[2066] in Kerberos-V5-bugs


Re: possible rsh/kshd problem?

daemon@ATHENA.MIT.EDU (Mark Eichin)
Tue Jul 2 20:33:13 1996

To: Sam Hartman <hartmans@MIT.EDU>
Cc: Mark Eichin <eichin@cygnus.com>,
        Dave McGuire <mcguire@rocinante.digex.net>, kerberos@MIT.EDU,
        krb5-bugs@MIT.EDU, rdist-bugs@usc.edu
From: Mark Eichin <eichin@cygnus.com>
Date: 02 Jul 1996 20:21:18 -0400
In-Reply-To: Sam Hartman's message of 02 Jul 1996 19:57:16 -0400


> 	It looks like the krb5 kshd only uses pipes if it has to
> encrypt or if a stderr connection is supplied.  I guess this does end
> up almost always using a pipe.

*Almost* always? I've *never* seen rsh not use a stderr
connection... with non-kerberized and with v4, there's no way to ask
to not have one...

>	Is it worth our trouble to use socketpair() instead of pipes
> on operating systems where that is available?

No, because the inconsistency would be even worse. It's not hard to
fix programs like rdist... and it wouldn't help with the getpeername /
getsockname problem at all (I've just made kshd pass the IP addresses
down in the environment, because the v4rcp back end needs them to do
the mutual authentication.)

Really, the current rsh should be disposed of -- the easy way would be
to replace it with a simple gssapi-based app that uses a single
connection (and quotes the packets, or at least inserts "stream
change" tokens... but whatever happens, it must have *extensible*
negotiation.) Sigh.
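
An added example, not part of the original message or of the krb5 sources: how a program started by kshd can cope with stdin being a pipe, where getpeername() fails with ENOTSOCK, by falling back to an address the parent passed in the environment. The variable name `EXAMPLE_REMOTE_ADDR` is hypothetical (the message does not give the name kshd uses), and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical variable name; the message does not say what kshd calls it. */
#define PEER_ENV "EXAMPLE_REMOTE_ADDR"

/* Write the peer's IPv4 address for fd into out.
 * Returns 0 if read from the socket, 1 if taken from the environment
 * because fd is not a socket (e.g. a pipe), -1 if neither source is usable. */
int peer_addr(int fd, char *out, size_t len)
{
    struct sockaddr_storage ss;
    socklen_t sl = sizeof ss;

    if (getpeername(fd, (struct sockaddr *)&ss, &sl) == 0) {
        if (ss.ss_family != AF_INET)
            return -1;      /* connected, but not an IPv4 peer */
        const struct sockaddr_in *sin = (const struct sockaddr_in *)&ss;
        return inet_ntop(AF_INET, &sin->sin_addr, out, len) ? 0 : -1;
    }
    if (errno != ENOTSOCK)
        return -1;          /* bad fd, or a socket that is not connected */

    /* fd is a pipe: accept the inherited value only if it parses. */
    const char *v = getenv(PEER_ENV);
    struct in_addr a;
    if (v == NULL || inet_pton(AF_INET, v, &a) != 1)
        return -1;
    return inet_ntop(AF_INET, &a, out, len) ? 1 : -1;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    int r = peer_addr(STDIN_FILENO, buf, sizeof buf);
    if (r < 0) {
        fprintf(stderr, "cannot determine peer address\n");
        return 1;
    }
    printf("peer %s (%s)\n", buf, r ? "from environment" : "from socket");
    return 0;
}
```

The return value keeps the two sources distinct, so a caller that makes an authentication decision can tell a kernel-reported peer from one inherited through the parent's environment.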

