[1098] in Kerberos_V5_Development
Current k5 problems...
daemon@ATHENA.MIT.EDU (Richard Basch)
Fri May 3 11:58:15 1996
Date: Fri, 3 May 1996 11:55:14 -0400
To: krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>
Most of these should probably be dealt with before beta 6...
1. The replay cachename is inconsistently chosen (rc_default vs. rc_host).
2. FTP produces several "severe/major" errors if the ftp/* principal is
not found, even though it is going to fall back. It should be
a little less dramatic in its presentation to the user.
3. The V5 admin server requires the use of a keytab file in order to work
with 3des (and possibly other mechanisms). It does not manage to
handle the stash and decoding the database correctly without it.
[ Document for Beta 6, if we don't fix it. ]
4. The V5 admin server has several limitations with respect to handling
principals with multiple keys.
[ Document for Beta 6, if we don't fix it. ]
5. Service keys with kvno=0 create problems (e.g. host/*). This needs to
be supported to maintain compatibility with V4. The V4 mechanisms
properly handle this case, but V5 complains about the key not being
found in the keytab.
6. v4kadmind should probably preserve the original V5 lifetime if a lifetime
of 255 is specified and the equivalent in the V5 database is longer.
I am noticing that everyone using a v4 kpasswd has their entries
reset to only having a max. lifetime of 21:15.
[ btw, I have been exercising all features of v4kadmind except
get-srvtab... everything else appears to work... ]
7. krb524init takes a long time to fall back, and does not efficiently try
to obtain credentials from the slave KDCs. Additionally, there is
a bug where it is not falling back to the slave KDCs (I have a fix
for that which I will be checking in shortly).
8. If a credential request is made within one second of the TGT request,
the returned credential does not have a valid lifetime. Cygnus
kludged it by doing a sleep() in their code. I fixed it by hacking
the KDC to always return an "authtime", instead of leaving it
empty in the optional ASN.1 encoding. (Someone needs to look
into why the ASN.1 decoding did not fill in a missing authtime
with the correct value).
9. The FTP client does not properly clean up state when a "close" command is
issued; another "open" does not work...
10. The following compiler warnings still exist
(I haven't checked into these warnings yet...):

    lib/krb5/krb/preauth.c:415: warning: assignment discards `const' from pointer target type
    lib/kdb/keytab.c:113: warning: passing arg 2 of `krb5_dbm_db_get_mkey' from incompatible pointer type
    kadmin/v5server/srv_net.c:232: warning: passing arg 2 of `waitpid' from incompatible pointer type
    appl/bsd/kcmd.c:473: warning: assignment discards `const' from pointer target type
    appl/bsd/krlogin.c:954: warning: passing arg 2 of `waitpid' from incompatible pointer type
    appl/gssftp/ftp/ftp.c:1944: warning: passing arg 3 of `gss_import_name' discards `const' from pointer target type
    appl/gssftp/ftpd/ftpd.c:1954: warning: passing arg 3 of `gss_import_name' discards `const' from pointer target type
    appl/popper/pop_send.c:115: warning: assignment makes pointer from integer without a cast
    appl/movemail/movemail.c:786: warning: assignment makes pointer from integer without a cast

11. 3des random number generator... see the mail discussion...
--
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
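
Added example, not part of the original message and not code from the Kerberos tree: a sketch of the lifetime handling suggested in item 6, next to the overwrite behaviour it reports. It assumes V4 lifetimes are a single byte counted in 5-minute units (which is what makes 255 come out as 21:15); all function names and the 7-day V5 value are hypothetical.

```c
#include <stdio.h>

/* Assumption: a V4 lifetime is one byte counting 5-minute units. */
#define V4_LIFE_UNIT_SECS 300L
#define V4_LIFE_MAX       255

/* Convert a V4 lifetime byte to seconds (255 -> 76500 s = 21:15). */
long v4_life_to_secs(unsigned char v4_life)
{
    return (long)v4_life * V4_LIFE_UNIT_SECS;
}

/* Behaviour reported in item 6: the V4 value always replaces the V5
 * max lifetime, so any entry touched through V4 is capped at 21:15. */
long max_life_overwrite(long v5_max_life, unsigned char v4_life)
{
    (void)v5_max_life;
    return v4_life_to_secs(v4_life);
}

/* Behaviour suggested in item 6: treat 255 as "the longest V4 can
 * express" and keep the existing V5 value when it is already longer.
 * Any other V4 value is an explicit request and is applied as given. */
long max_life_preserve(long v5_max_life, unsigned char v4_life)
{
    long requested = v4_life_to_secs(v4_life);

    if (v4_life == V4_LIFE_MAX && v5_max_life > requested)
        return v5_max_life;
    return requested;
}

int main(void)
{
    long v5 = 7L * 24 * 3600;   /* constructed sample: 7-day V5 max life */
    long a = max_life_overwrite(v5, V4_LIFE_MAX);
    long b = max_life_preserve(v5, V4_LIFE_MAX);

    printf("overwrite: %ld:%02ld\n", a / 3600, (a % 3600) / 60);
    printf("preserve:  %ld:%02ld\n", b / 3600, (b % 3600) / 60);
    return 0;
}
```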