From kenh@cmf.nrl.navy.mil Tue Nov 12 17:42:24 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id RAA28612 for ; Tue, 12 Nov 1996 17:42:24 -0500
Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP id AA15082; Tue, 12 Nov 96 17:42:21 EST
Received: from elvis.cmf.nrl.navy.mil (kenh@elvis.cmf.nrl.navy.mil [134.207.10.38]) by ginger.cmf.nrl.navy.mil (8.7.5/8.7.3) with ESMTP id RAA20532 for ; Tue, 12 Nov 1996 17:42:21 -0500 (EST)
Received: (kenh@localhost) by elvis.cmf.nrl.navy.mil (8.6.12/8.6.11) id RAA09828; Tue, 12 Nov 1996 17:42:10 -0500
Message-Id: <199611122242.RAA09828@elvis.cmf.nrl.navy.mil>
Date: Tue, 12 Nov 1996 17:42:10 -0500
From: Ken Hornstein
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: popper can't handle V4 clients
X-Send-Pr-Version: 3.2

>Number: 181
>Category: krb5-appl
>Synopsis: popper doesn't know about V4 clients
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Tue Nov 12 17:43:00 EST 1996
>Last-Modified: Wed Apr 10 16:09:36 EDT 2002
>Originator: Ken Hornstein
>Organization: Naval Research Lab
>Release: beta-7
>Environment:
System: SunOS elvis 4.1.3_U1 13 sun4m
Architecture: sun4
>Description:
The V5 popper included with Kerberos V5 doesn't know how to deal with V4 POP clients. This is unfortunate, since there are many V4 POP clients that will be slow to be upgraded (like Eudora).
>How-To-Repeat:
Try to use Eudora on a Mac or PC with the V5 popper.
>Fix:
The following patch adds functionality to the V5 popper by using the krb5_compat_recvauth() function much the same way that kshd and klogind do. It does the right thing no matter if you use a V5 POP client or a V4 POP client. I'm not sure if the autoconf stuff is 100% right, but it works for me.

--- appl/popper/configure.in.orig Tue Nov 12 15:54:10 1996 +++ appl/popper/configure.in Tue Nov 12 17:16:48 1996 @@ -11,6 +11,8 @@ AC_HEADER_CHECK(paths.h,AC_DEFINE(HAS_PATHS_H)) USE_ANAME +USE_KRB4_LIBRARY +USE_KRB5UTIL_LIBRARY KRB5_LIBRARIES V5_USE_SHARED_LIB V5_AC_OUTPUT_MAKEFILE --- appl/popper/pop_init.c.orig Tue Nov 12 13:45:43 1996 +++ appl/popper/pop_init.c Tue Nov 12 17:14:57 1996 @@ -25,9 +25,12 @@ #include "krb5.h" #include "com_err.h" #include +#include krb5_principal ext_client; krb5_context pop_context; char *client_name; +#define KRB5_RECVAUTH_V4 4 /* V4 recvauth */ +#define KRB5_RECVAUTH_V5 5 /* V5 recvauth */ #endif /* KRB5 */ #endif /* KERBEROS */ 
@@ -291,6 +294,11 @@ krb5_error_code retval; krb5_principal server; krb5_ticket *ticket; + char v4_instance[INST_SZ]; /* V4 instance */ + char v4_version[9]; /* V4 version */ + char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* Version from sendauth */ + AUTH_DAT *v4_kdata; /* Authorization data */ + krb5_int32 auth_sys = 0; int sock = 0; krb5_init_context(&pop_context); 
@@ -306,28 +314,84 @@ exit(-1); } - if (retval = krb5_recvauth(pop_context, &auth_context, (krb5_pointer)&sock, - "KPOPV1.0", server, - 0, /* no flags */ - NULL, /* default keytab */ - &ticket /* need ticket for client name */ - )) { + /* + * Since the instance gets filled in, we need to have room for it + */ + + strcpy(v4_instance, "*"); + + /* + * Note that here we're using krb5_compat_recvauth so we can handle + * _both_ V5 and V4 pop services. + */ + + if (retval = krb5_compat_recvauth(pop_context, &auth_context, + (krb5_pointer)&sock, + "KPOPV1.0", server, + 0, /* no flags */ + NULL, /* default keytab */ + 0, /* V4 options */ + "pop", /* V4 service */ + v4_instance, /* V4 instance */ + addr, /* Remote address */ + NULL, /* Local address (unused) */ + "", /* Use default srvtab */ + &ticket, /* V5 ticket for client name */ + &auth_sys, /* Authentication type */ + &v4_kdata, /* V4 kerberos data */ + NULL, /* Key schedule (unused */ + &v4_version /* V4 version */ + )) { pop_msg(p, POP_FAILURE, "recvauth failed--%s", error_message(retval)); pop_log(p, POP_WARNING, "%s: recvauth failed--%s", p->client, error_message(retval)); exit(-1); } + krb5_free_principal(pop_context, server); - krb5_auth_con_free(pop_context, auth_context); - if (retval = krb5_copy_principal(pop_context, ticket->enc_part2->client, - &ext_client)) { - pop_msg(p, POP_FAILURE, "unable to copy principal--%s", - error_message(retval)); - pop_msg(p, POP_FAILURE, "unable to copy principal (%s)", + +#ifdef KRB5_KRB4_COMPAT + + /* + * Handle the case if we were talking to a V4 sendauth + */ + + if (auth_sys == KRB5_RECVAUTH_V4) { + + if (retval = krb5_425_conv_principal(pop_context, v4_kdata->pname, + v4_kdata->pinst, v4_kdata->prealm, + &ext_client)) { + pop_msg(p, POP_FAILURE, "unable to convert V4 principal to V5--%s", + error_message(retval)); + pop_log(p, POP_DEBUG, "unable to convert V4 principal (%s)", + inet_ntoa(addr->sin_addr)); + exit(-1); + } + } else +#endif /* KRB5_KRB4_COMPAT */ + if 
(auth_sys == KRB5_RECVAUTH_V5) { + + + krb5_auth_con_free(pop_context, auth_context); + + if (retval = krb5_copy_principal(pop_context, ticket->enc_part2->client, + &ext_client)) { + pop_msg(p, POP_FAILURE, "unable to copy principal--%s", + error_message(retval)); + pop_log(p, POP_DEBUG, "unable to copy principal (%s)", + inet_ntoa(addr->sin_addr)); + exit(-1); + } + + krb5_free_ticket(pop_context, ticket); + + } else { + pop_msg(p, POP_FAILURE, "unknown authentication type--%d", auth_sys); + pop_log(p, POP_DEBUG, "unknown authentication type (%s)", inet_ntoa(addr->sin_addr)); exit(-1); } - krb5_free_ticket(pop_context, ticket); + if (retval = krb5_unparse_name(pop_context, ext_client, &client_name)) { pop_msg(p, POP_FAILURE, "name not parsable--%s", error_message(retval)); 

>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Wed Apr 10 16:09:26 2002
State-Changed-Why: We don't ship a pop server anymore.
>Unformatted:
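
Review bot: In the appl/popper/configure.in hunk, USE_KRB4_LIBRARY and USE_KRB5UTIL_LIBRARY are added unconditionally, while pop_init.c treats V4 support as optional through #ifdef KRB5_KRB4_COMPAT. Decide which it is: either make the V4 library check depend on the same setting that defines KRB5_KRB4_COMPAT, or drop the #ifdef in pop_init.c, so that a build without V4 support is either fully supported or clearly not.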
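
Review bot: KRB5_RECVAUTH_V4 and KRB5_RECVAUTH_V5 are defined locally in the pop_init.c hunk at @@ -25,9 +25,12 @@, yet they are compared against the auth_sys value that krb5_compat_recvauth() writes. Take them from the header that declares krb5_compat_recvauth(), or at least wrap each in #ifndef, so popper's idea of 4 and 5 cannot drift from the library's and send a valid login into the "unknown authentication type" branch.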
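
Review bot: krb_vers[KRB_SENDAUTH_VLEN + 1], declared in the @@ -291,6 +294,11 @@ hunk, is never used in the visible changes, while the buffer actually handed to krb5_compat_recvauth() is v4_version[9] with a hard-coded size. Drop krb_vers and size v4_version as KRB_SENDAUTH_VLEN + 1 so the version buffer follows the V4 header's constant. These declarations also use V4 names (INST_SZ, AUTH_DAT) outside the #ifdef KRB5_KRB4_COMPAT that guards the V4 branch further down, so the guard should cover them consistently or be removed.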
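
Review bot: In the @@ -306,28 +314,84 @@ hunk, krb5_auth_con_free() has moved into the V5 branch only and the V4 branch releases neither auth_context nor v4_kdata; if krb5_compat_recvauth() allocates either on the V4 path, free it there after krb5_425_conv_principal(). Pass v4_version rather than &v4_version, since the latter has type char (*)[9] and not char *. Because ext_client can now come from either protocol, log auth_sys alongside the client name on success so V4 logins are distinguishable from V5 ones when reviewing logs. The comment "Key schedule (unused" is missing its closing parenthesis.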