[964] in Kerberos-V5-bugs
Re: v4 rlogin clients won't work with V5 rlogin servers,
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Nov 15 23:58:10 1994
Date: Tue, 15 Nov 1994 23:58:06 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
Cc: krb5-bugs@MIT.EDU, kjd@DSG.Stanford.EDU
In-Reply-To: Jonathan Stone's message of Tue, 15 Nov 1994 20:33:27 -0800,
<199411160433.UAA27915@Pescadero.Stanford.EDU>

> Date: Tue, 15 Nov 1994 20:33:27 -0800
> From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
>
> We've banged hard on getting the CNS rlogin to work with the V5
> rlogind, and it just _doesn't_. We've double-checked that the v4
> client is getting a plausible ticket for rcmd.<host>, and tried with
> and without setting a v4 key for that instance. A packet trace of a v4
> client talking to a v5 rlogind shows the v4 client is sending a v4
> auth request ("AUTHV1.0" and "KCMDV1.0") over the wire. Further
> investigation shows that src/lib/krb5/lib/compat_recv.c is being
> compiled *WITHOUT* KRB5_KRB4_COMPAT being defined. (I double-checked
> this; adding a call to syslog inside the #ifdef COMPAT_KRB5_KRB4_COMPAT
> doesn't produce the syslog string in the recv_compat.o file). So the
> code to demarshal that request is being simply #ifdef'ed out.
> The sendauth request gets treated as a v5 sendauth request,
> and naturally it's not a valid v5 sendauth request.

Yes, that's a bug/oversight in the configure scripts of the last patch
level. I know about it, and it should be fixed in the next version.
Manually defining the #ifdef should do the right thing.

> I've tried re-compiling compat_recv.c with KRB5_KRB4_COMPAT manually
> defined, and relinking krlogind. I'm not sure which version of
> krb_rd_req() should be supplied for compat_recv.c:krb_v4_recvauth().
> The KerberosIV library seems to be in the wrong place on the link
> phase of the Makefile -- or at least it defines functions that are
> referenced by the recv_sendauth compatibility glue. Even if I move
> it, there's still undefined references, (i.e., des_string_to_key and
> des_key_sched.) I've tried supplying those from the CNS v4 libraries;
> and the resulting krlogind logs a ``decrypt integrity check failed''.
> (This is with the jtkohl port of 4.3BSD syslogd.)

The krb_rd_req which should be used is the one that's in the V4 Kerberos
library. You'll also need to use the V4 DES library, or the des425
library, which provides the V4 des library interfaces while using the V5
DES core. Using the V4 des library doesn't hurt --- it just means that
two versions of the DES code will be pulled in.
I thought I got the library order right in the last patchlevel, but
it'll certainly be right for the next patch release.
- Ted
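
The failure discussed in this thread, a v4 request falling through to the v5 parser when the compat branch is compiled out, as an added sketch that is not code from the MIT tree or from either poster. It assumes the compat receiver recognises v4 by a leading "AUTH" and that v5 sendauth opens with a 4-byte big-endian length followed by the NUL-terminated string KRB5_SENDAUTH_V1.0; `classify_sendauth`, `first_word` and both sample buffers are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; not MIT's compat_recv.c. */
enum auth_kind { AUTH_V4, AUTH_V5, AUTH_INVALID };

#define V5_VERS "KRB5_SENDAUTH_V1.0" /* assumed v5 version string */

/* Constructed samples. The v4 strings are the ones quoted in the message. */
static const unsigned char sample_v4[] = "AUTHV1.0KCMDV1.0";
static const unsigned char sample_v5[] = "\0\0\0\x13" V5_VERS;

/* First four bytes read as a big-endian length, as a v5-only receiver would. */
uint32_t first_word(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* v4_compat models whether the KRB5_KRB4_COMPAT branch was compiled in. */
enum auth_kind classify_sendauth(const unsigned char *buf, size_t n, int v4_compat)
{
    uint32_t len;

    if (n < 4)
        return AUTH_INVALID;
    if (v4_compat && memcmp(buf, "AUTH", 4) == 0)
        return AUTH_V4; /* would be handed to the v4 recvauth path */

    len = first_word(buf);
    /* Reject before reading: a v4 "AUTH" prefix decodes to ~1 GB here. */
    if (len != sizeof(V5_VERS) || n - 4 < len)
        return AUTH_INVALID;
    return memcmp(buf + 4, V5_VERS, len) == 0 ? AUTH_V5 : AUTH_INVALID;
}

int main(void)
{
    static const char *name[] = { "v4", "v5", "invalid" };
    size_t n4 = sizeof(sample_v4) - 1; /* drop the literal's trailing NUL */

    printf("v4 request, compat on : %s\n", name[classify_sendauth(sample_v4, n4, 1)]);
    printf("v4 request, compat off: %s (length field 0x%08lx)\n",
           name[classify_sendauth(sample_v4, n4, 0)], (unsigned long)first_word(sample_v4));
    printf("v5 request, compat off: %s\n",
           name[classify_sendauth(sample_v5, sizeof(sample_v5), 0)]);
    return 0;
}
```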