KERBEROS and DCE INTEROPERABILITY ROUTINES

WHAT'S NEW

When k5dcecon was examining the ticket caches looking to 
update one with a newer TGT, it might update the wrong
one for the correct user.  This problem was reported by PNNL,
and is now fixed.

Any Kerberized application can now use a forwarded TGT to establish a
DCE context, or can use a previously established DCE context. This is
both a functional improvement and a performance improvement.

BACKGROUND

The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
number of ways. This is possible because:

 o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4
   or so, with additional changes. 

 o The DCE security server can act as a K5 KDC, as defined in RFC 1510
   and responds on port 88. 

 o On the clients, DCE and Kerberos use the same format for the ticket
   cache, and then can share it. The KRB5CCNAME environment variable points
   at the cache.   
 
 o On the clients, DCE and Kerberos use the same format for the srvtab
   file. DCE refers to is a /krb5/v5srvtab and Kerberos as
   /etc/krb5.keytab. They can be symlinked.  

 o MIT has added many options to the krb5.conf configuration file
   which allows newer features of Release 1.0 to be turned off to match
   the earlier version of Kerberos upon which DCE is based. 

 o DCE will accept a externally obtained Kerberos TGT in place of a
   password when establishing a DCE context. 

There are some areas where they differ, including the following:
 
 o Administration of the database and the keytab files is done by the
   DCE routines, rather the the Kerberos kadmin.

 o User password changes must be done using the DCE commands. Kpasswd
   does not work. (But there are mods to Kerberos to use the v5passwd 
   with DCE.  

 o DCE goes beyond authentication only, and provides authorization via
   the PAC, and the dce-ptgt tickets stored in the cache. Thus a
   Kerberos KDC can not act as a DCE security server. 

 o A DCE cell and Kerberos realm can cross-realm authenticate, but 
   there can be no intermediate realms. (There are other problems
   in this area as well. But directly connected realms/cells do work.)

 o You can't link a module with the DCE library and the Kerberos
   library. They have conflicting routines, static data and structures.  
 
One of the main features of DCE is the Distributed File System
DFS. Access to DFS requires authentication and authorization, and when
one uses a Kerberized network utility such as telnet, a forwarded
Kerberos ticket can be used to establish the DCE context to allow
access to DFS.  


NEW TO THIS RELEASE

This release introduces sharing of a DCE context, and PAG, and allows
any Kerberized application to establish or share the context. This is
made possible by using an undocumented feature of DCE which is on at
least the Transarc and IBM releases of DCE 1.1.

I am in the process of trying to get this contributed to the general
DCE 1.2.2 release as a patch, so it could be included in other vendors
products.  HP has expressed interest in doing this, as well as the
OpenGroup if the modification is contributed. You can help by
requesting Transarc and/or IBM to submit this modification to the
OpenGroup and ask your vendor to adopt this modification.

The feature is a modification to the setpag() system call which will
allow an authorized process to set the PAG to a specific value, and
thus allow unrelated processes to share the same PAG.

This then allows the Kerberized daemons such as kshd, to exec a DCE
module which established the DCE context. Kshd then sets the
KRB5CCNAME environment variable and then issues the setpag() to use
this context. This solves the linking problem. This is done via the
k5dfspag.c routine.

The k5dfspag.c code is compiled with the lib/krb5/os routines and
included in the libkrb5. A daemon calls krb5_dfs_pag after the
krb5_kuserok has determined that the Kerberos principal and local
userid pair are acceptable. This should be done early so as to give
the daemon access to the home directory which may be located on DFS.  
If the .k5login file is used by krb5_kuserok it will need to be
accessed by the daemon and will need special ACL handling.  

The krb5_dfs_pag routine will exec the k5dcecon module to do all the
real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set
the PAG for the current process to the returned PAG value. It will
also set the KRB5CCNAME environment as well. Under DCE the PAG value
is the nnnnnnn part of the name of the cache:
FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. 

