S/Key - copyright question - coordination with other packages



I will start debianising S/Key.

In this mail (skip the sections you are not interested in):
1. what is S/Key?
2. plans for integration with other packages
3. copyright & export restrictions, patents


1. What is S/Key?
-----------------

S/Key is a one-time password authentication library.  Several programs
that need to do authentication can be linked with this library (some
source modifications are necessary, however).  It doesn't require any
devices to compute the passwords: with the accompanying utilities you
can generate a PostScript file with a list of one-time passwords that
you can carry with you.

From the README:
    One of the nice things of S/Key is that it still leaves you the option
    to use regular UNIX passwords. In fact, the presence of S/Key support
    can be completely invisible for a user until she has set up a password
    with the keyinit command. You can permit regular UNIX passwords for
    local logins, while at the same time insisting on S/Key passwords for
    logins from outside or for logins into specific accounts.

2. Integration with other packages
----------------------------------

I have taken the S/Key sources from the logdaemon package of Wietse
Venema.  This logdaemon package provides several security enhanced
system programs (login, rlogind, rshd, ftpd, telnetd, keysu, ...),
some of which support S/Key.

Rather than increasing the complexity of the Debian distribution by
debianising the whole logdaemon package (which would provide
alternative versions of many daemons), I have decided to limit myself
to debianising only the S/Key library with its utilities.

In a later stage I will try to provide source level patches for S/Key
support, cleanly contained in #ifdef constructs, for some other
utilities (i.e.  for those programs where I need the S/Key support
myself).  The maintainers of these other packages might or might not
integrate these patches into their source tree, or I could distribute
the patches with the S/Key library.  Anyway, enabling support for the
S/Key library for some package will require the user to recompile
that package (with some other options specified).

At all costs I want to avoid the situation I had previously with a
commercial Unix, where I had to replace many system utilities, every
time again for each OS upgrade, and never feeling quite sure that this
intervention wouldn't cause any problems.

3. Copyright, export restrictions, patents
------------------------------------------

Included below: the copyright for the logdaemon package, and md{4,5}
files.  I believe that this imposes no restrictions for
redistribution.

I also think, but please correct me if I'm wrong, that the US export
restrictions do not apply, as this code serves for authentication
purposes only.

Perhaps some US patents inhibit the use of this code, except for
fun and education?


Copyright logdaemon 5.0 package of Wietse Venema
    /************************************************************************
    * Copyright 1995 by Wietse Venema.  All rights reserved. Individual files
    * may be covered by other copyrights (as noted in the file itself.)
    *
    * This material was originally written and compiled by Wietse Venema at
    * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
    * 1992, 1993, 1994 and 1995.
    *
    * Redistribution and use in source and binary forms are permitted
    * provided that this entire copyright notice is duplicated in all such
    * copies.  
    *
    * This software is provided "as is" and without any expressed or implied
    * warranties, including, without limitation, the implied warranties of
    * merchantibility and fitness for any particular purpose.
    ************************************************************************/

And for the MD4 & MD5 source code:

    /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
       rights reserved.

       License to copy and use this software is granted provided that it
       is identified as the "RSA Data Security, Inc. MD4 Message-Digest
       Algorithm" in all material mentioning or referencing this software
       or this function.

       License is also granted to make and use derivative works provided
       that such works are identified as "derived from the RSA Data
       Security, Inc. MD4 Message-Digest Algorithm" in all material
       mentioning or referencing the derived work.

       RSA Data Security, Inc. makes no representations concerning either
       the merchantability of this software or the suitability of this
       software for any particular purpose. It is provided "as is"
       without express or implied warranty of any kind.

       These notices must be retained in any copies of any part of this
       documentation and/or software.
     */


Export restrictions not applicable because not encryption, but
authentication.
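
Added example, not part of the original message or of the logdaemon sources: a sketch of the hash-chain idea behind S/Key one-time passwords, showing why a pre-generated list can be carried on paper and why a captured password cannot be replayed. It uses MD5 from Python's hashlib with seed-then-passphrase ordering as in RFC 2289; the function names, seed and passphrase are assumptions constructed for illustration.

```python
import hashlib
import hmac

def fold(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def step(value: bytes) -> bytes:
    """One link of the chain: hash, then fold to 64 bits."""
    return fold(hashlib.md5(value).digest())

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count`: the initial value hashed `count` more times."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = step(value)
    return value

def password_list(passphrase: str, seed: str, start: int) -> list:
    """Passwords in the order they are used: count start-1 down to 0."""
    return [otp(passphrase, seed, n) for n in range(start - 1, -1, -1)]

class Verifier:
    """Server side: keeps only the last accepted password, never the secret."""
    def __init__(self, initial: bytes):
        self.stored = initial

    def check(self, candidate: bytes) -> bool:
        # A valid password hashes forward to the stored one; computing the
        # next valid password from the stored one means inverting the hash.
        if hmac.compare_digest(step(candidate), self.stored):
            self.stored = candidate
            return True
        return False

def demo() -> list:
    """Constructed sample values; returns the outcome of four login attempts."""
    secret, seed = "constructed passphrase", "ke1234"
    server = Verifier(otp(secret, seed, 5))   # set up once, keyinit-style
    sheet = password_list(secret, seed, 5)    # the printed list
    return [server.check(sheet[0]),   # first password on the list: accepted
            server.check(sheet[0]),   # replay of the same password: rejected
            server.check(sheet[2]),   # skipping ahead on the list: rejected
            server.check(sheet[1])]   # next password in order: accepted

if __name__ == "__main__":
    print(demo())
```

Only hashing is involved on both sides; nothing is encrypted or decrypted.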