Native Mac OSX Kerberos clients and SecurID

Alexandra Ellwood lxs at MIT.EDU
Fri Oct 11 15:39:55 EDT 2002


>   While researching getting Fetch to work with the HPCMP-flavor of
>Kerberos5, I found that the Kerberos5 tools included with OS X 10.2 appear
>to work just fine for getting tickets and doing kerberized telnet and ftp
>connections to ARSC systems.  However, the bundled bsd-style r-services
>failed to connect (rlogin gave an 'Error 0.').  In fact, once I had gotten
>the tickets using the bundled kinit, Fetch was able to use that ticket to
>make kerberized-ftp connections.

Apple provides their own versions of the BSD-style login services.  I 
believe that in Mac OS X 10.2 only the telnet client supports 
Kerberos.  Please send any feature requests related to these programs 
to Apple.  You can file them in Apple's Bug Reporter 
<https://bugreport.apple.com/>.

>  The main problem that I ran into (other than the r-services) was that the
>MIT Kerberos GUI (included with the krb-extras kit for 10.2) got very
>confused by the extra SecurID Passcode step/prompt and locked up.  Also, I
>could not seem to find where the bundled kinit stores its ticket cache.

How does it fail?  Does it manage to put up the prompter dialog 
asking for the SecurID code?  Does it hang or put up an error sheet? 
If it hangs, it would be very useful if you could attach to the 
KerberosLoginServer process with gdb and send me a backtrace.

Have you been able to get SecurID tickets with a krb5-1.2.6 kinit on 
a UNIX machine? The Kerberos for Macintosh in Mac OS X 10.2 is based 
on krb5-1.2.6.

We try to test hardware pre-authentication before each release of 
Kerberos for Macintosh.  Unfortunately, we don't have a SecurID setup 
here at MIT, so we end up testing with a configuration which doesn't 
quite work the same.  For many uncommon configurations we have to 
depend on the testing efforts of fellow institutions which receive OS 
betas from Apple.

>-- Given that the bundled OS X kerberos tools create tickets using the
>SecurID card (including setting the hardware pre-auth flag in the ticket),
>is it acceptable to use the already bundled tools in OS X?  Or are there
>other issues that would require us to stick with just the tools distributed
>on kirby?

You can get tickets with SecurID using the stock /usr/bin/kinit but 
not the dialog presented when you click on "Get Tickets" from the 
Kerberos application?

Can you send me output of the kinit behaving correctly (i.e., what 
kinit prints to your Terminal window)?

>-- (for the MIT folks): Would y'all be willing to update the krb5-extras
>GUI so that it can support the extra SecurID 'Passcode' prompt?

Kerberos for Macintosh Extras for 10.2 only installs the CFM bridge 
libraries, a preference file and a symlink from the Apple installed 
Kerberos application in /System/Library/CoreServices to 
/Applications.  The Extras installer does not install the libraries 
or Kerberos application, so we would not be able to update the 
necessary components with a new version of the Extras.

All releases of Kerberos for Macintosh are provided via Apple, so if 
you want this problem resolved, you need to talk to Apple.  You 
should start by filing this as a bug on Apple's Bug Reporter 
<https://bugreport.apple.com/>.  If Apple doesn't know that users are 
encountering a bug, they're unlikely to feel any pressure to fix it.

>-- Where does the OS X version store its krb5 cache?

Inside the CCacheServer process, which is part of our implementation 
of the in-memory Credentials Cache (CCAPI).  Client processes access 
the ticket cache either via the krb5_cc_* APIs or the CCAPI.


Hope this helps,

--lxs
-- 
-----------------------------------------------------------------------------
Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
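
The two things asked about in this thread, where the ticket cache lives and whether the ticket-granting ticket carries the hardware pre-auth flag, can both be read from `klist -f` in a Terminal window. The shell function below is an added example, not part of the original message or of Kerberos for Macintosh; it assumes the MIT krb5 `klist -f` output layout, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original message). Reads `klist -f` output on
# stdin. Assumed layout (MIT krb5 klist): a "Ticket cache: TYPE:NAME" header,
# ticket lines ending in the service principal, and a "Flags: ..." line per
# ticket in which the letter H means hardware-authenticated.
check_hw_preauth() {
    awk -v q="'" '
        /[Tt]icket cache: / {
            cache = $0
            sub(/^.*[Tt]icket cache: /, "", cache)
            gsub(q, "", cache)              # some builds quote the cache name
            print "cache=" cache            # API:... means the in-memory CCAPI
        }
        /krbtgt\// { pending = $NF; next }  # remember the TGT until its Flags line
        /Flags: / {
            if (pending != "") {
                flags = $0
                sub(/^.*Flags: /, "", flags)
                hw = (index(flags, "H") > 0)
                print "tgt=" pending " flags=" flags " hw_auth=" (hw ? "yes" : "no")
                tgts++
                if (hw) hw_tgts++
            }
            pending = ""
        }
        END {
            if (tgts == 0) exit 2           # no TGT found, or klist run without -f
            exit (hw_tgts == tgts ? 0 : 1)  # 0 only if every TGT has the H flag
        }'
}

# Constructed sample output (realm, host, times and flags are made up).
sample_klist() {
    cat <<'EOF'
Ticket cache: API:Initial default ccache
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/11/02 15:00:00  10/12/02 01:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FHIA
10/11/02 15:02:10  10/12/02 01:00:00  ftp/host.example.org@EXAMPLE.ORG
	Flags: FHA
EOF
}

# Demo on the constructed sample; on a real machine: klist -f | check_hw_preauth
sample_klist | check_hw_preauth
```

The exit status is 0 when every ticket-granting ticket has the H flag, 1 when one lacks it, and 2 when no ticket-granting ticket with a flags line was found.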