[3061] in Kerberos
Kerberos 5.3 Ticket forwarding, K4 with rlogin with K5 rlogind
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Apr 1 13:01:29 1994
Date: Fri, 01 Apr 94 11:41:44 CST
From: "Doug Engert" <DEEngert@anl.gov>
To: <kerberos@MIT.EDU>
In response to Derrick J. Brashear's db74+@andrew.cmu.edu note:
> 1) has anyone got TGT forwarding to work with the Kerberized telnet
> found as telnet.94.02.07? It's supposed to support TGT forwarding, and
> while I got K5 autologin to work, it fails forwarding credentials with
> this error:
> [ Kerberos V5 refuses forwarded credentials because Read forwarded creds
> failed: isode (ps):End of file ]
I have been trying the rlogin version of this, and have put on
the fix to kcrep2crep.c as listed in a note last week. I am
now getting a failure in krlogind with a code of -1898291682
which is ISODE_50_LOCAL_ERR_BADCOMBO, which looks like it is coming
from crep2kcrep.c. Looks like there should be a corresponding
change to crep2kcrep.c. This may be your telnet problem as well.
> 2) Does anyone have K5 krshd/krlogind working with K4 rsh/rlogin/rcp? I
> have rcmd.hostname set up with the K4 string-to-key and in the
> /etc/v5srvtab on the kr{sh,login}d side. I get the following:
> krshd[24621]: krshd: Authentication failed: Decrypt integrity check failed
> krlogind[23535]: Authentication failed from alycia.andrew.cmu.edu:
> Decrypt integrity check failed
> krlogind[23535]: Kerberos authentication failed
> The client succeeds in getting rcmd.alycia tickets, but the server I
> guess does something bogus....
I have the krlogind running which will accept either K4 or K5
client requests. Our v4 realm is using our AFS KDC, whereas the
V5.3 realm is using a test 5.3 KDC on a different system.
I needed to add the following to krlogind:
*** ,krlogind.c Mon Mar 7 14:51:04 1994
--- krlogind.c Fri Apr 1 10:25:47 1994
***************
*** 98,103 ****
--- 98,107 ----
* remote realms.
* Note: Root logins are always logged.
*/
+ /* ANL - get the definitions of Krb4Compat from defines */
+ #ifdef Krb4Compat
+ #define KRB5_KRB4_COMPAT
+ #endif
/*
* This is usually done in the Makefile. Actually, these sources may
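Review bot: the new `#define KRB5_KRB4_COMPAT` under `#ifdef Krb4Compat` has no guard against the macro already being defined, and the comment directly below it says these settings are usually made in the Makefile, so a build that passes -DKRB5_KRB4_COMPAT and also defines Krb4Compat can trigger a macro redefinition diagnostic. Wrap the define in `#ifndef KRB5_KRB4_COMPAT`, or set it in the Makefile alongside the other settings. The comment should also say where Krb4Compat is defined, since "from defines" does not identify a file.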
***************
*** 1062,1069 ****
/* OK we have authenticated this user - now check authorization. */
/* The Kerberos authenticated programs must use krb5_kuserok or kuserok*/
!
! #ifdef SERVE_V4
if (auth_sys == KRB5_RECVAUTH_V4) {
fatal(netf, "This server does not support Kerberos V4");
}
--- 1066,1073 ----
/* OK we have authenticated this user - now check authorization. */
/* The Kerberos authenticated programs must use krb5_kuserok or kuserok*/
! /* ANL - looks like this should be ifndef rather then ifdef */
! #ifndef SERVE_V4
if (auth_sys == KRB5_RECVAUTH_V4) {
fatal(netf, "This server does not support Kerberos V4");
}
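Review bot: flipping `#ifdef SERVE_V4` to `#ifndef SERVE_V4` also inverts everything between this line and its matching `#else`/`#endif`, which the hunk does not show. Please extend the context to the end of the conditional so it can be confirmed that the V4 authorization check (the `kuserok` call the comment above requires) is compiled exactly when SERVE_V4 is defined, and that a build without SERVE_V4 still reaches the `fatal(netf, "This server does not support Kerberos V4")` rejection. The new comment ("looks like this should be ifndef") should state the intended behaviour rather than record the uncertainty.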
***************
*** 1514,1519 ****
--- 1518,1524 ----
if (inbuf.length) { /* Forwarding being done, read creds */
if (status = rd_and_store_for_creds(&inbuf, ticket, lusername))
+ syslog(LOG_INFO,"RD_ANL_ST %d",status);
fatal(netf, "Can't get forwarded credentials");
}
return 0;
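Review bot: the `syslog` line added between the unbraced `if (status = rd_and_store_for_creds(...))` and `fatal(...)` becomes the only statement that `if` controls, so `fatal(netf, "Can't get forwarded credentials")` is now called whenever `inbuf.length` is nonzero, including when the forwarded credentials were read successfully. Put braces around the `syslog` and `fatal` calls so both run only on a nonzero status. While there, write the test as `(status = ...) != 0` to make the assignment explicit, and use a log message that names `rd_and_store_for_creds` instead of `RD_ANL_ST` so the entry is understandable outside this debugging session.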
-----------------------------------------------------------------
Note the main changes are to change the #ifdef to a #ifndef,
define KRB5_KRB4_COMPAT, and do a syslog to find the problem with (1).
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov