[674] in Kerberos-V5-bugs
choice of realm appended in krb5_425_conv_principal()
daemon@ATHENA.MIT.EDU (Paul Pomes)
Tue Aug 23 15:27:17 1994
To: krb5-bugs@MIT.EDU
Date: Tue, 23 Aug 1994 14:27:03 -0500
From: "Paul Pomes" <P-Pomes@uiuc.edu>
Greetings,
I've come across a problem with V4/V5 compatibility that I hope can be
resolved in a straightforward manner. First a bit of background.
At UIUC we use three part domain names, e.g., mirage.cso.uiuc.edu.
For V5 telnet use I've added the principal host/mirage.cso.uiuc.edu@UIUC.EDU,
gave it a random key, and used xst to create a /krb5/v5srvtab file
(hard linked to /etc/v5srvtab) on mirage.
For V4 I added the principal rcmd/mirage@UIUC.EDU, used cv4k to set the
password, then xst4 to create the /krb4/srvtab file (hard linked to
/etc/srvtab) also on mirage.
The V5 telnet client from another UNIX host works just fine. I can even
use encryption. Btw, it would be very helpful to have an option that
requires encryption and prevents it from being turned off.
V4 telnet clients, such as NCSA telnet for the Macintosh or FTP Software's
V3.0 telnet for DOS, are not able to obtain their rcmd tickets. A trace
through krb5kdc provided the answer.
V4 telnet clients ask for a rcmd.mirage@UIUC.EDU ticket. krb5kdc takes
this request and in krb5_425_conv_principal() (src/lib/krb5/krb/conv_princ.c)
the name is changed from "rcmd" to "host" via a lookup table, and the
instance is changed from "mirage" to "mirage.uiuc.edu" by appending the
down-cased realm. I don't believe this is the correct behavior for a
number of reasons.
1) It's built on the assumption that the requested host's domain is the
same as the realm. For the University of Illinois at least, we have
to have departmental domains to handle the 21,000 hosts under uiuc.edu.
At the same time we need a University-wide authentication realm for
applications such as the registration system and library. Thus the
realm (UIUC.EDU) is not going to match any of the 300+ sub-domains here.
2) It requires three principals be added to the KDC for every host.
In this case
    rcmd/mirage@UIUC.EDU              for extraction to /etc/srvtab
    host/mirage.uiuc.edu@UIUC.EDU     to match the converted request
    host/mirage.cso.uiuc.edu@UIUC.EDU for V5 use
3) The first two principals must also have the same key. Kerberos is
mysterious enough without adding a non-obvious complication.
My solution is to change krb5_425_conv_principal() to not modify the
principal or instance in the case of rcmd. As long as I always remember
to use cv4k or av4k when adding principals, telnetd works for both V4 and V5
clients.
/pbp
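As an added illustration (not code from the report or from MIT krb5), the following Python models the V4-to-V5 conversion the report describes, the reporter's proposed change for rcmd, and the KDC lookup each produces against a constructed principal table for mirage; the lookup-table contents and the key labels are assumptions.

```python
# Added illustration, not code from MIT krb5: models the V4 -> V5 principal
# conversion the report describes for krb5_425_conv_principal() and shows why
# a host in a departmental DNS domain ends up needing three principals.

# Name lookup table; only the entry the report names is included (assumption).
V4_TO_V5_NAME = {"rcmd": "host"}

def conv_425_append_realm(name: str, instance: str, realm: str) -> str:
    """Behaviour described in the report: 'rcmd' becomes 'host' via the table
    and the down-cased realm is appended to the short V4 instance."""
    if name in V4_TO_V5_NAME:
        return f"{V4_TO_V5_NAME[name]}/{instance}.{realm.lower()}@{realm}"
    return f"{name}/{instance}@{realm}"

def conv_425_leave_rcmd(name: str, instance: str, realm: str) -> str:
    """Reporter's proposed change: leave name and instance alone for rcmd."""
    if name == "rcmd":
        return f"{name}/{instance}@{realm}"
    return conv_425_append_realm(name, instance, realm)

# Constructed KDC database for the report's host: principal -> key label.
# The real KDC stores keys; labels stand in for them here.
KDC_DB = {
    "rcmd/mirage@UIUC.EDU": "key-v4",               # extracted to /etc/srvtab
    "host/mirage.cso.uiuc.edu@UIUC.EDU": "key-v5",  # used by V5 telnetd
}

def v4_ticket_request(convert, name, instance, realm, db=KDC_DB):
    """Return (principal the KDC looks up, whether it exists in the database)."""
    princ = convert(name, instance, realm)
    return princ, princ in db

def principals_needed(name, instance, fqdn, realm):
    """Principals required under the realm-appending behaviour: the V4 one for
    srvtab extraction, the converted one (must share the V4 key), the V5 one."""
    return [
        f"{name}/{instance}@{realm}",
        conv_425_append_realm(name, instance, realm),
        f"{V4_TO_V5_NAME.get(name, name)}/{fqdn}@{realm}",
    ]

if __name__ == "__main__":
    for convert in (conv_425_append_realm, conv_425_leave_rcmd):
        print(convert.__name__, v4_ticket_request(convert, "rcmd", "mirage", "UIUC.EDU"))
    print(principals_needed("rcmd", "mirage", "mirage.cso.uiuc.edu", "UIUC.EDU"))
```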