[1878] in Kerberos
No subject found in mail header
daemon@ATHENA.MIT.EDU (hussien@masi.ibp.fr)
Thu Apr 30 10:49:17 1992
Date: Thu, 30 Apr 92 15:54:26 +0200
From: hussien@masi.ibp.fr
To: kerberos@Athena.MIT.EDU
>
> Hello to all;
>
> I have a couple of problems operating kerberos V4 :
>
> - The system doesn't verify or doesn't verify correctly
> the passwords of principals. For instance, a principal "hua"
> can 'change' his password by supplying a false "old password".
> Moreover, an administrator (in kerberos sense) can modify the
> database without necessarily giving the correct
> "admin password" (he can even press just <RETURN>).
>
> - Executing the command "get principale_name" (in kadmin) as
> an administrator (instance "admin") gives the following error
> message : "kadm error: Insufficient access to perform requested operation."
>
> If not for these two problems, things work fine so far :
> the sample cl/srv program, the remote services (rlogin, rsh
> rcp) all work well. For your information, as I don't have
> export licence for the DES library of MIT, I used the one
> written by Eric Young in Australia.
>
> Any suggestion is appreciated ...
>
>
I received suggestions from the following email addresses for the
above two questions; I thank all of you.
DFSHEN@ralvmm.vnet.ibm.com
jonathan@isor.vuw.ac.nz
tytso@athena.mit.edu (Theodore Ts'o)
nasokan@maytag.waterloo.edu
nelson@bolyard.wpd.sgi.com (Nelson Bolyard)
eay@grunt.psy.uq.oz.au (Eric Young)
The problem with the second question above was, as you suggested, due to
the fact that I didn't respect the right syntax when I put principals in
the admin_acl.* files. I no longer have a problem from this side.
For the second question, however, I think that I missed an important
point. Let me first quote to you what Nelson Bolyard sent me on this
subject :
>>Isn't the observed behavior what one would expect if one used the
>>so-called "bones" version of Kerberos?
>>
>>It's my (possibly flawed) understanding that bones has had (1) all
>>the DES code, _AND_ (2) all the _calls_ to the DES code, completely
>>ripped out. If this is so, then one would expect that having the
>>best DES library in the world would still not check passwords
>>correctly, unless the calls to the library had been reinserted into
>>the right places.
>>
>> Nelson Bolyard
I did bring the "bones" version of Kerberos (V4) and I supposed that
only the DES code is ripped out while keeping the _calls_ to the DES code
(some kind of identity 'functions', I supposed). But it seems that even
the _calls_ to the DES code are ripped out, as Nelson thought. In this
case, I must look for the right places to reinsert the (DES) calls.
Could someone who has been through the same process help me save time?
Or else, is there already a "complete" kerberos source somewhere (with
the DES code already inserted)?
Waiting for your responses...
----------
Ahmed H.
Laboratoire MASI
Pierre/Marie Curie Universite
Paris - France