[1913] in Kerberos-V5-bugs
Krb5 rlogin -f interoperability problem
daemon@ATHENA.MIT.EDU (Sean Mullan)
Thu May 9 16:14:24 1996
To: tytso@MIT.EDU
Cc: mullan_s@apollo.hp.com (Sean Mullan), krb5-bugs@MIT.EDU,
sommerfeld@apollo.hp.com (Bill Sommerfeld)
Date: Thu, 09 May 1996 16:13:47 -0400
From: Sean Mullan <mullan_s@apollo.hp.com>
Hi Ted,

I would like your opinion on how to resolve an interoperability
problem between pre-beta 5 rlogin clients and beta 5 rlogind
servers.

Our testing has revealed that ticket forwarding from a pre-beta
5 rlogin to a beta 5 rlogind always fails with the following
syslog message:

May 9 14:15:02 foo rlogind[7480]: Can't get forwarded credentials: \
    Incorrect net address
May 9 14:15:02 foo rlogind[7480]: Authentication failed from \
    bar.ch.apollo.hp.com: Incorrect net address

The problem is due to the fact that the Kerberos beta 4 rlogin
initializes the sender's address to NULL for the KRB_CRED message.
Kerberos beta 5 rlogind calls getpeername() on the socket to find
out the client's address and expects the sender address in the KRB_CRED
message to match this. Since it is NULL, the match always fails.

How do you recommend fixing this? We can think of 3 choices:

a) Don't do anything. Advise Kerberos vendors/users to patch
   their Kerberos pre-beta5 clients to fill in the s-address of
   a KRB_CRED message.

b) Fix rlogind to ignore the sender address in the KRB_CRED
   message. This can be fixed by not filling in the remote
   address of the auth_context structure.

c) Patch krb5_rd_cred to only ignore sender addresses if they
   are NULL.

We are leaning towards c, but would like to know if you have any opinions
or if you have addressed this in beta 6.

Thanks,
Sean
************************************************************
Sean Mullan Phone: (508) 436-4129
Hewlett-Packard Co. Internet: mullan_s@apollo.hp.com
300 Apollo Drive Fax: (508) 436-5140
Chelmsford, MA 01824
************************************************************
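
The three choices in the message differ only in how the receiver treats the KRB_CRED sender address. The sketch below is an added illustration, not code from the message or from the Kerberos distribution; `struct net_addr`, `sender_addr_ok`, `policy_outcomes` and the sample addresses are hypothetical stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a network address (not the krb5 address type). */
struct net_addr { int type; size_t len; unsigned char bytes[16]; };

enum sender_policy {
    POLICY_STRICT,       /* beta 5 rlogind as described; what choice (a) leaves in place */
    POLICY_IGNORE,       /* choice (b): receiver sets no remote address, check skipped */
    POLICY_SKIP_IF_NULL  /* choice (c): skip only when the message carries no s-address */
};

static int addr_equal(const struct net_addr *a, const struct net_addr *b)
{
    return a->type == b->type && a->len == b->len &&
           memcmp(a->bytes, b->bytes, a->len) == 0;
}

/* Returns 1 to accept the sender address, 0 to reject ("Incorrect net
 * address"). sender == NULL models a KRB_CRED with a NULL s-address;
 * peer is the address the server obtained from getpeername(). */
int sender_addr_ok(enum sender_policy p, const struct net_addr *sender,
                   const struct net_addr *peer)
{
    switch (p) {
    case POLICY_IGNORE:
        return 1;                        /* any address, or none, passes */
    case POLICY_SKIP_IF_NULL:
        return sender == NULL || addr_equal(sender, peer);
    case POLICY_STRICT:
    default:
        return sender != NULL && addr_equal(sender, peer);
    }
}

/* Constructed sample addresses from a documentation range. */
static const struct net_addr PEER  = { 2, 4, {192, 0, 2, 10} };
static const struct net_addr OTHER = { 2, 4, {192, 0, 2, 99} };

/* Verdicts packed as bits: bit 0 = matching s-address,
 * bit 1 = NULL s-address, bit 2 = s-address of a different host. */
int policy_outcomes(enum sender_policy p)
{
    return  sender_addr_ok(p, &PEER,  &PEER)
         | (sender_addr_ok(p, NULL,   &PEER) << 1)
         | (sender_addr_ok(p, &OTHER, &PEER) << 2);
}
```

Under this model, (b) and (c) both accept the old clients' NULL address, but only (b) also accepts a message whose stated sender is a different host than the connection's peer.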