Kerberos is an authentication protocol used to prove your identity to remote services over a network. It is capable of providing:
More information about Kerberos may be obtained from:
The primary motivation for developing this software is to provide secure and convenient access to the servers run by the RISC OS Packaging Project. It may be useful to others who run a mix of RISC OS and UNIX-based systems.
Shishi is the GNU Project implementation of Kerberos 5. It is not the only implementation of Kerberos: others include MIT Kerberos and Heimdal. The reason for using Shishi at present is that so far it is the only one which I have been successfully able to port.
Depending on your point of view, one advantage or disadvantage of Shishi is that it is released under the terms of the GNU General Public License. This means that it cannot be linked with software that uses a licence which is incompatible with the GPL, including packages such as !Nettle which would otherwise be natural candidates for kerberization. This is the reason for the development of !RiscTerm (a more detailed account of which can be found in the !RiscTerm README file).
One clear disadvantage of Shishi is that it is currently the least mature and least complete of the three Kerberos implementations considered. According to the Shishi home page, “Shishi has received very little real-world testing and should be considered alpha quality”.
In view of this warning you should consider carefully whether it is suitable for whatever purpose you intend to use it.
Having said that, my experience with it so far has been very positive, and while there are some features missing, the ones which have been written appear to be well-implemented.
Simply porting an implementation of Kerberos to RISC OS is, by itself, of very limited value. To make full use of Kerberos it must be incorporated into other programs which are involved in authentication (either because they themselves need to identify the user, or because they must prove the identity of the user to a third party).
The table below lists the work that has so far been released, or which is in progress or planned.
| Package | Component | Description | Status |
|---|---|---|---|
| Shishi | | The GNU Project implementation of Kerberos 5 | |
| Shishi | Library | A library which may be used by other programs to support Kerberos | Released |
| Shishi | GSSAPI | A library which may be used by other programs to support Kerberos as a GSSAPI authentication method | In progress |
| Shishi | CLI tool | A command-line tool for acquiring and managing Kerberos tickets | Released |
| Shishi | Config | Configuration system plugin for Shishi | Not started |
| Logon | | A program to perform authenticated logon when RISC OS is started | |
| Logon | Kerberos | Authentication using Kerberos | Released |
| Logon | Local-Auth | Local authentication using a password file | Not started |
| Logon | Hesiod | Account information obtained using Hesiod | In progress |
| Logon | LDAP | Account information obtained using LDAP | Not started |
| Logon | Config | Configuration system plugin for managing users | Not started |
| RiscTerm | | A terminal emulator with Kerberos support | |
| RiscTerm | Telnet | Telnet (with Kerberos authentication) | Part released |
| RiscTerm | SSH | SSH (with Kerberos authentication) | In progress |
| RiscTerm | VT52 | VT-52 terminal emulation | Released |
| RiscTerm | VT100 | VT-100 terminal emulation | Not started |
| AFS | | The Andrew Filing System | |
| AFS | RX | The RX remote procedure call protocol | In progress |
| AFS | Filesystem | The AFS filesystem module | Not started |
| AFS | Tokens | AFS authentication (using Kerberos) | Not started |
| Netsurf | SPNEGO | SPNEGO authentication for Netsurf | Not started |
| Subversion | SPNEGO | SPNEGO authentication for Subversion | Not started |
(There are many other programs which could be written or adapted for RISC OS to use Kerberos. These are simply the ones which have a reasonable prospect of happening in the short to medium term. Other useful additions would include POP3/IMAP, NFSv4 and CIFS/SMB clients. If you have a RISC OS program which you would like to kerberize using the released library
The recommended way to install the above Kerberos software is using RiscPkg. It is also possible to download and install the packages manually. The ones which have been released so far may be obtained from:
LibGCrypt-Dev (version 1.4.0-0)
Shishi-Common (version 0.0.35-3)
LibShishi-Dev (version 0.0.35-3)
Source code for everything should be available from the source code repositories of the RISC OS Packaging Project. (If you find anything missing then please contact me and I will take appropriate action.)
There is a mailing list for discussing Kerberos in relation to RISC OS. To subscribe, send an empty message to:
kerberos-request@lists.riscpkg.org
with a subject of “subscribe”.
This is a public authentication and directory service provided for the benefit of RISC OS users. Its primary use at present is to provide authentication services for the RISC OS Packaging Project; however, it is now possible to authenticate directly against its Kerberos service and use the resulting keys however you wish.
More information about this service can be found here. Please note the important caveats about its security and availability. A backup KDC will be installed in the near future which will allow some of these warnings to be relaxed.