[1872] in Kerberos-V5-bugs
Re: K5B5 on AIX 4.1.4
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Apr 15 17:10:46 1996
To: Doug Engert <DEEngert@anl.gov>
Cc: "Theodore Ts'o" <tytso@MIT.EDU>, krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 15 Apr 1996 17:10:23 -0400
In-Reply-To: Doug Engert's message of Mon, 15 Apr 1996 13:30:31 -0500
>>>>> "Doug" == Doug Engert <DEEngert@anl.gov> writes:
Doug> Ted,
Doug> The kinit, klist and rlogin work. (You changed the names of
Doug> the krlogin to rlogin which was a surprise!)

I believe this change was made before Beta5. At least, it installs as rlogin not krlogin.

Doug> The name of the krlogind was also changed, as well as its
Doug> options. I can see changing krlogin to rlogin but why
Doug> krlogind to klogind???

There was discussion of the options change on
comp.protocols.kerberos a while back. The reason the r was removed
from the name has to do with what klogind does if you don't give it
any options. It takes the letters before logind in the name, and
treats them as options. Thus, if you call it 5elogind, it will be a
Kerberos5 only klogind that requires encryption. If you look at the
-r option, it allows for address-based Berkeley-rhost authentication;
this is not something we want to enable by default in Kerberos. So,
the name was changed to get a reasonable default behavior if you
include no options.

Doug> I tested the klogind and it *HUNG* the machine, requiring a
Doug> reboot!

Yes, I'm hoping Chris Cowan at IBM (I believe you have dealt
with him on some DCE issues) will be able to provide resolution on
this problem.

Doug> This is the same problem I had with the ss-962301 snapshot,
Doug> it appears that on AIX 4.1.4 the login.krb5 has a problem.
Doug> The solution I used on the AIX 4.1.4 and HPUX 10.0 for this
Doug> problem with ss-962301 was to use the vendor's login
Doug> program, by adding the USE_LOGIN_F and modifying the
Doug> krlogind.c code. I sent these modifications in on March 15,
Doug> "ss-962301 - krlogind and other fixes"

I was not able to get it to work by using the vendor login on
AIX4 after applying some of your patches. I am almost certain that
the problem is in the libpty code or in klogind/telnetd not in the
login.

>> ./src/appl/bsd/krlogind.c - The AIX 4.1.4 system would crash
>> somewhere in login.krb5. Rather than debugging login.krb5, I
>> would rather see the vendor's login used if possible.
>> The AIX and HP systems both support "login -f -p", and so
>> ifdefs were added for USE_LOGIN_F (which was manually added
>> during the configure) to use the vendor's login. This requires
>> passing the terminal type as an environment variable, rather
>> than via the input stream, and skipping a number of changes to
>> the terminal.
Doug> Depending on when you plan on releasing the K5.6 (You said
Doug> in your note, possibly one or two weeks), if these changes
Doug> could be included I will get you new versions ASAP. If not,
Doug> I will wait for the K5.6 to add these mods.
Doug> Let me know what you would like.

I believe we will be handling this by replacing login.krb5
with a more functional version, instead of using the vendor login by
default. However, I don't think we would have any problem with
patches that caused the code to work reasonably when
DO_NOT_USE_K_LOGIN was undefined.

I recall one problem you ran into was that our code currently
disables IEXTN; feel free to enable IEXTN in krlogind--nothing depends
on it being disabled any more, and I will not be disabling it in the
future.

Doug> The other main set of changes which I made and were not
Doug> included were in the krb524 files. There were some changes to
Doug> use a newer version of the sendmsg.c which was copied from
Doug> the send_to_kdc.c code. This works on multi-homed servers
Doug> and allows for replicated krb524ds. This required changes to
Doug> a number of other routines since sendmsg.c now loops thru
Doug> all the possible addresses to try. You should consider
Doug> adding these changes.

I believe we still are.

Doug> The other change to krb524 was to map a K5 ticket for
Doug> "afsx/afs.cell.name@K5.realm" to "afs@afs.cell.name" and
Doug> encrypt it in the key from a copy of the AFS KeyFile. This
Doug> is used with the modified aklog, which is called from the
Doug> k5afslogin above.

We certainly intend to support krb524 being used to get AFS
tickets, although I believe the approach we will take is slightly
different. I am not sure, so I can't really comment effectively.

Thanks very much for your continued helpful commentary
explaining the problems you've been running into. I realize we aren't
moving as fast as you might like, but we will eventually get there.

Doug> Douglas E. Engert Systems Programming Argonne
Doug> National Laboratory 9700 South Cass Avenue Argonne, Illinois
Doug> 60439 (708) 252-5444
Doug> Internet: DEEngert@anl.gov