Authentication Manager - version 1.0.8 - May 11, 1994
by Robert John Churchill - rjc@umich.edu
Compiler: Symantec C version 7.0
Comments? Send mail to: authman-comments@ccs.itd.umich.edu
Problems? Send mail to: authman-problems@ccs.itd.umich.edu
To join the comments list? Send mail to: authman-comments-request@ccs.itd.umich.edu
To join the problems list? Send mail to: authman-problems-request@ccs.itd.umich.edu
NOTE: No warranty/guarantee is expressed or implied. Your mileage may vary. I'm providing this release so that those individuals with an interest in using Kerberos on the Mac will have a sampling of what is being done with Kerberos on the Mac here at the University of Michigan.
Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
Building Authentication Manager - (Full optimization recommended.)
1) Open "INIT Project" and build the code resource. This will merge "INIT 12" into the file "DRVR Project.rsrc". "INIT 12" loads in the ".AuthMan 1" driver at startup.
2) Open "DRVR Project" and build the driver. This will build a base "Authentication Manager" file containing all the resources from "DRVR Project.rsrc" as well as the ".AuthMan 1" driver (DRVR 12).
3) Open "cdev Project" and build the control panel interface code. This will merge "cdev -4064" into AuthMan.
4) Open "DES Project" and build the DES code. This will merge "DES -4064" into AuthMan. The DES code is from MIT's v4 implementation of Kerberos; to make the DES code work, the "DES Project" *M*U*S*T* be compiled with the "4-byte long" option in Think C so that an 'int' equals a 'long'. (The "DES Project" is new in AuthMan 1.0.8)
5) Open "AUTH Project" and build the interface/MacTCP/kerberos code. This will merge "AUTH -4064" into AuthMan. The "AUTH Project" *M*U*S*T* be compiled with the "4-byte long" option in Think C so that an 'int' equals a 'long'.
6) Open "bootAuth Project" and build the (configurable) login-at-startup code. This will merge "INIT 128" into AuthMan. (Refer to note on INIT loading order.)
7) Open "bootTime Project" and build the (configurable) boot-time code. This will merge "INIT 129" into AuthMan. (Refer to note on INIT loading order.)
Building Sample Applications - (Full optimization recommended.)
I've included some crude sample applications that demonstrate using "authLibrary.c" which is the small glue file you would compile into any application you might write that you wanted to work with AuthMan.
1) AuthenticateNow pops up the authentication dialog box.
2) getUniqName gets the "name" the user last authenticated as. The "name" returned is whatever the user typed into the authentication dialog box; it might be qualified. Examples include "rjc" (which implies no instance and the default realm), "rjc@umich.edu", and "rjc.root@ccs.itd.umich.edu" (note the Kerberos "instance", specified by a period.)
3) expireTickets expires tickets held in AuthMan's ticket cache (located in the Mac's system heap.)
4) getTicketCache enumerates the kerberos ticket cache.
5) getRealmCache enumerates the kerberos realms and servers.
6) getAuthManVersion returns the versions of AuthMan's API as well as the version registered with Gestalt.
7) sampleEncryption shows a sample encryption of data with DES. You will probably have to request a ticket for a service in your own kerberos realm. Asking for a "rcmd" service ticket for a particular unix machine is a good example.
8) callbackMonitor is a faceless applications (System 7 required) which shows how to register/deregister callbacks with AuthMan. To use the app, run it. It will launch into the background and register itself into AuthMan's menu in the menubar (unless that option has been disabled). Now, use other apps (such as the AuthMan DA) to request and delete tickets. CallbackMonitor will bring up notification dialogs as tickets are added or deleted. To quit callbackMonitor, select its menu item in AuthMan's menu in the menubar.
9) In the folder "AuthMan XCMD" you'll find (along with all the xcmd source) a sample stack which will use the XCMD to communicate with AuthMan.
10) In the folder "AuthMan DA" you'll find a desk accessory which lists all available tickets and allows re-authentication, password changing, and ticket expiration.
AuthMan Resource Customization
__________________________
You might notice after using AuthMan a bit that it is somewhat "customized" for the University of Michigan. I've put virtually all interface details in resources that can be tailored using ResEdit. A list of resources you might want to change include:
(DLOG) DITL -4044 - the UM logo is 'PICT 128'; info at the bottom is PICT 129. The mention of "Campus Computing Sites" is a string that can be edited. Note dialog item #9, the small hot-rect re: the "Help/About" .
