From schemers@slapshot.stanford.edu Wed Jan 15 19:14:32 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA20935 for <bugs@RT-11.MIT.EDU>; Wed, 15 Jan 1997 19:14:31 -0500
Received: from slapshot.Stanford.EDU by MIT.EDU with SMTP
id AA02783; Wed, 15 Jan 97 19:14:30 EST
Received: (from schemers@localhost) by slapshot.stanford.edu (8.8.4/8.7.3) id QAA02372; Wed, 15 Jan 1997 16:14:00 -0800 (PST)
Message-Id: <199701160014.QAA02372@slapshot.stanford.edu>
Date: Wed, 15 Jan 1997 16:14:00 -0800 (PST)
From: schemers@stanford.edu
To: krb5-bugs@MIT.EDU
Cc: schemers@slapshot.stanford.edu
In-Reply-To: <199701152255.OAA13656@slapshot.stanford.edu>
Subject: Re: bug in telnet client?
References: <199701152222.OAA13631@slapshot.stanford.edu>
<199701152255.OAA13656@slapshot.stanford.edu>

>Number: 344
>Category: pending
>Synopsis: Re: bug in telnet client?
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 15 19:15:01 EST 1997
>Last-Modified: Wed Feb 12 21:14:53 EST 1997
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

From: schemers@stanford.edu
To: deengert@anl.gov, krb5-bugs@MIT.EDU
Cc: schemers@stanford.edu
Subject: Re: pending/344: Re: bug in telnet client?
Date: Wed, 15 Jan 1997 17:01:12 -0800 (PST)

Thanks. I applied the patch and it works. I checked for the bug in:

http://web.mit.edu/kerberos/www/krb5-1.0/known-bugs.html

But didn't see it. Is there another URL with a more up to date list of bugs?

roland

Doug Engert writes:
> schemers@stanford.edu wrote:
> >
> >
> > Since authentication correctly uses the value telnet_krb5_realm to connect
> > to the server I would assume that krb5_fwd_tgt_creds should be using
> > the same realm.
> >
> > thanks, roland
>
> Roland,
>
> Do you have the fix to fwd_tgt.c which has been reported at least
> twice? This
> sounds a lot like that.
>
> *** ,fwd_tgt.c Sun Apr 28 09:22:54
> 1996
> --- fwd_tgt.c Tue Dec 17 09:58:03
> 1996
> ***************
> *** 77,84
> ****
> goto
> errout;
>
> if ((retval = krb5_build_principal_ext(context,
> &creds.server,
> !
> server->realm.length,
> !
> server->realm.data,
>
> KRB5_TGS_NAME_SIZE,
>
> KRB5_TGS_NAME,
>
> client->realm.length,
> --- 77,84
> ----
> goto
> errout;
>
> if ((retval = krb5_build_principal_ext(context,
> &creds.server,
> !
> client->realm.length,
> !
> client->realm.data,
>
> KRB5_TGS_NAME_SIZE,
>
> KRB5_TGS_NAME,
>
> client->realm.length,
>
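Review bot: the two changed "!" lines in the krb5_build_principal_ext call swap server->realm for client->realm with no comment saying why, and the message above says this fix has been reported at least twice. A short comment above the call, stating that creds.server names the ticket-granting principal of the client's own realm and that the server's realm must not be used here, would keep the arguments from being changed back. The hunk as mailed is also line-wrapped (the "!" markers and each argument sit on separate lines, and the timestamps in the file headers are split), so it will not apply as is; resending it as an attachment would avoid that.
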
> The idea is to forward a version of your original TGT.
> Note that it should not make any difference what the server is,
> it is the client's.
>
>
> --
>
>
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Wed Feb 12 21:14:34 1997
State-Changed-Why:

This has been dealt with in a separate PR (krb5-libs/206).

>Unformatted:
Me again. Let me refresh your memory... I have two K5/DCE realms
(stanford.edu, and test.stanford.edu), and Stanford has a flat domain
name space (everything is FOO.Stanford.EDU), thus the host
dcecrash1.stanford.edu might be in the test.stanford.edu realm, and
slapshot.stanford.edu might be in the stanford.edu realm. When I
want to telnet (and forward my test.stanford.edu credentials) from
slapshot to dcecrash1, and I specify a realm on the command line:

telnet ... -k test.stanford.edu dcecrash1

The telnet works ok (i.e., authentication works), but credential
forwarding doesn't, because the kerberos5_forward function
(in appl/telnet/libtelnet) calls krb5_sname_to_principal on
the server's hostname:

    if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
                                     KRB5_NT_SRV_HST, &server))) {
        if (auth_debug_mode)
            printf("Kerberos V5: could not make server principal - %s\r\n",
                   error_message(r));
        goto cleanup;
    }

Thus, the "server" variable ends up with the realm "stanford.edu" (which it
should, according to the rules in krb5.conf). This causes the
krb5_fwd_tgt_creds call to fail:


    if ((r = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
                                server, ccache,
                                forward_flags & OPTS_FORWARDABLE_CREDS,
                                &forw_creds))) {
        if (auth_debug_mode)
            printf("Kerberos V5: error getting forwarded creds - %s\r\n",
                   error_message(r));
        goto cleanup;
    }

My question is, should the realm of the server principal be explicitly
set to telnet_krb5_realm (the value of the "-k" option) if it is
set? i.e., set the realm of the server principal to telnet_krb5_realm
after the call to krb5_sname_to_principal.

Since authentication correctly uses the value telnet_krb5_realm to connect
to the server I would assume that krb5_fwd_tgt_creds should be using
the same realm.

thanks, roland
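
The realm mismatch described in this report, as an added stand-alone model (not code from the thread or from MIT krb5): it resolves the server host's realm from a flat-namespace mapping, then builds the ticket-granting principal name with the realm taken from the server (pre-patch) and from the client (patched). The names host_realm, tgs_name and is_client_tgt and the mapping table are hypothetical, and the lookup is a simplification of the krb5.conf rules.

```c
#include <stdio.h>
#include <string.h>

/* Constructed [domain_realm]-style table for a flat namespace (assumption). */
struct map { const char *key, *realm; };
static const struct map domain_realm[] = { { ".stanford.edu", "stanford.edu" } };

/* Simplified model of host-to-realm mapping: exact host entry first,
 * then each parent domain written with a leading dot. */
const char *host_realm(const char *host)
{
    if (host == NULL || *host == '\0')
        return NULL;
    for (const char *p = host; p != NULL; p = strchr(p + 1, '.'))
        for (size_t i = 0; i < sizeof domain_realm / sizeof domain_realm[0]; i++)
            if (strcmp(p, domain_realm[i].key) == 0)
                return domain_realm[i].realm;
    return NULL;
}

/* Same argument order as the krb5_build_principal_ext call in the quoted
 * hunk: realm first, then the components "krbtgt" and the client realm. */
int tgs_name(char *out, size_t len, const char *realm, const char *client_realm)
{
    int n = snprintf(out, len, "krbtgt/%s@%s", client_realm, realm);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* The TGT being forwarded is the client realm's own: krbtgt/R@R. */
int is_client_tgt(const char *name, const char *client_realm)
{
    char want[256];
    return tgs_name(want, sizeof want, client_realm, client_realm) == 0
        && strcmp(name, want) == 0;
}

int main(void)
{
    const char *client = "test.stanford.edu";              /* value of -k */
    const char *server = host_realm("dcecrash1.stanford.edu");
    char before[256], after[256];
    if (server == NULL || tgs_name(before, sizeof before, server, client) != 0
        || tgs_name(after, sizeof after, client, client) != 0)
        return 1;
    printf("server realm:  %s\n", server);
    printf("server->realm: %s %s\n", before, is_client_tgt(before, client) ? "ok" : "MISMATCH");
    printf("client->realm: %s %s\n", after, is_client_tgt(after, client) ? "ok" : "MISMATCH");
    return 0;
}
```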