[4548] in Kerberos
Re: Kerberos V4 under Solaris 2.4
daemon@ATHENA.MIT.EDU (Asokan)
Thu Feb 2 06:04:51 1995
To: kerberos@MIT.EDU
Date: Wed, 1 Feb 1995 14:04:20 GMT
From: nasokan@math.uwaterloo.ca (Asokan)
In article <1995Jan31.015316.15844@princeton.edu>,
Lawrence R. Rogers <lrr@Princeton.EDU> wrote:
>Folks:
>
>I am having trouble getting Kerberos V4 to work correctly
>under Solaris 2.4. Specifically, either I compile the Cygnus
>code or use the Cygnus binaries, when I try to krlogin to
>the Solaris 2.4 machine, I get the following:
>
>% krlogin solman
>Kerberos rlogin failed: Can't decode authenticator (krb_rd_req)
>Password:
>
>
>Is there some catch? The Cygnus folks say it runs under 2.3
>which it well may, but it does not work under 2.4.
>
>The krsh program works fine.
>
>Thanks for the tips.
[...]
When we moved to Solaris 2.3, we ran into a problem with similar
symptoms. I wonder if you are running into the same problem. Our
symptoms were as follows: krsh and everything else works fine every
time. krlogin fails with the above message _sometimes_ (it depended
on the contents of the ticket file -- so if it happened, the workaround
was to "kdestroy; kinit" and try again). We guessed that the problem must
be related to the pty driver and eventually located it and fixed
in rlogind.c. Here is what our comments say:

    /*
     * The effect here is to do the equivalent of
     * "stty raw", so that login has a chance of
     * decrypting the ticket/authenticator without
     * the pty driver getting in the way.
     * Solaris 2.3 turns on IEXTEN by default.
     * Therefore it had to be added here. There may
     * be other similar things to disable here if
     * we ever find that login has trouble decrypting
     * otherwise valid tickets.
     */

The fix then is to add IEXTEN to the set of things disabled
in the c_lflag field of the new_termio struct (in rlogind.c).
In the stock MIT v4 pl10 rlogind.c, this line looked thus:

    new_termio.c_lflag &= ~(ICANON|ECHO|ISIG);

You'll have to make the corresponding addition in login.c to re-enable
IEXTEN before exec-ing the shell.
If this description is not helpful, I can mail you our copies
of rlogind.c and login.c. But they have had substantial local
changes made to them.
We don't run the Cygnus version. But my recollection was that
Cygnus didn't handle IEXTEN either -- I may be wrong.
Until we solved it, our problem was particularly irritating.
We found that the problem occurred if the client credentials
(encrypted of course) had a byte with value decimal 22 in
it. The pty driver ate it and the login.krb server at the
remote end couldn't decrypt the mangled credentials. If we
were lucky, getting a new ticket avoided byte 22 and everything
worked fine.
Hope this helps.
- Asokan
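
Added illustration, not part of the message above and not code from the MIT or Cygnus sources: a simplified model of why the stock c_lflag mask lets byte 22 be eaten while the mask with IEXTEN added delivers the credentials intact. It assumes byte 22 is the terminal's VLNEXT (Ctrl-V) character and that IEXTEN alone enables its handling, as the symptoms in the message suggest; `rlogind_make_transparent`, `ldisc_deliver`, `deliver_sample` and `sample_cred` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <termios.h>

/* rlogind.c side: the stock mask from the post plus IEXTEN (the fix). */
void rlogind_make_transparent(struct termios *t)
{
    t->c_lflag &= ~(ICANON | ECHO | ISIG | IEXTEN);
}

/* Simplified model (an assumption, not driver code): with IEXTEN set, the
 * VLNEXT byte is consumed and the byte after it is delivered literally.
 * Returns how many bytes the reader on the slave side receives. */
size_t ldisc_deliver(const struct termios *t, const unsigned char *in,
                     size_t n, unsigned char *out)
{
    size_t i, o = 0;
    int literal = 0;

    for (i = 0; i < n; i++) {
        if ((t->c_lflag & IEXTEN) && !literal && in[i] == t->c_cc[VLNEXT]) {
            literal = 1;            /* this byte is eaten */
            continue;
        }
        literal = 0;
        out[o++] = in[i];
    }
    return o;
}

/* Constructed stand-in for encrypted credentials; 0x16 is decimal 22. */
static const unsigned char sample_cred[8] =
    { 0x9c, 0x41, 0x16, 0xe7, 0x03, 0xb8, 0x5a, 0xd2 };

/* Deliver sample_cred with the stock mask (with_fix=0) or the fixed one. */
size_t deliver_sample(int with_fix, unsigned char *out)
{
    struct termios t;

    memset(&t, 0, sizeof t);
    t.c_lflag = ICANON | ECHO | ISIG | IEXTEN;  /* assumed pty defaults */
    t.c_cc[VLNEXT] = 0x16;                      /* assumed: Ctrl-V default */
    if (with_fix)
        rlogind_make_transparent(&t);
    else
        t.c_lflag &= ~(ICANON | ECHO | ISIG);   /* stock line from the post */
    return ldisc_deliver(&t, sample_cred, sizeof sample_cred, out);
}
```

With the stock mask the model delivers seven of the eight bytes, so the receiver would be decrypting a shifted buffer; a credential without 0x16 passes either way, which matches the intermittent failures described.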