Banners in Kerberized services

Ken Raeburn raeburn at MIT.EDU
Tue Dec 9 22:38:30 EST 2003


On Tuesday, Dec 9, 2003, at 14:14 US/Eastern, Quellyn Snead wrote:
> Displaying /etc/motd upon successful authentication always works;
> however, if I try to use banners through TCP Wrappers, the client's
> connection seems to hang. For example in my hosts.allow:

Presumably this is because the TCP wrapper code is sending the banner 
message when the connection first comes in.  With protocols like 
Kerberos rlogin, the first bytes exchanged are the Kerberos 
authentication exchange and some rlogin application data (desired user 
name, terminal type, etc), and the server sends back one or more bytes 
of status info; if you stick in arbitrary data, it's unlikely to parse 
properly as the intended reply in the Kerberos exchange.

The MIT Kerberos login program (run by Kerberos rlogind after 
successful authentication) only looks for and displays /etc/motd in its 
current incarnation.  It might be reasonable to change it to look for 
an additional file specific to itself.

Ken
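
The failure described in the reply above, as an added example that is not part of the original message: a simplified model of a client parsing the server's first bytes with and without a banner written ahead of them. The banner text, both reply formats and all function names are assumptions made for illustration, not the actual Kerberos rlogin wire format.

```python
import struct

# Constructed sample data; not taken from the thread.
BANNER = b"Authorized use only.\r\n"    # what a wrapper would write at connect time
STATUS_OK = b"\x00"                      # model: one zero byte means "accepted"
FRAMED_OK = struct.pack(">I", 0)         # model: zero-length reply means "no error"

def read_status(stream):
    """Model client that treats the first server byte as a status code."""
    if not stream:
        return ("wait", 1)
    return ("ok", 0) if stream[0] == 0 else ("error", stream[0])

def read_framed(stream):
    """Model client that expects a 4-byte big-endian length, then that many bytes."""
    if len(stream) < 4:
        return ("wait", 4 - len(stream))
    (length,) = struct.unpack(">I", stream[:4])
    missing = length - len(stream[4:4 + length])
    return ("wait", missing) if missing else ("ok", 0)

def compare(reply, reader):
    """Return the reader's verdict without and with the banner in front."""
    return reader(reply), reader(BANNER + reply)

if __name__ == "__main__":
    for name, reply, reader in (("status byte", STATUS_OK, read_status),
                                ("length-framed", FRAMED_OK, read_framed)):
        clean, bannered = compare(reply, reader)
        print(f"{name:14} clean={clean} with_banner={bannered}")
```

In the length-framed model the first four banner bytes decode as a length of over a billion, so the client blocks waiting for data the server will never send, which is one way a connection can appear to hang.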


