Subject: Re: BSD auth for NetBSD
To: None <tech-security@NetBSD.ORG> (NetBSD Security Technical Discussion)
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 09/14/2003 22:24:49
On 1063578705 seconds since the Beginning of the UNIX epoch
"Greg A. Woods" wrote:
>

>Well, reading the right code might reveal to you that you've made a very
>naive choice of trusting whomever built your binaries.
>
>The point is that native support for kerberos (and s/key) will continue
>to be found in major applications regardless of what NetBSD does, just
>as it _is_ there today despite your attempt to claim otherwise.

None of the programs that you pointed to actually contain working
Kerberos 5 password validation code.  And some of them didn't even
contain Kerberos 4 password validation code.

I've actually read the code and tried to get it to work, and didn't
just do what you apparently did which was:

	$ cd /usr/xsrc/xfree86/xc/programs/xdm
	$ find . -name \*.c | xargs grep krb5 && echo "xdm supports krb5"

>So?  Are you not capable of fixing it?  All the pointers and hooks are
>there and it's just a matter of updating the code to meet the API
>offered by the in-tree implementation.  As you've hopefully already seen
>there is a canonical example of how it should work in usr.bin/login.

Yes, and I did.  I put a pointer to my work in the e-mail to which
you replied.  By the time that I was done, I had pretty much thrown
away the code that they provided, because it was too old, and too
tangled in with other functionality which hasn't worked in a decade,
to fix.

I didn't check it in because fixing it that way is suboptimal.
The right way to fix it is to provide a PAM client side API as part
of the base OS.

>> The xdm/greeter/verify.c in our source tree does not support Kerberos 5,
>> only Kerberos 4.  So that leaves it supporting only half of the auth
>> methods that login(1) supports.
>
>Well, fix it then!  You said xdm didn't have "kerberos" support.  I
>showed that it does.  You say well, it's not "Kerberos 5".  I say you're
>whining about nothing.  Xdm can, and should, be fixed to have native
>krb5 support regardless of what NetBSD does in the "auth wars".  Free
>code doesn't grow on trees though and so if you're a krb5 user capable
>of fixing xdm then you should get right to it!

I'll thank you to not volunteer my time for pointless tasks whose
sole purpose is to satisfy Greg Woods' anti-PAM jihad.  If there
was actually any level of need for xdm having native krb5 support
then I'd imagine that some time in the last decade it would have
grown it.  There is no need because xdm supports PAM and BSD Auth.

I'm sorry, I don't think that I can continue this conversation
without it becoming a flame war so I'm bowing out.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/