Release notes for Kerberized NCSA/Telnet, Brown/TN3270, Kdriver, and KConfig.

Please direct comments and questions to:

    Rick Watson
    The University of Texas at Austin
    Computation Center / Networking Services
    Austin TX 78712
    R.Watson@utexas.edu

---------------------------------------------------------------------------
Release K11 11/2/93

• Telnet: Fix a problem with recovering the screen pointer in netwrite.
• Telnet/tn3270/krb: Dynamically allocate encryption data when needed.
• Telnet: Fix memory leaks and pointer bugs.

---------------------------------------------------------------------------
Release K10

• Fixed some MPW-version specific bugs including garbled strings.

---------------------------------------------------------------------------
Release K9 10/14/93

• Telnet: fixed crashes when using Finger.
• KConfig: added password changing code.
• KConfig: updated icons.
• KConfig: remember window position.
• KConfig: make sure that DeviceLoop is available before using it.
• kDriver: added more functions to cKrbGetDesPointers. Fixed a bug in cKrbSetPassword.

WARNING: Do not mix different versions of the K8 and K9 clients and kDriver. There are incompatible changes. If you mix them, you will probably crash.

---------------------------------------------------------------------------
Release K8 10/08/93

The changes to support Kerberos authentication and DES encryption for Telnet and TN3270 were both made to beta versions of those programs. I hope that the authors of each will take back these changes for the release versions of these applications.

For NCSA/Telnet, I have rewritten the Kerberos changes that you may have seen in releases K1-K7 of NCSA/Telnet. Both applications now use Cornell's Kdriver package for Kerberos and encryption support routines.

I have written KConfig, an application to configure settings for Kdriver. I have made some additions to Kdriver and fixed some bugs, so you should probably use the version that I have included in this test package.
If you use an unmodified Cornell driver, encryption will not be supported, some settings changes made by KConfig won't be saved in the preferences file, and the ticket display may show garbage for the user realm.

Kdriver supports Kerberos V4. Kdriver requires that each Kerberos server host also be running a UDP daytime server.

NCSA/Telnet and TN3270 support the Telnet Authentication and Encryption options described in RFC1411/1416 and IETF drafts dated July 1991. Future versions may support the IETF draft AUTH_ENCRYPT option described in the draft dated April 1993.

Kerberos support for TN3270 has not been tested for 3270 sessions yet since we don't currently have a Kerberized tn3270 server running. I don't expect any problems related to 3270 sessions.

• INSTALLATION / KConfig

Kdriver must be installed in your System Folder to work. Drag the "Kerberos Client" file to your closed System Folder. On System 7 machines, you will be asked to verify that the file will be placed into your Extensions folder. Reboot your Macintosh and use KConfig to configure settings for your Kerberos environment.

Domain/Hostname to Realm maps are useful if you are supporting more than one Kerberos realm. The map will attempt to match up a Kerberos realm with IP domain names.

Enter Kerberos server IP addresses or hostnames for each Kerberos realm that you are using. After you have entered your Kerberos servers, you can pick your local realm using the popup menu at the top of the configuration dialog.

The "Login" button will allow you to authenticate to a Kerberos server and obtain an initial ticket-granting ticket for other services. You don't have to log in using KConfig -- the individual client applications will prompt you when a password is needed.

The "Logout" button destroys all tickets.

Use the "File/Show Credentials" menu item to display all your Kerberos tickets.

The "Change Password" button allows you to change your Kerberos password.
You may (or may not) have to reboot after making initial settings.

• NCSA/Telnet

Options to Authenticate and/or Encrypt a session occur in two places in Telnet. This is the session configuration dialog.

Select the appropriate options for each session that you configure, including the Default session. Options for the default session will be presented in the Open Connection dialog box.

You may select the Authenticate and Encrypt options when opening a session. The Authenticate option is required for Encryption.

FTP sessions cannot currently be authenticated or encrypted.

• TN3270

The authenticate and encrypt options for TN3270 are in the "Special" dialog box, entered from the Open Connection dialog.

Authenticate is required to Encrypt.

• Encryption Active Indicators

Padlock indicators serve as a visual indicator that a session is encrypted. For Telnet, this is displayed next to the zoom box in the window's titlebar.

For TN3270, the indicator is displayed in the bottom status line, adjacent to the date and time.

If anything other than the padlock is displayed, the session is not two-way encrypted. An arrow indicates that the session is encrypted in one direction only. This is probably evidence of a bug in the Telnet/TN3270 code or your Telnet server. The absence of any indicator means that no encryption is taking place.
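
The indicator rule above, as an added C example (not code from NCSA/Telnet or TN3270): it derives padlock, arrow or no indicator from each direction's ENCRYPT START/END subnegotiations. The option and command codes are those in BSD arpa/telnet.h and are assumed to match what these clients negotiate; the function names and sample streams are constructed for illustration.

```c
#include <stddef.h>

/* Codes as in BSD <arpa/telnet.h>; assumed to match these clients. */
enum { IAC = 255, SB = 250, SE = 240, WILL = 251, DONT = 254,
       TELOPT_ENCRYPT = 38, ENCRYPT_START = 3, ENCRYPT_END = 4 };
typedef enum { IND_NONE, IND_ARROW, IND_PADLOCK } indicator_t;
/* Walk one direction's Telnet stream as the Telnet layer sees it (after any
   decryption). Returns 1 if the sender's last complete ENCRYPT
   subnegotiation was START, 0 if it was END or none was seen. */
static int sender_encrypting(const unsigned char *p, size_t n)
{
    int on = 0;
    size_t i = 0;
    while (i + 1 < n) {
        if (p[i] != IAC) { i++; continue; }
        if (p[i + 1] >= WILL && p[i + 1] <= DONT) { i += 3; continue; }
        if (p[i + 1] != SB) { i += 2; continue; }   /* IAC IAC, NOP, ... */
        size_t j = i + 2, end = 0;
        while (j + 1 < n && !end) {                 /* find closing IAC SE */
            if (p[j] == IAC && p[j + 1] == SE) end = j;
            else j += (p[j] == IAC) ? 2 : 1;        /* IAC IAC is one data byte */
        }
        if (!end) break;                /* truncated: state unchanged */
        if (end >= i + 4 && p[i + 2] == TELOPT_ENCRYPT) {
            if (p[i + 3] == ENCRYPT_START) on = 1;
            else if (p[i + 3] == ENCRYPT_END) on = 0;
        }
        i = end + 2;
    }
    return on;
}

/* Padlock only when both directions are encrypting; arrow for exactly one. */
static indicator_t indicator(const unsigned char *tx, size_t tx_n,
                             const unsigned char *rx, size_t rx_n)
{
    int out = sender_encrypting(tx, tx_n), in = sender_encrypting(rx, rx_n);
    if (out && in) return IND_PADLOCK;
    return (out || in) ? IND_ARROW : IND_NONE;
}

/* Constructed sample streams (key id 0), not captured traffic. */
static const unsigned char BOTH_ON[]  = { IAC, WILL, TELOPT_ENCRYPT,
    IAC, SB, TELOPT_ENCRYPT, ENCRYPT_START, 0, IAC, SE, 'l', 's' };
static const unsigned char THEN_OFF[] = { IAC, SB, TELOPT_ENCRYPT, ENCRYPT_START, 0,
    IAC, SE, IAC, SB, TELOPT_ENCRYPT, ENCRYPT_END, IAC, SE };
static const unsigned char CUT_OFF[]  = { IAC, SB, TELOPT_ENCRYPT, ENCRYPT_START, 0 };

int main(void) { return indicator(BOTH_ON, sizeof BOTH_ON, BOTH_ON, sizeof BOTH_ON) != IND_PADLOCK; }
```

A stream in which START is later followed by END, or in which the START subnegotiation never completes, counts as not encrypting, so the pair falls back to the arrow or to no indicator.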