
Debian /bin/login and heimdal kerberos



Hello,

(Sorry about the cross post - however I believe my post to be relevant
to all the addresses mentioned above... Please prune To: field
as appropriate.)

Anyway, lately I have been playing around with Heimdal (free Kerberos
implementation without USA export restrictions). I have found, though,
certain problems in the Heimdal login program. The most serious of these is
that it doesn't support shadow passwords.

So I have copied the Kerberos code from the Heimdal login program and
added it to the Debian login program. Doing it this way seemed to be
easiest. What's more... it appears to work!!!

Some comments:

- The Debian login program didn't support the parameter format used
for heimdal telnet, eg it expected "login -f usercode" but was given
"login -f -- usercode" instead. I have hacked a solution (which should
be checked by somebody who knows the code better than me), but have probably
broken anything that does it the old way.

- mgetty logins don't work, possibly because I pass login an extra
parameter "TERM=vt100". Maybe I have broken something in the above
change? If anyone can help me fix the command line processing problem,
it would be appreciated.

- the Debian login program sets all expected environment variables, eg
TERM and SHELL. These are not set in the current release of heimdal
(0.1g).

- the Debian login program checks for mail on login. Heimdal login
doesn't (at least on my system with mail in $HOME/Mailbox and
$HOME/Maildir).

- my changes fork a new child process and wait for that child to die (I
think this is similar to MIT Kerberos). When the child dies, the ticket
file is deleted. I am not absolutely sure how reliable it is - in one
of my tests the ticket file wasn't deleted, but I haven't been able
to reproduce this. I am not sure if I delete it the best way either -
currently I just use 'unlink'. I have renamed the KRB5 ticket file to the
nonstandard /tmp/krb5cc_<uid>_<pid> for this to work (otherwise, when
you logged out from one session, it would kill the ticket used by other
login sessions).

- I have left the *old* Kerberos code in libmisc/login_krb.c,
it is unused, and probably could be deleted.

- configure.in code still needs to be modified to supply constants KRB4
(not tested) or KRB5, the appropriate include dirs and libraries.

- hopefully contains no security bugs. ;-)

- hopefully contains no bugs at all. ;-)

- no support for OTP, but I don't know of any kerberos 5 implementation
that supports it yet anyway (I could be wrong).

- I am not sure how specific my changes are to Debian - you would
have to investigate the source diff file to see what changes the
Debian maintainer has made.

If anyone wants a diff file with my changes to the Debian login.c and/or
the complete login.c file, please contact me.

-- 
Brian May <bam@snoopy.apana.org.au>

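The fork-and-wait cleanup of a per-session /tmp/krb5cc_<uid>_<pid> file described in the post, as an added C example that is not part of the original message or of the Debian or Heimdal sources. `run_session` and `demo_session` are hypothetical names, the child runs a constructed check instead of a shell, the cache file is created empty, and the exclusive 0600 create and the EINTR retry are additions beyond what the post describes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the user's shell: returns 0 only if the cache
 * file exists and is closed to group and others. */
static int demo_session(const char *ccpath)
{
    struct stat st;
    if (stat(ccpath, &st) != 0) return 1;
    return (st.st_mode & 077) ? 2 : 0;
}

/* Hypothetical helper: create dir/krb5cc_<uid>_<pid>, run session() in a
 * child, wait for the child to exit, then unlink the cache.
 * Returns the child's exit status, or -1 on any error. */
int run_session(const char *dir, int (*session)(const char *),
                char *path, size_t len)
{
    int n = snprintf(path, len, "%s/krb5cc_%lu_%ld", dir,
                     (unsigned long)getuid(), (long)getpid());
    if (n < 0 || (size_t)n >= len) return -1;
    /* O_CREAT|O_EXCL fails if anything, including a symlink, already sits
     * at this predictable name, so a planted file is never reused. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);                    /* a real login would store the ticket here */
    int status = 0, reaped = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(session(path));  /* a real login would exec the shell */
    if (pid > 0) {
        pid_t r;
        /* Retry on EINTR so a signal cannot cut the wait short. */
        while ((r = waitpid(pid, &status, 0)) < 0 && errno == EINTR)
            ;
        reaped = (r == pid);
    }
    unlink(path);                 /* session over or fork failed: drop cache */
    return (reaped && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[256];
    int rc = run_session("/tmp", demo_session, path, sizeof path);
    printf("exit=%d cache=%s\n", rc, path);
    return rc == 0 ? 0 : 1;
}
```

Because the name embeds the login process's pid, ending one session removes only that session's cache and leaves the caches of other logins by the same uid alone.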