Date: Wed, 2 Mar 2005 13:46:51 -0600 From: "Tillman Hodgson" <tillman@seekingfire.com> To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org> Subject: ports/78325: -current behaves differently than 4.X w.r.t rsh from security/krb5 port Message-ID: <1109792811.0@backforty.seekingfire.prv> Resent-Message-ID: <200503021950.j22Jo2G2012127@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 78325 >Category: ports >Synopsis: -current behaves differently than 4.X w.r.t rsh from security/krb5 port >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Mar 02 19:50:02 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Tillman Hodgson >Release: FreeBSD 6.0-CURRENT i386 >Organization: >Environment: System 1: FreeBSD 6.0-CURRENT #0: Mon Jan 24 09:41:28 CST 2005 tillman@backforty.seekingfire.prv:/usr/obj/usr/src/sys/BACKFORTY System 2: FreeBSD 6.0-CURRENT #0: Tue Mar 1 16:04:05 CST 2005 toor@thoth.seekingfire.com:/usr/obj/usr/src/sys/THOTH i386 System 3: FreeBSD 4.10-STABLE #0: Thu Nov 18 12:49:31 CST 2004 toor@athena.seekingfire.prv:/usr/obj/usr/src/sys/ATHENA i386 >Description: Note: I originally posted this problem to freebsd-ports@ on Nov 23 2004, with a followup to current@ on Dec 14 2004. The problem still exists in -current with src from as recent as March 01 2005 so I figured I'd file a PR so that the issue can be properly tracked. I run a couple of Kerberos realms. in late 2004 I installed some new 5.3R machines and then immediately upgraded them to -current. Cursory testing seemed to show that the MIT Kerberos port (security/krb5) was working correctly. Over time, I've found a regression between it and my older 4.X systems (of which I have only remaining). While kinit, kdestroy, klist, kerberos telnet and ftp, and other basic Kerberos-enabled tools work correctly, the kerberos rsh client (not the server, it's fine) doesn't work on -current. Here's a a 4-stable box connecting via rsh to another 4-stable box as well as to a -current box: [root@athena ~]# rsh -x coyote uname -a This rsh session is encrypting input/output data transmissions. FreeBSD coyote.seekingfire.com 4.10-STABLE FreeBSD 4.10-STABLE #0: Thu Nov 18 13:10:32 CST 2004 toor@athena.seekingfire.prv:/usr/obj/usr/src/sys/COYOTE i386 [root@athena ~]# rsh -x backforty uname -a This rsh session is encrypting input/output data transmissions. FreeBSD backforty.seekingfire.prv 6.0-CURRENT FreeBSD 6.0-CURRENT #2: Fri Nov 19 08:03:52 CST 2004 tillman@backforty.seekingfire.prv:/usr/obj/usr/src/sys/BACKFORTY i386 When I try to connect from the -current box ('backforty' from the example above) outwards to either type of box I get a failure: $ rsh -x coyote uptime socket: protocol error or closed connection in circuit setup $ rsh -x caliban uptime socket: protocol error or closed connection in circuit setup (caliban is another -current box, in thsi case a sparc64 one). The auth.log on the server-side system shows: Nov 23 15:55:10 athena kshd[4565]: connect second port: Connection refused Note that all other client Kerberos apps work: I can telnet -x, ftp -x, rlogin, etc to my hearts connect. Only rsh displays this behaviour. I've confirmed that I'm running the right rsh binary: $ which rsh /usr/local/krb5/bin/rsh And I've confirmed that they're both running up-to-date ports trees and the most current version fo security/krb5. I've confirmed that inetd.conf is set up identically between the 4.X and the -current sysetms for the kshd line. I've googled for the auth.log message. It seems that the connection "back" for stderr is being denied. By what, I don't know ... the host backforty isn't running any sort of firewall: root@backforty# ipfw list ipfw: getsockopt(IP_FW_GET): Protocol not available root@backforty# ipfstat -hin open: No such file or directory root@backforty# pfctl -s rules pfctl: /dev/pf: No such file or directory I've confirmed that this issue exists for every -current box that I've run across (I run 4 myself). The problem is particularly vexing because Kerberos rsh is commonly used for securing "cluster" type operations (rmt for remote central backups, the clusterit port, central management scripting, etc). >How-To-Repeat: Install security/krb5 port (the MIT Kerberos port) on a -current system. Try to use the rsh client that it installs. Compare with the results on a 4.X system. I have a good working knowledge of Kerberos and I'm willing to do testing across a variety of systems if someone wants to test a potential fix :-) >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1109792811.0>