Date: Sun, 14 Dec 1997 13:51:20 GMT From: rhh@ct.picker.com To: FreeBSD-gnats-submit@FreeBSD.ORG Cc: rhh@ct.picker.com Subject: bin/5293: DES dist (req'd by PPP) defaults to kerberos auth enable Message-ID: <199712141351.NAA04476@stealth.ct.picker.com> Resent-Message-ID: <199712141900.LAA28774@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 5293
>Category: bin
>Synopsis: DES dist (req'd by PPP) defaults to kerberos auth enable
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 14 11:00:01 PST 1997
>Last-Modified:
>Originator: Randall Hopper
>Organization:
self
>Release: FreeBSD 3.0-971208-SNAP i386
>Environment:
Fresh installation of 3.0-971208 SNAP.
>Description:
Recently installed the latest 3.0 snap, and as I'd seen in the
lists, ppp now links with DES for Microsoft authentication. Confirmed
this by running PPP w/o the DES dist installed and seeing that it
wouldn't dynlink.
After decompressing the DES dist, I find that "su" now tries to
do Kerberos ACL lookups. Each su generates a dozen or so bogus
DNS lookups to krb4-realm, and then fails with something like
"... not in root's ACL list". It then lets you get to root.
>How-To-Repeat:
On a 971208-SNAP system without the DES package installed. ppp
doesn't dynlink. Install DES, then run "su".
>Fix:
Since ppp now requires DES, and many FreeBSD-at-home folks run PPP
but have no want/need for running Kerberos, the better fix might
be to have the DES dist not enable Kerberos by default.
Alternatively, split the DES dist into two dists. DESLIB with
library dependencies only (for PPP, etc.), and a separate
KERBEROS dist.
Either way, this probably deserves a mention in the FAQ/handbook in
the PPP section. My searches for "PPP AND DES" in the top section
of the search page didn't reveal anything describing my "PPP w/ DES
w/o kerberos" question.
I really don't think an acceptable solution would be to require
everyone wanting to run PPP to learn how to turn off the
enabled-by-default Kerberos in the DES dist, though that is of course
one possible fix as well. (Note that I do have all the kerberos
options in rc.conf set to NO [kerberos_server_enable and
kadmind_server_enable]).
My hack work-around for this problem was to install the DES dist, and
then selectively reinstall the bin and lib dirs in the BIN dist
overtop of this (to restore the original libcrypt.*, init, ed, etc.).
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199712141351.NAA04476>