<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>118508</bug_id>
          
          <creation_ts>2006-01-10 02:32 0000</creation_ts>
          <short_desc>app-crypt/heimdal-0.7.1-r1 does not set path to login(1) properly</short_desc>
          <delta_ts>2006-05-22 08:08:43 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Server</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>mmokrejs@ribosome.natur.cuni.cz</reporter>
          <assigned_to>kerberos@gentoo.org</assigned_to>
          

      

      
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-01-10 02:32:12 0000</bug_when>
            <thetext>It turned out that ktelnetd cannot find the path to the /usr/bin/login program when I execute &quot;ktelnetd -a none&quot; through xinetd. Probably you only test ktelnetd with encryption enabled, but for fail-over purposes I need the old, non-encrypted approach. Anyway, what I propose is that you use the configure flag to set the full path to the login program at compile time (&quot;/bin/login&quot;).</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-03-09 10:39:30 0000</bug_when>
            <thetext>To show what I meant with this, try:

# kadmin
kadmin&gt; add --random-key host/my.machine.foo.bar
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin&gt;

[create similarly random keys for services telnet and ftp, the principals are ftp/my.machine@FOO.BAR and telnet/my.machine@FOO.BAR. See http://www.pdc.kth.se/heimdal/heimdal.html#keytabs for more docs. Continue then with extraction of the host key from KDC server (created above) on your local machine]

kadmin&gt; ext host/my.machine.foo.bar
kadmin&gt; quit

# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              afs/my.machine.foo.bar@FOO.BAR
  1  des-cbc-md5              host/my.machine.foo.bar@FOO.BAR
  1  des-cbc-md4              host/my.machine.foo.bar@FOO.BAR
  1  des-cbc-crc              host/my.machine.foo.bar@FOO.BAR
  1  aes256-cts-hmac-sha1-96  host/my.machine.foo.bar@FOO.BAR
  1  arcfour-hmac-md5         host/my.machine.foo.bar@FOO.BAR
  1  des3-cbc-sha1            host/my.machine.foo.bar@FOO.BAR
#
# /usr/sbin/ktelnetd -a none -debug
ktelnetd: socket af = 10: Address family not supported by protocol
[this will show on current terminal the log output]

# ktelnet my.machine.foo.bar -l me
Encryption is verbose
Trying xxx.xxx.xxx.xxx...
Connected to my.machine.foo.bar.
Escape character is &apos;^]&apos;.
Waiting for encryption to be negotiated...
[ Trying mutual KERBEROS5 (host/my.machine.foo.bar@FOO.BAR)... ]
[ Kerberos V5 accepts you as ``me/admin@FOO.BAR&apos;&apos; ]
[ Kerberos V5 accepted forwarded credentials ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
Encryption negotiated.

This is \n.\O (\s \m \r) \t

telnetd: /usr/bin/login: No such file or directory.
Connection closed by foreign host.
#


The fix is just a simple configure flag to be added to .ebuild!</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-03-09 14:54:12 0000</bug_when>
            <thetext>Sorry, I forgot the --with-login flag to configure is available only in case of openssh. Configure distributed with heimdal doesn&apos;t have it. It would work out of the box with the login binary available from heimdal itself, but you install it as /usr/bin/klogin. Let me emphasize that on platforms (other than Linux) where, for example, the heimdal-x.x.x./appl/login/login.c did not support the native authentication mechanism well, telnetd/ftpd/rshd call the system-wide &quot;/usr/bin/login -f&quot; to finish the login procedure; that means the login binary available with heimdal is not strictly necessary. I think that, as PAM support is available on Linux, the login from heimdal is functionally the same as login in the Gentoo base system.

In my example in original comment #1 I should have said one can work around by doing:
/usr/sbin/ktelnetd -a none -debug -L /usr/bin/klogin
or
/usr/sbin/ktelnetd -a none -debug -L /bin/login

</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>exg@gentoo.org</who>
            <bug_when>2006-05-03 04:30:42 0000</bug_when>
            <thetext>*** Bug 125443 has been marked as a duplicate of this bug. ***</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>exg@gentoo.org</who>
            <bug_when>2006-05-03 05:28:18 0000</bug_when>
            <thetext>Created an attachment (id=86069)
014_all_heimdal-path.patch

I would prefer it to be self-contained. Does this patch fix all the issues?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-05-03 17:25:55 0000</bug_when>
            <thetext>A quick inspection tells me one more is missing:

# strings /usr/bin/klogin | grep bin
/usr/bin:/bin
/bin/sh
/usr/bin/passwd
fork /bin/passwd
# ls -la /usr/bin/passwd
lrwxrwxrwx 1 root root 11 Mar 23 11:51 /usr/bin/passwd -&gt; /bin/passwd
# 

It should point to kpasswd.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-05-03 19:32:35 0000</bug_when>
            <thetext>The ktelnetd issue is fixed by the patch 014_all_heimdal-path.patch, also the krsh issue is fixed. The client rsh manpages are installed in any case now, but rhsd.8 is not. Generally, the selective installation of manpages makes me suspect not all manpages are installed on Gentoo. :(

Please fix the klogin sources as well so it executes kpasswd from proper location (comment #5).

Thanks.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-05-04 05:22:16 0000</bug_when>
            <thetext>heimdal developers answered my email, so here we go:

&gt; Hi,
&gt;  I had some fun on Gentoo linux with Heimdal packages and after a while I
&gt; have finally figured out that the hard-compiled-in path to login(1) is wrong.
&gt; Is there any way to tell configure which path to use?
&gt; http://bugs.gentoo.org/show_bug.cgi?id=118508


Johan, how to solve this?

&gt; I think Gentoo developers should be instructed how to tell configure that
&gt; rcp/rsh will be installed under different names (krcp, krsh), etc. It sucks
&gt; they always rename and relocate things.
&gt; http://bugs.gentoo.org/show_bug.cgi?id=125443
&gt;

--program-transform-name=&quot;s/^rsh$/krsh/;s/^rshd$/krshd/&quot; as argument to configure.

Love </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>exg@gentoo.org</who>
            <bug_when>2006-05-04 21:55:02 0000</bug_when>
            <thetext>Created an attachment (id=86183)
014_all_heimdal-path.patch

Next time Cc us instead please. What is the problem in renaming the binaries, and what are we relocating? The only real issue is the hardcoding of path/name for the exec calls in the clients. Patch updated to fix also login.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-05-05 01:56:10 0000</bug_when>
            <thetext>With relocation I meant installing into other PATHs than default. Especially in case of Kerberos and its apps which look for hardcoded paths, where their configure tries to guess that kth-krb is in /usr/athena, heimdal in /usr/heimdal and mit-krb5 in /usr and is often fooled if they are not. But I pointed this out many times, and the current buglist shows that filenames have collisions, that kth-krb and heimdal still cannot be installed together on Gentoo ... you have no resources and users have to test and report ... and there&apos;re just a few.


I think the patch is correct; the passwd stuff I cannot test now as I don&apos;t use password expirations, which would force me to change my pass on next successful login.

Probably the part

@@ -38,7 +38,7 @@
 #ifdef HAVE_SHADOW_H
 
 #ifndef _PATH_CHPASS
-#define _PATH_CHPASS &quot;/usr/bin/passwd&quot;
+#define _PATH_CHPASS &quot;/usr/bin/kpasswd&quot;
 #endif
 
 static int
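
Review bot: The new &quot;/usr/bin/kpasswd&quot; value sits inside the existing #ifndef _PATH_CHPASS guard, so it only takes effect when no earlier header has already defined _PATH_CHPASS; on a system where one does, klogin would keep executing whatever that header names and this change would be silently ignored. If the intent is that klogin always runs kpasswd, put an #undef _PATH_CHPASS before the define instead of relying on the guard. The absolute /usr/bin prefix also ties the binary to one install location, so a build with a different bindir would exec a path that does not exist.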


would be replaced for consistency and just for future $bindir manipulations by
 configure with:


@@ -38,7 +38,7 @@
 #ifdef HAVE_SHADOW_H
 
 #ifndef _PATH_CHPASS
-#define _PATH_CHPASS BINDIR &quot;/passwd&quot;
+#define _PATH_CHPASS BINDIR &quot;/kpasswd&quot;
 #endif
 
 static int
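
Review bot: The removed line here, #define _PATH_CHPASS BINDIR &quot;/passwd&quot;, does not match the line the previous hunk shows at the same @@ -38,7 position, which is #define _PATH_CHPASS &quot;/usr/bin/passwd&quot;, so this hunk would not apply to that source. Keep the original &quot;/usr/bin/passwd&quot; text on the - line and change only the + line to BINDIR &quot;/kpasswd&quot;. Also confirm that BINDIR is defined when this file is compiled, since nothing in the visible context shows where it comes from.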

Additional answer from Love Astrand Hornquist:

&gt;&gt; --program-transform-name=&quot;s/^rsh$/krsh/;s/^rshd$/krshd/&quot; as  argument  to
&gt;&gt; configure.
&gt;
&gt;
&gt; Is this really equivalent to the patch attached to the bug?
&gt;
&gt; http://bugs.gentoo.org/show_bug.cgi?id=118508


No, but it should be, I&apos;ll have a look if it&apos;s possible.
rsh/rcp are one of those interesting programs that keep running each other.

Love </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mmokrejs@ribosome.natur.cuni.cz</who>
            <bug_when>2006-05-16 11:50:07 0000</bug_when>
            <thetext>I haven&apos;t heard anything back from heimdal developers yet, so please commit the patch after taking in the changes proposed in comment #9 in the meantime; but probably keep the issue open unless we hear from upstream. Thanks.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>seemant@gentoo.org</who>
            <bug_when>2006-05-22 08:08:43 0000</bug_when>
            <thetext>fixed in 0.7.2-r2</thetext>
          </long_desc>
      
          <attachment
              isobsolete="1"
              ispatch="1"
              isprivate="0"
          >
            <attachid>86069</attachid>
            <date>2006-05-03 05:28 0000</date>
            <desc>014_all_heimdal-path.patch</desc>
            <filename>014_all_heimdal-path.patch</filename>
            <type>text/plain</type>
            <data encoding="base64"></data>

          </attachment>
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>86183</attachid>
            <date>2006-05-04 21:55 0000</date>
            <desc>014_all_heimdal-path.patch</desc>
            <filename>014_all_heimdal-path.patch</filename>
            <type>text/plain</type>
            <data encoding="base64"></data>

          </attachment>
    </bug>

</bugzilla>