Re: [netatalk-admins] Need very technical info/pointers/etc on AFS/KRB4 implementations


Subject: Re: [netatalk-admins] Need very technical info/pointers/etc on AFS/KRB4 implementations
From: Everette G Allen (Everette_Allen@ncsu.edu)
Date: Fri Aug 08 1997 - 10:19:50 EDT


Hi,
For netatalk 1.3.3 there exist two schemes for Kerberos authentication
and AFS authorization:

1) Via the Authman User Authentication Method (UAM), which is to my
knowledge not documented except by reading the source code (even the document
from Apple about UAMs in general is obscure and not available unless you
beg one of the developers inside Apple). For AFP Spec 2.2 one of the
AppleShare IP developers (Leland Wallace) is working on a UAM SDK and there
is a proposed afp URL scheme (see http://www.opendoors.com/asip/ for
details). See the technical docs at http://appleshareip.apple.com for
details on AFP 2.2 and how to join the AppleShare IP 5.0 list to get info
on implementation and testing. There used to be source for the Mac part of
the UAM on ftp://terminator.rs.itd.umich.edu but I have not been able to
find it and Wes Craig has not to my knowledge had time to document it or
make the code available. What about it Wes??

2) The folks at Stanford did a project called netatalk 1.3.3su which is
available as source and SunOS binary from
ftp://networking.stanford.edu/pub/andy/Macleland. This mod implements a
callback routine over AppleTalk (in versions 1 and 2) initially and later
(version 3) over TCP/IP using the S/Ident protocol RFC (now expired in the IETF,
check with Bob Morgan at Stanford) and a generalized callback routine
detailed at http://www-leland.stanford.edu/~torg/WWW-security.doc.html.
This latter version is still in development at Stanford and is not in the
binary or source on the ftp site listed above. Look at
http://www-leland.stanford.edu/~maas/macleland/ and
http://www-dccs.stanford.edu/macleland/ for details. Feel free to have a
look at http://www4.ncsu.edu/~ega/macleland/netatalk.html for setup and
install documentation details for the setup we use here at NCSU. This mod
requires that a listener be running on every Mac client (MacLeland). Some
folks at Duke already run MacLeland (see
http://www.duke.edu/~jwk3/kerberos/ if you didn't already know :-).

So the differences between the two:
a) UAM is a plugin (file://System Folder/AppleShare Folder) to the AppleShare
connection scheme which is (now, again) supported by Apple. Currently UAMs
are supported only over AppleTalk, with TCP/IP RSN.
Authman is required to be installed (ftp://monet.ccs.itd.umich.edu/pub/).
The callback is a Stanford home-grown scheme which they are using for web
authentication as well.
b) UAM should work with 1.4.x netatalk. To my knowledge no one has ported
the Stanford mods to the netatalk 1.4.x beta yet. Anyone game??
c) Neither supports Kerberos V5 natively and neither is interoperable. So
the UAM cannot be used with MacLeland nor Kclient, and the Callback cannot
be used with Kclient nor Authman. (It's much worse with Samba on PC.)

If anyone else has additional or better information please post or send to
me and I will summarize.

>Hello Folks,
>
>I am trying to find some resources to help me understand how the
>Kerberos and AFS support are implemented in netatalk.
>
>I am very concerned about security and the possible violation of the
>Kerberos/AFS security models (i.e. trusting a non-trusted source,
>clear text passwords, unauthenticated access to AFS file systems,
>key theft, ticket theft, etc).
>
>Does anyone have any information on what Security model netatalk uses?
>What steps are taken to not allow unauthenticated access to afs data?
>
>Is netatalk a proxy for the client to talk to the afs servers?
>Does netatalk authenticate for you and how?
>
>I guess I am paranoid and cannot seem to find any information
>via the FAQ's. Also went so far as to AltaVista Search for tidbits
>and could not find anything.
>
>Thanks again,
>
> Mario
>
>---------------------------------------------------------------------------
> | Systems Administration Group, O.I.T.
> phone://919.660.7037/ | Duke University, 412 North Building
> fax://919.660.7029/ | Durham, NC 27708
> mailto:mario@oit.duke.edu | http://www.oit.duke.edu/~mario/
>---------------------------------------------------------------------------
> FOR MY PGP PUBLIC KEY: "finger -m mario@acpub.duke.edu | pgp -fka"

Everette Gray Allen Consultant IV
Box 7109 NCState Campus Computing Services
Raleigh, NC 27695-7109 919-515-2517



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:26:04 EST