I tried to look for a FAQ list for this newsgroup, but did not have
any luck. Therefore I am forced to post the following query.
I have to ship a passwd from a client to a service. I would like to
use kerberos to generate a session key to encrypt this password.
Given that an instance of the Kerberos service needs to be up (so
that the client can contact the Kerberos service to start the transaction),
I have a few questions:
1. I have access to the Kerberos API, but I am not familiar with the API.
Are there any public examples of code that could guide me through the process of
generating a session key?
2. Does the Kerberos server run on a well-known port number? (udp/88?)
Thanks for your assistance.
-Arjun Khanna
HaL Computer Systems
Austin, TX.
To: ar...@hal.com
Cc: comp.protocols.kerberos
In article <2kj621$7...@hal.com> you write:
> **************** Please email replies to ar...@hal.com **********
>Hello:
>I tried to look for a FAQ list for this newsgroup, but did not have
>any luck. Therefore I am forced to post the following query.
>I have to ship a passwd from a client to a service. I would like to
>use kerberos to generate a session key to encrypt this password.
Sending a password over the net, encrypted or otherwise, is something to be
avoided whenever possible. If you have the luxury of being able to
write/change the server that needs to perform the authentication,
then you can easily avoid the need to send passwords over the net
by using alternate means of authentication.
Having said that, I'll point you to the ftp site
math.uwaterloo.ca:pub/security
We had had to develop a means of securely transporting passwords
because we have to live with programs that we cannot change.
Our first solution was kesc (Kerberos ESCort service), which
uses a session key to encrypt passwords before transmitting them. kesc
is present in kerberos/ktools.tar.Z in the above ftp site. You
can look at the code to see how we use the session key. It was
written for Kerberos 4.
Later we implemented an alternate solution using a Diffie-Hellman
exchange (because not everyone on campus wants to run Kerberos).
You can find this in the directory "secure-comm" on the same site.
[...]
Asokan
University of Waterloo
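The escort idea described above, a session key (from Kerberos or from a Diffie-Hellman exchange) under which the password is encrypted before it crosses the wire, as an added example that is not kesc or secure-comm code: both parties run in one process, X25519 stands in for the modular Diffie-Hellman of the day and AES-GCM for Kerberos 4's DES, and the label string, function names and message layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// EscortCipher hashes the DH shared secret with both public values, so the key
// is bound to this one exchange, and returns AES-256-GCM keyed with the result.
func EscortCipher(shared, clientPub, serverPub []byte) cipher.AEAD {
	in := append([]byte("password-escort-v1"), shared...) // constructed label
	key := sha256.Sum256(append(append(in, clientPub...), serverPub...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)    // an AES block cannot fail
	return gcm
}

// OpenEscort is the server side: a tampered or truncated message is an error.
func OpenEscort(gcm cipher.AEAD, msg []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(msg) < n {
		return nil, errors.New("truncated escort message")
	}
	return gcm.Open(nil, msg[:n], msg[n:], nil)
}

// Escort runs both parties in-process: X25519 public keys cross the wire in the
// clear (messages 1 and 2) and the client's sealed password is message 3.
func Escort(password string) (string, error) {
	client, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	server, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return "", err
	}
	cPub, sPub := client.PublicKey().Bytes(), server.PublicKey().Bytes()
	cShared, _ := client.ECDH(server.PublicKey()) // fresh keys, one curve: cannot fail
	sShared, _ := server.ECDH(client.PublicKey())
	cGCM := EscortCipher(cShared, cPub, sPub) // client's copy of the escort key
	nonce := make([]byte, cGCM.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	msg := cGCM.Seal(nonce, nonce, []byte(password), nil) // nonce || ct || tag
	pw, err := OpenEscort(EscortCipher(sShared, cPub, sPub), msg) // server's copy
	return string(pw), err
}
```

An exchange like this only protects the password from a passive observer: unless the public values are authenticated (which is what a Kerberos ticket supplies), an active party in the path can substitute its own, and that check is outside this example.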
The Ultrix manual pages contain code for a sample client-server pair.
However, some of the functions provided by the Ultrix Kerberos library
are not provided by the original MIT libraries.
Since you are in the US, you might download the MIT Kerberos sources
from athena-dist.mit.edu. You should find a sample client-server pair
in the package.
You might also take a look at the BSD4.3 login program, or the kinit
program shipped with Kerberos.
Furthermore, there are plenty of articles describing the Kerberos
protocol that might be useful for understanding the API. Some of these
articles are available at athena-dist.mit.edu.
> 2. Does the Kerberos server run on a well-known port number? (udp/88?)
The official service port assigned to Kerberos is tcp/udp/88, but the
services databases I have seen all assign ports tcp/udp 750 to the
Kerberos authentication server.
> -Arjun Khanna
> HaL Computer Systems
> Austin, TX.
Axel-Stephane Smørgrav (axel...@ifi.uio.no)
University of Oslo
Norway