[2618] in Kerberos
Re: Mixing V4 & V5
daemon@ATHENA.MIT.EDU (Joe Ramus)
Mon Mar 8 18:23:24 1993
Date: Mon, 8 Mar 93 15:04:46 PST
From: ramus@nersc.gov (Joe Ramus)
To: kerberos@Athena.MIT.EDU
Thanks to Glenn Machin at Sandia for this information.
I am forwarding this note with his permission.
Joe Ramus
----- Begin Included Message -----
Date: Mon, 8 Mar 93 10:00:49 MST
From: gmachin@somnet.sandia.gov (Glenn NoI Machin)
In our environment a system is either v4 or v5. Some systems are
supporting both, which means that they still run v4 daemons
(a version 4 telnetd, version 4 ftp, nfs_authd, etc.). Here is some
explanation of what is taking place......
Services in a mixed v4 and v5 realm:
Ksrvutil will translate a version 5 v5srvtab to version 4 and vice
versa. See ksrvutil xlate4to5 (xlate5to4). Note if a ksrvutil
change is performed you should perform ksrvutil xlate5to4 immediately
afterwards, so that v4 services still function. The KDC distinguishes
between services and users. If a change of a key comes in for a user
(v5 kpasswd) then the version 5 key and version 4 key are created using the
appropriate string-to-key function. Services however get their keys
set the same. This means a workstation can run version 4 servers
but only need v5 administration tools, i.e. ksrvutil. Also when
moving a system from version 4 to version 5 a simple ksrvutil xlate4to5
is done to establish v5srvtab, and version 5 applications are off and
running......
Users in a mixed v4 and v5 realm:
User accounts in the KDC, as explained above, have "different"
version 4 and version 5 keys within the KDC database. This allows
them to use a v4 or v5 kinit. If their account was created with
kdb5_edit, then this happens at that time. If, like in our situation,
we have a number of version 4 users whose account was created before
version 5 was a reality, then those users need to perform a v5 kpasswd
in order to set their version 5 key.
Users who move from a version 4 workstation to version 5 cannot use
the version 4 kpasswd to change their password. They must use version 5
kpasswd, so that a version 5 and version 4 key are generated in the
KDC database. If they use version 4 kpasswd then the version 4 kinit will
be the only "kinit" which will work. If they change their password
again with v5 kpasswd then all returns as it was......
Applications in a mixed v4 and v5 realm:
The telnet/telnetd programs may be compiled turning on version 4
authentication. To do this define KRB4 for the appl_telnet_defines
in the config/site.def files (you will need to remake the makefiles
in appl/telnet) or set the define into the appl/telnet/(lib,telnet,telnetd)
Makefiles. The version 4 libraries should be available.
Now the telnet and telnetd will negotiate which type of authentication
to perform, v4 or v5. I think v5 takes precedence over v4 if both the
client and server can do both. I have done this and the telnet and telnetd
will do v4 type authentication. We just don't build it that way because
we would want to see the transition to v5 totally.
The rsuite and ftp programs do not negotiate the type of Kerberos
authentication (v4 or v5); therefore the client who is trying to
communicate with them must be of the same type.
Hope this helps..... Glenn
----- End Included Message ------
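The key bookkeeping Glenn describes above (separate version 4 and version 5 keys for each user derived by different string-to-key functions, a v4 kpasswd leaving the v5 key stale, services sharing one key across both srvtab formats) is modelled below as an added example. It is not code from the note or from the MIT Kerberos distribution: the two derivation functions are labelled SHA-256 stand-ins for the real DES string-to-key routines, and the realm, principal names and passwords are constructed. The `users_missing_v5_key` check is the audit an administrator in the situation described would want, listing the pre-v5 users who still have to run a v5 kpasswd.

```python
"""Model of v4/v5 key handling in a mixed Kerberos realm (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

REALM = "EXAMPLE.COM"  # constructed realm name


def v4_string_to_key(password: str) -> bytes:
    # Stand-in for the Kerberos v4 DES string_to_key: password only, no salt.
    return hashlib.sha256(b"v4:" + password.encode()).digest()[:8]


def v5_string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    # Stand-in for the v5 des-cbc-crc string_to_key, which salts the password
    # with the realm and the principal name components; hence a different key.
    salt = (realm + principal.replace("/", "")).encode()
    return hashlib.sha256(b"v5:" + password.encode() + salt).digest()[:8]


@dataclass
class Entry:
    v4_key: Optional[bytes] = None
    v5_key: Optional[bytes] = None
    is_service: bool = False


class KDC:
    """Minimal stand-in for the KDC database holding both keys per principal."""

    def __init__(self) -> None:
        self.db: Dict[str, Entry] = {}

    def kdb5_edit_add_user(self, principal: str, password: str) -> None:
        # Creating an account with the v5 tools sets both keys at once.
        self.db[principal] = Entry(v4_string_to_key(password),
                                   v5_string_to_key(password, principal))

    def v4_legacy_user(self, principal: str, password: str) -> None:
        # A user created before v5 existed: only a v4 key is in the database.
        self.db[principal] = Entry(v4_key=v4_string_to_key(password))

    def add_service(self, principal: str, key: bytes) -> None:
        # Services get one random key stored identically for v4 and v5 use;
        # ksrvutil xlate4to5 / xlate5to4 only change the srvtab file format.
        self.db[principal] = Entry(v4_key=key, v5_key=key, is_service=True)

    def kpasswd_v5(self, principal: str, new_password: str) -> None:
        # The v5 kpasswd regenerates both keys with their own string-to-key.
        e = self.db[principal]
        e.v4_key = v4_string_to_key(new_password)
        e.v5_key = v5_string_to_key(new_password, principal)

    def kpasswd_v4(self, principal: str, new_password: str) -> None:
        # The v4 kpasswd knows nothing about the v5 key and leaves it stale.
        self.db[principal].v4_key = v4_string_to_key(new_password)

    def kinit_v4(self, principal: str, password: str) -> bool:
        return self.db[principal].v4_key == v4_string_to_key(password)

    def kinit_v5(self, principal: str, password: str) -> bool:
        return self.db[principal].v5_key == v5_string_to_key(password, principal)

    def users_missing_v5_key(self) -> List[str]:
        # Admin audit: users who must still run a v5 kpasswd before v5 kinit works.
        return sorted(p for p, e in self.db.items()
                      if not e.is_service and e.v5_key is None)


def walkthrough() -> Dict[str, bool]:
    """Replays the two situations the note warns about; returns kinit outcomes."""
    kdc = KDC()
    kdc.v4_legacy_user("alice", "old-pw")        # constructed pre-v5 account
    kdc.kdb5_edit_add_user("bob", "bob-pw")      # constructed v5-created account
    r: Dict[str, bool] = {}
    r["alice_v5_before"] = kdc.kinit_v5("alice", "old-pw")   # no v5 key yet
    kdc.kpasswd_v5("alice", "new-pw")                        # the remedy
    r["alice_v5_after"] = kdc.kinit_v5("alice", "new-pw")
    kdc.kpasswd_v4("bob", "pw2")                             # the mistake
    r["bob_v4"] = kdc.kinit_v4("bob", "pw2")                 # still works
    r["bob_v5"] = kdc.kinit_v5("bob", "pw2")                 # v5 key is stale
    kdc.kpasswd_v5("bob", "pw3")                             # all returns as it was
    r["bob_v5_fixed"] = kdc.kinit_v5("bob", "pw3")
    return r


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name}: {'ok' if ok else 'FAILS'}")
```

Running the module prints which kinit attempts succeed at each step of the walkthrough; the audit method can be run against any `KDC` instance to find accounts that still need the v5 kpasswd.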