From owner-freebsd-security@FreeBSD.ORG Wed Sep 8 05:07:48 2010
Message-ID: <4C87143A.5080909@speakeasy.net>
Date: Tue, 07 Sep 2010 21:42:34 -0700
From: "Jason C. Wells"
To: freebsd-security@freebsd.org
Subject: KDC Dumps Core and Other Problems

I did a lot of poking at heimdal tonight trying to discover why I get the error "ASN.1 encoding ended unexpectedly" after upgrading to 8.1-R. Never did find that out. So much pain in such a short period of time...

I've discovered a way to get the KDC to dump core. I've also discovered that ktutil will list keys for a keytab that has been deleted unless given the -k option. I had errors about not supporting keytypes when I'm pretty darn sure a keytype is supported.
I'm willing to accept that this might be PEBKAC, but I'm fairly sure I've found bugs. At minimum, a user should not be able to get a daemon to core dump.

Is Heimdal in 8.1-R at version 1.0? (it is according to some symbols I grepped while trying to understand these errors.) The heimdal world is at 1.3 now. I saw a recently archived discussion where some people were challenging each other to be "counted on" to work on heimdal. Are PRs useful at this point? Maybe newer better heimdal is right around the corner which would negate the usefulness of reporting this evening's problems.

I also noted in that discussion some talk of dropping heimdal. I request that we keep heimdal as a part of FreeBSD. I hated secure auth in freebsd before heimdal was included. I hate the way that debian has dueling auth libraries. I like that heimdal and pam and the passwd auth all co-exist peacefully on freebsd. As we are so fond of saying: FreeBSD is an operating system, not a kernel plus packages. A first class auth system that includes kerberos is a good thing.

I have etypes leaking out my ears.

Regards,
Jason C. Wells