[1598] in Kerberos-V5-bugs
krlogind doesn't support krb4 w/o rhosts
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sun Aug 13 21:54:35 1995
Date: Sun, 13 Aug 1995 21:53:18 -0400
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU

Kerberos 5 krlogind doesn't support using krb4 authentication
without also enabling .rhosts. This is a bug in two regards:

1) It makes debugging difficult as the normal krlogin program doesn't
   come in on a reserved port.
2) It's a security hole.

Unfortunately, any solution is going to have to change the
meaning of the options, so I don't want to go off and implement this
without getting ideas on how to be non-destructive.

Here is the current meaning of options, taken from the source
code:

* The configuration is done either by command-line arguments passed by
* inetd, or by the name of the daemon. If command-line arguments are
* present, they take priority. The options are:
* -k and -K means check .k5login (using krb5_kuserok).
* -r and -R means check .rhosts (using ruserok).
* -p and -P means prompt for password.
* The difference between upper and lower case is as follows:
* If lower case -r or -k, then as long as one of krb5_kuserok or
* ruserok passes, allow login without password. If the -p option is
* passed with -r or -k, then if both checks fail, allow login but
* only after password verification.
* If uppercase -R or -K, then those checks must be passed,
* regardless of other checks, else no login with or without password.
* If the -P option is passed, then the password is verified in
* addition to all other checks. If -p is not passed with -k or -r,
* and both checks fail, then login permission is denied.
* -x and -e means use encryption.
*
* If no command-line arguments are present, then the presence of the
* letters kKrRexpP in the program-name before "logind" determine the
* behaviour of the program exactly as with the command-line arguments.

I'm not particularly sure how to fix this.
--Sam
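
The option rules in the source comment quoted above, written out as a decision function. This is an added example, not part of the original message and not krlogind code: login_allowed and the OPT_* names are hypothetical, the three boolean inputs stand in for the results of krb5_kuserok, ruserok and password verification, and it assumes a check whose option is not given is not consulted.

```c
#include <stdbool.h>
#include <stdio.h>

/* Option bits, named after the letters in the quoted comment. */
enum {
    OPT_k = 1 << 0, OPT_K = 1 << 1,   /* .k5login: sufficient / mandatory */
    OPT_r = 1 << 2, OPT_R = 1 << 3,   /* .rhosts:  sufficient / mandatory */
    OPT_p = 1 << 4, OPT_P = 1 << 5    /* password: fallback / always      */
};

/* Hypothetical model of the documented policy, not krlogind's own code.
 * k_ok, r_ok and pw_ok are the outcomes of the .k5login check, the
 * .rhosts check and password verification for one login attempt. */
bool login_allowed(unsigned opts, bool k_ok, bool r_ok, bool pw_ok)
{
    /* Upper case -K / -R: the check must pass, else no login at all. */
    if ((opts & OPT_K) && !k_ok) return false;
    if ((opts & OPT_R) && !r_ok) return false;
    /* -P: the password is verified in addition to all other checks. */
    if ((opts & OPT_P) && !pw_ok) return false;

    bool k_on = opts & (OPT_k | OPT_K);
    bool r_on = opts & (OPT_r | OPT_R);
    /* One passing enabled check is enough to log in. */
    if ((k_on && k_ok) || (r_on && r_ok)) return true;
    /* Every enabled check failed: only -p permits a password login.
     * Assumption: the comment does not say what happens when neither
     * -k/-K nor -r/-R is given; this model treats that case the same. */
    return (opts & OPT_p) && pw_ok;
}

int main(void)
{
    /* -k -r: a passing .rhosts check alone gives a password-less login. */
    printf("-k -r, only rhosts ok: %d\n",
           login_allowed(OPT_k | OPT_r, false, true, false));
    /* -K -r: the same attempt is refused because .k5login is mandatory. */
    printf("-K -r, only rhosts ok: %d\n",
           login_allowed(OPT_K | OPT_r, false, true, false));
    return 0;
}
```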