From: joda@pdc.kth.se (Johan Danielsson)
To: Ludwig Pummer
Cc: security@FreeBSD.ORG
Subject: Re: kerberos su problems betw 2 machines
Date: 25 Jun 1998 23:23:38 -0400
In-Reply-To: Ludwig Pummer's message of "Thu, 25 Jun 1998 12:25:41 -0700"
References: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>

Ludwig Pummer writes:

> On inet, logging in as ludwigp gives me my ticket. I can kinit to
> ludwigp.root and get my ticket, but trying to do su gives me "su:
> kerberos: unable to verify rcmd ticket: Incorrect network address
> (krb_rd_req)".

This is most likely (but not necessarily) due to some hostname/address
mismatch. If your machine's IP address doesn't match the A record in
DNS, you get these problems. Likewise if you have more than one
interface and your hostname doesn't point to the one that you use to
talk to your KDC. Check what IP address the KDC thinks you are using by
looking at the log. If you run multi-homed, you might also want to
check the krb.equiv(5) man-page (this is not turned off in the FreeBSD
dist, right?)

If you successfully used a kerberized login, this is probably not your
problem (depending on how paranoid your login is). Were you actually
using a kerberized login, or did you login via normal password + kinit?

> Another thing which bothered me: I downloaded the kerberized telnet
> from ftp://ftp.pdc.kth.se/pub/krb/binaries/i386-unknown-winnt4.0/
> and it telnets into fortress with encryption, giving me my proper
> tickets (the telnet program has its own ticket lister). Trying to do
> the same with inet doesn't work; I get a normal telnet connection,
> without encryption or tickets.

Something in your setup is screwed. The voodoo telnet doesn't,
unfortunately, have any fancy debugging options. What you can do is to
turn on some debugging on the server side (with `telnetd -D options').
Do you get a ticket for `inet'?

> Both systems have the r* services disabled in inetd, but the
> Kerberos authenticated services (r* -k) are enabled. The server is
> also running the additional registerd and kpasswdd services.

Telnet uses telnet :-), so the r* aren't used.

> Any reason why 2.2.5-R's kerberos behaves differently and can't
> communicate the same as 2.2.6-R's kerberos?

I don't know much about the FreeBSD packaging, so someone else has to
answer this.

> Another question: If I want kerberos to be the only place the
> passwords are stored (since my master.passwd isn't being changed
> when passwd is used to change the kerberos password), how would I go
> about doing that?

Just remove all password information from the passwd file (replacing
with `*'). You will have to replace all programs that might use the
password information (like login, ftpd, popper, xnlock, su...). Root is
the only user that needs to have a normal unix password.

/Johan
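The hostname/A-record check Johan suggests, as an added example that is not part of the original mail or of the KTH Kerberos distribution: a small sh diagnostic that compares the address DNS publishes for a host with the addresses actually configured on its interfaces. The hostname `inet`, the A-record values and the `ifconfig -a` output are constructed sample data (RFC 5737 documentation addresses), not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail: does the address DNS publishes
# for this host (its A record) match an address actually configured on one
# of its interfaces?  krb_rd_req compares the address in the ticket with the
# address the connection came from, so a mismatch here is the usual cause of
# "unable to verify rcmd ticket: Incorrect network address".

# addr_matches A_RECORD "ADDR ADDR ..." -> 0 if A_RECORD is in the list, else 1
addr_matches() {
    for addr in $2; do
        [ "$addr" = "$1" ] && return 0
    done
    return 1
}

# iface_addrs IFCONFIG_OUTPUT -> the inet addresses in `ifconfig -a` output,
# one per line; loopback is dropped since the KDC never sees 127.0.0.1.
iface_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" && $2 != "127.0.0.1" { print $2 }'
}

# kerberos_addr_check HOSTNAME A_RECORD IFCONFIG_OUTPUT
# Prints a verdict; returns 0 when consistent, 1 when a mismatch would make
# krb_rd_req reject the ticket.
kerberos_addr_check() {
    addrs=$(iface_addrs "$3")
    if addr_matches "$2" "$addrs"; then
        echo "ok: $1 -> $2 is configured on an interface"
        return 0
    fi
    echo "mismatch: DNS says $1 is $2, but the interfaces have: $(printf '%s ' $addrs)"
    echo "fix DNS or the interface so they agree (or see krb.equiv(5) if multi-homed)"
    return 1
}

# Constructed sample (assumption): a multi-homed host with two interfaces.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255'

# A record still pointing at an address the host no longer has -> mismatch.
kerberos_addr_check inet 203.0.113.5 "$SAMPLE_IFCONFIG" || true   # exit status 1
# On the real host: kerberos_addr_check "$(hostname)" <A record from host(1)> "$(ifconfig -a)"
```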