KERBEROS and DCE INTEROPERABILITY ROUTINES

WHAT'S NEW

When k5dcecon was examining the ticket caches looking to
update one with a newer TGT, it might update the wrong
one for the correct user. This problem was reported by PNNL,
and is now fixed.

Any Kerberized application can now use a forwarded TGT to establish a
DCE context, or can use a previously established DCE context. This is
both a functional improvement and a performance improvement.

BACKGROUND

The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
number of ways. This is possible because:

  o DCE uses Kerberos 5 internally. It is based on the MIT code as of
    beta 4 or so, with additional changes.

  o The DCE security server can act as a K5 KDC, as defined in RFC 1510,
    and responds on port 88.

  o On the clients, DCE and Kerberos use the same format for the ticket
    cache, and so can share it. The KRB5CCNAME environment variable points
    at the cache.

  o On the clients, DCE and Kerberos use the same format for the srvtab
    file. DCE refers to it as /krb5/v5srvtab and Kerberos as
    /etc/krb5.keytab. They can be symlinked.

  o MIT has added many options to the krb5.conf configuration file
    which allow newer features of Release 1.0 to be turned off to match
    the earlier version of Kerberos upon which DCE is based.

  o DCE will accept an externally obtained Kerberos TGT in place of a
    password when establishing a DCE context.

There are some areas where they differ, including the following:

  o Administration of the database and the keytab files is done by the
    DCE routines, rather than the Kerberos kadmin.

  o User password changes must be done using the DCE commands. Kpasswd
    does not work. (But there are mods to Kerberos to use the v5passwd
    with DCE.)

  o DCE goes beyond authentication only, and provides authorization via
    the PAC, and the dce-ptgt tickets stored in the cache.
    Thus a Kerberos KDC cannot act as a DCE security server.

  o A DCE cell and a Kerberos realm can cross-realm authenticate, but
    there can be no intermediate realms. (There are other problems
    in this area as well. But directly connected realms/cells do work.)

  o You can't link a module with both the DCE library and the Kerberos
    library. They have conflicting routines, static data and structures.

One of the main features of DCE is the Distributed File System,
DFS. Access to DFS requires authentication and authorization, and when
one uses a Kerberized network utility such as telnet, a forwarded
Kerberos ticket can be used to establish the DCE context to allow
access to DFS.


NEW TO THIS RELEASE

This release introduces sharing of a DCE context and PAG, and allows
any Kerberized application to establish or share the context. This is
made possible by using an undocumented feature of DCE which is in at
least the Transarc and IBM releases of DCE 1.1.

I am in the process of trying to get this contributed to the general
DCE 1.2.2 release as a patch, so it could be included in other vendors'
products. HP has expressed interest in doing this, as well as the
OpenGroup if the modification is contributed. You can help by
requesting Transarc and/or IBM to submit this modification to the
OpenGroup and asking your vendor to adopt this modification.

The feature is a modification to the setpag() system call which will
allow an authorized process to set the PAG to a specific value, and
thus allow unrelated processes to share the same PAG.

This then allows the Kerberized daemons such as kshd to exec a DCE
module which establishes the DCE context. Kshd then sets the
KRB5CCNAME environment variable and issues the setpag() to use
this context. This solves the linking problem. This is done via the
k5dfspag.c routine.

The k5dfspag.c code is compiled with the lib/krb5/os routines and
included in the libkrb5. A daemon calls krb5_dfs_pag after
krb5_kuserok has determined that the Kerberos principal and local
userid pair are acceptable. This should be done early so as to give
the daemon access to the home directory, which may be located on DFS.
If the .k5login file is used by krb5_kuserok it will need to be
accessed by the daemon and will need special ACL handling.

The krb5_dfs_pag routine will exec the k5dcecon module to do all the
real work. Upon return, if a PAG is obtained, krb5_dfs_pag will set
the PAG for the current process to the returned PAG value. It will
also set the KRB5CCNAME environment variable. Under DCE the PAG value
is the nnnnnnnn part of the name of the cache:
FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn.

The k5dcecon routine will attempt to use a TGT, which may have been
forwarded, and convert it to a DCE context. If there is no TGT, an
attempt will be made to join an existing PAG for the local userid and
Kerberos principal. If there are existing PAGs and a forwarded TGT,
k5dcecon will check the lifetime of the forwarded TGT, and if it is
less than the lifetime of the PAG, it will just join the PAG. If it
is greater, it will refresh the PAG using the forwarded TGT.
This approach has the advantage of not requiring many new tickets to
be obtained, and allows one to refresh a DCE context, or use
an already established context.

If the system also has AFS, the AFS krb5_afs_pag should be called
after the krb5_dfs_pag, since the cache pointed at via KRB5CCNAME may
have changed, such as if a DFS PAG has been joined. The AFS code does
not have the capability to join an existing AFS PAG, but can use the
same cache, which might already hold an
afsx/<afs.cell.name>@<k5.realm.name> service ticket.
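The two points above, the PAG being the dcecred_nnnnnnnn suffix of KRB5CCNAME and k5dcecon's choice between joining, refreshing and creating a context, as an added C example. This is not code from the k5dce package or from MIT Kerberos; the function names pag_from_ccname, ccname_from_pag and choose_dce_action, the fixed /opt/dcelocal prefix, the treatment of ffffffff as "no PAG", and the rule that equal lifetimes mean "join" are assumptions made here:

```c
/* Added example: not code from the k5dce package or MIT Kerberos.
 * Parses the PAG out of a DCE credential cache name and applies the
 * join/refresh/create policy the README describes for k5dcecon. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed cache location; dcelocal may live elsewhere on a given system. */
#define DCE_CRED_PREFIX "FILE:/opt/dcelocal/var/security/creds/dcecred_"

/* Return the PAG named by a KRB5CCNAME of the form
 * FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn, or -1 if the
 * name is not a DCE cache, the suffix is not exactly 8 hex digits, or
 * the suffix is ffffffff (what a failed setpag reports). */
long long pag_from_ccname(const char *ccname)
{
    size_t plen = strlen(DCE_CRED_PREFIX);
    const char *suffix;
    char *end;
    unsigned long v;
    int i;

    if (ccname == NULL || strncmp(ccname, DCE_CRED_PREFIX, plen) != 0)
        return -1;
    suffix = ccname + plen;
    if (strlen(suffix) != 8)
        return -1;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)suffix[i]))
            return -1;
    v = strtoul(suffix, &end, 16);
    if (*end != '\0' || v == 0xffffffffUL)
        return -1;
    return (long long)v;
}

/* Build the KRB5CCNAME krb5_dfs_pag would export for a PAG; buf must
 * hold at least strlen(DCE_CRED_PREFIX) + 9 bytes. Returns buf. */
char *ccname_from_pag(unsigned long pag, char *buf, size_t buflen)
{
    snprintf(buf, buflen, "%s%08lx", DCE_CRED_PREFIX, pag & 0xffffffffUL);
    return buf;
}

/* What k5dcecon does given the credentials it finds. */
enum dce_action {
    DCE_NOTHING,      /* no TGT to convert and no PAG to join */
    DCE_JOIN_PAG,     /* reuse the existing DCE context */
    DCE_REFRESH_PAG,  /* re-establish the context from the forwarded TGT */
    DCE_NEW_CONTEXT   /* no PAG yet: convert the TGT into a new context */
};

/* tgt_expires / pag_expires are absolute expiry times; anything not
 * later than `now` counts as absent.  Assumption: when the TGT would
 * expire at the same time as the PAG, joining is good enough. */
enum dce_action choose_dce_action(time_t tgt_expires, time_t pag_expires,
                                  time_t now)
{
    int have_tgt = tgt_expires > now;
    int have_pag = pag_expires > now;

    if (!have_tgt && !have_pag)
        return DCE_NOTHING;
    if (!have_tgt)
        return DCE_JOIN_PAG;
    if (!have_pag)
        return DCE_NEW_CONTEXT;
    /* Both present: a TGT that outlives the PAG is worth a refresh,
     * otherwise joining avoids fetching a new set of tickets. */
    return (tgt_expires <= pag_expires) ? DCE_JOIN_PAG : DCE_REFRESH_PAG;
}

int main(void)
{
    char buf[80];
    /* Constructed sample, modelled on the README's AIX transcript. */
    const char *cc = "FILE:/opt/dcelocal/var/security/creds/dcecred_63dc9997";

    printf("PAG in %s: %llx\n", cc, pag_from_ccname(cc));
    printf("name for 41fffff9: %s\n",
           ccname_from_pag(0x41fffff9UL, buf, sizeof buf));
    printf("action: %d\n", (int)choose_dce_action(9000, 5000, 1000));
    return 0;
}
```

The parser is strict on purpose: a daemon that trusts KRB5CCNAME to name a DCE cache should reject anything that is not exactly eight hex digits, since a cache name like FILE:/tmp/krb5cc_p1234 is a plain Kerberos cache with no PAG attached.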


WHAT'S IN THIS RELEASE

The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
be slipped in between telnetd or klogind and login.krb5. They would
use a forwarded Kerberos ticket to establish a DCE context. They are
the older programs which are included here. They work on all DCE
platforms, and don't take advantage of the undocumented setpag
feature. (A version of k5dcelogin is being included with DCE 1.2.2.)

K5dcecon is the new program which can be used to create, update or
join a DCE context. k5dcecon returns a KRB5CCNAME string which contains
the PAG.

k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
1 and added to the libkrb5. It will exec k5dcecon and upon return set
the KRB5CCNAME and PAG. Mods to the Kerberized klogind, rshd, telnetd and
ftpd are available to use the k5dfspag.

Testpag.c is a test program to see if the PAG can be set.

The cpwkey.c routine can be used to change a key in the DCE registry,
by adding the key directly, by setting the salt/pepper and password,
or by providing the key and the pepper. This could be useful when
copying keys from a K4 or AFS database to DCE. It can also be used when
setting a DCE to K5 cross-cell key. This program is a test program.
For mass inserts, it should be rewritten to read from stdin.

K5dcelogin can also be called directly, much like dce_login.
I use the following commands, which in effect do the same thing as dce_login
and get a forwardable ticket, DCE context and an AFS token:

    #!/bin/csh
    # simulate a dce_login using krb5 kinit and k5dcelogin
    #
    setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
    /krb5/bin/kinit -f
    exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
    #exec /krb5/sbin/k5dcelogin /bin/csh

This could be useful in a mixed cell where "AS_REQ" messages are
handled by a K5 KDC, but DCE RPCs are handled by the DCE security
server.

TESTING THE SETPAG

The krb5_dfs_pag routine relies on an undocumented feature which is
in the AIX and Transarc Solaris ports of DCE and has been recently
added to the SGI version. To test if this feature is present
on some other DFS implementation, use the testpag routine.

The testpag routine attempts to set a PAG value to one you supply. It
uses the afs_syscall with the afs_setpag, and passes the supplied
PAG value as the next parameter. On an unmodified system, this
will be ignored, and a new PAG will be set. You should also check that
if run as a user, you cannot join a PAG owned by another user.
When run as root, any PAG should be usable.

On a machine with DFS running, do a dce_login to get a DCE context and
PAG. Echo the KRB5CCNAME and look at the nnnnnnnn at the end. It
should look like an 8 char hex value, which may be 41ffxxxx on some
systems.

Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
nnnnnnnn is the PAG obtained for the above name.

It should look like this example on an AIX 4.1.4 system:

    pembroke# ./testpag -n 63dc9997
    calling k5dcepag newpag=63dc9997
    PAG returned = 63dc9997

You will be running under a new shell with the PAG and KRB5CCNAME set.
If the PAG returned is the same as the newpag, then it worked. You can
further verify this by doing a DCE klist, cd to DFS and a DCE klist
again. The klist should show some tickets for DFS servers.

If the PAG returned is not the same, and repeated attempts show a
returned PAG decremented by 1 from the previous returned PAG, then
this system does not have the modification. For example:

    # ./testpag -n 41fffff9
    calling k5dcepag newpag=41fffff9
    PAG returned = 41fffff8
    # ./testpag -n 41fffff9
    calling k5dcepag newpag=41fffff9
    PAG returned = 41fffff7

In this case the syscall is ignoring the newpag parameter.
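The interpretation of testpag output described above, as an added C example that reads the "PAG returned" lines from one or more runs and classifies the kernel; it also handles the "Setpag failed / ffffffff" case the README shows for a system without the DFS kernel extensions. This is not part of testpag or the k5dce package; the enum names, the function classify_testpag, the rule that -n 0 is inconclusive, and the sample outputs (constructed from the README's transcripts) are assumptions made here:

```c
/* Added example: not code from the k5dce package.  Reads the output of
 * one or more "testpag -n <pag>" runs and classifies what the kernel did,
 * following the three outcomes the README describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum setpag_support {
    SETPAG_UNKNOWN,   /* not enough output to decide */
    SETPAG_HONOURED,  /* PAG returned == newpag: the modification is present */
    SETPAG_IGNORED,   /* fresh PAG each run, decrementing by 1: stock kernel */
    SETPAG_NO_DFS     /* syscall error / ffffffff: DFS kernel extension absent */
};

/* Find the "PAG returned = xxxxxxxx" line in one run's output.
 * Returns 1 and stores the value, or 0 if the line is missing. */
static int returned_pag(const char *output, unsigned long *pag)
{
    static const char tag[] = "PAG returned = ";
    const char *p = strstr(output, tag);

    if (p == NULL)
        return 0;
    *pag = strtoul(p + strlen(tag), NULL, 16);
    return 1;
}

/* runs[] holds the output of n consecutive runs with the same -n value. */
enum setpag_support classify_testpag(unsigned long requested,
                                     const char *const runs[], int n)
{
    unsigned long prev = 0, cur = 0;
    int i, decrementing = 1;

    /* -n 0 asks for the next PAG on any kernel, so it proves nothing. */
    if (requested == 0 || n < 1)
        return SETPAG_UNKNOWN;

    for (i = 0; i < n; i++) {
        if (!returned_pag(runs[i], &cur))
            return SETPAG_UNKNOWN;
        if (cur == 0xffffffffUL || strstr(runs[i], "Setpag failed") != NULL)
            return SETPAG_NO_DFS;
        if (cur == requested)
            return SETPAG_HONOURED;
        if (i > 0 && cur != prev - 1)
            decrementing = 0;
        prev = cur;
    }
    /* A stock kernel ignores newpag and hands out the next value; the
     * README's signature for that is two or more runs going down by one. */
    return (n >= 2 && decrementing) ? SETPAG_IGNORED : SETPAG_UNKNOWN;
}

/* Constructed sample outputs, modelled on the README's transcripts. */
static const char *const run_aix_ok[] = {
    "calling k5dcepag newpag=63dc9997\nPAG returned = 63dc9997\n"
};
static const char *const run_stock[] = {
    "calling k5dcepag newpag=41fffff9\nPAG returned = 41fffff8\n",
    "calling k5dcepag newpag=41fffff9\nPAG returned = 41fffff7\n"
};
static const char *const run_no_dfs[] = {
    "calling k5dcepag newpag=012345678\n"
    "Setpag failed with a system error\n"
    "PAG returned = ffffffff\nNot a good pag value\n"
};

int main(void)
{
    printf("AIX:   %d\n", (int)classify_testpag(0x63dc9997UL, run_aix_ok, 1));
    printf("stock: %d\n", (int)classify_testpag(0x41fffff9UL, run_stock, 2));
    printf("noDFS: %d\n", (int)classify_testpag(0x12345678UL, run_no_dfs, 1));
    return 0;
}
```

A single non-matching run is deliberately reported as unknown: only the decrement-by-one pattern across repeated runs distinguishes "the kernel ignored newpag" from an unrelated failure, which is why the README asks for repeated attempts.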

Running it with -n 0 should get the next PAG value with or without
this modification.

If the DFS kernel extensions are not installed, you would get
something like this:

    caliban.ctd.anl.gov% ./testpag -n 012345678
    calling k5dcepag newpag=012345678
    Setpag failed with a system error
    PAG returned = ffffffff
    Not a good pag value

If your DFS implementation does not have this modification, you could
attempt to install it yourself. But this requires source and requires
modifications to the kernel extensions. At the end of this note is an
untested sample using the DCE 1.2.2 source code. You can also contact
your system vendor and ask for this modification.

UNICOS has a similar function setppag(newpag) which can be used to set
the PAG of the parent. Contact me if you are interested.

HOW TO INSTALL

Examine the k5dfspag.c file to make sure the DFS syscalls are correct
for your platform. See /opt/dcelocal/share/include/dcedfs/syscall.h
on Solaris, for example.

You should build the testpag routine and make sure it works before
adding all the other mods. If it fails you can still use the klogind
and telnetd with the k5prelogin and k5dcelogin code.

If you intend to install with a prefix other than /krb5, change:
DPAGAIX and K5DCECON in k5dfspag.c; the three references in
k5prelogin.c; and the DESTDIR in the Makefile.

Get the k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
related changes and the calls to krb5_dfs_pag.

Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory.

Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration.

Configure and build the Kerberos v5.

Modify the k5dce Makefile for your system.

Build the k5dcecon and related programs.

Install both the MIT Kerberos v5 and the k5dcecon, and dpagaix if AIX.

The makefile can also build k5dcelogin and k5prelogin. The install
can install k5dcelogin and k5prelogin, and update the links for login.krb5
-> k5prelogin, moving login.krb5 to login.k5. If you will be using
the k5dcecon/k5dfspag with the Kerberos mods, you don't need
k5prelogin or the links changed, and may not need k5dcelogin.

Note that Transarc has obfuscated the entries to the lib, and
the 1.0.3a is different from the 1.1. You may need to build two
versions of the k5dcelogin and/or k5dcecon, one for each.

AIX ONLY

The dpagaix routine is needed for AIX because of the way they do the
syscalls.

The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
has been installed. This PTF exposed the needed entrypoints.

The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
external entry points to the libdce.a. These are needed by k5dcecon
and k5dcelogin. A bug report was submitted to IBM on this, and it was
rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
be needed with 1.2.2.

Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
makefile to its own directory. It will create a new libdce.a which you
need to copy back to /usr/lib/libdce.a. You will need to reboot the
machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar
procedure. IBM was not responsive to a request to have these added.

UNTESTED KERNEL EXTENSION FOR SETPAG

*** src/file/osi/,osi_pag.c	Wed Oct  2 13:03:05 1996
--- src/file/osi/osi_pag.c	Mon Jul 28 13:53:13 1997
***************
*** 293,298 ****
--- 293,302 ----
      int code;

      osi_MakePreemptionRight();
+     /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
+     if (unused && osi_GetUID(osi_getucred()) == 0) {
+         newpag = unused;
+     } else {
      osi_mutex_enter(&osi_pagLock);
      now = osi_Time();
      soonest = osi_firstPagTime +
***************
*** 309,314 ****
--- 313,319 ----
      }
      osi_mutex_exit(&osi_pagLock);
      newpag = osi_genpag();
+     }
      osi_pcred_lock(p);
      credp = crcopy(osi_getucred());
      code = osi_SetPagInCred(credp, newpag);

Created 07/08/96
Modified 09/30/96
Modified 11/19/96
Modified 12/19/96
Modified 06/20/97
Modified 07/28/97
Modified 02/18/98

    Douglas E. Engert <DEEngert@anl.gov>
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
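Review bot: in the first hunk of the osi_pag.c patch, the only gate on taking over a caller-supplied PAG is `osi_GetUID(osi_getucred()) == 0`, and the value in `unused` is then copied straight into `newpag`, so a root process can put itself into any 32-bit value, including one osi_genpag() never handed out. Suggest checking that `unused` refers to a PAG actually issued by osi_genpag() (or at least lies in its range) before assigning it, and renaming the parameter, since any existing caller that passes junk in a slot previously named `unused` will now change behaviour when run as root. The README's own test ("if run as a user, you cannot join a PAG owned by another user") only exercises the non-root path, so a root-side check belongs in the test as well.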