oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

more text on kaserver compatability from lha@stacken.kth.se

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9544 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
2001-01-28 21:59:17 +00:00
parent c26fe37eaa
commit 8bec800fd8
1 changed files with 40 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
doc/kerberos4.texi
View File

@@ -5,9 +5,13 @@
If compiled with version 4 support, the KDC can serve requests from a If compiled with version 4 support, the KDC can serve requests from a
Kerberos 4 client. There are a few things you must do for this to work. Kerberos 4 client. There are a few things you must do for this to work.
You might also want use the built in kaserver emulation in the kdc
when you have AFS-clients that use @code{klog}.
@menu @menu
* Principal conversion issues:: * Principal conversion issues::
* Converting a version 4 database:: * Converting a version 4 database::
* kaserver::
@end menu @end menu
@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
@@ -51,7 +55,7 @@ principal exists in the database. The KDC will use
@code{krb5_425_conv_principal_ext} to convert principals when handling @code{krb5_425_conv_principal_ext} to convert principals when handling
to version 4 requests. to version 4 requests.
@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues @node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues
@section Converting a version 4 database @section Converting a version 4 database
If you want to convert an existing version 4 database, the principal If you want to convert an existing version 4 database, the principal
@@ -176,3 +180,38 @@ version 4 uses port 751, not 749).
@emph{And then there are a many more things you can do; more on this in @emph{And then there are a many more things you can do; more on this in
a later version of this manual. Until then, UTSL.} a later version of this manual. Until then, UTSL.}
@node kaserver, , Converting a version 4 database, Kerberos 4 issues
@section kaserver
@subsection kaserver emulation
The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
server with pre-authentication using Rx as the on-wire protocol. The kdc
contains a minimalistic Rx implementation.
There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
Granting), and KAM (Maintenance). The KAA interface and KAT interface
both passes over DES encrypted data-blobs (just like the
Kerberos-protocol) and thus o not need any other protection. The KAM
interface uses @code{rxkad} (Kerberos authentication layer for Rx) for
security and data protection, and is used for example for changing
passwords. This part is not implemented in the kdc.
Another difference between the ka-protocol and the Kerberos 4 protocol
is that the pass-phrase is salted with the cellname in the @code{string to
key} function in the ka-protocol, while in the Kerberos 4 protocol there
is no salting of the password at all. To make sure AFS-compatible keys
are added to each principals when they are created or their password are
changed, @samp{afs3-salt} should be added to
@samp{[kadmin]default_keys}.
@subsection Transarc AFS Windows client
The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
does not need a kaserver. The Windows client assumes that the Kerberos
server is on the same machine as the AFS-database server. If you do not
like to do that you can add a small program that runs on the database
servers that forward all kerberos requests to the real kerberos
server. A program that does this is @code{krb-forward}
(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).