Subject: Re: Encrypted logins, configuration, The Chooser, etc.
From: jeff (jeff@univrel.pr.uconn.edu)
Date: Mon Mar 12 2001 - 05:04:03 EST
"Bruce A. Burdick, Jr." wrote:
>
> I'm reposting this. It got zero response on the list last month when traffic
> was lower. But the participants who have increased the list traffic this
> month have demonstrated an ability to answer some difficult questions. So my
> hopes are up for some good answers this time around. And in the intervening
> month I've managed to verify that if there is a third-party UAM for the Mac,
> it's languishing in obscurity somewhere where Google and the other major
> engines can't see it.
>
> Don't be daunted by the size and scope of this list of questions. Break off
> whatever you can manage.
>
> -B...
>
> ___________________________________________________
> From: Bruce A. Burdick, Jr. <bucky@interaccess.com>
> Date: Tue, 06 Feb 2001 02:47:05 -0600
>
> I've perused the archives, but have mostly seen quick jots and morsels, all
> assuming quite a bit of pre-existing context. Let's assemble the full story
> on encrypted logins and netatalk. I'd like to see a robust how-to that
> leaves nothing unsaid. How about you?
>
> What are the various methods for encrypted logins supported by netatalk? In
> which versions? What are the advantages/disadvantages of these? Which of
> them are older/newer technologies? Which are weak/fading? Which are robust?
Randnum and DHX are the two ones that are supported by netatalk which
are supported by stock AppleShare clients.
Randnum (2-way encryption) is a little better security wise, but the
tradeoff is that you have to keep a seperate afppasswd file, which can
be a pain for a large number of users.
> What are the various methods for encrypted logins supported by The Chooser?
> In which versions?
Apple has a page up at
http://til.info.apple.com/techinfo.nsf/artnum/n60792?OpenDocument&software
which explains the latest recommended versions of AppleShare Client for
each version of Mac OS. The latest versions all support DHX and randnum.
> How does netatalk need to be compiled to support the various methods? How
> does this differ among the versions?
It compiles the uams by default in the 1.5 series, if you have SSL
support, which it tries to detect if you haven't specified a path for
it.
> How does netatalk need to be configured to support the various methods? How
> does this differ among the versions?
In your configuration directory (normally set in the build process,
usually /etc/atalk or /usr/local/atalk/etc or something similar), there
is a file called netatalk.conf which allows you to set the UAMS that the
sysv scripts ask for. Add the UAMs you want to the list in that file,
and you should be ready to go.
> What is netatalk 1.5 promising in this regard? What remains to be
> implemented or fixed? What is not slated for development before the next
> version? (1.6?)
The biggest thing that has to be done before 1.6 is a DID database.
Other than that, we only have to worry about fixing small bugs in the
code.
> Any other questions I missed?
>
> I know some of the answers to these. But perhaps you know and can explain
> them better. Or perhaps you have additional insights.
>
> My reason for asking all this: I want to be able to login (with full
> encryption, of course) from a Macintosh to a netatalk server over TCP/IP.
> I'm running netatalk-1.4b2+asun2.1.3-8 on LinuxPPC 2000 (2.2.15pre3) and
> netatalk-1.4b2+asun2.1.3-7 on LinuxPPC 2000 Q4 (2.2.18), and the shipping
> version on OpenBSD 2.8 i386 (netatalk-990130.tgz). I've tried a few times to
> get encrypted logins working, all to no avail. I'm not looking for a quick
> fix. I'd really like to get a solid picture of the options and issues in my
> head. I think a set of the best answers to the above questions will make my
> life a lot easier, and probably many of yours as well. Anyone want to take a
> crack at these?
As far as I know, the 1.5pre5 release should work with encrypted
passwords on OpenBSD and LinuxPPC 2000. If you use the pam modules
(--enable-pam on the ./configure line) you can even use a single LDAP or
NIS authentication server for passwords across all the boxen.
Make sure to update your AppleShare Clients, though. Many old ones don't
support DHX.
jeff
This archive was generated by hypermail 2b28 : Sun Oct 14 2001 - 03:04:34 EDT