Projects Which need to be
Kerberized/Hesioded for Macintosh...
Here lies my list/ramblings on projects which need to be developed/
finished to have a complete "athena" environment for the Macintosh.
These are in no particular order. If your software is listed please do not
be offended. This is a simple wish list with ramblings on how it might be
accomplished before I forget :-). If you are interested in tackling one
of these projects email me.
Internet Config needs to be extended to get info from hesiod.
This way all programs which use IC can become hesiod applications. If a site
had an entry in hesiod say ftp.sloc HS TXT "ftp.ncsu.edu" then
the preferred ftp.server for NCSU could be looked up and made as a config.
Might also be good to add a lookup for the folder the IC prefs is stored
in like ega.icpref HS TXT "Home:MacLeland:Prefs" or some such.
MacDNS, Mind, or some mac bind port needs to support type HS
So it's just another type. Part of the Bind spec for some time now. TXT
is already supported just look for entries with HS instead of IN and a mac
hesiod server is born. Short and sweet.
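The class switch described above, as an added example that is not code from MacDNS, Mind or BIND: it builds the DNS question for a TXT lookup and answers it from a table keyed by (name, class, type), so the same name asked in class IN finds nothing. The zone table and function names are assumptions, and the short names are used as written on this page without a site domain.

```python
import struct

TYPE_TXT, CLASS_IN, CLASS_HS = 16, 1, 4   # RFC 1035 type and class codes

# Constructed zone data, using the entries suggested on this page.
ZONE = {
    ("ftp.sloc", CLASS_HS, TYPE_TXT): "ftp.ncsu.edu",
    ("ega.icpref", CLASS_HS, TYPE_TXT): "Home:MacLeland:Prefs",
}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qclass, qtype=TYPE_TXT, qid=0x1234):
    """Header (RD set, one question) followed by QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_question(packet):
    """Return (name, qtype, qclass) from a single-question query."""
    try:
        if struct.unpack("!H", packet[4:6])[0] != 1:
            raise ValueError("expected exactly one question")
        labels, pos = [], 12
        while packet[pos] != 0:
            n = packet[pos]
            if n & 0xC0:
                raise ValueError("compression pointer in question")
            labels.append(packet[pos + 1:pos + 1 + n].decode("ascii").lower())
            pos += 1 + n
        qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    except (IndexError, struct.error):
        raise ValueError("truncated query")
    return ".".join(labels), qtype, qclass

def lookup(packet):
    """Answer only when name, class and type all match a zone entry."""
    name, qtype, qclass = parse_question(packet)
    return ZONE.get((name, qclass, qtype))
```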
A kerberos server needs to be ported to mac under OT.
It's posix, it has unix libs, it has sockets, it's XOpen. Theory says it
could be a faceless app with an administration app which runs encrypted
over the net or at console to feed the config files. The new arns server
for OT demo is exactly this without a config app. A couple of config
apps are already available commercially for mac to admin a unix kerb server...
The mbone stuff which works with qt are ports of unix sd and the like +
some HI...
Netscape needs to have a plug-in which will work to authenticate to
kerberos.
Right now kerberos authentication in NCSA httpd is done by trial and fail
with a certain protocol for returning request from server (See
NCSA documentation of client/server message trace). The document sent
by server is basically:
//////////////////////////////////////////////////////////////////////////////
// the server sees that Kerberos auth is required, so it sends a 401
///////////////////////////////////////////////////////////////////////////////
HTTP/1.0 401 Unauthorized
Date: Friday, 03-Feb-95 18:45:13 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html
WWW-Authenticate: KerberosV4
<HEAD><TITLE>Authorization Required</TITLE></HEAD>
<BODY><H1>Authorization Required</H1>
Browser not authentication-capable or
authentication failed.
</BODY>
The browser can either handle this and send back the credentials or fail
to and show the page above.
Now we have two choices for a netscape plugin. Since the netscape api switches
on Content-type in the mime header (if I understand it) we could a) change
the server message so it would return Content-type:text/khtml or b) figure
out a way to check all documents for extra mime header WWW-Authenticate:KerberosV4.
If it exists then send authentication as now or else passthru to netscape...
Neither is easy but a) is easiest because it requires just a change in server
code and to write the plugin to process and return the correct document.
In my world, plugin would call MacLeland API or kClient 1.5 API and authenticate
and be off...
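The two detection choices above, as an added example that is not code from NCSA httpd, Netscape or any plugin API: it reads only the status line and header block, so a page body that merely contains the header text is passed through. The function names and return labels are assumptions, and the sample responses are constructed from the trace above.

```python
def parse_head(raw):
    """Return (status, [(name, value)]) from a raw response; the body is ignored."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(parts[1]), headers

def route(raw):
    """Decide whether the Kerberos handler or the normal browser path gets the response."""
    status, headers = parse_head(raw)
    schemes = [v.split(None, 1)[0].lower()
               for n, v in headers if n == "www-authenticate" and v]
    # Choice b): an extra WWW-Authenticate header on a 401.
    if status == 401 and "kerberosv4" in schemes:
        return "kerberos-header"
    # Choice a): the server labels the challenge document with its own type.
    types = [v.split(";")[0].strip().lower() for n, v in headers if n == "content-type"]
    if "text/khtml" in types:
        return "kerberos-content-type"
    return "passthrough"

# Constructed samples.
CHALLENGE = (b"HTTP/1.0 401 Unauthorized\r\nServer: NCSA/1.3\r\n"
             b"Content-type: text/html\r\nWWW-Authenticate: KerberosV4\r\n\r\n"
             b"<BODY><H1>Authorization Required</H1></BODY>")
KHTML = CHALLENGE.replace(b"text/html", b"text/khtml").replace(
    b"WWW-Authenticate: KerberosV4\r\n", b"")
BASIC = CHALLENGE.replace(b"KerberosV4", b'Basic realm="x"')
BODY_ONLY = (b"HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"
             b"WWW-Authenticate: KerberosV4\r\n")
```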
Keyserver already works with kClient 2.x API, needs to add hesiod groups
for program access privs and the kerberos plugin for the keyserver client
needs to be made compatible with kClientLeland.
This is the world's only kerberized Macintosh server (yes Virginia this license
server has a place to type in the server password just like having an srvtab
entry). IMHO, great software but I can not make it work with kClientLeland
that I need for Commercial Eudora. I need one kerberos stack, one hesiod
stack and one point of configuration for the "MacAthena" environment.
Would be excellent if keyserver could check against the acl/nacl list and
groups in hesiod.
MacMosaic 3.0bx needs to be switched to kclient 1.5 API.
Look Authman is a good kerberos stack but there are no conversion stubs
to allow Authman API calls to be mapped to kClient or MacLeland and there
is no hesiod api in Authman. I need one point of configuration. Tom Redman
has offered the code to anyone who is willing to make the port and make
it available to the net. Ok so kClientman and kClientLeland already exist
and are mostly at the kClient 1.5 API so why not do this once and everybody
can use it. SSL and all that yea, yea... this port would function today,
right now, period, so we can get people using secured services. Then let
the whole SSL/DCE/RSA/DES thing clear out and we can convert once servers
are common place. For the next year or so we need V4.
MacLeland Athena libs need to be ported to Code Warrior.
Most of the sample code coming out for OpenTransport, Netscape, etc. is now
in Code Warrior. MacLeland Athena libs are in Symantec's C/C++. It would
be very convenient if someone could make a set of CW libs so any developer
could just drop and drag to use these calls.
Hesinfo needs to be ported to the mac with a GUI.
Well it would be really nice to be able to query hesiod from a mac gui.
MIT did some work last summer porting their hesiod routines to CW and ended
up with a command line Human Interface...
Almost there. For me, making an application out of the early work Stanford
did and removed from MacLeland would be perfect. This code had a window
with 2 text-edit fields one for "principal" and the other for
"instance" the 2 args to hesinfo. It also allowed * as a wildcard
which would look at some resedit resources and make multiple queries to
hesiod for those strings with the other specified field. Example * for principal
and sloc for instance would return listing of all hesiod entries for
sloc so one would get pop sloc, zephyr sloc, kerberos sloc, etc entries.
This was pumped into a TEStyledit record and displayed in a copy-able but
not editable window.
ARNS needs to be kerberized/hesioded
ARNS is a way to tunnel AT thru ip so CAP or netatalk volumes can be mounted
over any old ip only ISP. Right now it has a hardcoded password. What
we need is a kerberized server and a kerberized client. Would also help
if client could determine its servers from hesiod instead of having to be
hardcoded like maybe an arns.sloc entry in hesiod.
MacDump needs to be kerberized/hesioded
MacDump is currently in alpha to run with netatalk and of course works with
CAP. No Virginia MacDump is not a movement from Redmond to have all macintosh
computers thrown in the ocean. MacDump is an over the network backup system
for individual mac workstations to backup and restore (to the file level)
off a Unix-based server. MacDump server needs to be kerberized and learn
which cluster of macs it is allowed to backup from hesiod. MacDump client
needs to be kerberized.
MacZephyr needs to use hesiod api in MacLeland and be upgraded.
MacZephyr is great but I am not into hacking resedit resources just to list
hesiod servers when MacLeland is already configed. The text edit calls
could be TEStylEdits and the code from Whisper could be put in to get fonts,
colors, etc like the unix zephyr. Setting a folder to get zsubs, znol, and
other configs as a preference stored in dir looked up in hesiod -- userid.zprf
HS TXT "Home:myzephrys" would be a nice option.
One of the Chooser drivers for LPR needs to be kerberized/hesioded.
Ok this has been done. Look to buy it from a commercial vendor real soon
now...
Got a cluster of Macs in hesiod and a list of printers for them to print
to and they just show up. Uses printer.pcap hesiod entry to get info about
printer name and server. Works with MIT's quota server all over ip...
Eudora needs to use hesiod in addition to kerberos.
Stanford did this with the old 1.3.x but it was not mime.
Rumor has it that if you type the string "user@hesiod" into the
public beta of 3.x commercial while MacLeland is installed the results may
surprise you. In fact one might consider changing the name of all their
mail clients to "hesiod".
Wonder what would happen if Netscape mail spoke kpop??
Well, Cygnus imap would be better...but it would be a start.
Since I am rambling...
This is not kerb/hes but why is there not the following:
afp://afpserver:afpzone//volume_name/path
So I could reference my netatalk server in a browser and have a user connect
over appletalk to
afp://macserver:backbone/Home/Mail
just by clicking a url.
And further more why can't I:
file:/Macintosh HD/Applications/Claris/ ClarisWorks:launch
to run a local app from a url??
Tell me why?