Banners in Kerberized services
Ken Raeburn
raeburn at MIT.EDU
Tue Dec 9 22:38:30 EST 2003
On Tuesday, Dec 9, 2003, at 14:14 US/Eastern, Quellyn Snead wrote:
> Displaying /etc/motd upon successful authentication always works;
> however, if I try to use banners through TCP Wrappers, the client's
> connection seems to hang. For example in my hosts.allow:

Presumably this is because the TCP wrapper code is sending the banner
message when the connection first comes in. With protocols like
Kerberos rlogin, the first bytes exchanged are the Kerberos
authentication exchange and some rlogin application data (desired user
name, terminal type, etc), and the server sends back one or more bytes
of status info; if you stick in arbitrary data, it's unlikely to parse
properly as the intended reply in the Kerberos exchange.

The MIT Kerberos login program (run by Kerberos rlogind after
successful authentication) only looks for and displays /etc/motd in its
current incarnation. It might be reasonable to change it to look for
an additional file specific to itself.

Ken
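
An added illustration, not part of the original message: how banner bytes written ahead of a binary handshake can leave a client waiting. The framing here (4-byte length, reply body, one status byte) is a constructed toy model, not the real Kerberos rlogin wire format, and the function names and banner text are assumptions.

```python
import struct

# Constructed toy framing, NOT the real Kerberos rlogin wire format:
# server reply = 4-byte big-endian length, that many bytes of
# authentication reply, then one status byte (0 = success).
def server_stream(auth_reply: bytes, banner: bytes = b"") -> bytes:
    """Bytes the client receives; a wrapper banner, if any, goes first."""
    framed = struct.pack(">I", len(auth_reply)) + auth_reply + b"\x00"
    return banner + framed

def client_parse(stream: bytes) -> dict:
    """Parse as a client would, reporting where a blocking read would stall."""
    if len(stream) < 4:
        return {"state": "stalled", "wanted": 4, "have": len(stream)}
    (length,) = struct.unpack(">I", stream[:4])
    body = stream[4:4 + length]
    if len(body) < length:
        # A real client would sit in read() waiting for the rest: the "hang".
        return {"state": "stalled", "wanted": length, "have": len(body)}
    if len(stream) < 4 + length + 1:
        return {"state": "stalled", "wanted": 1, "have": 0}
    status = stream[4 + length]
    return {"state": "done", "auth_reply": body, "status": status}

if __name__ == "__main__":
    reply = b"constructed-auth-reply"            # constructed sample data
    banner = b"Authorized use only\r\n"          # constructed banner text
    print(client_parse(server_stream(reply)))          # parses cleanly
    print(client_parse(server_stream(reply, banner)))  # "Auth" read as a length
```

In this model the banner's first four ASCII bytes are decoded as a reply length of roughly a gigabyte, so the client keeps waiting for data the server never sends.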