[647] in Kerberos-V5-bugs


Seven Suggestions/Bug fixes for Kerberos 5.4.2

daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Aug 16 12:39:52 1994

Date: Tue, 16 Aug 94 11:39:36 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <krb5-bugs@MIT.EDU>
Cc: <auth-pilot@es.net>

Here is a list of ALL of my changes so far for 5.4.2.
I thought it might be easier to send one big note rather than
many small ones. Many of these changes I have reported before
with 5.4.1 but they were not included in 5.4.2.

A context diff file for ALL these changes can be found at:
/afs/anl.gov/appl/kerb-5.4.2/build/other/k542.cdiff.940816
or via FTP at achilles.ctd.anl.gov:pub/kerberos.v5/k542.cdiff.940816

I have 5.4.2 running on SunOS 4.1.3 and can cross realm authenticate
between 5.4.1 realms, and a 5.4.2 realm. I can also forward
credentials between these realms using rlogin.

Suggestions/fixes:

1.) 5.4.2 does not cross authenticate with 5.4.1

   Saturday, I reported a problem with cross realm
   authentication between kerberos 5.4.2 and 5.4.1. I have tracked
   it down to the failure of 5.4.1 to update the msg_type field of
   the KDC_REQ and the tighter checking done in 5.4.2 in
   asn1/asn1_decode_k.c and asn1/krb5_decode.c.

   This tighter checking of the msg_type field may cause
   compatibility problems with other versions as well.

   For at least testing, I would like to suggest changes to
   asn1/asn1_decode_k.c and asn1/krb5_decode.c to allow a msg_type
   of zero to mean set the msg_type to the appropriate msg_type as
   would be expected.

2.) Fix appl/bsd/forward.c and appl/telnet/libtelnet/forward.c
    to allow credentials to be forwarded between realms.

3.) Fix srvname_match in lib/krb5/ccache/file/,fcc_retrv.c
    so it tests only the server name and not the realm name
    to allow credentials to be forwarded between realms.

4.) appl/bsd/Makefile.in has many problems, including make clean
    deletes forward.c, and does not clean up all the objects.
    It also defines login.krb rather than login.krb5.
    (I have only changed some of these. It still needs the KRB4
     compatibility mods.)

5.) Allow a specific kvno and key to be stuffed into the database.
    This can be used to add the afs@realm key for better AFS
    compatibility.

6.) Add debug_decl.c and krb_err_txt.c from Krb4 to the krb425
    libs.

7.) Add the changes to walk_rtree.c which I have renamed to
    CONFIGURABLE_AUTHENTICATION_PATH as suggested by C. Neuman.
    This in effect implements the "database" as referred to in
    RFC1510 Section 1.1 Cross-Realm Operation Paragraph 4.
    The default name of this file would be /krb5/krb.capaths.


Comments for the diff file:

./admin/edit/kdb5_edit.c

   o Allow a v4 key and kvno to be stuffed into the database.
     This is used to add the afs@realm entry.

./appl/bsd/forward.c

   o Fix a problem with forwarding credentials between realms.

   o Put the forwarded credentials in /tmp with a name based on
     the process number, first step in session credentials.

./appl/bsd/Makefile.in

   o Fix a problem with make clean deleting forward.c

   o Add $(SETENVOBJ) to any module which uses forward.o since it
     now does a setenv()

   o Fix DEFINES to use login.krb5 rather than login.krb

./appl/telnet/libtelnet/forward.c

   o Fix a problem with forwarding credentials between realms.

./include/kerberosIV/,krb.h

   o Define ANL.GOV as the V4 realm, etc.

./include/krb5/stock/osconf.h

   o Define DEFAULT_CONFIGURABLE_AUTHENTICATION_PATH as
     @KRB5ROOT/krb.capaths This is the old shortcuts file.

./include/krb5/ext-proto.h

   o Comment out strdup since it is defined everywhere

./krb524/Makefile

   o Local changes to get it to compile from AFS

./lib/krb425/Makefile.in

   o Add entries for debug_decl.c and krb_err_txt.c

./lib/krb425/debug_decl.c

   o Copied from Krb4

./lib/krb425/krb_err_txt.c

   o Copied from Krb4

./lib/krb5/asn.1/asn1_decode_k.c

   o Allow msg_type == 0 to pass. Needed to get k5.4.2 to work
     with k5.4.1

./lib/krb5/asn.1/krb5_decode.c

   o If msg_type == 0 then set the expected msg_types

./lib/krb5/ccache/file/fcc_retrv.c

   o Fix the srvname_match so realm is not compared. Needed to
     get forwarding of credentials across realms to work.

./lib/krb5/ccache/file/fcc_maybe.c

   o On SunOS fcntl fails if the credentials are in /tmp in swap.
     This is a crude fix, which just returns without locking. It
     should probably try the old flock instead.

./lib/krb5/krb/walk_rtree.c

   o Fix tests if realm names are single names, i.e. no "." in
     names.

   o The old "shortcuts" code renamed to
     CONFIGURABLE_AUTHENTICATION_PATH as suggested by Cliff
     Neuman. Many of the variable names have been changed to
     remove references to short.



           Douglas E. Engert
           Systems Programming
           Argonne National Laboratory
           9700 South Cass Avenue
           Argonne, Illinois  60439
           (708) 252-5444

           Internet: DEEngert@anl.gov
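
The msg_type handling proposed in item 1, as an added C example (not code from this message, the diff file, or the Kerberos distribution): it decodes a `[2] INTEGER` msg-type field and either rejects a mismatch or, when `allow_zero` is set, maps 0 to the expected type and reports that it did so. Function names, return codes and sample bytes are constructed for illustration; the values 10 (AS-REQ) and 12 (TGS-REQ) are from RFC 1510.

```c
#include <stdio.h>
#include <stddef.h>

#define KRB_AS_REQ  10  /* msg-type values from RFC 1510 */
#define KRB_TGS_REQ 12

enum { MT_OK = 0, MT_NORMALIZED = 1, MT_BAD_ENCODING = -1, MT_MISMATCH = -2 };

/* Constructed sample fields: [2] EXPLICIT INTEGER, i.e. A2 03 02 01 <value>. */
static const unsigned char FIELD_AS[]   = {0xA2, 0x03, 0x02, 0x01, 0x0A};
static const unsigned char FIELD_ZERO[] = {0xA2, 0x03, 0x02, 0x01, 0x00};
static const unsigned char FIELD_TGS[]  = {0xA2, 0x03, 0x02, 0x01, 0x0C};

/* Decode the "[2] INTEGER" field: short-form lengths, 1-4 value bytes, non-negative. */
static int read_msg_type(const unsigned char *p, size_t len, long *val)
{
    size_t i, n;
    if (len < 5 || len > 8) return -1;
    if (p[0] != 0xA2 || (size_t)p[1] != len - 2) return -1;  /* context tag [2] */
    if (p[2] != 0x02 || (size_t)p[3] != len - 4) return -1;  /* INTEGER */
    if (p[4] & 0x80) return -1;                               /* negative value */
    n = p[3];
    for (*val = 0, i = 0; i < n; i++) *val = (*val << 8) | p[4 + i];
    return 0;
}

/* expected: the type implied by the enclosing message (e.g. KRB_AS_REQ).
 * allow_zero: compatibility switch; only the value 0 is ever rewritten,
 * any other mismatch is still rejected. MT_NORMALIZED lets the caller log it. */
int check_msg_type(const unsigned char *field, size_t len, int expected,
                   int allow_zero, int *msg_type)
{
    long v;
    if (read_msg_type(field, len, &v) != 0) return MT_BAD_ENCODING;
    if (v == expected) { *msg_type = expected; return MT_OK; }
    if (v == 0 && allow_zero) { *msg_type = expected; return MT_NORMALIZED; }
    return MT_MISMATCH;
}

int main(void)
{
    int t = -1;
    printf("strict, type 0:  %d\n", check_msg_type(FIELD_ZERO, 5, KRB_AS_REQ, 0, &t));
    printf("lenient, type 0: %d\n", check_msg_type(FIELD_ZERO, 5, KRB_AS_REQ, 1, &t));
    printf("lenient, TGS:    %d\n", check_msg_type(FIELD_TGS, 5, KRB_AS_REQ, 1, &t));
    return 0;
}
```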
