Jeffrey Hutzelman - Projects

In addition to the projects listed below, I also have a number of ongoing responsibilities.

Irix 6.5

We are in the process of porting the standard SCS environment to Irix 6.5. The platform is presently in the beta-test stage.

Solaris 7

We are in the process of porting the standard SCS environment to Solaris 7. The platform is presently in the beta-test stage.

Host Table / DHCP Generation

DNS zone files, DHCP configuration, and other information about hosts were previously maintained manually in a variety of separate places. These are now all derived automatically from the main host database by a job which runs every day. While the transition is mostly complete, there are still a few changes and improvements to be made.

AFS Backups Upgrade

The AFS backup system, stage, provides backups of nearly all AFS volumes on a regular schedule. Except for those volumes explicitly configured not to receive backups, all volumes are backed up on a daily basis, and monthly backups are kept indefinitely.

Unfortunately, the current system has grown old, and has some limitations which make it unable to provide service for large volumes. In addition, it runs on an Ultrix system and uses 8mm tape drives, which are growing difficult to maintain.

Therefore, we are in the process of upgrading and improving the stage system: moving it to a new platform, switching to DLT tape drives, and removing several limitations. When the upgrades are complete, the new-and-improved system will be able to handle larger volumes and a larger total amount of data. It will also eventually provide backups for IMAP mailboxes and various other types of data.

Lightweight AFS Fileserver

HostAFS is a lightweight AFS fileserver designed to run on every workstation, serving the files on that workstation's local disk. It is intended to serve as a secure replacement for NFS in certain situations, and as an effective long-term replacement for RFS. The server maps Kerberos tickets onto local UIDs for users with accounts, and to an anonymous ID for other local-realm principals. Access by unauthenticated users is normally prohibited, though eventually it will be possible to designate directories for anonymous AFS access by any client. This project is presently on hold, though I hope to return to it soon.

Kerberized One-Time Passwords

We are in the process of developing a number of alternative authentication mechanisms for users and staff members who must log in to untrusted systems or over insecure communications links. These mechanisms are designed to combine the convenience and ease of administration of Kerberos with the security of one-time passwords. Currently, we have two systems under development:

KOPIE is an OPIE-compatible authentication system which allows users to authenticate using a one-time passphrase derived from their Kerberos key. The system uses modified versions of login, kinit, and other authentication programs to allow users to get Kerberos tickets by typing a one-time password instead of their usual Kerberos password. The modified tools talk to an auxiliary service (kopied) which runs alongside the standard Kerberos V5 KDC. A modified version of kadmind automatically generates a one-time password sequence whenever a user changes his password. This project is presently on hold.

KOTP is a mechanism which allows staff members to log in to untrusted systems by typing a one-time password, rather than the usual Kerberos password for a privileged principal. When a staff member wishes to log in to an untrusted machine, he uses a special login sequence to indicate that KOTP should be used. The machine responds with a challenge, rather than a password prompt. The staff member then uses a Kerberos-authenticated service (kotpd) from a trusted machine to compute the correct response. The kotpd program runs alongside a standard Kerberos V5 KDC, with no modifications required to the Kerberos software. This project is presently on hold.
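The OPIE-style sequence that the KOPIE description refers to, as an added example; it is not code from this page or from the KOPIE project. It follows the RFC 2289 MD5 scheme that OPIE implements and assumes the secret fed into the chain is the user's Kerberos key (the page does not say how KOPIE derives it); DEMO_KEY, the seed and the class name are constructed for illustration.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 step: MD5, then XOR the two 8-byte halves down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(secret: bytes, seed: str, count: int) -> bytes:
    """OTP number `count`: fold seed+secret once, then fold `count` more times."""
    value = fold_md5(seed.lower().encode("ascii") + secret)
    for _ in range(count):
        value = fold_md5(value)
    return value

class OtpEntry:
    """Per-user server state: seed, sequence number and last accepted OTP only."""

    def __init__(self, secret: bytes, seed: str, count: int):
        # Assumption: this runs when the password (and so the key) changes,
        # which is the point at which the page says a new sequence is generated.
        self.seed, self.count = seed, count
        self.last = otp(secret, seed, count)

    def challenge(self) -> str:
        # RFC 2289 challenge format: algorithm, sequence number, seed.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # sequence exhausted; a new one must be generated
        # Hashing the response once must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        # Step down the chain so the same response cannot be replayed.
        self.last, self.count = response, self.count - 1
        return True

# Constructed 16-byte value standing in for a user's Kerberos key.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    entry = OtpEntry(DEMO_KEY, "scs12345", 5)
    print(entry.challenge())                              # challenge shown to the user
    print(entry.verify(otp(DEMO_KEY, "scs12345", 4)))     # first use is accepted
    print(entry.verify(otp(DEMO_KEY, "scs12345", 4)))     # replay is rejected
```

The stored value is a hash of the next expected response, so a copy of the server's state does not yield a usable one-time password, and each accepted response invalidates itself.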

Jeffrey Hutzelman <>
Last updated: 01-Oct-2000