Date:      Sun, 17 Sep 1995 09:25:06 -0700 (PDT)
From:      Bill Paul <wpaul>
To:        mark@grondar.za (Mark Murray)
Cc:        CVS-commiters@freefall.freebsd.org, cvs-user@freefall.freebsd.org
Subject:   Re: cvs commit: src/eBones/usr.sbin/kerberos kerberos.c
Message-ID:  <199509171625.JAA19317@freefall.freebsd.org>
In-Reply-To: <199509170711.JAA16606@grumble.grondar.za> from "Mark Murray" at Sep 17, 95 09:11:14 am

> 
> ]:-> I will be bringing in the new DES library (hopefully today), and in
> the next few days I want to repair Secure RPC.
> 
> M
> --
> Mark Murray

Be advised that I've already gotten Secure RPC from the RPC 4.0
distribution to work in FreeBSD (more or less anyway: for some
reason the keyserv daemon doesn't always seem to load root's key
from the /etc/.rootkey file properly when I restart it, but I
haven't been hacking on it in a while due to work intruding).
I have an RPC library with auth_des support, plus working binaries
for all the commands and demos in the Secure RPC distribution,
except for the newkey and chkey commands which compile but do
not link due to the absence of yp_update() and friends.

I wanted to get Secure RPC working so that I could use it in
place of the kludged-up 'check for privileged ports' trick I use
to make FreeBSD's NIS shadow password system work. (This is actually
kind of tricky because the publickey database is accessed through NIS,
which means ypserv might have to call itself in order to authenticate
a query, and ypserv isn't exactly fully re-entrant at this point.)

I also started working on ypupdated and a yp_update() library
function. The RPC part is really quite easy. The tough part is
working out a consistent way to update an arbitrary NIS map.
(Actually, updating the map would be the easy part: the hard
part is that you have to update the source files too. Bleah.)

You have to be mindful of the following things:

- If you look at the des_crypt.c file in the Secure RPC distribution,
  you'll see that it has ecb_crypt() and cbc_crypt() functions that
  call into Sun's libc to do the actual encryption. I made my own
  des_crypt.c that contains wrapper functions for the equivalent
  routines in libdes. One difficulty is that the RPC code expects the
  encryption to be done in-place, whereas libdes expects to be passed
  two buffers, one for input, and another into which it places the
  encrypted output. I kludged this up by having the wrappers define
  their own output buffers and then copying the results back into the
  input buffers before returning. There are also some clashes between
  the #defines in des.h and des_crypt.h, but these are not too hard
  to work out.

- The keyserv program wants libmp, which is not part of 4.4BSD-Lite.
  It _is_ part of 4.4BSD-Encumbered though; from what I've been able
  to learn, the copyright header says that the code is 'believed to
  contain' AT&T source. Foo. I had to resort to using the GNU mp
  library, which works fine, but I'm not thrilled with the notion
  of importing yet another GNU package into the tree.

- There is no keylogout program, though it's fairly easy to write
  one. I have a naive one that I wrote for my testing. There is a
  keylogout program in the tirpcsrc distribution, but it needs minor
  hacking to work with RPC 4.0. Note that the tirpcsrc distribution
  also has a new rpcgen program which might be worth importing as
  either a companion or a replacement for the existing rpcgen, which
  is quite crufty. (The new rpcgen can generate server stubs that
  work in standalone mode or with inetd, plus it can generate sample
  client and server skeleton code that uses the generated clnt and svc
  functions.) One caveat is that it generates ti-rpc code by default:
  you need to specify the -b (backwards compatible) flag to make it
  generate RPC 4.0-style code. The default could be reversed though.

- Again, Secure RPC and ypupdate sort of go hand in hand. One problem
  in this area is that the ypupdate_prot.x protocol definition is
  not included with the public domain RPC 4.0 distribution. You can
  get the protocol definition file from any SunOS machine, but I'm
  not sure copying it that way is permitted. (It has a Sun copyright
  line in it, but says nothing about redistribution restrictions.)
  The file from 4.1.3 also contains an error (look closely and you'll
  see the functions are defined to accept things like 'ypupdateargs'
  but the structure definitions say 'ypupdate_args').

- Last, but certainly not least, if we can't distribute the DES
  library with the OS, there needs to be some dummy DES that can
  handle the calls to ecb_crypt() and cbc_crypt(), otherwise the
  programs that are set up to use Secure RPC will fall apart. I
  haven't yet thought of a way to resolve this. A dummy library
  will prevent FreeBSD's Secure RPC from interacting with anyone
  else's. It isn't quite like crypt() where you can get away with
  the MD5 hash replacement.

-Bill
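
The in-place wrapper pattern described in the des_crypt.c item above, as an added example that is not part of the original message and is not code from Secure RPC or libdes. The names `block_crypt` and `ecb_crypt_inplace` are hypothetical, and the block routine is a constructed placeholder with no cryptographic strength, standing in for a two-buffer cipher call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK 8                       /* DES block size in bytes */
enum { ENCRYPT = 0, DECRYPT = 1 };

/* Hypothetical stand-in for a two-buffer block routine. It is NOT DES and
 * offers no security; like the case in the message, in and out must differ. */
static void block_crypt(const unsigned char *in, unsigned char *out,
                        const unsigned char *key, int mode)
{
    for (int i = 0; i < BLK; i++) {
        if (mode == ENCRYPT)
            out[(i + 1) % BLK] = in[i] ^ key[i];
        else
            out[i] = in[(i + 1) % BLK] ^ key[i];
    }
}

/* In-place wrapper (hypothetical name): run each block through a private
 * scratch buffer and copy the result back over the caller's data.
 * Returns 0 on success, -1 on bad arguments. */
int ecb_crypt_inplace(const unsigned char *key, unsigned char *buf,
                      size_t len, int mode)
{
    unsigned char tmp[BLK];
    volatile unsigned char *wipe = tmp;

    if (key == NULL || buf == NULL || len == 0 || len % BLK != 0)
        return -1;
    for (size_t off = 0; off < len; off += BLK) {
        block_crypt(buf + off, tmp, key, mode);
        memcpy(buf + off, tmp, BLK);
    }
    for (int i = 0; i < BLK; i++)   /* do not leave data in the scratch copy */
        wipe[i] = 0;
    return 0;
}

int main(void)
{
    unsigned char key[BLK] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed key */
    unsigned char msg[16] = "constructed msg";           /* 15 chars + NUL */
    ecb_crypt_inplace(key, msg, sizeof msg, ENCRYPT);
    ecb_crypt_inplace(key, msg, sizeof msg, DECRYPT);
    printf("%s\n", (char *)msg);
    return 0;
}
```

The scratch buffer holds plaintext on the decrypt path, which is why the wrapper clears it before returning.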
