
Re: 0.6.4 krb4 / kaserver redux




"Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu> writes:

> So, turns out that the 0.6.4 KDC's kaserver emulation has the same bug
> as the krb4 emulation with respect to looking things up in the database.
> (I discovered this when I brought up the new code on one of our
> advertised KDCs, and it promptly failed as my boss's boss tried to "klog
> admin".  We've been running krb5 for 5 years now, but I think it's going
> to be a while before we can retire klog and company....)
>
> Attached are my current patches to the codebase:
> - fix krb4 and kaserver principal lookups

This is fixed in the 0.6-branch snapshots.

> - add automatic reauthentication to kinit
>   * unlike John Bucy's original patch for 0.6.3, this one saves the
>     password in a pipe so it's only in process memory while it's being
>     used
>   * probably a future version should get a max-renewable-life ticket
>     and renew it periodically, instead of this hack

This functionality is already in the 0.7 snapshot, please test it and see that
it does what you want.

> - su now gets (well, 524s) a krb4 ticket as well as the krb5 ticket and
>   token
>   * ideally this patch will become obsolete here when I put this stuff
>     into wide distribution, but during testing I prefer not to need to
>     kinit after su in order to connect to older systems

I'm considering including this. But can't those site admins that really
have to deal with Kerberos 4 just type "kinit -9"?

Love
