From: Tim Kientzle
Date: Thu, 24 Apr 2003 11:28:15 -0700
To: "Jacques A. Vidrine"
cc: freebsd-stable@FreeBSD.org
Subject: Re: Kerberized Telnet Badly Broken (Patch enclosed)

That seems to fix it. Thanks!

Tim

Jacques A. Vidrine wrote:
> On Wed, Apr 23, 2003 at 11:43:29PM -0700, Tim Kientzle wrote:
>
>>Ugh.
>>
>>With MAKE_KERBEROS5=yes, on a recent STABLE,
>>I get the following trying to use Kerberized telnet:
>>
>
> This was fixed in -CURRENT in early March.
> > 1.7 src/crypto/telnet/libtelnet/kerberos5.c > 1.17 src/kerberos5/lib/libtelnet/Makefile > 1.16 src/kerberos5/libexec/telnetd/Makefile > 1.17 src/kerberos5/usr.bin/telnet/Makefile > > If you would be so kind as to try the attached patch, I will > MFC. > > Cheers, > > > ------------------------------------------------------------------------ > > Index: crypto/telnet/libtelnet/kerberos5.c > =================================================================== > RCS file: /home/ncvs/src/crypto/telnet/libtelnet/kerberos5.c,v > retrieving revision 1.6 > retrieving revision 1.7 > diff -c -c -r1.6 -r1.7 > *** crypto/telnet/libtelnet/kerberos5.c 19 Feb 2002 15:53:30 -0000 1.6 > --- crypto/telnet/libtelnet/kerberos5.c 6 Mar 2003 13:41:53 -0000 1.7 > *************** > *** 192,197 **** > --- 192,198 ---- > ap_opts = AP_OPTS_MUTUAL_REQUIRED; > else > ap_opts = 0; > + ap_opts |= AP_OPTS_USE_SUBKEY; > > ret = krb5_auth_con_init (context, &auth_context); > if (ret) { > *************** > *** 406,411 **** > --- 407,435 ---- > printf("Kerberos V5: " > "krb5_auth_con_getremotesubkey failed (%s)\r\n", > krb5_get_err_text(context, ret)); > + return; > + } > + > + if (key_block == NULL) { > + ret = krb5_auth_con_getkey(context, > + auth_context, > + &key_block); > + } > + if (ret) { > + Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); > + auth_finished(ap, AUTH_REJECT); > + if (auth_debug_mode) > + printf("Kerberos V5: " > + "krb5_auth_con_getkey failed (%s)\r\n", > + krb5_get_err_text(context, ret)); > + return; > + } > + if (key_block == NULL) { > + Data(ap, KRB_REJECT, "no subkey received", -1); > + auth_finished(ap, AUTH_REJECT); > + if (auth_debug_mode) > + printf("Kerberos V5: " > + "krb5_auth_con_getremotesubkey returned NULL key\r\n"); > return; > } > > Index: kerberos5/lib/libtelnet/Makefile > =================================================================== > RCS file: /home/ncvs/src/kerberos5/lib/libtelnet/Makefile,v > retrieving revision 1.16 > retrieving revision 
1.17 > diff -c -c -r1.16 -r1.17 > *** kerberos5/lib/libtelnet/Makefile 13 May 2002 11:09:04 -0000 1.16 > --- kerberos5/lib/libtelnet/Makefile 6 Mar 2003 13:41:52 -0000 1.17 > *************** > *** 16,21 **** > --- 16,22 ---- > > CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DSRA -I${TELNETDIR} > CFLAGS+= -DKRB5 -I${KRB5DIR}/lib/krb5 -I${KRB5OBJDIR} -I${ASN1OBJDIR} > + CFLAGS+= -DFORWARD -Dnet_write=telnet_net_write > > INCS= ${TELNETDIR}/arpa/telnet.h > INCSDIR= ${INCLUDEDIR}/arpa > Index: kerberos5/usr.bin/telnet/Makefile > =================================================================== > RCS file: /home/ncvs/src/kerberos5/usr.bin/telnet/Makefile,v > retrieving revision 1.16 > retrieving revision 1.17 > diff -c -c -r1.16 -r1.17 > *** kerberos5/usr.bin/telnet/Makefile 17 Dec 2001 01:33:20 -0000 1.16 > --- kerberos5/usr.bin/telnet/Makefile 6 Mar 2003 13:41:52 -0000 1.17 > *************** > *** 9,15 **** > -DENCRYPTION -DAUTHENTICATION -DIPSEC -DINET6 \ > -I${TELNETDIR} -I${TELNETDIR}/libtelnet/ > > ! CFLAGS+= -DKRB5 > > WARNS?= 2 > > --- 9,15 ---- > -DENCRYPTION -DAUTHENTICATION -DIPSEC -DINET6 \ > -I${TELNETDIR} -I${TELNETDIR}/libtelnet/ > > ! CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write > > WARNS?= 2 > > Index: kerberos5/libexec/telnetd/Makefile > =================================================================== > RCS file: /home/ncvs/src/kerberos5/libexec/telnetd/Makefile,v > retrieving revision 1.15 > retrieving revision 1.16 > diff -c -c -r1.15 -r1.16 > *** kerberos5/libexec/telnetd/Makefile 17 Dec 2001 01:33:20 -0000 1.15 > --- kerberos5/libexec/telnetd/Makefile 6 Mar 2003 13:41:52 -0000 1.16 > *************** > *** 12,18 **** > CFLAGS+= -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON \ > -DENV_HACK -DAUTHENTICATION -DENCRYPTION \ > -I${TELNETDIR} -DINET6 > ! CFLAGS+= -DKRB5 > > WARNS?= 2 > > --- 12,18 ---- > CFLAGS+= -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON \ > -DENV_HACK -DAUTHENTICATION -DENCRYPTION \ > -I${TELNETDIR} -DINET6 > ! 
CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write > > WARNS?= 2 > >
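
Review bot: The first kerberos5.c hunk (line 195 of the new file) sets `ap_opts |= AP_OPTS_USE_SUBKEY;` unconditionally with no comment saying why. The later hunk in the same file rejects authentication when no key block is available, so a one-line comment here tying the flag to that requirement would make the dependency visible to the next person who touches the `ap_opts` setup.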
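
Review bot: In the second kerberos5.c hunk (new lines 410-432), the `if (ret)` test that reports "krb5_auth_con_getkey failed" sits outside the `if (key_block == NULL)` block that assigns `ret`, so it also runs when `krb5_auth_con_getkey` was never called. That is harmless only because the preceding failure branch now returns; moving the test inside the block would make the control flow match the message. The final debug `printf` also still names `krb5_auth_con_getremotesubkey returned NULL key`, although by that point `krb5_auth_con_getkey` has been tried as well, and the `KRB_REJECT` text says "no subkey received"; the debug text should say that neither call produced a key.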
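
Review bot: The Makefile hunks add the same `-DFORWARD -Dnet_write=telnet_net_write` pair in three places (libtelnet, telnet, telnetd) with no comment explaining the `net_write` rename. A macro that renames a function on the command line is easy to miss when debugging link or symbol problems, so a short comment next to each `CFLAGS+=` line, or a single shared definition that the three Makefiles include, would keep the three copies from drifting apart.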