The k5dcecon routine will attempt to use TGT which may have been
forwarded, to convert it to a DCE context. If there is no TGT, an
attempt will be made to join an existing PAG for the local userid, and
Kerberos principal. If there are existing PAGs, and a forwarded TGT,
k5dcecon will check the lifetime of the forwarded TGT, and if it is
less than the lifetime of the PAG, it will just join the PAG. If it
is greater, it will refresh the PAG using the forwarded TGT. 
This approach has the advantage of not requiring many new tickets from
having to be obtained, and allows one to refresh a DCE context, or use
an already established context. 

If the system also has AFS, the AFS krb5_afs_pag should be called
after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may
have changed, such as if a DFS PAG has been joined. The AFS code does
not have the capability to join an existing AFS PAG, but can use the
same cache which might already had a
afsx/<afs.cell.name>@<k5.realm.name> service ticket.


WHAT'S IN THIS RELEASE

The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
be slipped in between telnetd or klogind and login.krb5. They would
use a forwarded Kerberos ticket to establish a DCE context.  They are
the older programs which are included here. They work on all DCE
platforms, and don't take advantage of the undocumented setpag
feature. (A version of k5dcelogin is being included with DCE 1.2.2)
 
K5dcecon is the new program which can be used to create, update or
join a DCE context. k5dcecon returns KRB5CCNAME string which contains
the PAG.

k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
1 and added to the libkrb5. It will exec k5dcecon and upon return set
the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd,
ftpd are available to use the k5dfspag. 

Testpag.c is a test programs to see if the PAG can be set.

The cpwkey.c routine can be used to change a key in the DCE registry,
by adding the key directly, or by setting the salt/pepper and password
or by providing the key and the pepper. This could be useful when
coping keys from a K4 or AFS database to DCE. It can also be used when
setting a DCE to K5 cross-cell key.  This program is a test program
For mass inserts, it should be rewritten to read from stdin.

K5dcelogin can also be called directly, much like dce_login.
I use the following commands in effect do the same thing as dce_login
and get a forwardable ticket, DCE context and an AFS token:

  #!/bin/csh
  # simulate a dce_login using krb5 kinit and k5dcelogin
  #
  setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
  /krb5/bin/kinit -f
  exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
  #exec /krb5/sbin/k5dcelogin  /bin/csh

This could be useful in a mixed cell where "AS_REQ" messages are
handled by a K5 KDC, but DCE RPCs are handled by the DCE security
server.

TESTING THE SETPAG

The krb5_dfs_pag routine relies on an undocumented feature which is
in the AIX and Transarc Solaris ports of DCE and has been recently
added to the SGI version.  To test if this feature is present 
on some other DFS implementation use the testpag routine. 

The testpag routine attempts to set a PAG value to one you supply. It
uses the afs_syscall with the afs_setpag, and passes the supplied 
PAG value as the next parameter. On an unmodifed system, this 
will be ignored, and a new will be set. You should also check that
if run as a user, you cannot join a PAG owned by another user. 
When run as root, any PAG should be usable. 

On a machine with DFS running, do a dce_login to get a DCE context and
PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It
should look like an 8 char hex value, which may be 41ffxxxx on some
systems. 

Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
nnnnnnnn is the PAG obtained for the above name. 

It should look like this example on an AIX 4.1.4 system:

   pembroke# ./testpag -n 63dc9997
   calling k5dcepag newpag=63dc9997
   PAG returned = 63dc9997

You will be running under a new shell with the PAG and KRB5CCNAME set.
If the PAG returned is the same as the newpag, then it worked. You can
further verify this by doing a DCE klist, cd to DFS and a DCE klist
again. The klist should show some tickets for DFS servers.

