
using Heimdal Krb5 for DCE RPC Security




Hello all.. I'm new to your mailing list.

I'd like to ask a few questions to get my knowledge ball
rolling about your project. 

What led me to find this project was a desire to find 
an off-shore (non-USA) implementation of the Kerberos V5
wire protocol and libraries to help create a 
freely-redistributable, interoperable DCE RPC that supports
authentication.

As some of you may know, we've ported the entire DCE 1.2.2
to Linux. However, because the crypto components of 1.2.2 
are export controlled from the United States, many of our
European colleagues are left stranded.

I've also re-ported the freely redistributable DCE 1.1 RPC
to Linux as well. This works very well, however, it only
implements the unauthenticated RPC.  However, the hooks are in
place to implement Secure RPC. Further, the interfaces and
encodings are well documented in published, available literature.
It should not be entirely hard for someone to study the literature,
understand the internal interfaces, and go forth and implement.

A large number of people are interested in a rendition of DCE
RPC that can use GSSAPI. In theory, it is quite possible to add
support to the freely redistributable 1.1 RPC using Kerberos V5
and GSSAPI such that one could operate with commercial DCE products.
Heimdal could help solve the problem of worldwide availability of
a high-performance and fairly secure RPC middleware. This would be
useful for a number of projects ranging from supercomputing applications,
to distributed systems management tools, to a free port of DFS similar
to the ARLA project.

Some questions about Heimdal:

- What is the status on the GSSAPI library implementation?
- Are the Heimdal V5 libraries thread safe?
- Have Heimdal V5 clients been interoperability tested against
  a DCE Security Server? (That is, can Heimdal decode TGTs 
  issued by a DCE SEC server like the MIT v5 kit can?)

For more information on our DCE 1.1 kit:

	http://www.bu.edu/~jrd

-- Jim



+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jim Doyle                         Boston University   Information Technology
Systems Analyst/Programmer        email: jrd@bu.edu   Distributed Systems
http://www.bu.edu/~jrd/ 			      tel. (617)-353-8248
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++--+-+-+-+-+-+-