krb5-1.6.3-beta1 is available
Douglas E. Engert
deengert at anl.gov
Fri Sep 28 12:20:26 EDT 2007
The pkinit plugin does not load on Solaris 10. It is looking for libgcc_s.so
but not looking in the correct location, /usr/sfw/lib.
I built the 1.6.3-beta1 using the same environment as I used with the Umich
pkinit, which did not have this problem.
(/krb5m -> /afs/anl.gov/appl/krb5-dev/@sys/krb5m as --prefix=/krb5m)
Truss shows:
open("/krb5m/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 4
...
stat("/afs/anl.gov/appl/krb5-dev/@sys/krb5m/lib/libgcc_s.so.1", 0xFFBFD9B8) Err#2 ENOENT
stat("/opt/smartcard/lib/libgcc_s.so.1", 0xFFBFD9B8) Err#2 ENOENT
which is looking at the two -R directories, but not at
/usr/sfw/lib or at /usr/lib
Something has changed in how the plugin is linked, as
the 1.6.3-beta1 shows:
ldd /krb5m/lib/krb5/plugins/preauth/pkinit.so
warning: ldd: /krb5m/lib/krb5/plugins/preauth/pkinit.so: is not executable
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
libc.so.1 => /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,A70/lib/libc_psr.so.1
Whereas the Umich version showed:
ldd /krb5m/lib/krb5/plugins/preauth/pkinit.so
warning: ldd: /krb5m/lib/krb5/plugins/preauth/pkinit.so: is not executable
libkrb5.so.3 => /krb5m/lib/libkrb5.so.3
libcom_err.so.3 => /krb5m/lib/libcom_err.so.3
libk5crypto.so.3 => /krb5m/lib/libk5crypto.so.3
libdl.so.1 => /lib/libdl.so.1
libkrb5support.so.0 => /krb5m/lib/libkrb5support.so.0
libcrypto.so.0.9.8 => /opt/smartcard/lib/libcrypto.so.0.9.8
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd5.so.1 => /lib/libmd5.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,A70/lib/libc_psr.so.1
/platform/SUNW,A70/lib/libmd5_psr.so.1
During the ./configure I did have:
LD_LIBRARY_PATH=/opt/smartcard/lib
Tom Yu wrote:
> MIT krb5-1.6.3-beta1 is now available for download from
>
> http://web.mit.edu/kerberos/dist/
>
> The main MIT Kerberos web page is
>
> http://web.mit.edu/kerberos/
>
> Please send comments to the krbdev list in the next few weeks. The
> beta period will be somewhat longer than usual due to the
> incorporation of PKINIT. Major changes in krb5-1.6.3 include:
>
> Major changes in 1.6.3 include
>
> * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
> * fix CVE-2007-4000 modify_policy vulnerability
>
> The above are two kadmind vulnerabilities described in
> MITKRB5-SA-2007-006. CVE-2007-3999 is actually a vulnerability in the
> RPC library.
>
> * Add PKINIT support
>
> At this point, PKINIT support should be considered to be ALPHA
> code. We would greatly appreciate testing and feedback of PKINIT
> support.
>
> For a more complete list of changes, please consult
>
> http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.3.html
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
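
Added example, not part of the original message or of the krb5 sources: a small Python helper that makes the ldd comparison above mechanical, listing the dependencies one build of a plugin records that the other does not, and the ones that resolve outside the runtime linker's default directories. The function names and DEFAULT_DIRS are assumptions made for this sketch, and the sample input is abridged from the two ldd listings in the message.

```python
import re

# Constructed sample input, abridged from the two ldd listings quoted above.
LDD_BETA = """\
warning: ldd: /krb5m/lib/krb5/plugins/preauth/pkinit.so: is not executable
        libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
        libc.so.1 => /lib/libc.so.1
        libm.so.2 => /lib/libm.so.2
        /platform/SUNW,A70/lib/libc_psr.so.1
"""
LDD_UMICH = """\
warning: ldd: /krb5m/lib/krb5/plugins/preauth/pkinit.so: is not executable
        libkrb5.so.3 => /krb5m/lib/libkrb5.so.3
        libcom_err.so.3 => /krb5m/lib/libcom_err.so.3
        libk5crypto.so.3 => /krb5m/lib/libk5crypto.so.3
        libcrypto.so.0.9.8 => /opt/smartcard/lib/libcrypto.so.0.9.8
        libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
        libc.so.1 => /lib/libc.so.1
        libm.so.2 => /lib/libm.so.2
"""

# Assumption: directories the runtime linker searches with no run path set.
DEFAULT_DIRS = ("/lib", "/usr/lib")

_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(.+?)\s*$")

def parse_ldd(text):
    """Return {soname: resolved path, or None when ldd could not find it}."""
    deps = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # warnings and bare library paths carry no soname
        soname, target = m.groups()
        deps[soname] = None if "not found" in target else target.split()[0]
    return deps

def dropped(old, new):
    """Sonames the old build lists as dependencies but the new one does not."""
    return sorted(set(old) - set(new))

def outside_defaults(deps, defaults=DEFAULT_DIRS):
    """Dependencies that resolve only through a run path or LD_LIBRARY_PATH."""
    return sorted(s for s, p in deps.items()
                  if p is None or p.rsplit("/", 1)[0] not in defaults)

if __name__ == "__main__":
    print("dropped:", dropped(parse_ldd(LDD_UMICH), parse_ldd(LDD_BETA)))
    print("needs run path:", outside_defaults(parse_ldd(LDD_BETA)))
```

Anything reported by outside_defaults has to be reachable through a run path recorded in the object itself; relying on LD_LIBRARY_PATH from the build environment does not carry over to the process that later loads the plugin.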