[664] in Kerberos-V5-bugs
Re: Seven Suggestions/Bug fixes for Kerberos 5.4.2
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Aug 18 18:39:30 1994
Date: Thu, 18 Aug 94 18:39:03 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Doug Engert" <DEEngert@anl.gov>
Cc: <krb5-bugs@MIT.EDU>, <auth-pilot@es.net>
In-Reply-To: Doug Engert's message of Tue, 16 Aug 94 11:39:36 CDT,
<9408161639.AA12590@MIT.EDU>
Date: Tue, 16 Aug 94 11:39:36 CDT
From: "Doug Engert" <DEEngert@anl.gov>
Suggestions/fixes:
1.) 5.4.2 does not cross authenticate with 5.4.1
Fixed, you have the changes I've done already.
2.) Fix appl/bsd/forward.c and appl/telnet/libtelnet/forward.c
to allow credentials to be forwarded between realms.
Fixed, using substantially your changes.
3.) Fix srvname_match in lib/krb5/ccache/file/fcc_retrv.c
so it tests only the server name and not the realm name
to allow credentials to be forwarded between realms.
Fixed, using the following patch:
--- fcc_retrv.c 1993/09/01 03:12:30 5.21
+++ fcc_retrv.c 1994/08/18 20:34:20
@@ -180,10 +180,18 @@
register const krb5_creds *mcreds, *creds;
{
krb5_boolean retval;
+ krb5_principal_data p1, p2;
+
retval = krb5_principal_compare(mcreds->client,creds->client);
if (retval != TRUE)
return retval;
- return krb5_principal_compare(mcreds->server, creds->server);
+ /*
+ * Hack to ignore the server realm for the purposes of the compare.
+ */
+ p1 = *mcreds->server;
+ p2 = *creds->server;
+ p1.realm = p2.realm;
+ return krb5_principal_compare(&p1, &p2);
}
static krb5_boolean
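Review bot: the realm override is unconditional, so after this hunk every retrieval that goes through srvname_match will treat a credential for the same service name in any realm as a match, not only the cross-realm forwarding case item 3 is about; the safer shape is to make the realm-ignoring compare depend on a caller-selected match option and keep the strict `krb5_principal_compare(mcreds->server, creds->server)` as the default. The comment should also say what "Hack" hides: that `p1.realm = p2.realm;` is a shallow struct copy (the caller's credentials are untouched, which is fine), and that the match now deliberately accepts tickets whose server realm differs from the one requested, so callers must be prepared for that.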
4.) appl/bsd/Makefile.in has many problems, including make clean
deletes forward.c, and does not cleanup all the objects.
It also defines login.krb rather than login.krb5.
(I have only changed some of these. It still needs the KRB4
compatibility mods.)
Fixed.
5.) Allow a specific kvno and key to be stuffed into the database.
This can be used to add the afs@realm key for better AFS
compatibility.
Patches not applied, due to lack of cleanliness of the patch. Using your
words: "This is a REAL kludge".
If you'd like to propose patches for a new kdb5_edit command
"add_raw_des_key" which takes three arguments: the principal name, the key
version number, and the hex key, I'll accept those changes.
Otherwise, your feature request is noted, and we'll add in that feature
as we have time. (kdb5_edit is due for some serious overhauling,
though, so we probably won't be adding it for a while unless someone
submits us a clean patch that we're willing to integrate).
6.) Add debug_decl.c and krb_err_txt.c from Krb4 to the krb425
libs.
.... not until you tell me why you need them, and why you're using
krb425. As I said before, the use of the krb425 library is deprecated.
7.) Add the changes to walk_rtree.c which I have renamed to
CONFIGURABLE_AUTHENTICATION_PATH as suggested by C. Neuman.
This in effect implements the "database" as referred to in
RFC1510 Section 1.1 Cross-Realm Operation Paragraph 4.
The default name of this file would be /krb5/krb.capaths.
Cliff will be responding to you. It turns out there may be some very
serious security concerns, not just with your proposal, but with
cross-realm authentication in general, due to the fact that the
transited path in the ticket is currently not being verified. (One of
the reasons why I'm still calling this package Beta!)
So I'm going to hold off on this one for a while.
- Ted