[963] in Kerberos-V5-bugs
v4 rlogin clients won't work with V5 rlogin servers,
daemon@ATHENA.MIT.EDU (Jonathan Stone)
Tue Nov 15 23:33:49 1994
To: krb5-bugs@MIT.EDU
Cc: kjd@DSG.Stanford.EDU (Ken Duda)
Date: Tue, 15 Nov 1994 20:33:27 -0800
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
--------
The research group I'm in has obtained CNS and built it on Ultrix
4.2A/mips and AIX 3.2.5. We've got KRB5-b4-pl3. We've configured
krb5 to use the CNS KerberosIV libraries and include files. We've
populated a kdc and got krb5 rlogin/rlogind working (modulo a bug in
Ultrix tty handling that requires a Ctrl-d to start a session).
We really want to be able to use unmodified KerberosIV clients (e.g.,
from macs) to connect to either rlogind or telnetd. We've been
trying to use the CNS rlogin client as a demonstrator for
doing this.
We've banged hard on getting the CNS rlogin to work with the V5
rlogind, and it just _doesn't_. We've double-checked that the v4
client is getting a plausible ticket for rcmd.<host>, and tried with
and without setting a v4 key for that instance. A packet trace of a v4
client talking to a v5 rlogind shows the v4 client is sending a v4
auth request ("AUTHV1.0" and "KCMDV1.0") over the wire. Further
investigation shows that src/lib/krb5/lib/compat_recv.c is being
compiled *WITHOUT* KRB5_KRB4_COMPAT being defined. (I double-checked
this; adding a call to syslog inside the #ifdef COMPAT_KRB5_KRB4_COMPAT
doesn't produce the syslog string in the recv_compat.o file). So the
code to demarshal that request is being simply #ifdef'ed out.
The sendauth request gets treated as a v5 sendauth request,
and naturally it's not a valid v5 sendauth request.
I don't see a lot of point defining KRB5_KRB4_COMPAT in the Makefile
for the appl/bsd directory if the underlying libraries don't have the
required functionality built in. Surely the v4 client is sending a V4
sendauth request and a KRB5 library needs to have KRB5_KRB4_COMPAT
#define'd at compile time, if it's to be able to demarshal that? Am I
missing something here?
I've tried re-compiling compat_recv.c with KRB5_KRB4_COMPAT manually
defined, and relinking krlogind. I'm not sure which version of
krb_rd_req() should be supplied for compat_recv.c:krb_v4_recvauth().
The KerberosIV library seems to be in the wrong place on the link
phase of the Makefile -- or at least it defines functions that are
referenced by the recv_sendauth compatibility glue. Even if I move
it, there are still undefined references (i.e., des_string_to_key and
des_key_sched.) I've tried supplying those from the CNS v4 libraries;
and the resulting krlogind logs a ``decrypt integrity check failed''.
(This is with the jtkohl port of 4.3BSD syslogd.)
I've also looked at the Configure.in and I don't see how either
KRB5_KRB4_COMPAT is being set, or how Krb4Compat would be getting set
in include/krb/config.h. Is this some oversight? Or, perhaps, does
the library v4-glue code as shipped simply not work, so it's not
compiled? If this is the intent then I guess there's no ``bug'',
just missing functionality.
If there's something really dumb I'm missing in all this, I'd be glad
to hear it.
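
An added illustration, not part of the original message and not MIT's compat_recv.c: a receiver that dispatches on the first four bytes of a sendauth header, showing why a V4 header is rejected as a malformed V5 request when the V4 branch is compiled out. The V5 framing (4-byte network-order length followed by the NUL-terminated string "KRB5_SENDAUTH_V1.0") is an assumption, and classify_sendauth, enum sa_kind and the v4_compat flag (standing in for KRB5_KRB4_COMPAT) are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed V5 sendauth framing: 4-byte big-endian length, then the
 * NUL-terminated version string. */
#define V5_SENDAUTH_VERS "KRB5_SENDAUTH_V1.0"

enum sa_kind { SA_V5, SA_V4, SA_INVALID_V5, SA_SHORT };

/* Hypothetical helper. v4_compat stands in for KRB5_KRB4_COMPAT: 0 models
 * a library in which the V4 branch was #ifdef'ed out at compile time. */
enum sa_kind classify_sendauth(const unsigned char *buf, size_t len,
                               int v4_compat)
{
    size_t v5len = sizeof(V5_SENDAUTH_VERS);   /* 19, includes the NUL */
    uint32_t n;

    if (len < 4)
        return SA_SHORT;
    /* A V4 sendauth starts with ASCII text, not a length word. */
    if (v4_compat && memcmp(buf, "AUTH", 4) == 0)
        return SA_V4;
    n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
        ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n != v5len)
        return SA_INVALID_V5;   /* "AUTH" read as a length lands here */
    if (len < 4 + v5len)
        return SA_SHORT;
    return memcmp(buf + 4, V5_SENDAUTH_VERS, v5len) == 0 ? SA_V5
                                                         : SA_INVALID_V5;
}

/* Constructed sample headers; the V4 strings are the ones quoted in the
 * report above. */
static const unsigned char v4_hdr[] = "AUTHV1.0KCMDV1.0";
static const unsigned char v5_hdr[] = "\0\0\0\x13" "KRB5_SENDAUTH_V1.0";

int main(void)
{
    printf("v4 header, compat off: %d\n",
           classify_sendauth(v4_hdr, sizeof v4_hdr - 1, 0));
    printf("v4 header, compat on:  %d\n",
           classify_sendauth(v4_hdr, sizeof v4_hdr - 1, 1));
    printf("v5 header, compat off: %d\n",
           classify_sendauth(v5_hdr, sizeof v5_hdr, 0));
    return 0;
}
```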