[2633] in Kerberos-V5-bugs
pending/344: Re: bug in telnet client?
daemon@ATHENA.MIT.EDU (schemers@stanford.edu)
Wed Jan 15 19:15:34 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, schemers@stanford.edu
Date: Wed, 15 Jan 1997 16:14:00 -0800 (PST)
From: schemers@stanford.edu
To: krb5-bugs@MIT.EDU
Cc: schemers@slapshot.stanford.edu
In-Reply-To: <199701152255.OAA13656@slapshot.stanford.edu>
>Number: 344
>Category: pending
>Synopsis: Re: bug in telnet client?
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 15 19:15:01 EST 1997
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Me again. Let me refresh your memory... I have two K5/DCE realms
(stanford.edu, and test.stanford.edu), and Stanford has a flat domain
name space (everything is FOO.Stanford.EDU), thus the host
dcecrash1.stanford.edu might in the test.stanford.edu realm, and
slapshot.stanford.edu might be in the stanford.edu realm. When I
want to telnet (and forward my test.stanford.edu credentials) from
slapshot to dcecrash1, and I specify a realm on the command line:
telnet ... -k test.stanford.edu dcecrash1
The telnet works ok (i.e., authentication works), but credential
forwarding doesn't, because the kerberos5_forward function
(in appl/telnet/libtelnet) calls krb5_sname_to_principal on
the server's hostname:
if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
KRB5_NT_SRV_HST, &server))) {
if (auth_debug_mode)
printf("Kerberos V5: could not make server principal - %s\r\n",
error_message(r));
goto cleanup;
}
Thus, the "server" variable ends up with the realm "stanford.edu" (which it
should, according to the rules in krb5.conf). This causes the
krb5_fwd_tgt_creds call to fail:
if ((r = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
server, ccache,
forward_flags & OPTS_FORWARDABLE_CREDS,
&forw_creds))) {
if (auth_debug_mode)
printf("Kerberos V5: error getting forwarded creds - %s\r\n",
error_message(r));
goto cleanup;
}
My question is, should the realm of the server principal be explicitly
set to telnet_krb5_realm (the value of the "-k" option) if it is
set? i.e., set the realm of the server principal to telnet_krb5_realm
after the call to krb5_sname_to_principal.
Since authentication correctly uses the value telnet_krb5_realm to connect
to the server I would assume that krb5_fwd_tgt_creds should be using
the same realm.
thanks, roland