Porting Heimdal's libkafs to MIT Kerberos
Alexandra Ellwood
lxs at MIT.EDU
Sun Jan 11 12:41:03 EST 2004
>>On Mac OS X, we support a Login Logout Notification Plugin API to
>>modify the library behavior when tickets are acquired. This API
>>exists because of the complete lack of pam on Mac OS 9 (where it was
>>first introduced) and the poor quality of pam support in early
>>versions of Mac OS X.
>
>That's _very_ cool. I shall definitely check that out. Thanks!

I should probably warn you that if you get a copy of the
aklog.loginLogout plugin from Alexei Kosut or from one of the links
to it on the web that you make sure it's one which has been patched
for Mac OS 10.3 (Panther). There are two bugs in the original
version which prevent it from working properly on Panther. For
various reasons, these bugs were masked by the KfM 4.5 implementation
in Jaguar.

1) In afs_realm_of_cell (aklog.c), krbhst should be MAXHOSTNAMELEN
bytes, not MAX_K_NAME_SZ bytes. Otherwise the hostname can overrun
the buffer and crash the calling application.

2) In add_to_error_table (shim.c), the plugin shims out to the KfM
add_error_table. However, it never calls remove_error_table before
returning to the caller. When the plugin gets unloaded, the next
call to error_message will crash because the calling application no
longer has access to the error tables loaded by the plugin. The
plugin must unload the error tables before returning to the caller.

HTH,

--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
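
The error-table lifetime problem from item 2, as an added example that is not part of the original message and is not the plugin's or KfM's code. It uses a toy registry with hypothetical names (ex_add_table, ex_remove_table, ex_error_message) and models plugin unload with a flag, so the stale entry can be counted instead of dereferenced.

```c
#include <stdio.h>
/* Toy registry standing in for a com_err-style table list (hypothetical names). */
struct plugin { int loaded; };
struct err_table {
    long base; int count; const char *const *msgs;
    const struct plugin *owner;          /* whose memory the table lives in */
    struct err_table *next;
};
static struct err_table *registry;       /* list head lives in the host application */
static void ex_add_table(struct err_table *t) { t->next = registry; registry = t; }
static void ex_remove_table(struct err_table *t) {
    for (struct err_table **p = &registry; *p; p = &(*p)->next)
        if (*p == t) { *p = t->next; return; }
}
/* Host-side lookup: walks every registered table, whoever owns it. */
static const char *ex_error_message(long code) {
    for (struct err_table *t = registry; t; t = t->next)
        if (code >= t->base && code < t->base + t->count)
            return t->msgs[code - t->base];
    return NULL;
}
/* Entries the host would still walk although their owner has been unloaded. */
static int ex_stale_tables(void) {
    int n = 0;
    for (struct err_table *t = registry; t; t = t->next)
        if (!t->owner->loaded) n++;
    return n;
}
static struct plugin afs_plugin = { 1 };
static const char *const afs_msgs[] = { "cell not found", "no tokens" }; /* constructed */
static struct err_table afs_table = { 1000, 2, afs_msgs, &afs_plugin, NULL };
/* Register and return without removing: the table outlives the call. */
static void plugin_entry_leaky(void) { ex_add_table(&afs_table); }
/* Register, use, and remove before returning to the caller. */
static int plugin_entry_clean(long code) {
    ex_add_table(&afs_table);
    int known = ex_error_message(code) != NULL;
    ex_remove_table(&afs_table);
    return known;
}
int demo_leaky(void) {                   /* stale entries left after unload */
    afs_plugin.loaded = 1; plugin_entry_leaky(); afs_plugin.loaded = 0;
    int n = ex_stale_tables();
    ex_remove_table(&afs_table);         /* reset the toy registry */
    return n;
}
int demo_clean(void) {                   /* 1 if lookup worked and nothing is left behind */
    afs_plugin.loaded = 1; int known = plugin_entry_clean(1001); afs_plugin.loaded = 0;
    return known && ex_stale_tables() == 0;
}
int main(void) { printf("leaky: %d stale, clean ok: %d\n", demo_leaky(), demo_clean()); return 0; }
```

In a real unload the stale entry points at unmapped memory, so the host's next lookup walks into it; the flag here only makes that state observable.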