Porting Heimdal's libkafs to MIT Kerberos

Alexandra Ellwood lxs at MIT.EDU
Sun Jan 11 12:41:03 EST 2004

>  >On Mac OS X, we support a Login Logout Notification Plugin API to
>>modify the library behavior when tickets are acquired.  This API
>>exists because of the complete lack of pam on Mac OS 9 (where it was
>>first introduced) and the poor quality of pam support in early
>>versions of Mac OS X.
>That's _very_ cool.  I shall definately check that out.  Thanks!

I should probably warn you that if you get a copy of the 
aklog.loginLogout plugin from Alexei Kosut or from one of the links 
to it on the web that you make sure it's one which has been patched 
for Mac OS 10.3 (Panther).  There are two bugs in the original 
version which prevent it from working properly on Panther.  For 
various reasons, these bugs were masked by the KfM 4.5 implementation 
in Jaguar.

1) In afs_realm_of_cell (aklog.c), krbhst should be MAXHOSTNAMELEN 
bytes, not MAX_K_NAME_SZ bytes.  Otherwise the hostname can overrun 
the buffer and crash the calling application.

2) In add_to_error_table (shim.c), the plugin shims out to the KfM 
add_error_table.  However, it never calls remove_error_table before 
returning to the caller.  When the plugin gets unloaded, the next 
call to error_message will crash because the calling application no 
longer has access to the error tables loaded by the plugin.  The 
plugin must unload the error tables before returning to the caller.


Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/

More information about the krbdev mailing list