(ALRT) DITL -4042 - a message optionally displayed when users have problems
TEXT/styl -4064 - "Help/About" text - if you don't want to provide help text, use ResEdit to remove the 'TEXT' and 'styl' ID -4064 resources from AuthMan.
TEXT/styl -4063 - "Password" text - if you don't want to provide password text, use ResEdit to remove the 'TEXT' and 'styl' ID -4063 resources from AuthMan.
What do to if you want to use AuthMan on a 68000 Mac:
The amount of available stack space on a 68000 Mac is extremely low at times and System 28 errors (stack/heap collision) can occur. 68000 Macs by default only have 8K of stack while newer Macs have at least 24K. To compensate, I currently recommend increasing the amount of stack space in an application planning on calling Authman with the following routine:
void
increaseStackSize(long extraBytes)
{
SetApplLimit(GetApplLimit() - extraBytes);
}
Things Still To Do Include:
_____________________
1) "Accelerate for Power" (i.e. go native) (AuthMan gets "fat")
2) Kerberos 5
3) need to have a call to add tickets from external callers; pretty simple
4) provide a routine to return a realm name given a host name
5) mk_priv: is there interest in this? mk_priv would allow for encrypted data sessions given a sessionKey
6) Detecting cmd-period isn't done 100% efficiently anywhere yet, and not 100% accurately in the control panel yet I believe
7) implement a subnet checking/comparison routine for the control panel option. I'd like this to work something like this: if the control panel contained "ccs.itd.umich.edu", a Mac who's domain name when resolved ended in that string would be allowed on if there was no response for any kerberos servers. Also, if the control panel contained "141.211" then if the Mac's IP address began with that string, it would be allowed in. Wildcard characters (*,?) are another option but probably not worth the time.
8) the cdev sends a message to the driver when the cdev is about to closed. The driver should reload and cache all the realms, hosts, and get IP addresses for everything at once. Currently it doesn't work that way - things are done on the fly which is less efficient.
9) help balloons: frivalous but useful, especially when configuring the control panel
10) asynchronous cursor activity as well as <ESC> and cmd-period checking (already have the code - it merely needs to be integrated into the AuthMan package)
11) Integrate fast-DES code
12) Integrate code to allow other code modules such as INITs to be called after a user authenticates (I have a methodology where even INITs that load in before AuthMan can tell AuthMan to call a routine provided by the INIT... slick)
Changes made from release 1.0.7 (of Feb. 14, 1994) to release 1.0.8
1) AuthMan now inserts an authentication menu into System 7's menubar. It has options to authenticate, change passwords, and expire tickets. When tickets are available, the icon in the menubar looks like a keychain. When no tickets are available, the icon looks like a locked keychain. Yes, its cool. (The menu is a configuration option.)
2) Adding code to change passwords. TCP is used for MIT Kerberos (actually, UDP to get the "changepw" ticket, then TCP for the kadmind transaction) while Rx is used for AFS Kerberos. If you are using MIT Kerberos, you should be all set; it'll just work (wink). If you are using AFS Kerberos, you'll have to run a "kpasswdd" on your AFS Kerberos servers which understands MIT Kerberos-style password changing. Send mail to "authman-comments" if you are interested in obtaining this daemon and your request will be forwarded to the proper people who are actually doing the work.
3) the ticket lifetime conversion table in lifetime.c was incomplete! (How did that happen?)
The table is now at its proper size... ticket lifetimes should always be calculated correctly.
4) Reworked the DES code from MIT into its own chunk of code. AuthMan will now cache the DES code (therefore AuthMan's control panel won't have to be opened every time encryption takes place) and automatically flush it and reload it if memory is tight. Applications which implement data stream encryption (such as kerberized NCSA Telnet) should get a big boost from this. (I suggest checking for AuthMan's API version being equal or greater than 3 if full DES implementation required.)
5) Added support for a callback mechanism. Applications, code, etc. can be notified when tickets are added into or deleted from AuthMan's ticket store. (as of AuthMan API version 3)
6) Fixed a few small bugs in the Authentication Manager DA: you could click on disabled buttons, hit detection wasn't working 100% correctly for list scrolling, and the growbox didn't always enable/disable properly. Oops. The DA is now at version 1.0.1.
