other problems
in this area as well. But directly connected realms/cells do work.)
o You can't link a module with the DCE library and the Kerberos
library. They have conflicting routines, static data and structures.
One of the main features of DCE is the Distributed File System
DFS. Access to DFS requires authentication and authorization, and when
one uses a Kerberized network utility such as telnet, a forwarded
Kerberos ticket can be used to establish the DCE context to allow
access to DFS.
NEW TO THIS RELEASE
This release introduces sharing of a DCE context, and PAG, and allows
any Kerberized application to establish or share the context. This is
made possible by using an undocumented feature of DCE which is on at
least the Transarc and IBM releases of DCE 1.1.
I am in the process of trying to get this contributed to the general
DCE 1.2.2 release as a patch, so it could be included in other vendors
products. HP has expressed interest in doing this, as well as the
OpenGroup if the modification is contributed. You can help by
requesting Transarc and/or IBM to submit this modification to the
OpenGroup and ask your vendor to adopt this modification.
The feature is a modification to the setpag() system call which will
allow an authorized process to set the PAG to a specific value, and
thus allow unrelated processes to share the same PAG.
This then allows the Kerberized daemons such as kshd, to exec a DCE
module which established the DCE context. Kshd then sets the
KRB5CCNAME environment variable and then issues the setpag() to use
this context. This solves the linking problem. This is done via the
k5dfspag.c routine.
The k5dfspag.c code is compiled with the lib/krb5/os routines and
included in the libkrb5. A daemon calls krb5_dfs_pag after the
krb5_kuserok has determined that the Kerberos principal and local
userid pair are acceptable. This should be done early so as to give
the daemon access to the home directory which may be located on DFS.
If the .k5login file is used by krb5_kuserok it will need to be
accessed by the daemon and will need special ACL handling.
The krb5_dfs_pag routine will exec the k5dcecon module to do all the
real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set
the PAG for the current process to the returned PAG value. It will
also set the KRB5CCNAME environment as well. Under DCE the PAG value
is the nnnnnnn part of the name of the cache:
FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn.
The k5dcecon routine will attempt to use TGT which may have been
forwarded, to convert it to a DCE context. If there is no TGT, an
attempt will be made to join an existing PAG for the local userid, and
Kerberos principal. If there are existing PAGs, and a forwarded TGT,
k5dcecon will check the lifetime of the forwarded TGT, and if it is
less than the lifetime of the PAG, it will just join the PAG. If it
is greater, it will refresh the PAG using the forwarded TGT.
This approach has the advantage of not requiring many new tickets from
having to be obtained, and allows one to refresh a DCE context, or use
an already established context.
If the system also has AFS, the AFS krb5_afs_pag should be called
after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may
have changed, such as if a DFS PAG has been joined. The AFS code does
not have the capability to join an existing AFS PAG, but can use the
same cache which might already had a
afsx/<afs.cell.name>@<k5.realm.name> service ticket.
WHAT'S IN THIS RELEASE
The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
be slipped in between telnetd or klogind and login.krb5. They would
use a forwarded Kerberos ticket to establish a DCE context. They are
the older programs which are included here. They work on all DCE
platforms, and don't take advantage of the undocumented setpag
feature. (A version of k5dcelogin is being included with DCE 1.2.2)
K5dcecon is the new program which can be used to create, update or
join a DCE context. k5dcecon returns KRB5CCNAME string which contains
the PAG.
k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
1 and added to the libkrb5. It will exec k5dcecon and upon return set
the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd,
ftpd are available to use the k5dfspag.
Testpag.c is a test programs to see if the PAG can be set.
The cpwkey.c routine can be used to change a key in the DCE registry,
by adding the key directly, or by setting the salt/pepper and password
or by providing the key and the pepper. This could be useful when
coping keys from a K4 or AFS database to DCE. It can also be used when
setting a DCE to K5 cross-cell key. This program is a test program
For mass inserts, it should be rewritten to read from stdin.
K5dcelogin can also be called directly, much like dce_login.
I use the following commands in effect do the same thing as dce_login
and get a forwardable ticket, DCE context and an AFS token:
#!/bin/csh
# simulate a dce_login using krb5 kinit and k5dcelogin
#
setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
/krb5/bin/kinit -f
exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
#exec /krb5/sbin/k5dcelogin /bin/csh
This could be useful in a mixed cell where "AS_REQ" messages are
handled by a K5 KDC, but DCE RPCs are handled by the DCE security
server.
TESTING THE SETPAG
The krb5_dfs_pag routine relies on an undocumented feature which is
in the AIX and Transarc Solaris ports of DCE and has been recently
added to the SGI version. To test if this feature is present
on some other DFS implementation use the testpag routine.
