Subject: Re: SURVEY: Removal of Kerberos 4 from base
To: Love Hörnquist Åstrand <lha@NetBSD.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-security
Date: 04/15/2005 09:34:38
  I've asked core for permission to remove Kerberos 4 support from current,
  and thus the next upcoming netbsd major release after 3.0.  I was asked to
  query our users if there were still users of the Kerberos 4 code who felt
  that running Kerberos 4 from pkgsrc wasn't good enough.  I promised to glue
  in code in the KDC so it would still service requests to Kerberos 4
  clients.

I'm not sure I understand exactly what you are proposing to do.  In my
case, I use krb4 with amanda (also firewalled, since I know that's
dicey).  It sounds like the *'d libraries below will be removed:

/usr/bin/login:
        -lutil.7 => /usr/lib/libutil.so.7
        -lcrypt.0 => /usr/lib/libcrypt.so.0
        -lcrypto.2 => /usr/lib/libcrypto.so.2
        -lasn1.6 => /usr/lib/libasn1.so.6
        -lcom_err.4 => /usr/lib/libcom_err.so.4
        -lroken.12 => /usr/lib/libroken.so.12
        -lkrb5.19 => /usr/lib/libkrb5.so.19
*       -ldes.7 => /usr/lib/libdes.so.7
*       -lkrb.6 => /usr/lib/libkrb.so.6
        -lskey.1 => /usr/lib/libskey.so.1
        -lc.12 => /usr/lib/libc.so.12

resulting in native tools not supporting incoming or outgoing k4.

Amanda+krb4 needs the above *'d libs, and presumably one would be able
to install security/kth-krb4 and just configure with {-I,-LR}
/usr/pkg/{include,lib}.  Similarly for zephyr, which seems to be the
only other thing anyone uses that is krb4 still.

Then, it sounds like the libraries will not be installed or used by
normal base system programs, but the in-tree V5 KDC (/usr/sbin/kdc)
would still be able to run and answer v4 AS-REQ and TGS-REQ queries.
I don't follow whether krb524 will still work, but I personally don't
care since that isn't needed for amanda.

So if that's what you mean, that sounds ok.

Not really related, I had trouble with /usr/sbin/kdc not working for
v4, with some sort of infinite loop, and have the following local
change lying around.  I know it's a hack, but I couldn't figure out
what was wrong with des_new_random_key.

Index: src/crypto/dist/heimdal/kdc/kerberos4.c
===================================================================
RCS file: /SINEW-CVS/netbsd/src/crypto/dist/heimdal/kdc/kerberos4.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kerberos4.c
--- kerberos4.c	2 Apr 2004 14:59:47 -0000	1.1.1.3
+++ kerberos4.c	15 Apr 2005 13:25:48 -0000
@@ -258,7 +258,11 @@
 	    KTEXT r;
 	    des_cblock session;
 
+#if 0
 	    des_new_random_key(&session);
+#else
+	    krb5_generate_random_block(&session, sizeof(session));	
+#endif
 
 	    krb_create_ticket(&ticket, 0, name, inst, v4_realm,
 			      addr->sin_addr.s_addr, session, life, kdc_time, 
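Review bot: the replacement line `+ krb5_generate_random_block(&session, sizeof(session));` drops the DES key hygiene that `des_new_random_key` provided: it fills `session` with raw random bytes, so the v4 session key has no odd-parity bits set and is never checked against the DES weak-key list. Consider following it with `des_set_odd_parity(&session);` (and retrying while `des_is_weak_key(&session)`) so clients receive a well-formed DES key, and replace the `#if 0`/`#else`/`#endif` wrapper with a one-line comment stating why `des_new_random_key` is bypassed, since the disabled call is dead code; the `+` line also carries a trailing tab.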
@@ -446,8 +450,12 @@
 	    KTEXT_ST cipher, ticket;
 	    KTEXT r;
 	    des_cblock session;
-	    des_new_random_key(&session);
 
+#if 0
+	    des_new_random_key(&session);
+#else
+	    krb5_generate_random_block(&session, sizeof(session));	
+#endif
 	    krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
 			      addr->sin_addr.s_addr, &session, life, 
 			      issue_time,
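Review bot: the `-` line removing `des_new_random_key(&session);` and the `+#if 0` block re-adding it only relocate the old call into dead code, and the result is shaped differently from the first hunk (which keeps the original line as context); both sites should be changed the same way, a single replacement line plus a comment, so whoever later fixes `des_new_random_key` has one pattern to revert. The same caveat as the AS-REQ path applies here: `krb5_generate_random_block` yields raw bytes, so add `des_set_odd_parity(&session);` after it to produce a proper DES key, and strip the trailing tab from that `+` line.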

-- 
        Greg Troxel <gdt@ir.bbn.com>