path: root/src/krb524/README
blob: 6f829313d83825085045ed234d010cbf16f6b77e (plain)
Copyright 1993 by Geer Zolot Associates.  All Rights Reserved.

Export of this software from the United States of America is assumed
to require a specific license from the United States Government.  It
is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Geer Zolot Associates not be used in advertising or
publicity pertaining to distribution of the software without specific,
written prior permission.  Geer Zolot Associates makes no
representations about the suitability of this software for any
purpose.  It is provided "as is" without express or implied warranty.

$Id$

Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE
========================================================================

krb524 is a service that converts Kerberos V5 credentials into
Kerberos V4 credentials suitable for use with applications that for
whatever reason do not use V5 directly.  The service consists of a
server that has access to the secret key of the Kerberos service for
which credentials will be converted, and a library for use by client
programs that wish to use the server.

The protocol is simple.  Suppose that a client C wishes to obtain V4
credentials for a V5 service S by using the krb524 server.  The
notation {C,S}_n represents a Vn service ticket for S for use by C.

(1) C obtains V5 credentials, including a ticket {C,S}_5, for S by the
normal V5 means.

(2) C transmits {C,S}_5 to KRB524.

(3) KRB524 converts {C,S}_5 into {C,S}_4.

(4) KRB524 transmits {C,S}_4 to C.

(5) C creates a V4 credentials structure from the plaintext
information in the V5 credential and {C,S}_4.

Steps (2) through (4) are encapsulated in a single function call in
the krb524 library.

Obviously, not all V5 credentials can be completely converted to V4
credentials, since the former is a superset of the latter.  The
precise semantics of the conversion function are still undecided.
UTSL.
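The five-step exchange above, as an added model that is not part of the krb524 release or libkrb524: a toy encrypt-then-MAC stands in for real ticket encryption, the service name, key and ticket fields are constructed, and the V4 subset of fields is an assumption (the README leaves the conversion semantics undecided). It also shows the -k keytab restriction: a service with no key in the keytab cannot be converted.

```python
import hashlib, hmac, json

SVC_NAME = "host/svc.example.org"          # constructed service S
SVC_KEY = b"constructed-secret-key-of-S"   # what krb524d must hold (keytab or KDC db)

def keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream; a stand-in for real ticket encryption.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    # Encrypt-then-MAC: a tampered ticket fails the tag check instead of being mis-parsed.
    pt = json.dumps(fields, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("ticket MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct)))))

class Krb524d:
    """krb524d run with -k: it can only convert tickets for services in its keytab."""
    def __init__(self, keytab: dict):
        self.keytab = keytab

    def convert(self, service: str, ticket_v5: bytes) -> bytes:   # steps (2) to (4)
        if service not in self.keytab:
            raise KeyError(f"no key for {service} in keytab")
        t5 = unseal(self.keytab[service], ticket_v5)
        # Assumed V4 subset: V5 extras (addresses, flags, renew-till) have no V4 slot.
        t4 = {k: t5[k] for k in ("client", "service", "session_key", "lifetime")}
        return seal(self.keytab[service], t4)

def convert_creds(server: Krb524d, creds_v5: dict) -> dict:
    """Client side, step (5): plaintext V5 fields plus the returned {C,S}_4."""
    ticket_v4 = server.convert(creds_v5["service"], creds_v5["ticket"])
    return {**{k: creds_v5[k] for k in ("client", "service", "session_key", "lifetime")},
            "ticket": ticket_v4}

def demo():
    # Step (1): what the KDC would have issued C for S (constructed values).
    t5 = {"client": "alice@EXAMPLE.ORG", "service": SVC_NAME, "session_key": "c0ffee",
          "lifetime": 600, "addresses": ["10.0.0.5"], "flags": ["forwardable"], "renew_till": 9999}
    creds5 = {**{k: t5[k] for k in ("client", "service", "session_key", "lifetime")},
              "ticket": seal(SVC_KEY, t5)}
    creds4 = convert_creds(Krb524d({SVC_NAME: SVC_KEY}), creds5)
    return creds4, unseal(SVC_KEY, creds4["ticket"])   # S itself can open {C,S}_4
```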

Programs contained in this release
======================================================================

krb524d [-m[aster]] [-k[eytab]]

The krb524 server.  It accepts UDP requests on the krb524 service
port, specified in /etc/services, or on port 4444 by default.  (A
request for an official port assignment is underway.)  The -m argument
causes krb524d to access the KDC master database directly; the -k
argument causes krb524d to use the default keytab (and therefore only
be able to convert tickets for services in the keytab).  Only one of
-m or -k can be specified.

test -remote server client service

A test program that obtains a V5 credential for {client,service},
converts it to a V4 credential, and prints out the entire contents of
both versions.  It prompts for service's secret key, which it needs to
decrypt both tickets in order to print them out.  Enter it as an eight
digit ASCII hex number.

k524init [-n] [-p principal]

Convert a V5 credential into a V4 credential and store it in a V4
ticket file.  The client is 'principal', or krbtgt at the V5 ccache's
default principal's realm if not specified.  The -n argument causes
the new ticket to be added to the existing ticket file; otherwise, the
ticket file is initialized.

Using libkrb524.a
======================================================================

To use libkrb524.a, #include <krb524.h>, link against libkrb524.a,
call krb524_init_ets() at the beginning of your program, and call one
of the following two functions:

int krb524_convert_creds_addr(krb5_creds *v5creds, CREDENTIALS *v4creds,
			 struct sockaddr *saddr)

int krb524_convert_creds_kdc(krb5_creds *v5creds, CREDENTIALS *v4creds)

Both convert the V5 credential in v5creds into a V4 credential in
v4creds.  One assumes krb524d is running on the KDC, the other uses an
explicit host.  You only need to specify the address for saddr; the
port is filled in automatically.

Unresolved issues / Bugs
======================================================================

o krb524d requires access to the secret key of any service to be
converted.  Should krb524d run on the KDC or on individual server
machines?  The latter is more paranoid, since it prevents bugs in
krb524d from providing unauthorized access to the master database.
However, it also requires the client to provide the address of the
server to be used.  The client will usually have this information
(since presumably it will be sending the converted V4 credentials to
the same server) but it may not be in a convenient form.  It seems
"cleaner" to have krb524d run on the KDC.

o Even if krb524d uses keytabs on server machines, it needs to be more
flexible.  You only want to run one krb524d per host, so it has to be
able to scan multiple keytabs.  This might get logistically messy.

o This code is of alpha quality.  Bugs, omissions, memory leaks, and
perhaps security holes still remain.  Do not use it (yet) in a
production environment.