mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-25 12:02:01 +01:00
…
|
||
---|---|---|
.. | ||
bin | ||
demo | ||
des | ||
doc | ||
keyserv | ||
man | ||
rpc | ||
README |
Export restriction prohibit us from including DES encryption routines in RPCSRC 4.0. The main RPCSRC 4.0 hierarchy does not include DES Authentication, however this directory contains the documentation and code used to build secure rpc. THIS DISTRIBUTION OF SECURE RPC NEEDS EXTENSIVE WORK BEFORE IT CAN BE USED. PLEASE READ THE PORTING GUIDLINES BELOW. HIERARCHY bin/ This directory contains chkey and keylogin. These are user programs used to establish the credentials of an RPC user. demo/ The 'whoami' service is found here. It can be used to test secure RPC. rpcgen is used to build the client and server. des/ des_crypt.h defines the interfaces to cbc_crypt() and ecb_crypt(), the DES routines used by DES Authentication. des.h defines the desparams structure that is used internally by these routines. Secure RPC expects it to be installed in /usr/include/sys. des_crypt.c defines the cbc_crypt() and ecb_crypt() routines. These eventually call the routine _des_crypt(), which is *not* provided. des_soft.c contains the des_setparity() routine. doc/ The document "nfs.secure.ms" is found here. It describes Secure RPC and Secure NFS. keyserv/ This is an RPC based program that stores the private keys for users that are using secure RPC. man/ Manual pages for the programs and library routines are found here. rpc/ The routines in this directory should be integrated with the default rpc directory to make a single RPC library. The Makefile found in this directory replaces the one in ../rpc. Note: the file svc_auth.c in this directory replaces the one in ../rpc. Also, the file ../rpc/rpc.h should be edited to include the file <rpc/des_auth.h> (it presently is commented out). PORTING GUIDELINES You will need to provide a DES encryption routine. man/des_crypt.3 describes the interface to ecb_crypt() and cbc_crypt() (secure RPC uses both modes). The des/ directory has the "front-end" for these routines in the des_crypt.c file. Since public key authentication systems require a network global data lookup facility, this implementation uses Sun's Yellow Pages. If your site does not have Yellow Pages, you will have to modify the routines in rpc/publickey.c and bin/chkey.c. One possible approach is to replace the YP calls with code to read the file /etc/publickey; this file would presumably be shared by all secure RPC sites via NFS or some equivalent file sharing facility. If you wish to implement YP yourself, the RPCL (.x) protocol description file can be found in ../rpcsvc/yp.x. The routines in rpc/ and keyserv/ assume that the file des/des_crypt.h is installed in /usr/include (they include <des_crypt.h>). The file des/des_crypt.c assumes that des.h is installed in /usr/include/sys (it include <sys/des.h>). The des/ directory does not have a Makefile that would install these header files, so you will either have to do this by hand, or modify the routines to include the header files in a way suitable for your site. While the programs in bin/ and keyserv/ can be built in place (assuming the header files they include and the RPC library are available), the files in rpc/ must be moved into ../rpc/, the main RPC library. The Makefile and svc_auth.c found in rpc/ will replace those found in ../rpc/. You must also edit ../rpc/rpc.h to include <rpc/des_auth.h>. OPERATION Please read the documentation and manual pages for information on how to administer secure RPC. In the demo/ directory you'll find the 'whoami' service. This service uses DES Authentication, and can be used to check out secure RPC. The client program, 'rme' takes a host as an argument. This host must be running the keyserv daemon and the 'whoami_svc' server. The service returns the identity of the client-user as known to the system on which the server is running. This information is only returned, however, if the client request has proper DES credentials.