From owner-freebsd-security Sun Mar 24 23:51:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA27000 for security-outgoing; Sun, 24 Mar 1996 23:51:36 -0800 (PST)
Received: from relay.philips.nl (ns.philips.nl [130.144.65.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id XAA26994 for ; Sun, 24 Mar 1996 23:51:32 -0800 (PST)
Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id IAA02190 for ; Mon, 25 Mar 1996 08:50:56 +0100
Received: from unknown(192.26.173.32) by ns.philips.nl via smap (V1.3+ESMTP) with ESMTP id sma002082; Mon Mar 25 08:50:07 1996
Received: from spooky.lss.cp.philips.com (spooky.lss.cp.philips.com [130.144.199.105]) by smtp.nl.cis.philips.com (8.6.10/8.6.10-0.9z-02May95) with ESMTP id IAA08001 for ; Mon, 25 Mar 1996 08:51:22 +0100
Received: (from guido@localhost) by spooky.lss.cp.philips.com (8.6.10/8.6.10-0.991c-08Nov95) id IAA01192 for freebsd-security@freebsd.org; Mon, 25 Mar 1996 08:50:05 +0100
From: Guido van Rooij
Message-Id: <199603250750.IAA01192@spooky.lss.cp.philips.com>
Subject: BoS: Long key secure RPC&NFS is available (fwd)
To: freebsd-security@freebsd.org
Date: Mon, 25 Mar 1996 08:50:05 +0100 (MET)
Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
X-Mailer: ELM [version 2.4 PL21]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FYI

A.N.Kuznetsov wrote:
> From owner-best-of-security@suburbia.net Sat Mar 23 09:42:54 1996
> X-Authentication-Warning: suburbia.net: majordom set sender to owner-best-of-security using -f
> Message-Id: <199603221440.RAA27829@ms2.inr.ac.ru>
> Subject: BoS: Long key secure RPC&NFS is available
> To: linux-kernel@vger.rutgers.edu
> Date: Fri, 22 Mar 1996 17:40:04 +0300 (MSK)
> From: inr-linux-kernel@ms2.inr.ac.ru (A.N.Kuznetsov)
> X-Mailer: ELM [version 2.4 PL24]
> Mime-Version: 1.0
> Sender:
> owner-best-of-security@suburbia.net
> Errors-to: nobody@mail.uu.net
> Precedence: bulk
> Reply-To: nobody@mail.uu.net
>
> Hello!
>
> I finished a secure RPC package using arbitrary size keys.
> This version should be really secure.
>
> I have a Linux version (tested for almost 2 weeks)
> and a Solaris 2.3 version (tested for 3 days).
> It should work for Solaris > 2.3, but I am not sure.
> I believe the Linux version can be painlessly compiled
> for SunOS 4.x.x.
>
> How to get it?
>
> I am somewhat offended by the absence of any feedback to
> my secure RPC NFS, so that:
>
> 1. ftp.inr.ac.ru:/secure_nfs.tar.gz contains kernel patches
> (they should fit any kernel 1.3.71 - 1.3.77)
> and upgrades for mount, nfsd, amd.
>
> The secure_rpc directory contains the not secure 192-bit version
> of the secure RPC utilities. Do not use it!
> Do not use NATIVE Sun secure RPC either! It is not
> only not secure, it may be a major security hole.
> I suspect that any curious person can easily crack the Sun style
> publickey database and evaluate all users' passwords.
>
> 2. To get the long key secure RPC package, please send your requests
> for Linux and/or Solaris versions to me.
>
> They are not free 8)8) I will require some feedback 8)8)
>
> More seriously, this package cannot be fully compatible with
> standard Sun secure RPC. I believe that all clients (e.g. NFS)
> and major servers (e.g. NFSD) are compatible. But all the tools:
> keyserv, keylogin, chkey, newkey (and login, passwd, yppasswd, if they
> are aware of secure RPC) should be replaced on ALL of your network.
> So I am obliged to provide wide compatibility, and
> I'd like you to help me.
>
> I expect that somebody will help to test it:
>
> a) for Solaris 2.x. I do not use NIS+ on my Sparc with
> Solaris 2.3, I use plain YP, so I am sure that
> it works only when the publickey database is served by YP.
>
> b) I do not use the NYS package on my Linux hosts and I do not
> know how this package will interfere with NYS.
>
> c) It is interesting whether this package will work for SunOS 4.x.x
>
> d) And for other platforms?
>
> Alexey Kuznetsov.
> kuznet@ms2.inr.ac.ru
>

From owner-freebsd-security Tue Mar 26 06:35:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA08020 for security-outgoing; Tue, 26 Mar 1996 06:35:37 -0800 (PST)
Received: from itsdsv1.enc.edu (itsdsv1.enc.edu [199.93.252.241]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA07999 Tue, 26 Mar 1996 06:35:30 -0800 (PST)
Received: (from owensc@localhost) by itsdsv1.enc.edu (8.6.11/8.6.9) id JAA20023; Tue, 26 Mar 1996 09:34:55 -0500
Date: Tue, 26 Mar 1996 09:34:55 -0500 (EST)
From: Charles Owens
To: freebsd-security@freebsd.org
cc: questions list FreeBSD
Subject: NIS and Kerberos interaction
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I expect to begin playing with Kerberos soon and have some questions
regarding how it relates to NIS. I'm currently using NIS to distribute
password info between FreeBSD servers.

o What of NIS's functions can be handled by Kerberos? What can't?

o Related to the above, if program X is used to using the system password
  database (which may or may not be NIS-based), how does Kerberos change
  the picture? With Kerberos present, will program X automagically
  access the Kerberos system, or is this functionality best
  achieved with some sort of NIS/Kerberos coexistence? (I've found
  a vague reference that hinted that this is what is necessary.)

o In answering these issues, what things must I think about if I'm concerned
  with the prospect of scaling this system to 1000 users and beyond?
  (I'm quite serious about this!)

o Are there any good, comprehensive books about Kerberos? I've found
  some papers, but they are mostly conceptual and don't get into
  the actual implementation details.
Thanks,

---
-------------------------------------------------------------------------
Charles Owens                                      Email: owensc@enc.edu
Information Technology Services
Eastern Nazarene College

  "I read somewhere to learn is to remember... and I've learned that
   we've all forgot..."  - King's X
-------------------------------------------------------------------------

From owner-freebsd-security Tue Mar 26 12:34:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA14465 for security-outgoing; Tue, 26 Mar 1996 12:34:21 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA14432 Tue, 26 Mar 1996 12:34:14 -0800 (PST)
Message-Id: <199603262034.MAA14432@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA282752568; Wed, 27 Mar 1996 07:36:08 +1100
From: Darren Reed
Subject: Re: NIS and Kerberos interaction
To: owensc@enc.edu (Charles Owens)
Date: Wed, 27 Mar 1996 07:36:08 +1100 (EDT)
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: from "Charles Owens" at Mar 26, 96 09:34:55 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Charles Owens, sie said:
>
> I expect to begin playing with Kerberos soon and have some questions
> regarding how it relates to NIS. I'm currently using NIS to distribute
> password info between FreeBSD servers.
>
> o What of NIS's functions can be handled by Kerberos? What can't?

The passwd map, or more specifically, the passwd map password entries.
Everything else can't. Kerberos is about authentication, not providing
directory services.

> o Related to the above, if program X is used to using the system password
>   database (which may or may not be NIS-based), how does Kerberos change
>   the picture?
>   With Kerberos present, will program X automagically
>   access the Kerberos system, or is this functionality best
>   achieved with some sort of NIS/Kerberos coexistence? (I've found
>   a vague reference that hinted that this is what is necessary.)

Programs need to be Kerberos aware (i.e. use the GSS API) before they can
take advantage of its presence. You need a new version of login (klogin),
passwd (kpasswd) and all of telnet, rsh, rlogin along with their daemons.
These are usually packaged as part of a standard kit to make your network
safer.

> o In answering these issues, what things must I think about if I'm concerned
>   with the prospect of scaling this system to 1000 users and beyond?
>   (I'm quite serious about this!)

You may find that over a certain point, the hash tables used for Kerberos
are inefficient. In using a commercial product under Solaris, we had the
option of moving to what they call the "c-tree" release. You may also want
to set up a slave security server.

> o Are there any good, comprehensive books about Kerberos? I've found
>   some papers, but they are mostly conceptual and don't get into
>   the actual implementation details.

What version? Kerberos 4 & 5 are quite different, and you want to be using
5 and not 4. I've found the RFC sufficiently detailed (RFC1510), but there
are errata waiting for a new RFC and the GSS API is documented elsewhere.
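The forwarded note from Alexey Kuznetsov at the top of this thread calls the 192-bit version of secure RPC "not secure" and says the Sun-style publickey database can be cracked. Sun's AUTH_DES derives its DES session key from a Diffie-Hellman exchange over a fixed 192-bit prime, and LaMacchia and Odlyzko had already computed discrete logarithms in that field in 1991, which is why key length is the whole point of a "long key" replacement. The following is an added example for this archive page, not code from Kuznetsov's package, from Sun's secure RPC or from anyone in the thread. It runs a toy DH exchange of the same shape and then recovers one party's private key from its public key with the generic baby-step/giant-step algorithm; the prime (2^31 - 1), the generator (7) and both private keys are constructed for the demonstration so that the attack finishes in well under a second. Against a 192-bit prime the generic attack is far too slow, but index-calculus methods are not, so the example is only meant to show the mechanics of "the private key is recoverable once the public key is published and the modulus is too small".

```python
"""Toy Diffie-Hellman exchange with a discrete-log attack on the public key.

Added example for this mailing-list archive; it is not code from
Kuznetsov's package, from Sun's secure RPC (AUTH_DES) or from anyone in
the thread. The modulus is a constructed 31-bit prime so that the attack
finishes quickly; AUTH_DES used a fixed 192-bit modulus.
"""
import math
from typing import Optional

# Constructed toy parameters: p = 2^31 - 1 is prime and 7 is a primitive
# root modulo p, so every public key has exactly one private key in [0, p-2].
P = 2**31 - 1
G = 7


def public_key(secret: int, p: int = P, g: int = G) -> int:
    """DH public key g^secret mod p (what a publickey map would publish)."""
    return pow(g, secret, p)


def shared_key(peer_public: int, my_secret: int, p: int = P) -> int:
    """The DH common key both sides derive; AUTH_DES makes a DES key from it."""
    return pow(peer_public, my_secret, p)


def bsgs_dlog(h: int, g: int = G, p: int = P) -> Optional[int]:
    """Baby-step/giant-step: find x with g^x == h (mod p) in about sqrt(p) work.

    Returns None if h is not a power of g modulo p.
    """
    m = math.isqrt(p - 1) + 1
    # Baby steps: table of g^j -> j for j in [0, m).
    baby = {}
    e = 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    # Giant steps: walk h, h*g^-m, h*g^-2m, ... until a baby step matches,
    # then x = i*m + j.
    step = pow(g, -m, p)          # modular inverse of g^m (Python >= 3.8)
    gamma = h
    for i in range(m):
        j = baby.get(gamma)
        if j is not None:
            return i * m + j
        gamma = gamma * step % p
    return None


def recover_shared_key(pub_a: int, pub_b: int, g: int = G, p: int = P) -> Optional[int]:
    """What an eavesdropper holding both public keys can do when p is small:
    recover A's private key, then compute the key A and B agreed on."""
    secret_a = bsgs_dlog(pub_a, g, p)
    if secret_a is None:
        return None
    return shared_key(pub_b, secret_a, p)


def bsgs_steps(modulus_bits: int) -> int:
    """Order of magnitude of the generic attack: about 2^(bits/2) steps.

    This is only an upper bound on attacker effort; index-calculus methods
    are far cheaper in prime fields, which is why a 192-bit modulus was
    already breakable in 1991.
    """
    return 1 << (modulus_bits // 2)


if __name__ == "__main__":
    # Constructed private keys for two hosts; with AUTH_DES these would come
    # from newkey/chkey and sit (password-encrypted) in the publickey map.
    a_secret, b_secret = 123456789, 987654321
    a_pub, b_pub = public_key(a_secret), public_key(b_secret)
    agreed = shared_key(b_pub, a_secret)
    assert agreed == shared_key(a_pub, b_secret)
    cracked = recover_shared_key(a_pub, b_pub)
    print("agreed key:", agreed, "recovered by eavesdropper:", cracked)
    print("generic attack steps, 31-bit vs 192-bit modulus:",
          bsgs_steps(31), bsgs_steps(192))
```

The table built by the baby steps is the only memory cost, about sqrt(p) entries, so for the toy prime it is a 46k-entry dictionary; the same code would need 2^96 entries for a 192-bit modulus, which is exactly why real attacks on that field used index calculus instead. The comparison that matters for a secure RPC deployment is not this generic bound but the modulus length relative to the best known prime-field discrete-log method, and "arbitrary size keys" in Kuznetsov's note is what lets an administrator move that length up.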