[2633] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

pending/344: Re: bug in telnet client?

daemon@ATHENA.MIT.EDU (schemers@stanford.edu)
Wed Jan 15 19:15:34 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, schemers@stanford.edu
Date: Wed, 15 Jan 1997 16:14:00 -0800 (PST)
From: schemers@stanford.edu
To: krb5-bugs@MIT.EDU
Cc: schemers@slapshot.stanford.edu
In-Reply-To: <199701152255.OAA13656@slapshot.stanford.edu>


>Number:         344
>Category:       pending
>Synopsis:       Re: bug in telnet client?
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Jan 15 19:15:01 EST 1997
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Me again. Let me refresh your memory... I have two K5/DCE realms
(stanford.edu, and test.stanford.edu), and Stanford has a flat domain
name space (everything is FOO.Stanford.EDU), thus the host
dcecrash1.stanford.edu might in the test.stanford.edu realm, and 
slapshot.stanford.edu might be in the stanford.edu realm. When I 
want to telnet (and forward my test.stanford.edu credentials) from
slapshot to dcecrash1, and I specify a realm on the command line:

telnet ... -k test.stanford.edu dcecrash1

The telnet works ok (i.e., authentication works), but credential 
forwarding doesn't, because the kerberos5_forward function 
(in appl/telnet/libtelnet) calls krb5_sname_to_principal on
the server's hostname:

    if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
				     KRB5_NT_SRV_HST, &server))) {
	if (auth_debug_mode) 
	    printf("Kerberos V5: could not make server principal - %s\r\n",
		   error_message(r));
	goto cleanup;
    }

Thus, the "server" variable ends up with the realm "stanford.edu" (which it
should, according to the rules in krb5.conf). This causes the 
krb5_fwd_tgt_creds call to fail:


    if ((r = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
				server, ccache,
				forward_flags & OPTS_FORWARDABLE_CREDS,
				&forw_creds))) {
	if (auth_debug_mode) 
	    printf("Kerberos V5: error getting forwarded creds - %s\r\n",
	  	   error_message(r));
	goto cleanup;
    }

My question is, should the realm of the server principal be explicitly
set to telnet_krb5_realm (the value of the "-k" option) if it is 
set? i.e., set the realm of the server principal to telnet_krb5_realm
after the call to krb5_sname_to_principal.

Since authentication correctly uses the value telnet_krb5_realm to connect
to the server I would assume that krb5_fwd_tgt_creds should be using
the same realm.

thanks, roland


home help back first fref pref prev next nref lref last post