Kerberos referrals

Mike Friedman mikef at ack.Berkeley.EDU
Wed Nov 9 15:56:27 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 9 Nov 2005 at 15:36 (-0500), Kevin Coffman wrote:

> Our patches are here: http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
>
> The page will be updated soon with a patch for 1.4.2, but the 1.3.4 
> patch applied rather cleanly last night while doing the cvs merge to 
> 1.4.2.

Kevin,

I've been using your referrals patch for about 4 years now and last August 
I updated our KDC to 1.4.2.  So, I had to update the patch as well. Aside 
from line number changes, I found at least one place where a substantive 
(though very small) change was required.

In krb5/src/lib/krb5/os/hst_realm.c, in the krbt_get_host_referral_realm 
function, I changed

     char local_host[MAX_DNS_NAMELEN+1];

to

     char local_host[MAXDNAME];

because, I believe (this is based on my memory now) MAX_DNS_NAMELEN was 
not defined in this module.  I figured that MAXDNAME was large enough to 
incorporate the size of MAX_DNS_NAMELEN+1, at least to avoid a buffer 
overflow condition.  Of course, I might be wrong and there may very well 
be a better way to handle this change.

My 1.4.2 KDC has been running (continuously) since early September with no 
problems.

I didn't send you my patch updates because initially I was going to 1.4.1 
and I needed to incorporate MIT patches SA-2005-002 and SA-2005-003 that 
came out before 1.4.2 was released and which hit one of the modules that 
your patch does.  So I had to incorporate all 3 patches in that particular 
module (kdc/do_tgs_req.c, I believe).

But then I decided to go with 1.4.2, so I guess my referrals patch stands 
on its own.  If you like, I can send it to you if you haven't already done
your own update.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBQ3Jifq0bf1iNr4mCEQJkNwCgtkvuK6HeEHja+XtcMOdZIVdCvDkAn3R2
t+8a08k3SQspExm7Bb1HFMiN
=dn26
-----END PGP SIGNATURE-----
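
An added example, not part of the original message or of the referrals patch: when a fixed-size name buffer such as local_host is redeclared with a different constant, taking every copy bound from sizeof of the array means the change cannot leave a stale length behind, and an over-long name is rejected instead of overflowing. The helper names copy_hostname and store_local_host and the sample host name are hypothetical; only MAXDNAME (from arpa/nameser.h) comes from the post.

```c
#include <arpa/nameser.h>   /* MAXDNAME */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXDNAME
#define MAXDNAME 1025       /* fallback if the header does not provide it */
#endif

/* Hypothetical helper: copy a host name into a fixed buffer, refusing
 * (rather than truncating or overflowing) when it does not fit.
 * Returns 0 on success, -1 on bad arguments or a name too long for dst. */
static int copy_hostname(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    end = memchr(src, '\0', dst_size);  /* stops at the NUL or at dst_size */
    if (end == NULL) {                  /* no room for name plus NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Stand-in for the buffer in the post: the bound is always sizeof(local_host),
 * so redeclaring the array with another constant needs no other change. */
static int store_local_host(const char *name, char *out, size_t out_size)
{
    char local_host[MAXDNAME];

    if (copy_hostname(local_host, sizeof(local_host), name) != 0)
        return -1;
    return copy_hostname(out, out_size, local_host);
}

int main(void)
{
    char out[64];
    /* constructed sample host name */
    int rc = store_local_host("kdc1.example.edu", out, sizeof(out));

    printf("rc=%d host=%s\n", rc, rc == 0 ? out : "(rejected)");
    return rc == 0 ? 0 : 1;
}
```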

