From owner-freebsd-stable Thu Mar 23 8:26:53 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from dragonfire.penguinpowered.com (dragonfire.reno.nv.us [207.228.2.94])
	by hub.freebsd.org (Postfix) with SMTP id D5D9F37B66B
	for ; Thu, 23 Mar 2000 08:26:40 -0800 (PST)
	(envelope-from gibbons@dragonfire.penguinpowered.com)
Received: (qmail 91974 invoked by uid 0); 23 Mar 2000 16:26:38 -0000
Received: from localhost (127.0.0.1)
	by localhost with SMTP; 23 Mar 2000 16:26:38 -0000
To: freebsd-stable@freebsd.org
Subject: No KERBEROS4 support in rshd & rlogind (4.0S)
X-Mailer: Mew version 1.94.1 on XEmacs 21.1 (Canyonlands)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000323082638X.gibbons@dragonfire.penguinpowered.com>
Date: Thu, 23 Mar 2000 08:26:38 -0800
From: Christopher J.Gibbons
X-Dispatcher: imput version 20000228(IM140)
Lines: 91
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I think I found a problem with the Kerberos4 builds of rshd and
rlogind in 4.0-Stable (cvsup'd early this morning too).

When I enable MAKE_KERBEROS4=yes in /etc/make.conf, it builds the
kerberos4 binaries: ksrvutil, kerberos, kadmind, etc. However, the
rshd and rlogind binaries are still the non-kerberized versions.
NOTE, that rsh and rlogin themselves have kerberos support, it is
simply their daemon counterparts that are lacking kerberos.

Here is the output of doing a rsh and rlogin into my master server
from itself with valid tickets.

    [gibbons@hercules gibbons]$ rsh hercules date
    rsh: kcmd: connection unexpectedly closed.
    rsh: warning, using standard rsh: can't provide Kerberos auth data

The corresponding /var/log/messages entry:

    Mar 23 08:12:52 hercules rshd[91934]: usage: rshd [-alnDL]
    Mar 23 08:12:52 hercules rshd[91935]: auth_pam: Permission denied
    Mar 23 08:12:52 hercules rshd[91935]: PAM authentication failed

Notice the usage output--it is not accepting the kerberos flag (-k)
from inetd.conf. Hence, I believe the PAM errors are simply a
condition of the rshd command spitting out a usage message.

ldd's of the binaries show they do not have the kerberos or crypto
libraries compiled in either:

    /usr/libexec/rshd:
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28066000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x2806f000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28079000)
    /usr/libexec/rlogind:
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28066000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28070000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28079000)

However, kerberized telnet works just fine:

    [gibbons@hercules gibbons]$ telnet -a hercules
    Trying 192.168.0.1...
    Connected to hercules.dragonfire.penguinpowered.com.
    Escape character is '^]'.
    [ Trying KERBEROS4 ... ]
    [ Kerberos V4 accepts you ]
    [ Kerberos V4 challenge successful ]
    Last login: Thu Mar 23 08:18:35 from hercules
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved.
    FreeBSD 4.0-STABLE (HERCULES) #0: Wed Mar 22 15:38:10 PST 2000
    Welcome to FreeBSD!

Secondly, "passwd" generates the following errors when a user tries
to change their kerberos password, yet it may be related to rsh and
rlogin not working properly:

    [gibbons@hercules gibbons]$ passwd
    realm DRAGONFIRE.PENGUINPOWERED.COM
    Old password for gibbons:
    New Password for gibbons:
    Verifying password - New Password for gibbons:
    Verify failure
    Error reading new password, password unchanged.

    [gibbons@hercules gibbons]$ passwd
    realm DRAGONFIRE.PENGUINPOWERED.COM
    Old password for gibbons:
    New Password for gibbons:
    Verifying password - New Password for gibbons:
    passwd in free(): warning: junk pointer, too high to make sense.
    kpasswd: Couldn't access ticket file attempting to change password.
    Password NOT changed.

Kerberos logs the attempt to change a password, but there is nothing
else in the log files to indicate anything failed for the passwd
change.

I wish I could have provided a fix or patch diffs, rather than simply
pointing out what looks like a bug.

Thanks!!!

/-----------------------------------------------------------------------
| Christopher J. Gibbons    UNIX Systems Admin.    gibbons@cs.unr.edu
|-----------------------------------------------------------------------
| "Discovered that neither the Mossad nor Cuba were willing to pay a
| living wage for computer espionage. Fell into System Administration."
\-----------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
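
The mismatch reported in this message (inetd starting a daemon with -k while the installed binary has no Kerberos library linked) can be checked mechanically. The script below is an added example, not part of the original post or of FreeBSD. It assumes the Kerberos IV library shows up in ldd output as libkrb.so.*; the inetd.conf lines, the kshell entry and its /opt/example path are constructed sample data.

```sh
#!/bin/sh
# Added example: find inetd services started with -k whose binary is not
# linked against a Kerberos library (the mismatch reported above).
# Assumption: the Kerberos IV library appears in ldd output as libkrb.so.*

# Constructed inetd.conf sample; the kshell entry and its path are hypothetical.
SAMPLE_INETD='#shell stream tcp nowait root /usr/libexec/rshd rshd -k
shell  stream tcp nowait root /usr/libexec/rshd    rshd -k
login  stream tcp nowait root /usr/libexec/rlogind rlogind -k
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
kshell stream tcp nowait root /opt/example/krshd   krshd -k'

# Stand-in for ldd so the example runs offline. The default branch mirrors
# the rshd output quoted in the message; the libkrb line is constructed.
sample_ldd() {
    case "$1" in
        /opt/example/krshd)
            printf '\tlibkrb.so.3 => /usr/lib/libkrb.so.3 (0x28066000)\n' ;;
        *)
            printf '\tlibpam.so.1 => /usr/lib/libpam.so.1 (0x28066000)\n'
            printf '\tlibutil.so.3 => /usr/lib/libutil.so.3 (0x2806f000)\n'
            printf '\tlibc.so.4 => /usr/lib/libc.so.4 (0x28079000)\n' ;;
    esac
}

# Print the server path (field 6) of every active entry whose arguments
# (field 8 onward; field 7 is argv[0]) contain a flag group including "k".
kerberized_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { for (i = 8; i <= NF; i++)
              if ($i ~ /^-[A-Za-z]*k[A-Za-z]*$/) { print $6; break } }'
}

# Report each -k service; return 1 if any binary lacks the Kerberos library.
audit_kerberized_daemons() {
    rc=0
    for bin in $(kerberized_services "$1"); do
        if ${LDD_CMD:-ldd} "$bin" 2>/dev/null | grep -q 'libkrb\.so'; then
            echo "OK       $bin"
        else
            echo "MISMATCH $bin: started with -k but libkrb is not linked"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed data; for a live check unset LDD_CMD and pass
# "$(cat /etc/inetd.conf)" instead.
LDD_CMD=sample_ldd
audit_kerberized_daemons "$SAMPLE_INETD" || true
```

A MISMATCH line matters because, as the rsh output in the message shows, the client then falls back to standard rsh without Kerberos authentication.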