Kerberos T2.0 field test kit for hp OpenVMS now available

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Leo Demer » Wed, 12 Feb 2003 06:19:55



Dear OpenVMS Customer,

HP is pleased to announce the availability of the Kerberos T2.0 field test
kit for hp OpenVMS Alpha,

based on MIT Kerberos V5 Release 1.2.6. This new kit is available for
download from

http://www.openvms.compaq.com/openvms/products/kerberos/.

MIT has issued a CRITICAL Security Advisory for KDC vulnerabilities in all
releases of

 MIT Kerberos V5 prior to Release 1.2.5.

For more information, see
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multip....

Kerberos Version 1.0 for OpenVMS is based on MIT Kerberos V5 Release 1.0.5,

and is affected by these security vulnerabilities.

HP strongly advises all of our Kerberos customers to upgrade to Kerberos
T2.0 for hp OpenVMS.

 The Kerberos T2.0 field test kit is available for your testing now, and the
final Version 2.0 will be

made available as soon as possible.

Please note that the T2.0 kit is experiencing a problem using the Kerberized
Telnet server in hp

TCP/IP Services V5.3 for hp OpenVMS. We are working on resolving this
problem and will

 provide updates on the Kerberos for hp OpenVMS web page.

Thank you for your continued interest in OpenVMS Security.

Regards,

Leo Demers

OpenVMS Security Product Manager


 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Jakob Erbe » Thu, 13 Feb 2003 04:55:34



Quote:> Dear OpenVMS Customer,

> HP is pleased to announce the availability of the Kerberos T2.0 field test
> kit for hp OpenVMS Alpha,

Hello Leo,

thanks for this Info. May I ask a question:
How is this Kerberos product related to the Kerberos features, which come
with DCE for VMS?

best regards

Jakob

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Wayne Morriso » Thu, 13 Feb 2003 07:12:46





> > Dear OpenVMS Customer,

> > HP is pleased to announce the availability of the Kerberos T2.0 field test
> > kit for hp OpenVMS Alpha,

> Hello Leo,

> thanks for this Info. May I ask a question:
> How is this Kerberos product related to the Kerberos features, which come
> with DCE for VMS?

> best regards

> Jakob

The Kerberos T2.0 kit is a new port of a very recent version of MIT Kerberos 5
(1.2.6).  It contains all of the basic functionality of MIT Kerberos, and
future versions of Kerberos and TCP/IP Services for OpenVMS will add the
extended functionality (Kerberized TCP/IP services, OpenVMS equivalent of the
UNIX krb5.login, etc.).

The Kerberos in DCE is based on a very old version of MIT Kerberos 5, which is
rather tightly integrated into DCE, and limited in capabilities.  You can't set
up a regular KDC with DCE, for example, although you can interoperate Kerberos
clients with a DCE cell.  DCE doesn't support the KRB5 API, although it does
have a specialized version of GSS-API that links to the DCE security services.
The bottom line is that the Kerberos in DCE is not designed to be used as a
generic Kerberos, but as part of the overall DCE security architecture.

What features are you looking for in DCE and/or Kerberos?  The preliminary
Kerberos for OpenVMS documentation at:

http://www.openvms.compaq.com/openvms/products/kerberos/kerberos_doc....

should be of some help.  The KRB5 API is not yet documented, but I'm working on
that now.

        Wayne Morrison
        Kerberos for OpenVMS project leader
        (ex-DCE for OpenVMS project leader)

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Jakob Erbe » Thu, 13 Feb 2003 17:11:29


Quote:> What features are you looking for in DCE and/or Kerberos?  The preliminary
> Kerberos for OpenVMS documentation at:

Thanks Wayne, for this information,

one idea I have is, that non DCE appliacations could use kerberos (GSSAPI ?)
to pass a security context to a DCE RPC Client (lets say via a CORBA
communication), which then passes this context on to the DCE RPC Server and
Security Server for DCE authentication (and authorization)?
Could such a configuration work?

best regards

Jakob

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Brian Tillma » Fri, 14 Feb 2003 01:41:31


Quote:>HP is pleased to announce the availability of the Kerberos T2.0 field test
>kit for hp OpenVMS Alpha,

And this is not available for OpenVMS VAX because...?
--
Brian Tillman         Internet: Brian.Tillman at smiths-aerospace dot com
Smiths Aerospace  Addresses modified to prevent SPAM.

