Date:      Thu, 23 Mar 2000 08:26:38 -0800
From:      Christopher J.Gibbons <gibbons@dragonfire.penguinpowered.com>
To:        freebsd-stable@freebsd.org
Subject:   No KERBEROS4 support in rshd & rlogind (4.0S)
Message-ID:  <20000323082638X.gibbons@dragonfire.penguinpowered.com>

I think I found a problem with the Kerberos4 builds of rshd and rlogind in 
4.0-Stable (cvsup'd early this morning too).

When I enable MAKE_KERBEROS4=yes in /etc/make.conf, it builds the kerberos4
binaries: ksrvutil, kerberos, kadmind, etc.  However, the rshd and rlogind 
binaries are still the non-kerberized versions. Note that rsh and rlogin
themselves have kerberos support; it is simply their daemon counterparts that
are lacking kerberos.

Here is the output of doing an rsh and rlogin into my master server from
itself with valid tickets.

[gibbons@hercules gibbons]$ rsh hercules date
rsh: kcmd: connection unexpectedly closed.
rsh: warning, using standard rsh: can't provide Kerberos auth data
 
The corresponding /var/log/messages entry:
Mar 23 08:12:52 hercules rshd[91934]: usage: rshd [-alnDL]
Mar 23 08:12:52 hercules rshd[91935]: auth_pam: Permission denied
Mar 23 08:12:52 hercules rshd[91935]: PAM authentication failed

Notice the usage output--it is not accepting the kerberos flag (-k) from 
inetd.conf. Hence, I believe the PAM errors are simply a condition of the
rshd command spitting out a usage message.

ldd's of the binaries show they do not have the kerberos or crypto libraries
compiled in either:

/usr/libexec/rshd:
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28066000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x2806f000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28079000)

/usr/libexec/rlogind:
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28066000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28070000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28079000)

However, kerberized telnet works just fine:

[gibbons@hercules gibbons]$ telnet -a hercules
Trying 192.168.0.1...
Connected to hercules.dragonfire.penguinpowered.com.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
Last login: Thu Mar 23 08:18:35 from hercules
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 4.0-STABLE (HERCULES) #0: Wed Mar 22 15:38:10 PST 2000

Welcome to FreeBSD!


Secondly, "passwd" generates the following errors when a user tries to change
their kerberos password, yet it may be related to rsh and rlogin not working
properly:

[gibbons@hercules gibbons]$ passwd
realm DRAGONFIRE.PENGUINPOWERED.COM
Old password for gibbons:
New Password for gibbons:
Verifying password - New Password for gibbons:
Verify failure
Error reading new password, password unchanged.
[gibbons@hercules gibbons]$ passwd
realm DRAGONFIRE.PENGUINPOWERED.COM
Old password for gibbons:
New Password for gibbons:
Verifying password - New Password for gibbons:
passwd in free(): warning: junk pointer, too high to make sense.
kpasswd: Couldn't access ticket file  attempting to change password.
Password NOT changed.

Kerberos logs the attempt to change a password, but there is nothing else 
in the log files to indicate anything failed for the passwd change.

I wish I could have provided a fix or patch diffs, rather than simply 
pointing out what looks like a bug.

Thanks!!!

/-----------------------------------------------------------------------
| Christopher J. Gibbons   UNIX Systems Admin.   gibbons@cs.unr.edu
|-----------------------------------------------------------------------
| "Discovered that neither the Mossad nor Cuba were willing to pay a
| living wage for computer espionage.  Fell into System Administration."
\-----------------------------------------------------------------------
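
The mismatch reported above (inetd.conf passing -k to a daemon whose ldd output shows no Kerberos libraries) can be checked mechanically. This is an added example, not part of the original e-mail or of FreeBSD; the function names, the library-name pattern, the inetd.conf fragment and the kerberized rlogind listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report inetd.conf entries that pass -k to a daemon whose
# binary has no Kerberos library linked in (the mismatch in the message).

# Assumption: library name stems that mark a kerberized build.
KRB_LIB_PATTERN='lib(krb|des|crypto)\.so'

# Print the server path (field 6) of each active inetd.conf entry whose
# arguments (field 8 onward) include a flag group containing "k".
krb_flag_daemons() {
    awk '!/^[ \t]*#/ {
        for (i = 8; i <= NF; i++)
            if ($i ~ /^-[A-Za-z]*k[A-Za-z]*$/) { print $6; break }
    }'
}

# Succeed when the ldd output on stdin lists a Kerberos or crypto library.
has_krb_libs() { grep -E "$KRB_LIB_PATTERN" >/dev/null; }

# Usage: audit_inetd LOOKUP < inetd.conf
# LOOKUP is a command that prints ldd-style output for a path ("ldd" on a
# real host). Prints "MISMATCH <path>" for every -k daemon without the libs.
audit_inetd() {
    lookup=$1
    krb_flag_daemons | sort -u | while read -r path; do
        "$lookup" "$path" 2>/dev/null | has_krb_libs || echo "MISMATCH $path"
    done
}

# Constructed inetd.conf fragment (not taken from the message).
SAMPLE_INETD='shell   stream tcp nowait root /usr/libexec/rshd    rshd -k
login   stream tcp nowait root /usr/libexec/rlogind rlogind -k
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
#klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k'

# Stand-in for ldd: rshd lines are quoted from the message; the rlogind
# entry is a constructed kerberized build (library name/version assumed).
sample_ldd() {
    case "$1" in
    /usr/libexec/rshd) printf '%s\n' "$1:" \
        '        libpam.so.1 => /usr/lib/libpam.so.1 (0x28066000)' \
        '        libc.so.4 => /usr/lib/libc.so.4 (0x28079000)' ;;
    /usr/libexec/rlogind) printf '%s\n' "$1:" \
        '        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x28066000)' ;;
    esac
}

printf '%s\n' "$SAMPLE_INETD" | audit_inetd sample_ldd
```

On a real host the equivalent call is `audit_inetd ldd < /etc/inetd.conf`; a path for which the lookup prints nothing is also reported, since linkage cannot be confirmed.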