KerbNet Takes A Bite Out Of Hackers

By Dan Backman

In Greek mythology, the gods relied on Kerberos (a.k.a. Cerberus) to guard the gates of Hades. Today, Kerberos the security protocol guards TCP/IP networks against unwanted visitors. As a ticket-granting authentication service, it provides the framework for single sign-on while also enabling encrypted communication between clients and servers. While its mission is noble, Kerberos is complex and difficult to implement. Setting up a Kerberos realm means compiling and installing MIT's code and marrying it to the Unix platform (see "Kerberos: A Piece of the Net Security Puzzle," at techweb.cmp.com/nc/719/719w1.html).

With its latest release of KerbNet, Cygnus Solutions offers a comprehensive, commercially supported version of MIT's Kerberos 5 and adds Windows NT to the list of Kerberos-supported platforms (which includes IBM Corp.'s AIX, Digital Equipment Corp.'s Unix, Linux, Silicon Graphics' IRIX, SunSoft's Solaris and Sun Microsystems' SunOS).

In addition to providing a fully functional Kerberos Key Distribution Center (KDC, the Kerberos server), Cygnus integrates Kerberos authentication into the Windows NT logon, making it invisible to the user. And a graphical interface to the kadmin administration utility (written in portable Tcl/Tk) replaces the cryptic text-based utilities found in the original distribution.

Although the base version of KerbNet works perfectly well on its own, using a DB2-style database (the Berkeley DB back end of MIT's distribution, not IBM's DB2) to store principals and keys and flat text files for event logging, Cygnus offers an option to tie the Kerberos server directly into an Oracle database. Principals are then stored and retrieved directly from the back-end database, and all logging information is written to the database for permanent storage, so authentication activity can be queried and reported on with SQL.
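KerbNet's Oracle option puts KDC log records in a database so that authentication activity can be queried with SQL. The following is an added example, not KerbNet's code, showing the same idea with Python's built-in sqlite3: a parser for KDC request log lines, a table to hold them, and two queries a practitioner would actually run against it (noisy source addresses, and principals that eventually got a ticket from an address that had been failing preauthentication for them). The log lines are constructed for this example and follow the MIT krb5kdc line format only loosely; the realm, hosts, addresses and the year handed to the parser are assumptions.

```python
"""Load KDC authentication log lines into SQLite and query them with SQL.
Added example; not KerbNet's Oracle integration. The log lines are constructed for this
example and only loosely follow the MIT krb5kdc AS_REQ/TGS_REQ line format."""
import re
import sqlite3
from datetime import datetime

# Constructed sample log. The last line is a kadmind record, not a KDC request, and is skipped.
SAMPLE_LOG = """\
Apr 08 09:00:01 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.5: ISSUE: authtime 860490001, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 08 09:00:07 kdc1 krb5kdc[214](info): TGS_REQ (1 etypes {1}) 10.0.0.5: ISSUE: authtime 860490001, alice@EXAMPLE.COM for host/unix1.example.com@EXAMPLE.COM
Apr 08 09:01:10 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.99: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 08 09:01:12 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.99: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 08 09:01:15 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.99: CLIENT_NOT_FOUND: root@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Apr 08 09:01:20 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.99: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 08 09:01:31 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.99: ISSUE: authtime 860490091, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 08 09:05:00 kdc1 krb5kdc[214](info): AS_REQ (1 etypes {1}) 10.0.0.7: ISSUE: authtime 860490300, dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 08 09:05:02 kdc1 kadmind[220](Notice): Request: kadmin5_create_principal, erin@EXAMPLE.COM, success
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?P<client>\S+) for (?P<service>\S+?)(?:, (?P<msg>.*))?$")


def parse_line(line, year):
    """Return one event dict, or None for lines that are not KDC request records."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog-style stamps carry no year; the caller supplies it (an assumption, not logged data)
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S").isoformat()
    return ev


def load(lines, year=1997):
    """Parse lines into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kdc_events (ts TEXT, host TEXT, req TEXT, addr TEXT, "
                 "status TEXT, client TEXT, service TEXT, msg TEXT)")
    rows = [ev for ev in (parse_line(line, year) for line in lines) if ev]
    conn.executemany("INSERT INTO kdc_events VALUES (:ts, :host, :req, :addr, :status, "
                     ":client, :service, :msg)", rows)
    conn.commit()
    return conn


def noisy_sources(conn, threshold=3):
    """Addresses with >= threshold failed requests: (addr, failures, distinct principals tried)."""
    return conn.execute(
        "SELECT addr, COUNT(*), COUNT(DISTINCT client) FROM kdc_events "
        "WHERE status <> 'ISSUE' GROUP BY addr HAVING COUNT(*) >= ? ORDER BY 2 DESC",
        (threshold,)).fetchall()


def success_after_failures(conn):
    """Principals issued a TGT from an address that had earlier failed preauth for them."""
    return conn.execute(
        "SELECT DISTINCT f.client, f.addr FROM kdc_events f JOIN kdc_events s "
        "ON s.client = f.client AND s.addr = f.addr AND s.req = 'AS_REQ' "
        "AND s.status = 'ISSUE' AND s.ts > f.ts "
        "WHERE f.status = 'PREAUTH_FAILED' ORDER BY f.client").fetchall()


def event_count(conn):
    return conn.execute("SELECT COUNT(*) FROM kdc_events").fetchone()[0]
```

With the sample above, noisy_sources() flags 10.0.0.99 (four failures against three different principals) and success_after_failures() reports that bob@EXAMPLE.COM finally got a ticket from that same address, which is the pattern a password-guessing run leaves behind. Timestamps are stored as ISO text so that string comparison in SQL orders them correctly.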

KerbNet at Work

We tested three versions of KerbNet's Kerberos 5 server in our Syracuse University labs: Solaris, Linux and Windows NT servers and clients, plus the integrated logon package for Windows NT. With an MIT Kerberos 5 installation already in place, our testing concentrated on creating a new realm (Kerberos domain) and incorporating our existing Kerberos database. We also evaluated client and server applications on the Unix side (telnet and FTP, among others), as well as the Win32 Kerberos ticket manager and telnet clients for Windows 95 and NT.

KerbNet performed flawlessly with our existing MIT Kerberos 5 clients on Windows NT, Linux and Solaris. Next, we replaced our production MIT Kerberos 5 server with the Linux version of KerbNet and used the included kdb5_util to load a copy of our production Kerberos 5 principal database. Once it was up and running, we tested database propagation with kprop and kpropd between the Linux and Solaris KerbNet servers.

We also tested tkadmin, the GUI-based administrative utility for adding or deleting user accounts (principals), changing passwords and managing password policies. Although the early version we tested is somewhat primitive, it works as promised, putting a friendlier interface on the otherwise cryptic kadmin utility. Written in Tcl/Tk, tkadmin runs under the X Window System on various flavors of Unix (as long as X and the Tcl/Tk interpreter are installed), as well as on Windows NT with the correct interpreter. A Windows NT Tcl/Tk interpreter is available free at ftp://ftp.sunlabs.com/pub/tcl/win76p2.exe.

The Windows NT server code is of primary interest in this release of KerbNet. We installed Cygnus' Kerberos server on a Windows NT 4.0 server and repeated the testing done on the Unix side (importing existing Kerberos 5 databases and testing client compatibility). We were impressed by the relatively seamless port. However, at the time of testing an automated installation program was not yet available, so installation meant manually replicating a small registry tree. All three server executables (krb5kdc, kadmind and kpropd) are fully implemented NT services; run with the "-install" option, each registers itself with the NT service manager. The Windows NT version of KerbNet behaved predictably, matching the functionality of the Unix-based servers. We did, however, encounter a problem with kadmind: the service failed to start and produced no useful error message. Cygnus traced it to a combination of installation problems (our fault) and an unexpected error condition that went unreported (its fault). Once the registry entry was corrected, KerbNet worked flawlessly. Cygnus has since corrected the error-handling function and says the final release will automate the installation of the NT registry entries.

Single Sign-On

The Kerberos 5 protocol adds a particularly useful feature: credential forwarding. Tickets obtained at a user's workstation can be passed automatically to a remote host when you log in through a kerberized utility (such as the included telnet and rlogin replacements). With credential forwarding fully enabled, you log on to the network once instead of logging on to each server you want to access. Two caveats apply: the ticket-granting ticket must have been issued with the forwardable flag, and the forwarded TGT lands on the remote host, so a compromised host can act as the user for as long as that ticket lives. Cygnus takes the single sign-on paradigm, already a part of MIT's Kerberos 5, to a new level in its Windows NT client.
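To make the ticket flow and the forwarding step concrete, here is an added example in Python that is not KerbNet or MIT code. It models the AS_REQ, TGS_REQ and AP_REQ exchanges behind the ticket-granting service described at the top of the article, with a toy seal/unseal (SHA-256 keystream plus HMAC) standing in for real Kerberos encryption types, and then shows credential forwarding: one password entry at the workstation, a forwarded TGT bound to the remote host's address, and that host obtaining a ticket for a third host on the user's behalf. The realm EXAMPLE.COM, the principal names, the addresses and the key derivation are assumptions made for the example.

```python
"""Toy model of Kerberos 5 AS/TGS/AP exchanges and TGT forwarding; added example, not KerbNet/MIT code."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"                # assumed realm name
TGS = f"krbtgt/{REALM}@{REALM}"      # ticket-granting service principal
SKEW = 300                           # tolerated clock skew for authenticators, seconds

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: toy stand-in for a Kerberos EncryptedData."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject anything not sealed under `key`: a wrong password fails here, on the client."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy: real enctypes salt with the principal name

class KDC:
    """Principal database plus the AS and TGS halves of a KDC."""
    def __init__(self):
        self.db = {TGS: os.urandom(32)}
    def _ticket(self, client, service, addr, flags, sk):
        body = {"client": client, "service": service, "addr": addr, "flags": flags,
                "sk": sk.hex(), "expires": time.time() + 8 * 3600}
        return seal(self.db[service], body)               # only the named service can open it
    def as_req(self, client, addr, forwardable):
        """AS_REQ -> (TGT sealed under the TGS key, enc-part sealed under the client's key)."""
        sk = os.urandom(32)
        tgt = self._ticket(client, TGS, addr, ["forwardable"] if forwardable else [], sk)
        return tgt, seal(self.db[client], {"sk": sk.hex()})
    def tgs_req(self, tgt, authenticator, service=None, forward_to=None):
        """TGS_REQ: issue a service ticket, or a forwarded TGT bound to `forward_to` if allowed."""
        t = unseal(self.db[TGS], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves possession of the TGT session key
        now = time.time()
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW or t["expires"] < now:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        sk = os.urandom(32)
        if forward_to is not None:
            if "forwardable" not in t["flags"]:
                raise PermissionError("TGT is not forwardable")
            tkt = self._ticket(t["client"], TGS, forward_to, ["forwardable", "forwarded"], sk)
        else:
            tkt = self._ticket(t["client"], service, t["addr"], [], sk)
        return tkt, seal(bytes.fromhex(t["sk"]), {"sk": sk.hex()})

def make_authenticator(client, sk):
    return seal(sk, {"client": client, "ts": time.time()})

def login(kdc, client, password, addr, forwardable=True):
    tgt, enc = kdc.as_req(client, addr, forwardable)     # the one password use (what a Kerberos GINA does)
    sk = bytes.fromhex(unseal(string_to_key(password), enc)["sk"])
    return {"client": client, "addr": addr, "tgt": tgt, "sk": sk}

def get_service_ticket(kdc, creds, service):
    tkt, enc = kdc.tgs_req(creds["tgt"], make_authenticator(creds["client"], creds["sk"]), service=service)
    return tkt, bytes.fromhex(unseal(creds["sk"], enc)["sk"])

def forward_creds(kdc, creds, remote_addr):
    """Fetch a TGT valid from `remote_addr`; a kerberized telnet/rlogin ships it to that host."""
    tgt, enc = kdc.tgs_req(creds["tgt"], make_authenticator(creds["client"], creds["sk"]), forward_to=remote_addr)
    return {**creds, "addr": remote_addr, "tgt": tgt, "sk": bytes.fromhex(unseal(creds["sk"], enc)["sk"])}

def verify_ap_req(service_key, ticket, authenticator, peer_addr):
    """Service side of AP_REQ: return the authenticated client principal or raise."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    now = time.time()
    if (a["client"] != t["client"] or abs(now - a["ts"]) > SKEW or t["expires"] < now
            or t["addr"] != peer_addr):                   # address-bound ticket replayed from elsewhere
        raise PermissionError("bad authenticator, expired ticket, or ticket not valid from this address")
    return t["client"]

def demo():
    kdc = KDC()
    alice, unix1, unix2 = f"alice@{REALM}", f"host/unix1@{REALM}", f"host/unix2@{REALM}"
    kdc.db.update({alice: string_to_key("correct horse"), unix1: os.urandom(32), unix2: os.urandom(32)})
    ws = login(kdc, alice, "correct horse", "10.0.0.5")   # alice types her password once
    tkt, sk = get_service_ticket(kdc, ws, unix1)
    remote = forward_creds(kdc, ws, "10.0.0.20")          # rides along with the telnet login to unix1
    tkt2, sk2 = get_service_ticket(kdc, remote, unix2)    # unix1 -> unix2 on alice's behalf, no password
    return {"unix1": verify_ap_req(kdc.db[unix1], tkt, make_authenticator(alice, sk), "10.0.0.5"),
            "unix2": verify_ap_req(kdc.db[unix2], tkt2, make_authenticator(alice, sk2), "10.0.0.20"),
            "flags": unseal(kdc.db[TGS], remote["tgt"])["flags"]}
```

demo() returns the principal each host authenticated plus the flags on the forwarded TGT. A wrong password fails at unseal() on the client side, since the KDC never sees the password, and a TGT issued without the forwardable flag is refused by the TGS when forwarding is requested. Real Kerberos additionally checks the requester's address on TGS_REQ when tickets carry addresses, and encodes everything as ASN.1 DER; neither is modelled here.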

Instead of requiring a user to first log into Windows NT and then run a Kerberos ticket manager to obtain credentials, KerbNet includes a replacement Graphical Identification and Authentication (GINA) module, the DLL that NT's Winlogon loads to collect logon credentials. Once installed, the GINA wrapper is transparently integrated into NT's authentication system: when a user logs onto the NT workstation or server, KerbNet uses the user ID and password to obtain Kerberos credentials. With the enclosed kerberized telnet utility you can then log into Kerberos-enabled Unix hosts throughout the network without entering a password again. Although this feature was not available at the time of testing, Cygnus says it will hook NT's password-change code so that a user's Kerberos password is synchronized automatically when the NT password changes.

Unfortunately, because of the differences between the Windows NT and Windows 95 authentication systems, the automated logon utility is not compatible with Windows 95. However, Cygnus says it is at work porting the kerberized logon to Windows 95.

Dan Backman can be reached at dbackman@nwc.com.

Updated April 8, 1997