Grand Rapids, MI 49512-1991
       This opinion doesn't represent that of my company
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Larry Kilgall » Fri, 14 Feb 2003 02:41:45



>>HP is pleased to announce the availability of the Kerberos T2.0 field test
>>kit for hp OpenVMS Alpha,

> And this is not available for OpenVMS VAX because...?

Because VAX advocates flunked the grammar test ? :-)
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Bob Koehl » Fri, 14 Feb 2003 06:31:58



>>HP is pleased to announce the availability of the Kerberos T2.0 field test
>>kit for hp OpenVMS Alpha,

> And this is not available for OpenVMS VAX because...?

   It take too long to compile?
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Wayne Morriso » Fri, 14 Feb 2003 07:31:36



> > What features are you looking for in DCE and/or Kerberos?  The preliminary
> > Kerberos for OpenVMS documentation at:

> Thanks Wayne, for this information,

> one idea I have is, that non DCE appliacations could use kerberos (GSSAPI ?)
> to pass a security context to a DCE RPC Client (lets say via a CORBA
> communication), which then passes this context on to the DCE RPC Server and
> Security Server for DCE authentication (and authorization)?
> Could such a configuration work?

> best regards

> Jakob

This is an interesting idea.  There is a lot of detail that would need to be
worked out to make this happen.  Depending on exactly what you're trying to
accomplish, it may or may not be feasible, but it would almost certainly not be
easy.  DCE was designed to do more than Kerberos in some areas (e.g., Cell
Directory Service), and Kerberos has more functionality in others.  There is
certainly overlap, but the areas of difference are much larger than the
similarities.

        Wayne

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Wayne Morriso » Fri, 14 Feb 2003 07:44:36



> >HP is pleased to announce the availability of the Kerberos T2.0 field test
> >kit for hp OpenVMS Alpha,

> And this is not available for OpenVMS VAX because...?

We haven't finished it yet.  :-)

Seriously, we knew that we needed to have Kerberos for Alpha ready first, since
it is scheduled to ship with OpenVMS V7.3-2 (an Alpha-only release) later this
year.  The next OpenVMS VAX release is further out, so we concentrated on the
Alpha version first.

We're working on the VAX port, and we'll let you know as soon as it's ready for
field test.

And yes... we'll also be porting it to Itanium as well.  In fact, the earlier
version of Kerberos for OpenVMS has already been run through the cross
compiler, and had very few issues to resolve.  We expect similar results for
Kerberos V2.

So that's the order you can expect Keberos V2 to be released in:  Alpha, then
VAX, then Itanium.

Of course, the MIT security advisory caused us to advance our schedule a bit,
and so we're field testing the Alpha version prior to OpenVMS V7.3-2 field
test.  This way, we can give something to customers who need to plug those
holes in the earlier versions of Kerberos.

        Wayne

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Leo Demer » Fri, 14 Feb 2003 08:21:53


Quote:> >>HP is pleased to announce the availability of the Kerberos T2.0 field
test
> >>kit for hp OpenVMS Alpha,

> > And this is not available for OpenVMS VAX because...?

>    It take too long to compile?

It'll only take too long if we try and compile it on VAXBAR. :^)
http://www.lpl.arizona.edu/~vance/www/vaxbar.html

Seriously, the engineering team is working on the OpenVMS VAX Kerberos 2.0
build environment now.

Our original goal for Kerberos for OpenVMS V2.0 was to align it with the
release of OpenVMS 7.3-2
and to have a VAX port done by the time 7.3-2 ships.
 The MIT advisory has forced us to accelerate our plans for getting Kerberos
2.0 out the door.
  We bundled Kerberos V1.0 with OpenVMS Alpha 7.3-1 so as a result we
prioritized the Alpha 2.0
kit ahead of the VAX port. For Kerberos for OpenVMS VAX 1.0  you needed to
download the
Kerberos kit as you didn't get it by default in 7.3.  Now that the T2.0
field test kit for Alpha is out
there the team can work on the VAX release.  We have a small window of time
for the VAX port
as the Itanimum port of  Kerberos will occupy the team in the very near
future.

