So much for kerberos in Ultrix 4.0 (outside the USA)y

[Eric the Young]

In article <1322 at surf.sics.bu.oz>, eay at surf.sics.bu.oz (Eric the Young (me)) wri
tes:
>(For those that don't know, DEC claimed that kerberos with full encryption
>(in binary form only) was being sent will all versions with ultrix 4,

This statement (as was most of the article) was harsh on Digital
and I should not have written it.
I apologize for any discredit I may have brought on Digital's name.
I fully appreciate the efforts Digital have made in trying to export
a complete working version of kerberos (with des) and that the restrictions
are due to U.S. export controls.  (And it is those export controls that
I am frustrated with not Digital).

My reason for posting was caused by my misunderstanding of the definitions
of object code.  I am a system programmer and my interest in kerberos
is writing applications that can use kerberos authentication.
I have been using Bones (kerberos without the libdes.a routines) and when
I hear the word kerberos I think of authenticated logins etc.
Kerberos is an authentication system, so the use of the kerberos in
user applications is (IMHO) a major part of kerberos.
When I found that the kerberos package in the export version of Ultrix could not
be used to develop new applications _I_ felt that an integral part of
the kerberos package was missing.

The kerberos (or Bones) package as distributed by MIT provides the
kerberos server, development libraries and some application programs.
>From what I have seen so far, the export Ultrix version provides the
server, development libraries (minus des encryption) and some
applications (I am not sure which ones, but not rlogin).
Since kerberos is an authentication system, I fell that leaving out
some parts of the library (so that is is not usable), does not conform with
my personal image of what kerberos is.  It appears that all I have to
do is write my own versions of des (which I have done), but how can
I be sure it will be compatible with the (non export) Ultrix version.
The way kerberos operates would make it possible for me, in Australia
to login to MIT (when I am IP connected) with kerberos authentication,
but only if my des routines were exactly the same as MIT's.

I find it so annoying that when there are several different versions
of libdes.a available outside the US, that the US is IP connected to
the rest of the world (Oh, look what we have here, the kerberos distribution,
lets just ftp it back to Australia/Finland/Eastern Europe, or lets just
have some-one email it to me).

I have modified Bones so that it now uses encryption but I will never
be able to say the libraries are a replacement for MIT's until I can test
them against a working USA version.  It was my hope that the Ultrix version
would let me test my routines and then be able to say my version would let
people with kerberos on ultrix machines authenticate with people with my version
of kerberos.

eric

None of the above is a reflection of the opinion or of the policies
of Bond University, it is just the grumbling of an annoyed
system programmer (me)

--
Eric Young
System Programmer, SICS Bond Uni.
ACSnet: eay at surf.sics.bu.oz.au