[8772] in Info-AFS_Redistribution
Re: Openssh on solaris 2.5.1
daemon@ATHENA.MIT.EDU (Harald Barth)
Thu Dec 13 03:36:03 2001
Date: Thu, 13 Dec 2001 09:26:52 +0100 (CET)
Message-Id: <20011213.092652.51142953.haba@stacken.kth.se>
To: mdw@umich.edu, Peter Scott <Peter.J.Scott@jpl.nasa.gov>
Cc: info-afs@transarc.com
From: Harald Barth <haba@pdc.kth.se>
In-Reply-To: <200112130415.XAA12566@quince.ifs.umich.edu>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
> The error message you saw, "code = 8:", is coming from kaserver in
> the routine "err_packet", in AFS source in the file kauth/krb_udp.c.
> kaserver does support the MIT udp protocol, but the stock transarc
> one gets confused about error codes.
That's why I was asking what version of servers you were running.
There are several kaserver versions shipped by IBM (both 3.5 and
3.6) that are broken in the krb4 protocol corner since someone
unsuccessfully tried to fix a buffer overrun problem some years ago.
As the Win* client is the only client by IBM that uses the krb4 stuff
(all others use ka) and "it compiles - it ships" has been more the
rule than the exception, this bug has been lying around for a long
time. I'd suggest you use one of the other KDC solutions instead.
Harald.
PS: Some context (which might be found in some mailing list archive, too):
From earlier mails on this list:
Transarc:
> >RE: TR-60627: AFS: 3.5-3.51 does not authenticate krb_udp requests
> >correctly
> >Our Development team has created a defect for this problem:
> >
> > madhuri-12541-afs3.5-buffer-overflow-problem, revision 1.1
> >
> >and it will be included in the upcoming 3.5, patch 6 release.
A Customer:
>> We tried the AFS 3.5 patch 6 binaries after I sent out the request
>> for info/help... the new code still has not resolved the problem.
From the bug report KTH->IBM
#> To: afshelp@transarc.com
#> Date: Fri, 29 Sep 2000 08:27:22 +0200 (MET DST)
#>
#> The kaserver 3.5-3.51 shipped with 3.5 patchlevel 5 does not
#> authenticate krb_udp requests from kerberos 4 clients correctly. It is
#> possible to get TGTs but not application tickets. This defect appeared
#> after 3.5-3.32 which still is OK. The trouble is a number of buffer
#> overrun "fixes" which have lobotomized functionality.
#>
#> When attaching a debugger to the kaserver process and setting the
#> krb_udp_debug variable and authenticating with a krb4 client the
#> following output shows the problem:
#>
#> Processing APPL Request
#> UGetTicket: got ticket from 'haba'.''@''
#> Sending error packet to 'haba'.''@'' containing code = 180504: Unknown code ka 24 (180504)
#>
#> It should read: UGetTicket: got ticket from 'haba'.''@'MYREALM.COM'
#>
#> This is due to the if clause in file kauth/krb_udp.c RCSID 2.78 line
#> 641 in function UDP_GetTicket which can never evaluate to true, so
#> lrealm will not be copied to cell when needed. See also lines 489 and
#> 490 of the same file for more questionable C code.
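
Added example, not part of the original message and not the AFS source: the message does not show the condition at line 641, so this is a constructed instance of the bug class it describes, an overrun "fix" whose guard can never be true, next to a bounded copy that keeps the default-realm behaviour. Only `lrealm`, `cell` and the realm `MYREALM.COM` come from the post; the function names, `REALM_SZ` and the guard itself are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define REALM_SZ 64  /* assumed capacity of the realm/cell buffers */
static const char lrealm[] = "MYREALM.COM";  /* local realm, from the post's expected output */

/* Constructed "overrun fix": the guard compares the destination's current
 * string length, not its capacity. For an empty cell strlen(cell) is 0,
 * so the condition is never true and the default realm is never copied. */
static int default_realm_broken(char *cell, size_t cap)
{
    (void)cap;
    if (cell[0] == '\0' && strlen(cell) >= strlen(lrealm))
        strcpy(cell, lrealm);
    return 0;
}

/* Bounded version: copy only into an empty cell, check the source against
 * the buffer capacity, and fail closed instead of truncating. */
static int default_realm_bounded(char *cell, size_t cap)
{
    size_t n = strlen(lrealm);
    if (cell[0] != '\0')
        return 0;              /* caller supplied a realm: keep it */
    if (n + 1 > cap)
        return -1;             /* would overrun: reject */
    memcpy(cell, lrealm, n + 1);
    return 0;
}

/* Demo helper: run one variant on a buffer of capacity cap that initially
 * holds `initial`; returns the resulting cell, or "!" on error. */
static const char *realm_after(int bounded, const char *initial, size_t cap)
{
    static char cell[REALM_SZ];
    int rc;
    if (cap > sizeof cell || strlen(initial) >= cap)
        return "!";
    strcpy(cell, initial);
    rc = bounded ? default_realm_bounded(cell, cap) : default_realm_broken(cell, cap);
    return rc == 0 ? cell : "!";
}

int main(void)
{
    printf("broken : 'haba'.''@'%s'\n", realm_after(0, "", REALM_SZ));
    printf("bounded: 'haba'.''@'%s'\n", realm_after(1, "", REALM_SZ));
    return 0;
}
```

The broken variant reproduces the symptom in the debug output above (an empty realm after the `@`), which is the kind of regression a test for the empty-realm request would catch before a hardening patch ships.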