So stay tuned.

 - Leo
--
Leo Demers
OpenVMS Security Product Manager
Leo_dot_Demers_at_HP_dot_COM

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Brian Tillma » Sat, 15 Feb 2003 04:08:33


Quote:>Our original goal for Kerberos for OpenVMS V2.0 was to align it with the
>release of OpenVMS 7.3-2
>and to have a VAX port done by the time 7.3-2 ships.

I simply don't understand this.  If you write it in, say, C, then if you
haven't DELIBERATELY added things to it that are Alpha-specific, it will
just compile and run on VAX as well as Alpha.  The "build environment" is
identical on ANY VMS platform.  All have CMS/MMS.  All have C compilers.
All have Bliss.  I just don't understand why HP people insist it's a
"different" environment.
--
Brian Tillman         Internet: Brian.Tillman at smiths-aerospace dot com
Smiths Aerospace  Addresses modified to prevent SPAM.

Grand Rapids, MI 49512-1991
       This opinion doesn't represent that of my company
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Brian Tillma » Sat, 15 Feb 2003 04:10:00


Quote:>We're working on the VAX port, and we'll let you know as soon as it's ready
for
>field test.

???   Port it to one, and you've automatically ported it to the other.  It's
OpenVMS.  Just recompile it.
--
Brian Tillman         Internet: Brian.Tillman at smiths-aerospace dot com
Smiths Aerospace  Addresses modified to prevent SPAM.

Grand Rapids, MI 49512-1991
       This opinion doesn't represent that of my company
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Larry Kilgall » Sat, 15 Feb 2003 05:28:01



>>Our original goal for Kerberos for OpenVMS V2.0 was to align it with the
>>release of OpenVMS 7.3-2
>>and to have a VAX port done by the time 7.3-2 ships.

> I simply don't understand this.  If you write it in, say, C, then if you
> haven't DELIBERATELY added things to it that are Alpha-specific, it will
> just compile and run on VAX as well as Alpha.  The "build environment" is
> identical on ANY VMS platform.  All have CMS/MMS.  All have C compilers.
> All have Bliss.  I just don't understand why HP people insist it's a
> "different" environment.

I think you underestimate the amount of testing in which VMS Development
gets involved.
 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Leo Demer » Sun, 16 Feb 2003 02:34:34


What you say has some truth to it however the VAX doesn't take kindly to the
64-bit interfaces fo example so we need to change the
Kerberos build for VAX to go around them. There are a couple of similar type
issues that we need to work around as well.
Thinks are looking good on engineering development/porting side of the house
then we flip it over to the testing group and let them bang on it some
before releasing it.  Already the testing has yielded some interesting
problems in 1.0 that we have resolved in 2.0 that we didn't
hear about from customers so the better the testing suite that better the
quality of the product for our customers overall.
 - Leo
I'll be sure and drop you a line Brian as soon as it's done.
--
Leo Demers
OpenVMS Security Product Manager
Leo_dot_Demers_at_HP_dot_COM

> >Our original goal for Kerberos for OpenVMS V2.0 was to align it with the
> >release of OpenVMS 7.3-2
> >and to have a VAX port done by the time 7.3-2 ships.

> I simply don't understand this.  If you write it in, say, C, then if you
> haven't DELIBERATELY added things to it that are Alpha-specific, it will
> just compile and run on VAX as well as Alpha.  The "build environment" is
> identical on ANY VMS platform.  All have CMS/MMS.  All have C compilers.
> All have Bliss.  I just don't understand why HP people insist it's a
> "different" environment.
> --
> Brian Tillman         Internet: Brian.Tillman at smiths-aerospace dot com
> Smiths Aerospace  Addresses modified to prevent SPAM.

> Grand Rapids, MI 49512-1991
>        This opinion doesn't represent that of my company

 
 
 

Kerberos T2.0 field test kit for hp OpenVMS now available

Post by Wayne Morriso » Sun, 16 Feb 2003 05:57:58



> >We're working on the VAX port, and we'll let you know as soon as it's ready
> for
> >field test.

> ???   Port it to one, and you've automatically ported it to the other.  It's
> OpenVMS.  Just recompile it.
> --
> Brian Tillman         Internet: Brian.Tillman at smiths-aerospace dot com
> Smiths Aerospace  Addresses modified to prevent SPAM.

