Bug 324 - privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All All
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2002-06-30 09:17 AEST by Jan Iven
Modified: 2004-04-14 12:24 AEST

Attachments
KRB4/KRB5/AFS with privsep (17.41 KB, patch)
2002-06-30 09:19 AEST, Jan Iven
KRB4/5 auth with privsep (11.86 KB, patch)
2002-07-03 19:56 AEST, Jan Iven
(fixing a "xfree" of an uninitialized buffer, in case KRB4 auth fails) (11.96 KB, patch)
2002-07-09 18:23 AEST, Jan Iven

Description Jan Iven 2002-06-30 09:17:43 AEST
Since all of KRB4/KRB5 authentication (in protocol 1), TGT and AFS token
forwarding are privileged operations, all fail with privsep.

The attached patch seems to fix this at least for KRB4 auth, KRB4 TGTs and AFS
tokens (cannot try KRB5 here).
Please review and consider for future inclusion.

Thanks,
Jan
Comment 1 Jan Iven 2002-06-30 09:19:56 AEST
Created attachment 125
KRB4/KRB5/AFS with privsep
Comment 2 Jan Iven 2002-07-03 19:56:04 AEST
Created attachment 128
KRB4/5 auth with privsep
Comment 3 Jan Iven 2002-07-03 19:57:56 AEST
(neither TGT forwarding nor AFS tokens needs privsep), reduced to just KRB4/5
auth. I suspect that KerberosPassword will be slightly broken since the ticket
file name does not go back to the session environment. To be confirmed, I am
using PAM now.
Comment 4 Jan Iven 2002-07-09 18:23:48 AEST
Created attachment 130
(fixing a "xfree" of an uninitialized buffer, in case KRB4 auth fails)
Comment 5 Darren Tucker 2003-08-26 17:47:57 AEST
KRB4 and AFS support has been dropped, and the KRB5 support has been overhauled.

Should this bug be closed?
Comment 6 Jan Iven 2003-08-26 18:07:04 AEST
Yes, this appears to be fixed (at least for Kerberos5). Since you have dropped
support for Kerberos4/AFS, I guess we will have to maintain the rest of it
ourselves, so it is no longer relevant to bugzilla.

Still, nice to see the GSSAPI stuff going in.
Comment 7 Damien Miller 2003-08-26 18:10:41 AEST
Yes, if I have time I will prepare a Krb4 patch around the time of the release.
An interested party is welcome to maintain this as a 3rd party patch.
Comment 8 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED