[8773] in Info-AFS_Redistribution
Re: Openssh on solaris 2.5.1
daemon@ATHENA.MIT.EDU (Peter Scott)
Mon Dec 17 14:54:46 2001
Message-Id: <4.3.2.7.2.20011217114532.00b31bf0@mail2a.jpl.nasa.gov>
Date: Mon, 17 Dec 2001 11:46:42 -0800
To: Harald Barth <haba@pdc.kth.se>, mdw@umich.edu
From: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
Cc: info-afs@transarc.com
In-Reply-To: <20011213.092652.51142953.haba@stacken.kth.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 09:26 AM 12/13/01 +0100, Harald Barth wrote:
> > The error message you saw, "code = 8:", is coming from kaserver in
> > the routine "err_packet", in AFS source in the file kauth/krb_udp.c.
> > kaserver does support the MIT udp protocol, but the stock transarc
> > one gets confused about error codes.
>
>That's why I was asking what version of servers you were running.
>There are serveral kaservers versions shipped by IBM (both 3.5 and
>3.6) that are broken in the krb4 protocol corner since someone
>unsuccessfully tried to fix a buffer overrun problem some years ago.
>As the Win* client is the only client by IBM that uses the krb4 stuff
>(all others use ka) and "it compiles - it ships" has been more the
>rule than the exception, this bug has been laying around for a long
>time. I'd suggest you use one of the other KDC solutions instead.
I have discovered that the way the old client worked was that a humungous
patch from Doug Song at MIT was applied; it includes a AFS_KERBEROS
def. I'm trying to mine it for just the part I need...
>Harald.
>
>PS: Some context (which might be found in some mailing list archive, too):
>
> From earlier mails on this list:
>
>Transarc:
> > >RE: TR-60627: AFS: 3.5-3.51 does not authenticate krb_udp requests
> > >correctly
> > >Our Development team has created a defect for this problem:
> > >
> > > madhuri-12541-afs3.5-buffer-overflow-problem, revision 1.1
> > >
> > >and it will be included in the upcoming 3.5, patch 6 release.
>
>A Customer:
>
> >> We tried the AFS 3.5 patch 6 binaries after I sent out the request
> >> for info/help... the new code still has not resolved the problem.
>
> From the bug report KTH->IBM
>
>#> To: afshelp@transarc.com
>#> Date: Fri, 29 Sep 2000 08:27:22 +0200 (MET DST)
>#>
>#> The kaserver 3.5-3.51 shipped with 3.5 patchlevel 5 does not
>#> authenticte krb_udp requests from kerberos 4 clients correctly. It is
>#> possible to get TGTs but not application tickets. This defect appeared
>#> after 3.5-3.32 which still is OK. The trouble are a number of buffer
>#> overrun "fixes" which have lobotomized functionality.
>#>
>#> When attaching a debugger to the kaserver process and setting the
>#> krb_udp_debug variable and authenticating with a krb4 client the
>#> following output shows the problem:
>#>
>#> Processing APPL Request
>#> UGetTicket: got ticket from 'haba'.''@''
>#> Sending error packet to 'haba'.''@'' containing code = 180504: Unknown
>code ka 24 (180504)
>#>
>#> It should read: UGetTicket: got ticket from 'haba'.''@'MYREALM.COM'
>#>
>#> This is due to the if clause in file kauth/krb_udp.c RCSID 2.78 line
>#> 641 in function UDP_GetTicket which never can evaluate to true, so
>#> lrealm will not be copied to cell when needed. See even line 489 and
>#> 490 of the same file for more questionable c-code.
--
Peter Scott
Peter.J.Scott@jpl.nasa.gov
