Date: Sun, 14 Dec 1997 13:51:20 GMT
From: rhh@ct.picker.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: rhh@ct.picker.com
Subject: bin/5293: DES dist (req'd by PPP) defaults to kerberos auth enable
Message-ID: <199712141351.NAA04476@stealth.ct.picker.com>
Resent-Message-ID: <199712141900.LAA28774@hub.freebsd.org>

>Number: 5293
>Category: bin
>Synopsis: DES dist (req'd by PPP) defaults to kerberos auth enable
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 14 11:00:01 PST 1997
>Last-Modified:
>Originator: Randall Hopper
>Organization: self
>Release: FreeBSD 3.0-971208-SNAP i386
>Environment:

Fresh installation of 3.0-971208 SNAP.

>Description:

Recently installed the latest 3.0 snap, and as I'd seen in the lists, ppp now links with DES for Microsoft authentication. Confirmed this by running PPP w/o the DES dist installed and seeing that it wouldn't dynlink.

After decompressing the DES dist, I find that "su" now tries to do Kerberos ACL lookups. Each su generates a dozen or so bogus DNS lookups to krb4-realm, and then fails with something like "... not in root's ACL list". It then lets you get to root.

>How-To-Repeat:

On a 971208-SNAP system without the DES package installed. ppp doesn't dynlink. Install DES, then run "su".

>Fix:

Since ppp now requires DES, and many FreeBSD-at-home folks run PPP but have no want/need for running Kerberos, the better fix might be to have the DES dist not enable Kerberos by default. Alternatively, split the DES dist into two dists. DESLIB with library dependencies only (for PPP, etc.), and a separate KERBEROS dist.

Either way, this probably deserves a mention in the FAQ/handbook in the PPP section. My searches for "PPP AND DES" in the top section of the search page didn't reveal anything describing my "PPP w/ DES w/o kerberos" question.

I really don't think an acceptable solution would be to require everyone wanting to run PPP to learn how to turn off the enabled-by-default Kerberos in the DES dist, though that is of course one possible fix as well. (Note that I do have all the kerberos options in rc.conf set to NO [kerberos_server_enable and kadmind_server_enable]).

My hack work-around for this problem was to install the DES dist, and then selectively reinstall the bin and lib dirs in the BIN dist overtop of this (to restore the original libcrypt.*, init, ed, etc.).

>Audit-Trail:
>Unformatted: