.k5login and krb5.conf syntax errors

Russ Allbery rra at stanford.edu
Wed Sep 6 14:47:25 EDT 2006


"Christopher D Clausen" <cclausen at acm.org> writes:

> Last night I found out the hard way that if a user creates a .k5login
> file that isn't correct, (has Windows linebreaks or has multiple
> principal names on the same line) that they cannot login at all to
> systems using pam-krb5 for authentication.  (This is on Ubuntu 6.06 on
> x86.)  Further, no error is listed in the auth.log at all.

Yeah, the Kerberos library parsing of .k5login files is very simple-minded
and doesn't distinguish between not matching and bad syntax, so you aren't
going to get an error message.  Here's the code:

    /* check each line */
    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
        /* null-terminate the input string */
        linebuf[BUFSIZ-1] = '\0';
        newline = NULL;
        /* nuke the newline if it exists */
        if ((newline = strchr(linebuf, '\n')))
            *newline = '\0';
        if (!strcmp(linebuf, princname)) {
            isok = TRUE;
            continue;
        }
        /* clean up the rest of the line if necessary */
        if (!newline)
            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
    }

So yes, a trailing CR will cause that to fail to match.

> Similarly, I've been completely locked out of systems if there are
> syntax errors in the krb5.conf file and I've seen Windows BSOD if the
> system krb5.ini isn't correct.  Is there no way to have a fail-safe
> method of operation?

I can't imagine what else Kerberos can do if krb5.conf is bad, since it
doesn't know what the configuration was supposed to be and therefore can't
make reasonable authentication decisions at that point.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
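An added example (not from the message above or from the Kerberos sources) that emulates the quoted .k5login loop on an in-memory file, so the CR and multiple-principal cases can be seen to fail to match, plus a lint function an administrator could run over a .k5login before installing it. The function names and the lint checks are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Emulates the library loop quoted above on an in-memory string: a line
 * matches only if it equals princ byte-for-byte after a single trailing
 * '\n' is removed.  A '\r' or a second name on the line therefore never
 * matches, and no error is reported.  (The BUFSIZ truncation of the real
 * fgets() loop is not modelled here.) */
int k5login_matches(const char *contents, const char *princ)
{
    const char *p = contents;
    size_t plen = strlen(princ);

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len == plen && memcmp(p, princ, len) == 0)
            return 1;                       /* exact match: authorized */
        p = nl ? nl + 1 : p + len;          /* next line, or end of data */
    }
    return 0;                               /* no match, no diagnostic */
}

/* Lint one .k5login line (without its '\n') before it is installed.
 * Returns NULL when the line is acceptable, otherwise a short reason.
 * These checks are heuristic and constructed for this example. */
const char *k5login_lint_line(const char *line)
{
    const char *c;

    if (strchr(line, '\r'))
        return "carriage return (Windows line ending)";
    for (c = line; *c; c++)
        if (isspace((unsigned char)*c))
            return "whitespace: more than one principal on the line?";
    if (!strchr(line, '@'))
        return "no realm (missing '@')";
    return NULL;
}

int main(void)
{
    const char *ok  = "alice@EXAMPLE.COM";      /* constructed sample */
    const char *bad = "alice@EXAMPLE.COM\r";    /* CRLF file, '\n' stripped */

    printf("unix line matches:    %d\n", k5login_matches("alice@EXAMPLE.COM\n", ok));
    printf("windows line matches: %d\n", k5login_matches("alice@EXAMPLE.COM\r\n", ok));
    printf("lint: %s\n", k5login_lint_line(bad) ? k5login_lint_line(bad) : "ok");
    return 0;
}
```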