The testpag routine attempts to set a PAG value to one you supply. It
uses the afs_syscall with the afs_setpag, and passes the supplied
PAG value as the next parameter. On an unmodifed system, this
will be ignored, and a new will be set. You should also check that
if run as a user, you cannot join a PAG owned by another user.
When run as root, any PAG should be usable.
On a machine with DFS running, do a dce_login to get a DCE context and
PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It
should look like an 8 char hex value, which may be 41ffxxxx on some
systems.
Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
nnnnnnnn is the PAG obtained for the above name.
It should look like this example on an AIX 4.1.4 system:
pembroke# ./testpag -n 63dc9997
calling k5dcepag newpag=63dc9997
PAG returned = 63dc9997
You will be running under a new shell with the PAG and KRB5CCNAME set.
If the PAG returned is the same as the newpag, then it worked. You can
further verify this by doing a DCE klist, cd to DFS and a DCE klist
again. The klist should show some tickets for DFS servers.
If the PAG returned is not the same, and repeated attempts show a
returned PAG decremented by 1 from the previous returned PAG, then
this system does not have the modification For example:
# ./testpag -n 41fffff9
calling k5dcepag newpag=41fffff9
PAG returned = 41fffff8
# ./testpag -n 41fffff9
calling k5dcepag newpag=41fffff9
PAG returned = 41fffff7
In this case the syscall is ignoring the newpag parameter.
Running it with -n 0 should get the next PAG value with or without
this modification.
If the DFS kernel extensions are not installed, you would get
something like this:
caliban.ctd.anl.gov% ./testpag -n 012345678
calling k5dcepag newpag=012345678
Setpag failed with a system error
PAG returned = ffffffff
Not a good pag value
If you DFS implementation does not have this modification, you could
attempt to install it yourself. But this requires source and requires
modifications to the kernel extensions. At the end of this note is an
untested sample using the DCE 1.2.2 source code. You can also contact
your system vendor and ask for this modification.
UNICOS has a similar function setppag(newpag) which can be used to set
the PAG of the parent. Contact me if you are interested.
HOW TO INSTALL
Examine the k5dfspag.c file to make sure the DFS syscalls are correct
for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h
on Solaris for example.
You should build the testpag routine and make sure it works before
adding all the other mods. If it fails you can still use the klogind
and telnetd with the k5prelogin and k5dcelogin code.
If you intend to install with a prefix other than /krb5, change:
DPAGAIX and K5DCECON in k5dfspag.c; the three references in
k5prelogin.c; and the DESTDIR in the Makefile.
Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
related changes and the calls to krb5_dfs_pag.
Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory.
Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration.
Configure and Build the Kerberos v5.
Modify the k5dce Makefile for your system.
Build the k5dcecon and related programs.
Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX.
The makefile can also build k5dcelogin and k5prelogin. The install
can install k5dcelogin, k5prelogin and update the links for login.krb5
-> k5prelogin and moving login.krb5 to login.k5. If you will be using
the k5dcecon/k5dfspag with the Kerberos mods, you don't need
k5prelogin, or the links changed, and may not need k5dcelogin.
Note that Transarc has obfuscated the entries to the lib, and
the 1.0.3a is different from the 1.1. You may need to build two
versions of the k5dcelogin and/or k5dcecon one for each.
AIX ONLY
The dpagaix routine is needed for AIX because of the way they do the
syscalls.
The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
has been installed. This PTF exposed the needed entrypoints.
The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
external entry points to the libdce.a. These are needed by k5dcecon
and k5dcelogin. A bug report was submitted to IBM on this, and it was
rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
be needed with 1.2.2
Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
makefile to its own directory. It will create a new libdce.a which you
need to copy back to /usr/lib/libdce.a You will need to reboot the
machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar
procedure. IBM was not responsive in a request to have these added.
UNTESTED KERNEL EXTENSION FOR SETPAG
*** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996
--- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997
***************
*** 293,298 ****
--- 293,302 ----
int code;
osi_MakePreemptionRight();
+ /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
+ if (unused && osi_GetUID(osi_getucred()) == 0) {
+ newpag = unused;
+ } else {
osi_mutex_enter(&osi_pagLock);
now = osi_Time();
soonest = osi_firstPagTime +
***************
*** 309,314 ****
--- 313,319 ----
}
osi_mutex_exit(&osi_pagLock);
newpag = osi_genpag();
+ }
osi_pcred_lock(p);
credp = crcopy(osi_getucred());
code = osi_SetPagInCred(credp, newpag);
Created 07/08/96
Modified 09/30/96
Modified 11/19/96
Modified 12/19/96
Modified 06/20/97
Modified 07/28/97
Modified 02/18/98
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|