[669] in SIPB_Linux_Development
Re: login.krb
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 25 14:18:24 1994
To: Gilbert Leung <gleung@MIT.EDU>
Cc: ghudson@MIT.EDU, linux-dev@MIT.EDU
In-Reply-To: Your message of "Wed, 24 Aug 1994 20:44:34 EDT."
<m0qdSvn-000DoHC@rubato>
Date: Thu, 25 Aug 1994 14:17:55 EDT
From: Greg Hudson <ghudson@MIT.EDU>

> Could you also and fix the 8-char passwd limitation in login.krb? I
> haven't heard of any fix yet since I posted the problem to
> linux-help.

A look at the source code doesn't indicate any 8-character password
limitation. The code reads the password into a 128-byte buffer. It
does copy the password string into an 8-byte buffer before calling
crypt() to check against the /etc/passwd password, but that is correct
behavior. For checking the Kerberos password, though, the code uses
the 128-byte password buffer.

However, I've noticed that the login.krb we appear to use has the
following code segment:

    /* Policy: If local password is good, user is good.
       We really can't trust the Kerberos password,
       because somebody on the net could spoof the
       Kerberos server (not easy, but possible).
       Some sites might want to use it anyways, in
       which case they should change this line
       to:
          if (kpass_ok)
     */
    if (lpass_ok)
        break;

This explains why I can't log in using login.krb with an /etc/passwd
entry of "*".

A simple solution is to change the test, but this probably isn't
completely what we want for the Linux-Athena port. Currently, we
have in the linux-athena locker:

    kerberos/appl/bsd/{login.c,logutil.c} -> login.krb
    login/{athena.c,login.c,linux/...} -> ???
    login.krb/{login.c,logutil.c} -> login.krb

I have no idea how this is all supposed to work. I think the answer
is to copy the Release 7.7 login sources to project.sipb-athena and
get them to work with both Linux and NetBSD. I'm attempting to start
doing this now.
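
The behaviour described in the message above, as an added example that is not part of the original message or of login.krb: a small C model of the local check (typed password cut to 8 significant characters, compared against the /etc/passwd field) and of the lpass_ok / kpass_ok policy choice. All names except lpass_ok and kpass_ok are hypothetical, and toy_hash() is a constructed stand-in for crypt() so the block runs without the crypt library.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical policy switch: which check decides the login. */
enum policy { POLICY_LOCAL, POLICY_KERBEROS };

/* Constructed stand-in for crypt(): "hashes" a key by prefixing "H:".
   A real login compares crypt(key, salt) with the passwd field instead. */
static void toy_hash(const char *key, char *out, size_t outlen)
{
    out[0] = '\0';
    strncat(out, "H:", outlen - 1);
    strncat(out, key, outlen - 1 - strlen(out));
}

/* Local check: only the first 8 characters of the typed password are
   significant, so they are copied into a 9-byte buffer (8 + NUL). */
int local_pass_ok(const char *typed, const char *pw_field)
{
    char key[9];
    char hashed[16];

    strncpy(key, typed, 8);
    key[8] = '\0';            /* strncpy does not terminate a full copy */
    toy_hash(key, hashed, sizeof hashed);
    /* A field of "*" is not the output of any hash, so this never matches. */
    return strcmp(hashed, pw_field) == 0;
}

/* The decision the quoted code segment makes, with the test made selectable.
   kpass_ok is passed in: the Kerberos check itself is outside this model. */
int can_log_in(enum policy p, const char *typed, const char *pw_field,
               int kpass_ok)
{
    int lpass_ok = local_pass_ok(typed, pw_field);

    return p == POLICY_LOCAL ? lpass_ok : kpass_ok;
}
```

With POLICY_LOCAL and a passwd field of "*", can_log_in() returns 0 even when kpass_ok is 1, which is the situation the message reports.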