7) Authentication Manager DA v1.0.1 will now register for callbacks with AuthMan v.1.0.8. This means that, if open, the DA will update its list of tickets as they are added/expired.
8) AuthMan can now be configured to expire all tickets after N minutes of inactivity... useful for public labs, insecure environments, etc.
9) AuthMan's control panel (when opened) selects the default realm in the realm list
Changes made from release 1.0.5a5 (of Nov. 11, 1992) to release 1.0.7
1) when the "Protect" option is set in control panel, on close the 'cdev' -4064 resource (interface code) is now removed from AuthMan as well as having the filetype changed to 'INIT'.
2) bug fix: code which checked to see if a ticket expired was calling TickCount instead of GetDateTime (oops)
3) bug fix: needed to #include <Devices.h> in bootTime.c (was bootP.c)
4) bug fix: in drvr.c, wasn't getting actual vRefNum on which AuthMan resides - result was that apps using AuthMan would fail if on a different volume
5) bug fix(es): a few problems were noticed regarding byte-swapping. As far as I know, no one has yet verified that AuthMan will work with a little-endian Kerberos server. We're trying though, folks. Remember, this should only affect MIT Kerberos servers as AFS Kerberos servers are network-byte order at all times (we hope).
6) added support for directed-BOOTP packets (only broadcast-BOOTP was being used before) as well as support for TIMED (before, TIMED support was imbedded into BOOTP) as well as NTP support. Directed BOOTP packets may be useful for those who use static IP addresses but would like their Mac's clock/Map settings to always be correct; also, Macs on localtalk could use TIMED to at least set the time and date correctly... they'll still need to update the time zone and dst values when daylight savings changes.
7) when using BOOTP, now we try and get an ethernet address from .ENET as well as an IP address from MacTCP when forming the BOOTP packet
8) there is now an option to "lock" the name field when authenticating (potentially useful if you have your own private Mac; probably not very useful for a shared Mac)
9) a few cosmetic changes were made -- to the control panel settings dialog as well as the authentication dialog [ GetGray() is used if available for true grays ]
10) I've tossed together a sample XCMD for those individuals who are using Hypercard and would like to play around with AuthMan. The XCMD could do more... such as put an actual ticket into a container, I suppose. It you want to see more functionality in the XCMD, let me know.
11) Now, you can specify AFS or MIT after a realm name in AuthMan's control panel. If neither is specified, when authenticating both methods will be attempted (notice that the realm type will indicate UNKNOWN_REALM_TYPE when getting info on a realm). If either MIT or AFS is specified, only that method with be attempted. (The case of MIT or AFS is now insignificant)
12) NewPtrSys is now used to get various large blocks of temporary memory (such as tickets - which are approx. 1250 bytes). This may help with stack problems a bit.
13) The API was extending with a DES call to DES/unDES buffers.
14) AuthMan now registers itself with Gestalt. The response given back is AuthMan's version number (as indicated in the 'vers' resources) (different than the API version code returned with the openAuthMan call.) See the 'test V2 routines.c" file for how to break apart the version code response.
15) Displays more informative error msgs when authenticating (ID bad, PW bad, check time). It is a shame MIT and AFS kerberos handle "errors" differently (sigh).
16) System 7 Pro has defined a bit in the machineLocation structure as a "Daylight Savings" flag. This bit is set / reset via BOOTP code if T131 flag exists and is non-zero. Shame that System 7 Pro doesn't just do universal time, understand all time zones (not all of which are exactly one hour off, so I'm told) and general local time when a GetDateTime call is made. Unix does it right, why can't the Mac?
17) a few DLOGs and ALRTs were renumbered to take them out of the applications positive ID range
18) included a new DA to list/expire tickets - check it out. Password changing will be added into AuthMan's driver which the DA will use... expect it in the next release.
19) When the control panel closes it tries to send a control message to the driver telling it to reinitialize. If AuthMan isn't installed yet, the driver isn't available. Unfortunately, the Mac thinks the driver can be loaded as it is sitting in the current resource fork. That's a problem. The workaround was to set the current resource fork to that of the System file before trying to send a control message to AuthMan's driver. If AuthMan isn't installed, the Mac won't see the driver sitting in the control panel's resource fork so won't screw up.
Thanks to everyone who has looked at, worked with, and made changes to AuthMan so far.
