Projects Which need to be
Kerberized/Hesioded for Macintosh...


Here lies the my list/ramblings on projects which need to be developed/ finished to have a complete "athena" environment for the Macintosh. These are in no particular order. If your software is listed please do not be offened. This is a simple wish list with ramblings on how it might be accomplished before I forget :-). If you are interested in tackling one of these projects email me.

Internet Config needs to be extended to get info from hesiod.

This way all programs which use IC can become hesiod applicatons. If a site had an entry in hesiod say ftp.sloc HS TXT "ftp.ncsu.edu" then the prefered ftp.server for NCSU could be looked up and made as a config. Might also be good to add a lookup for the folder the IC prefs is stored in like ega.icpref HS TXT "Home:MacLeland:Prefs" or some such.

MacDNS, Mind, or some mac bind port needs to support type HS

So its just another type. Part of the Bind spec for some time now. TXT is already supported just look for entries with HS instead of IN and a mac hesiod server is born. Short and sweet.

A kerberos server needs to be ported to mac under OT.

Its posix, it has unix libs, it has sockets, its XOpen. Theory says it could be a faceless app with a administration app which runs encrypted over the net or at console to feed the config files. The new arns server for OT demo is exactally this without a config app. A couple of config apps are already available commercially for mac to admin a unix kerb server... The mbone stuff which works with qt are ports of unix sd and the like + some HI...

Netscape needs to have a plug-in which will work to authenticate to kerberos.

Right now kerberos authentication in NCSA httpd is done by trial and fail with a certain protocol for returning request from server (See NCSA documentation of client/server message trace). The document sent by server is basically:
//////////////////////////////////////////////////////////////////////////////
// the server sees that Kerberos auth is required, so it sends a 401
///////////////////////////////////////////////////////////////////////////////

HTTP/1.0 401 Unauthorized
Date: Friday, 03-Feb-95 18:45:13 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html
WWW-Authenticate: KerberosV4

<HEAD><TITLE>Authorization Required</TITLE></HEAD>
<BODY><H1>Authorization Required</H1>
Browser not authentication-capable or
authentication failed.
</BODY>

The browser can either handle this and send back the credentials or fail to and show the page above.
Now we have two choices for a netscape plugin. Since the netscape api switches on Content-type in the mime header (if I understand it) we could a) change the server message so it would return Content-type:text/khtml or b) figure out a way to check all documents for extra mime header WWW-Authenticate:KerberosV4 . If exsists then send authentication as now or else passthru to netscape...
Neither is easy but a) is easiest because it requires just a change in server code and to write the plugin to process and return the correct document. In my world, plugin would call MacLeland API or kClient 1.5 API and authenticate and be off...


Keyserver already works with kClient 2.x API, needs add hesiod groups for program access privs and the kerberos plugin for the keyserver client needs to be made compatable with kClientLeland.

This is the worlds only kerberized Macintosh server (yes Virginia this license server has a place to type in the server password just like having an srvtab entry). IMHO, great software but I can not make it work with kClientLeland that I need for Commercial Eudora. I need one kerberos stack, one hesiod stack and one point of configuration for the "MacAthena" environment. Would be excellent if keyserver could check against the acl/nacl list and groups in hesiod.


MacMosaic 3.0bx needs to be switched to kclient 1.5 API.


Look Authman is a good kerberos stack but there are no conversion stubs to allow Authman API calls to be mapped to kClient or MacLeland and there is no hesiod api in Authman. I need one point of configuration. Tom Redman has offered the code to anyone who is willing to make the port and make it available to the net. Ok so kClientman and kClientLeland already exsist and are mostly at the kClient 1.5 API so why not do this once and everybody can use it. SSL and all that yea, yea... this port would function today, right now, period, so we can get people using secured services. Then let the whole SSL/DCE/RSA/DES thing clear out and we can convert once servers are common place. For the next year or so we need V4.

MacLeland Athena libs need to be ported to Code Warrior.

Most of the sample code comming out for OpenTransport, Netscape,etc is now in Code Warrior. MacLeland Athena libs are in Symantec's C/C++. It would be very convienent if someone could make a set of CW libs so any developer could just drop and drag to use these calls.

Hesinfo needs to be ported to the mac with a GUI.


Well it would be really nice to be able to query hesiod from a mac gui. MIT did some work last summer porting their hesiod routines to CW and ended up with a command line Human Interface...
Almost there. For me, making an application out of the early work Stanford did and removed from MacLeland would be perfect. This code had a window with 2 text-edit fields one for "principal" and the other for "instance" the 2 args to hesinfo. It also allowed * as a wildcard which would look at some resedit resources and make multiple queries to hesiod for those strings with the other specified field. Example * for principal and sloc for instance would return listing of all hesiod entries of for sloc so one would get pop sloc, zephyr sloc, kerberos sloc, etc entries. This was pumped into a TEStyledit record and displayed in a copy-able but not editable window.


ARNS needs to be kerberized/hesioded

ARNS is a way to tunnel AT thru ip so CAP or netatalk volumes can be mounted over any old ip only ISP. Right now it has a hardcoded password. What we need is a kerberized server and a kerberized client. Would also help if client could determin its servers from hesiod instead of having to be hardcoded like maybe an arns.sloc entry in hesiod.


MacDump needs to be kerberized/hesioded

MacDump is currently in alpha to run with netatalk and of course works with CAP. No Virginia MacDump is not a movement from Redmond to have all macintosh computers thrown in the ocean. MacDump is an over the network backup system for individual mac workstations to backup and restore (to the file level) off a Unix-based server. MacDump server needs to be kerberized and learn which cluster of macs it is allowed to backup from hesiod. MacDump client needs to be kerberized.

MacZephyr needs to uses hesiod api in MacLeland and be upgraded.

MacZephyr is great but I am not into hacking resedit resources just to list hesiod servers when MacLeland is already configed. The text edit calls could be TEStylEdits and the code from Whisper could be put in to get fonts, colors, etc like the unix zephyr. Setting a folder to get zsubs, znol, and other configs as a preference stored in dir looked up in hesiod -- userid.zprf HS TXT "Home:myzephrys" would be a nice option.

One of the Chooser drivers for LPR needs to be kerberized/hesioded.

Ok this has been done. Look to buy it from a comercial vendor real soon now...
Got a cluster of Macs in hesiod and a list of printers for them to print to and they just show up. Uses printer.pcap hesiod entry to get info about printer name and server. Works with MIT's quota server all over ip...

Eudora needs to use hesiod in addition to kerberos.

Stanford did this with the old 1.3.x but it was not mime.
Rumor has it that if you type the string "user@hesiod" into the public beta of 3.x commercial while MacLeland is installed the results may suprise you. In fact one might consider changing the name of all their mail clients to "hesiod".

Wonder what would happen if Netscape mail spoke kpop??

Well, Cygnus imap would be better...but it would be a start.

Since I am rambling...

This is not kerb/hes but why is there not the following:
afp://afpserver:afpzone//volume_name/path
So I could reference my netatalk server in a browers and have a user connect over appletalk to
afp://macserver:backbone/Home/Mail
just by clicking a url.
And further more why can't I:
file:/Macintosh HD/Applications/Claris/ ClarisWorks:launch
to run a local app from a url??
Tell me why?