patches that still haven't been applied

Neulinger, Nathan nneul at umr.edu
Fri Mar 1 10:09:00 EST 2002


Here are a variety of bugs/fixes that still need to be applied. If y'all
aren't interested in applying them, I'd really appreciate a response as
to WHY, cause some of these bugs make krb5 pretty unusable in some
environments. 

not building the krb524 lib on windows - anyone using AFS will require
this if they are using kerberos to build aklog.

krb524 - memory leak due to copying key structure, but not re-allocating
elements within. (Copying pointer, results in dangling pointers later on
or something, I traced it down once, but don't remember all the details.)
Basic result is - you need to do a deep-copy, and it's not being done.
Ideally should provide a routine to copy a key to an already allocated
key structure, but no such routine exists, just one for dynamically
allocating a copy of a key. 

Index: krb524/krb524d.c
===================================================================
RCS file:
/afs/.umr.edu/software/krb5src/cvsroot/krb5-current/src/krb524/krb524d.c
,v
retrieving revision 1.1.1.2
retrieving revision 1.4
diff -u -r1.1.1.2 -r1.4
--- krb524/krb524d.c    14 Jan 2002 15:53:05 -0000      1.1.1.2
+++ krb524/krb524d.c    14 Jan 2002 15:57:16 -0000      1.4
@@ -422,6 +426,13 @@
          if ((ret = krb5_kt_get_entry(context, kt, p, kvno, ktype,
&entry)))
               return ret;
          memcpy(key, (char *) &entry.key, sizeof(krb5_keyblock));
+
+         key->contents = (krb5_octet *)malloc(key->length);
+         if ( key->contents )
+               memcpy((char *)key->contents, (char
*)entry.key.contents,
+               key->length);
+
+         krb5_kt_free_entry(context, &entry);
          return 0;
      } else if (use_master) {
          return kdc_get_server_key(context, p, key, kvnop, ktype,
kvno);
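
Review bot: The malloc() result in the added block is only tested to skip the memcpy; when it returns NULL the function still calls krb5_kt_free_entry() and falls through to "return 0", so the caller receives a keyblock whose length is non-zero and whose contents pointer is NULL. Free the entry and return ENOMEM in that case instead of reporting success. It would also help to put a comment at the memcpy of the whole krb5_keyblock saying that key->contents is replaced with a private copy immediately afterwards, since between those two statements key->contents aliases entry.key.contents, which krb5_kt_free_entry() releases.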


krb524 - use of krb_time_to_life (I think this was just a problem on
windows, not sure.) Had to do with routines being undefined. 
	I think this one may not be an issue any more, I'll have to
double check.

lib/krb5/os/locate_kdc.c - defs at top don't work right when building
without DNS support, right now, a block of defs is turned off if
non-dns, but one of them MAXHOSTNAMELEN I think is used later on. I
believe this was primarily a problem on windows builds but I'm not
positive.

Index: lib/krb5/os/locate_kdc.c
===================================================================
RCS file:
/afs/.umr.edu/software/krb5src/cvsroot/krb5-current/src/lib/krb5/os/loca
te_kdc.c,v
retrieving revision 1.1.1.4
retrieving revision 1.2
diff -u -r1.1.1.4 -r1.2
--- lib/krb5/os/locate_kdc.c    30 Oct 2001 17:29:51 -0000      1.1.1.4
+++ lib/krb5/os/locate_kdc.c    13 Nov 2001 19:54:50 -0000      1.2
@@ -43,6 +43,7 @@
 #ifndef T_SRV
 #define T_SRV 33
 #endif /* T_SRV */
+#endif /* KRB5_DNS_LOOKUP */
 
 #define FAI_PREFIX krb5int
 #include "fake-addrinfo.c"
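
Review bot: The added "#endif /* KRB5_DNS_LOOKUP */" after the T_SRV fallback closes a conditional that opens above this hunk, which splits what used to be one DNS-only region in two. A short comment here saying why the block ends at this point (so that FAI_PREFIX, the fake-addrinfo.c include and the MAXHOSTNAMELEN fallback are compiled in non-DNS builds) would keep a later cleanup from merging the regions again. Please also confirm that nothing between this #endif and the re-opened #ifdef in the next hunk depends on the definitions that remain inside the DNS-only part.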
@@ -52,6 +53,7 @@
 #define MAXHOSTNAMELEN 64
 #endif
 
+#ifdef KRB5_DNS_LOOKUP
 #define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
 
 #if KRB5_DNS_LOOKUP_KDC
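
Review bot: The new "#ifdef KRB5_DNS_LOOKUP" before MAX_DNS_NAMELEN has no matching #endif in this hunk, so it relies on the original closing #endif further down the file; check that the closing line is still correctly paired and labelled after the split. The test style is also inconsistent with the next conditional: this line uses #ifdef while the line two below uses "#if KRB5_DNS_LOOKUP_KDC", and the two behave differently if the macro is defined as 0, so pick one form for both.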

telnet - does not assign proper perms/clean up properly if you 'telnet
-l userid' and don't have a .k5login that lets you in. The discussion
about "retaining credentials for other logins" isn't even relevant to
this, so please don't start harping on it. Telnetd is creating a ccache
and assigning environment vars, and then logging you in such that you
have no unix permissions to access the ccache that KRB5CCNAME points to.


Sequence of behavior:
	telnet -l userid otherhost
	otherhost - accepts forwarded creds, sticks em in ccache owned by root
	otherhost - checks k5login, decides you're not let in
	otherhost - prompts for password, authenticates you, puts new creds in ccache
	otherhost - spawns shell
	otherhost - you now have KRB5CCNAME pointing at a ccache that you have no rights to.

You could fix this in krb5login I believe, but fixing it in telnetd is
far easier. Just add a:

	otherhost - delete original cred cache

before the prompts for password. Following patch yields that behavior.


The patch is simple:

Index: appl/telnet/telnetd/sys_term.c
===================================================================
RCS file:
/afs/.umr.edu/software/krb5src/cvsroot/krb5-current/src/appl/telnet/teln
etd/sys_term.c,v
retrieving revision 1.1.1.4
retrieving revision 1.5
diff -u -r1.1.1.4 -r1.5
--- appl/telnet/telnetd/sys_term.c      30 Oct 2001 17:27:52 -0000
1.1.1.4
+++ appl/telnet/telnetd/sys_term.c      30 Oct 2001 17:41:36 -0000
1.5
@@ -1402,6 +1402,10 @@
                close(pty);
 #endif
        closelog();
+#if defined(AUTHENTICATION)
+       if ( autologin != AUTH_VALID )
+               kerberos5_cleanup();
+#endif
        execv(login_program, argv);
 
        syslog(LOG_ERR, "%s: %m", login_program);
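
Review bot: The added call to kerberos5_cleanup() is guarded only by "#if defined(AUTHENTICATION)", but the function name is Kerberos 5 specific, so a build with AUTHENTICATION enabled and no Kerberos 5 support would reference an undefined symbol; the guard should also test the macro that enables the Kerberos 5 authentication code. Two further points on placement: the call sits after closelog(), so a failure inside the cleanup cannot be reported through syslog before execv(), and the hunk removes the cache without touching the environment handed to login_program, so it is worth stating in a comment whether KRB5CCNAME is cleared or is expected to be reset by the login program when autologin is not AUTH_VALID.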





-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


