Coda File System

Re: Coda and KrbV && PPC

From: Peter J Braam <>
Date: Wed, 10 Feb 1999 14:22:31 -0500
Hi Troy,

If you are in a position to maintain this that would be super.  There are a
number of trivial bugs with the kerberos stuff that need fixing and you can
find these on

The requirements for making crypto packages available are not very
complicated, and perhaps you could put them up for ftp and we put a link on
our pages.

Would it be worth to have you write a short section for the HOWTO about how
you got this going?

If I can download the PPC rpms somewhere then we can put those on the web too. 

- Peter -

At 07:40 PM 2/7/99 -0600, you wrote:
>I have just successfully gotten Coda 5.0.1 to work with MIT Kerberos5
>1.0.5 (after figureing out the coda server needs a Krb5 host
>I built RPMS of coda and kerberos, and included the Krb5 PAM module to
>allow logins, etc. If anyone wants these, let me know. Q: Can I send an
>rpm spec file outside of the US and not violate export regs?. (If not, I
>could snail-mail a diff or the spec to someone)
>I'd like to offer to help with the KrbV and PAM modules, since I would
>find them very usefull. ;)
>I also have a couple of feasability questions, now that I have a better
>idea what's going on. How hard would it be to:
>1) use Kerberos as the authentication/encryption mechanism all the way
>though Coda? (This might be a way to get around encryption export stuff,
>since krb5 can be gotten from and there is a free krb4 clone in
>Europe somewhere)
>2) make direct use of kerberos principals so that say, anyone with a
>joeuser/admin principal can be a member of the System:Adminstrators group
>while the regular joeuser principal is not. (along these lines, this would
>allow a joeuser/cron or joeuser/daemon principal to get coda tokens for
>cron jobs or such from a kerberos ticket the user has left for that
>purpose, via a ticket with an extremely long lifetime)
>This might also solve the "how do I authenticate the web server" type
>problems. (Correct me if I'm wrong, but could having a host key/principal 
>for the webserver machine allow this?)
>   a) automatically get coda tokens from kerberos tickets if they exist
>	or
>   b) use kerberos facilities to replace coda tokens (this sorta goes with
>      (1) above)
>4) This is more of a kerberos thing, but krb5 has the DES3 code
>   modularized, so what would it take to update the krb5 encryption code
>   to use something like blowfish and friends?
>On Sun, 7 Feb 1999, Robert Watson wrote:
>> However, I am in the process of finishing up a set of patches and
>> additional source files that add:
>> a) HMAC-MD5-based integrity checking in all verisions of Coda (hash is
>> configurable, and pluggable)
>> b) Support for strong encryption (HMAC,3DES) (US-only) as well as weak but
>> exportable (XOR) and none (none) (exportable).  The default state for
>> connections is set as a global policy for the client. New algorithms may
>> easily be added.
>> c) Improved support for KrbIV and KrbV in the environment.
>> I'm also looking at writing PAM modules to support Coda + Kerberos, but
>> because of the heavy-weight nature of the threading/rpc system, my
>> tendency is to move the token-acquisition into a seperate authentication
>> daemon on the client.  This would also allow for less-coda-like
>> authentication that some have been looking for during transitions to
>> distributed authentication.
>> So far most of this work is done--encryption/authentication all appear to
>> work quite nicely; I'm working on a new binding currently to replace the
>> requirement for encryption during the binding, as it is used for a key
>> exchange and is as weak as the encryption (and hence the exportable
>> version would suck).
>> I hope to have the new binding ready for testing sometime in the next day
>> or two.
>>   Robert N Watson 
>> PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
>> Carnegie Mellon University  
>> TIS Labs at Network Associates, Inc.
>> SafePort Network Services   
>| Troy Benjegerdes    |     |   |
>|    Unix is user friendly... You just have to be friendly to it first.  |
>| This message composed with 100% free software.   |
Received on 1999-02-10 14:23:43