[2383] in Kerberos-V5-bugs
telnet/77: alternate patch
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Oct 31 18:34:21 1996
Date: Thu, 31 Oct 1996 18:33:44 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: jhawk@bbnplanet.com
Cc: krb5-bugs@MIT.EDU, krb5-bugs-redist@MIT.EDU
Your original patch included a few bugs because it attributed
some telnet messages to telnetd.
Index: ChangeLog
===================================================================
RCS file: /mit/krbdev/.cvsroot/src/appl/telnet/libtelnet/ChangeLog,v
retrieving revision 5.51
diff -c -r5.51 ChangeLog
*** ChangeLog 1996/10/14 04:58:14 5.51
--- ChangeLog 1996/10/31 23:30:43
***************
*** 1,3 ****
--- 1,9 ----
+ Thu Oct 31 18:29:08 1996 Sam Hartman <hartmans@mit.edu>
+
+ * kerberos5.c : Clarify what errors come from what programs
+ (telnetd|telnet); patch by John Hawkinson <jhawk@bbnplanet.com>
+ [77]
+
Mon Oct 14 00:21:08 1996 Sam Hartman <hartmans@mit.edu>
* Makefile.in (OBJS): Remove rsaencpwd aned krb4encpwd stuff as
Index: kerberos5.c
===================================================================
RCS file: /mit/krbdev/.cvsroot/src/appl/telnet/libtelnet/kerberos5.c,v
retrieving revision 5.41
diff -c -r5.41 kerberos5.c
*** kerberos5.c 1996/05/09 15:59:11 5.41
--- kerberos5.c 1996/10/31 23:30:44
***************
*** 65,70 ****
--- 65,71 ----
#include "com_err.h"
#include <netdb.h>
#include <ctype.h>
+ #include <syslog.h>
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
***************
*** 219,232 ****
if (!UserNameRequested) {
if (auth_debug_mode) {
! printf("Kerberos V5: no user name supplied\r\n");
}
return(0);
}
if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf("Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
--- 220,235 ----
if (!UserNameRequested) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: no user name supplied\r\n");
}
return(0);
}
if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
***************
*** 236,242 ****
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}
--- 239,245 ----
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("telnet: Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}
***************
*** 256,262 ****
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 259,266 ----
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 267,273 ****
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 271,278 ----
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 336,342 ****
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
--- 341,347 ----
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("telnet: Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
***************
*** 344,359 ****
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf("Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
--- 349,365 ----
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("telnet: Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf(
! "telnet: Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("telnet: Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
***************
*** 452,457 ****
--- 458,472 ----
cksum->checksum_type, cksum,
&type_check, 2, key->contents,
key->length);
+ /*
+ * Note that krb5_verify_checksum() will fail if a pre-
+ * MIT Kerberos Beta 5 client is attempting to connect
+ * to this server (Beta 6 or later). There is not way to
+ * fix this without compromising encryption. It would be
+ * reasonable to add a -i option to telnetd to ignore
+ * checksums (like in klogind). Such an option is not
+ * present at this time.
+ */
if (r) {
(void) strcpy(errbuf,
"checksum verification failed: ");
***************
*** 478,484 ****
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
--- 493,500 ----
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
***************
*** 522,547 ****
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;
errout:
! Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("%s\r\n", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;
--- 538,572 ----
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf(
! "telnetd: Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("telnetd: Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("telnetd: Unknown Kerberos option %d\r\n",
! data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;
errout:
! {
! char eerrbuf[128+9];
!
! strcpy(eerrbuf, "telnetd: ");
! strcat(eerrbuf, errbuf);
! Data(ap, KRB_REJECT, eerrbuf, -1);
! }
if (auth_debug_mode)
! printf("telnetd: %s\r\n", errbuf);
! syslog(LOG_ERR, "%s", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;
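Review bot: The `errout:` block sizes `eerrbuf` as `128+9` and fills it with `strcpy`/`strcat`, which is only safe if `errbuf` holds at most 127 characters plus its terminator. The declaration of `errbuf` is outside the hunk, and the context lines show `errbuf` itself being extended with an unbounded `strcat(errbuf, error_message(r))`. This path appears to run in telnetd while rejecting a remote peer, so bound the copy instead of relying on the arithmetic: `snprintf(eerrbuf, sizeof eerrbuf, "telnetd: %s", errbuf);`, or `sprintf(eerrbuf, "telnetd: %.127s", errbuf);` where `snprintf` is not available. Separately, `syslog(LOG_ERR, "%s", errbuf)` records no peer address, which limits its use for spotting repeated failures from one host. The enclosing function starts before the hunk and continues past it.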