> Grand Rapids, MI 49512-1991
>        This opinion doesn't represent that of my company

Leo already commented on the tweaking we need to do to the build system to make
it ignore the 64 bit interfaces for VAX.  In addition, we're using the VMS
build system, which is DIFFERENT for Alpha and VAX, so there's more work there.

But the real issue with why we didn't do both at once is testing.  It takes
TIME to do thorough testing.  Before the MIT announcement, we thought we
wouldn't need a VAX version of Kerberos until much later this year, and planned
accordingly.  We have to prioritize our work, and it was clearly more important
to get the Alpha port done first.  Now that we've accomplished that, VAX is
next on our list, even before Itanium.  I don't see how we could have done
otherwise, with the resources we have.

Now, if people hadn't wanted documentation to go with the product, it might
have been somewhat different - I've spent the past few months working with our
documentation writer to create a new Kerberos manual that our customers
strongly told us they needed.  I think you'll like the end result.  The EFT
version is only about 2/3 of what will be the final copy, but even that is a
long way from just shipping the MIT docs.  Did it take me away from helping
with the engineering work?  Yes, but I still believe that it was the right
thing to do, given the feedback we'd received from customers.

        Wayne

 
 
 

1. DCPS F2.3 field test kit now available

From:   Anderson, Paul (OpenVMS)  
Sent:   Friday, June 27, 2003 10:27 AM
To:     Akiyoshi, Masamichi; Bahn, Terry; Braam, Robert; Cote, Mike;
Downing, Gilbert (Gold Support); Finney, John (Gold Support); Fiore,
Anthony (Tony); Hanley, William; Hockett, John; Kamath, Harish
(Digital GlobalSoft); Klingelberger, Roy; Labadie, Gerard; Lucre,
Paul; Meier, Al; Muralidharan, Sundaram (Digital GlobalSoft); Novey,
Judy; Overmeyer, Robert; Richardson, Rich; Russell, Lynda; Skonetski,
Susan; Stefanelli, Marc; Webb, Mike (GOLD VMS); Wilson, Howard;
Youngwirth, Barbara; Zimprich, Bob; nacgs cssc bcesysmgt all
Subject:        DCPS F2.3 field test kit available

All,

OpenVMS Engineering is pleased to announce that a field test of
DECprint Supervisor (DCPS) V2.3, called DCPS F2.3, is now available.

The major feature of this release is the addition of LPD support.
Printing via LPD allows printing to printers that don't support
bi-directional IP communications.  DCPS F2.3 adds support for the
following printers:

HP Color LaserJet 8500, 8550 (LPD and AppleTalk only)
HP LaserJet 2300 (supported in V2.2 but not documented)

Additional printer support will be added in later field test versions,
and the final release, of DCPS V2.3.

Anyone interested in printing DCPS jobs via LPD is encouraged to
install the field test.

DCPS F2.3 includes the changes made for the earlier DCPS T2.2-STP4
test kit.

Please see the F2.3 Release Notes for a full list of enhancements and
bug fixes and instructions for setting up LPD queues.  The SPD,
Software Installation Guide, System Manager's Guide and User's Guide
have not been changed for this release, but will be available later.

DCPS F2.3 will expire on April 1, 2004.  DCPS V2.3 is expected to ship
in October 2003.  Comments, questions or problems with DCPS F2.3
should be entered in the POSTSCRIPT_PRINTING Notes conference on

Paul

 Paul Anderson
  OpenVMS Engineering
  Hewlett-Packard Company

2. Info wanted on MicroProse's "Special Services"

3. Field test V5.00-1 of CXML for OpenVMS Alpha available

4. Query for the number of processors

5. (ANNOUNCEMENT) hp Secure Web Server for OpenVMS (Alpha) version 2.0 beta kit available

6. disk space usage cost accounting tool?

7. DCPS V2.2 field test available

8. download bank transactions

9. DCPS V2.1 field test available

10. DCPS V1.8 field test available

11. DCPS F2.3 field test available

12. DECdtm V2.0 for OpenVMS Field Test Announcement !!

13. Announcing OpenVMS V7.2 Field Test SDK...