From: "Jacques A. Vidrine"
To: Tim Kientzle
cc: freebsd-stable@freebsd.org
Date: Thu, 24 Apr 2003 07:07:25 -0500
Subject: Re: Kerberized Telnet Badly Broken (Patch enclosed)
Message-ID: <20030424120725.GA76274@madman.celabo.org>
In-Reply-To: <3EA78791.6030009@acm.org>

On Wed, Apr 23, 2003 at 11:43:29PM -0700, Tim Kientzle wrote:
> Ugh.
>
> With MAKE_KERBEROS5=yes, on a recent STABLE,
> I get the following trying to use Kerberized telnet:

This was fixed in -CURRENT in early March.
  1.7 src/crypto/telnet/libtelnet/kerberos5.c
  1.17 src/kerberos5/lib/libtelnet/Makefile
  1.16 src/kerberos5/libexec/telnetd/Makefile
  1.17 src/kerberos5/usr.bin/telnet/Makefile

If you would be so kind as to try the attached patch, I will MFC.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

Content-Disposition: attachment; filename="ktelnet.patch"

Index: crypto/telnet/libtelnet/kerberos5.c =================================================================== RCS file: /home/ncvs/src/crypto/telnet/libtelnet/kerberos5.c,v retrieving revision 1.6 retrieving revision 1.7 diff -c -c -r1.6 -r1.7 *** crypto/telnet/libtelnet/kerberos5.c 19 Feb 2002 15:53:30 -0000 1.6 --- crypto/telnet/libtelnet/kerberos5.c 6 Mar 2003 13:41:53 -0000 1.7 *************** *** 192,197 **** --- 192,198 ---- ap_opts = AP_OPTS_MUTUAL_REQUIRED; else ap_opts = 0; + ap_opts |= AP_OPTS_USE_SUBKEY; ret = krb5_auth_con_init (context, &auth_context); if (ret) { *************** *** 406,411 **** --- 407,435 ---- printf("Kerberos V5: " "krb5_auth_con_getremotesubkey failed (%s)\r\n", krb5_get_err_text(context, ret)); + return; + } + + if (key_block == NULL) { + ret = krb5_auth_con_getkey(context, + auth_context, + &key_block); + } + if (ret) { + Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); + auth_finished(ap, AUTH_REJECT); + if (auth_debug_mode) + printf("Kerberos V5: " + "krb5_auth_con_getkey failed (%s)\r\n", + krb5_get_err_text(context, ret)); + return; + } + if (key_block == NULL) { + Data(ap, KRB_REJECT, "no subkey received", -1); + auth_finished(ap, AUTH_REJECT); + if (auth_debug_mode) + printf("Kerberos V5: " + "krb5_auth_con_getremotesubkey returned NULL key\r\n"); return; } Index: kerberos5/lib/libtelnet/Makefile =================================================================== RCS file: 
/home/ncvs/src/kerberos5/lib/libtelnet/Makefile,v retrieving revision 1.16 retrieving revision 1.17 diff -c -c -r1.16 -r1.17 *** kerberos5/lib/libtelnet/Makefile 13 May 2002 11:09:04 -0000 1.16 --- kerberos5/lib/libtelnet/Makefile 6 Mar 2003 13:41:52 -0000 1.17 *************** *** 16,21 **** --- 16,22 ---- CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DSRA -I${TELNETDIR} CFLAGS+= -DKRB5 -I${KRB5DIR}/lib/krb5 -I${KRB5OBJDIR} -I${ASN1OBJDIR} + CFLAGS+= -DFORWARD -Dnet_write=telnet_net_write INCS= ${TELNETDIR}/arpa/telnet.h INCSDIR= ${INCLUDEDIR}/arpa Index: kerberos5/usr.bin/telnet/Makefile =================================================================== RCS file: /home/ncvs/src/kerberos5/usr.bin/telnet/Makefile,v retrieving revision 1.16 retrieving revision 1.17 diff -c -c -r1.16 -r1.17 *** kerberos5/usr.bin/telnet/Makefile 17 Dec 2001 01:33:20 -0000 1.16 --- kerberos5/usr.bin/telnet/Makefile 6 Mar 2003 13:41:52 -0000 1.17 *************** *** 9,15 **** -DENCRYPTION -DAUTHENTICATION -DIPSEC -DINET6 \ -I${TELNETDIR} -I${TELNETDIR}/libtelnet/ ! CFLAGS+= -DKRB5 WARNS?= 2 --- 9,15 ---- -DENCRYPTION -DAUTHENTICATION -DIPSEC -DINET6 \ -I${TELNETDIR} -I${TELNETDIR}/libtelnet/ ! CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write WARNS?= 2 Index: kerberos5/libexec/telnetd/Makefile =================================================================== RCS file: /home/ncvs/src/kerberos5/libexec/telnetd/Makefile,v retrieving revision 1.15 retrieving revision 1.16 diff -c -c -r1.15 -r1.16 *** kerberos5/libexec/telnetd/Makefile 17 Dec 2001 01:33:20 -0000 1.15 --- kerberos5/libexec/telnetd/Makefile 6 Mar 2003 13:41:52 -0000 1.16 *************** *** 12,18 **** CFLAGS+= -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON \ -DENV_HACK -DAUTHENTICATION -DENCRYPTION \ -I${TELNETDIR} -DINET6 ! CFLAGS+= -DKRB5 WARNS?= 2 --- 12,18 ---- CFLAGS+= -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON \ -DENV_HACK -DAUTHENTICATION -DENCRYPTION \ -I${TELNETDIR} -DINET6 ! 
CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write WARNS?= 2
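
Review bot: the unconditional `ap_opts |= AP_OPTS_USE_SUBKEY;` in the first kerberos5.c hunk (192,198) carries no comment saying why a subkey is now requested whichever branch set ap_opts. A one-line comment tying it to the NULL-key handling added in the 407,435 hunk of the same file would keep a later cleanup from dropping it.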
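
Review bot: in the second kerberos5.c hunk (407,435), the final `if (key_block == NULL)` branch reports "krb5_auth_con_getremotesubkey returned NULL key" and rejects with "no subkey received", but by that point the krb5_auth_con_getkey fallback has also run and returned no key, so the debug output names the wrong call. Suggest wording both strings to say that neither a subkey nor a session key was available. Separately, the `if (ret)` test that follows the fallback sits outside the `if (key_block == NULL)` block, so when the fallback is skipped it depends on ret still being zero from the preceding call; moving the test inside the block makes the error path belong to krb5_auth_con_getkey alone.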
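
Review bot: the three Makefile hunks (lib/libtelnet, usr.bin/telnet, libexec/telnetd) each add `-DFORWARD -Dnet_write=telnet_net_write` with no comment, and the symbol rename is done by a command-line macro that has to stay identical in all three places. If one Makefile loses the define, the library and the programs will disagree on the name of net_write. Suggest a short comment next to each define stating what the rename is for, or setting the pair once in a shared include. The libtelnet hunk also adds a separate CFLAGS+= line while the other two append to the existing -DKRB5 line; one style across the three would read better.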