If the PAG returned is not the same, and repeated attempts show a
returned PAG decremented by 1 from the previous returned PAG, then
this system does not have the modification For example: 
 
   # ./testpag -n 41fffff9
   calling k5dcepag newpag=41fffff9
   PAG returned = 41fffff8
   # ./testpag -n 41fffff9
   calling k5dcepag newpag=41fffff9
   PAG returned = 41fffff7

In this case the syscall is ignoring the newpag parameter. 

Running it with -n 0 should get the next PAG value with or without
this modification. 

If the DFS kernel extensions are not installed, you would get
something like this:

  caliban.ctd.anl.gov% ./testpag -n 012345678
  calling k5dcepag newpag=012345678
  Setpag failed with a system error
  PAG returned = ffffffff
  Not a good pag value

If you DFS implementation does not have this modification, you could
attempt to install it yourself. But this requires source and requires
modifications to the kernel extensions. At the end of this note is an
untested sample using the DCE 1.2.2 source code. You can also contact
your system vendor and ask for this modification.

UNICOS has a similar function setppag(newpag) which can be used to set
the PAG of the parent. Contact me if you are interested. 

HOW TO INSTALL

Examine the k5dfspag.c file to make sure the DFS syscalls are correct
for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h
on Solaris for example. 

You should build the testpag routine and make sure it works before 
adding all the other mods. If it fails you can still use the klogind
and telnetd with the k5prelogin and k5dcelogin code. 

If you intend to install with a prefix other than /krb5, change:
DPAGAIX and K5DCECON in k5dfspag.c; the three references in
k5prelogin.c; and the DESTDIR in the Makefile.

Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
related changes and the calls to krb5_dfs_pag. 

Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. 

Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. 

Configure and Build the Kerberos v5. 

Modify the k5dce Makefile for your system. 

Build the k5dcecon and related programs. 

Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX.    

The makefile can also build k5dcelogin and k5prelogin.  The install
can install k5dcelogin, k5prelogin and update the links for login.krb5
-> k5prelogin and moving login.krb5 to login.k5. If you will be using
the k5dcecon/k5dfspag with the Kerberos mods, you don't need
k5prelogin, or the links changed, and may not need k5dcelogin.

Note that Transarc has obfuscated the entries to the lib, and 
the 1.0.3a is different from the 1.1. You may need to build two
versions of the k5dcelogin and/or k5dcecon one for each. 

AIX ONLY

The dpagaix routine is needed for AIX because of the way they do the 
syscalls. 

The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
has been installed. This PTF exposed the needed entrypoints. 

The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
external entry points to the libdce.a.  These are needed by k5dcecon
and k5dcelogin.  A bug report was submitted to IBM on this, and it was
rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
be needed with 1.2.2

Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
makefile to its own directory. It will create a new libdce.a which you
need to copy back to /usr/lib/libdce.a You will need to reboot the
machine.  See the /usr/lpp/dce/examples/inst/README.AIX for a similar
procedure.  IBM was not responsive in a request to have these added.

UNTESTED KERNEL EXTENSION FOR SETPAG

*** src/file/osi/,osi_pag.c  Wed Oct  2 13:03:05 1996
--- src/file/osi/osi_pag.c   Mon Jul 28 13:53:13 1997
***************
*** 293,298 ****
--- 293,302 ----
      int code;
  
      osi_MakePreemptionRight();
+    /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
+    if (unused && osi_GetUID(osi_getucred()) == 0) {
+     newpag = unused;
+    } else {
      osi_mutex_enter(&osi_pagLock);
      now = osi_Time();
      soonest = osi_firstPagTime +
***************
*** 309,314 ****
--- 313,319 ----
      }
      osi_mutex_exit(&osi_pagLock);
      newpag = osi_genpag();
+    }
      osi_pcred_lock(p);
      credp = crcopy(osi_getucred());
      code = osi_SetPagInCred(credp, newpag);

Created     07/08/96
Modified    09/30/96
Modified    11/19/96
Modified    12/19/96
Modified    06/20/97
Modified    07/28/97
Modified    02/18/98

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444