last modified: 11 April, 1995
MIT Kerberos V4 for DOS, Windows, and OS/2 is significantly different from the Kerberos V4 distribution for Unix-based systems. Many changes have been made for the new platform's different capabilities/restrictions, and this document is meant as an aid for developers using this library and the sources.
You can send questions specific to the MIT implementations for DOS, Windows, OS/2 and NT to pckerberos@mit.edu. To subscribe to the mailing list, send mail to pckerberos-request@mit.edu. An archive of the mailing list is maintained with discuss. The 2nd transaction of the meeting shows where we were in April of '94.
For more general information on Kerberos you can obtain some papers from ACS's virtual documentation rack. The Leash help file for MS Windows also provides similar information.
There is also a news group about Kerberos. Its FAQ contains the answers to a lot of questions. There is also an archive of the MIT Kerberos mailing list that dates back to 1987.
Finally, you may be interested in general security issues not specific to Kerberos.
ITAR Restrictions
We used the Microsoft Visual C++ 1.0 compiler to compile Kerberos under DOS and Windows, but it will also work with MSC 7.0 (with the known bugfix patches installed) and MSVC++ 1.5. Under OS/2 we used IBM's C/Set++ FirstStep compiler. In this section, \KRB will be used to refer to the top directory of the Kerberos tree, as unzipped from the KRBV4MIT.ZIP archive file.
We do not currently have a version that is native to Windows NT but we expect to start work on this shortly.
Not all of the code required to build the distribution is contained in the KRBV4MIT.ZIP file. The Kerberos distribution uses some code that is common to a number of other projects from MIT's DOSDEV team. The other source from DOSDEV is available on
The first step in building the Kerberos libraries is building DES. If you already have working DES libraries or are attempting to build Kerberos without encryption, you may skip this section.
To build DES for any of the supported operating systems, the steps to follow are pretty much the same. At the DOS or OS/2 prompt, change directory to \KRB\LIB\DES and type
NMAKE /F DESos.MAK
where os depends on the operating system you are building for.
DOS
DES.LIB, the large memory model version of DES for static linking with DOS programs. To build the DES libraries for other memory models, use the command
NMAKE /F DESDOS.MAK MODEL=S
In this example, the library is built in the small memory model. Also available is the DEBUG=1 command line option, to build the library with debug information included.
WIN
WDES.LIB, the large model statically linked version of DES with Windows support code. This library is typically only statically linked into the KRBV4WIN.DLL library and called through that. The MODEL and DEBUG command line options from the DOS makefile are also available in this makefile.
OS2
Use this makefile to generate DESOS2.LIB, the statically linked OS/2 version of the DES library. This library is typically only statically linked into the KRBV4OS2.DLL library and called through that. The DEBUG command line option from the DOS and Windows makefiles is also supported in this makefile.
There are also pseudotargets defined in the makefiles to perform certain actions. If you attempt to make the target "clean" it should clean the directory of object files and other files created by the process of building the DES libraries.
To install the end user files there are several things that you must do. The first is to install the KRB.CON and KRBREALM.CON files in your C:\NET\KERB directory. If you don't like this setup, take a look at the Site Customizations section of this document.
The next step is to decide what method you wish to use to store your Kerberos tickets. There are two methods available to you if you are using DOS and Windows. If you are using OS/2 or Windows/NT then you only have one choice.
If you are using DOS and Windows then we recommend that you run the program KERBMEM.EXE before using any Kerberized applications. Usually this should be run in your autoexec.bat file. The use of kerbmem is especially recommended if your computer is not physically secure from other users. On the MIT campus users should always assume that their computer is not physically secure.
Kerbmem is a small TSR program which reserves 1K of memory for ticket storage by default. By using Kerbmem your tickets will never be stored on the local disk. If you reboot your machine without destroying your tickets no other user will be able to recover your tickets no matter what disk recovery tools they may have access to.
Kerbmem has a few command line arguments.
If you do not use Kerbmem then Kerberized applications will store the Kerberos tickets in a normal file. This is the same as most UNIX implementations but is less secure since DOS and Windows do not require a user to log into the computer to gain access to the local file system.
By default the tickets will be stored in ?:\temp\? unless an environment variable, KRBTKTFILE, is set. Users may set the environment variable for multiple simultaneous ticket storage. This is the same behavior as most UNIX implementations.
Our normal installation assumes a default directory structure on the C: drive. We assume that the directory \net\kerb exists. This can be overridden by setting an environment variable, NDIR.
Let's assume that you want your Kerberos configuration information installed on drive D and you have a directory on D named \etc. Then you would put the following line in your autoexec.bat file or some other file that initializes the network on your PC.
SET NDIR=D:\etc
This assumes that you have a directory named kerb under the \etc directory. In this directory you should place the KRB.CON and KRBREALM.CON files. These files should be copies of the \etc\krb.conf and \etc\krbrealm.conf files that are installed on your local UNIX workstations. Your local system administrator should be able to help you with this.
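An AUTOEXEC.BAT fragment that ties the installation steps above together: it resolves the configuration directory, checks that both configuration files are present, and only then loads the in-memory ticket store. This is an added example, not part of the MIT distribution; it assumes KERBMEM.EXE is on the PATH and that NDIR=C:\NET is equivalent to the default C:\NET\KERB layout.

```bat
@ECHO OFF
REM Added example: AUTOEXEC.BAT fragment for the end user install steps.
REM Assumptions (not from the original document): KERBMEM.EXE is on the
REM PATH, and NDIR=C:\NET reproduces the default C:\NET\KERB location.

REM Keep an NDIR set earlier (for example SET NDIR=D:\etc);
REM otherwise fall back to the default location.
IF "%NDIR%"=="" SET NDIR=C:\NET

REM Both configuration files must be in the KERB directory under NDIR.
IF NOT EXIST %NDIR%\KERB\KRB.CON GOTO NOCONF
IF NOT EXIST %NDIR%\KERB\KRBREALM.CON GOTO NOCONF

REM Load the ticket storage TSR with its default 1K of memory so that
REM tickets stay in memory and are never written to the local disk.
REM KRBTKTFILE is deliberately left unset: it only applies to
REM file-based ticket storage.
KERBMEM
GOTO DONE

:NOCONF
ECHO Kerberos configuration not found in %NDIR%\KERB
ECHO Copy KRB.CON and KRBREALM.CON there before running Kerberized applications.

:DONE
```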
Other APIs available for Kerberos
Kerberized Applications
Obtaining Source and Binaries
What about Kerberos version 5 and DCE security?