Hello,

(Sorry about the cross post - however I believe my post to be relevant to all the addresses mentioned above... Please prune the To: field as appropriate.)

Anyway, lately I have been playing around with Heimdal (a free Kerberos implementation without USA export restrictions). I have, though, found certain problems in the Heimdal login program. The most serious of these is that it doesn't support shadow passwords.

So I have copied the Kerberos code from the Heimdal login program and added it to the Debian login program. Doing it this way seemed to be easiest. What's more... it appears to work!!!

Some comments:

- The Debian login program didn't support the parameter format used for Heimdal telnet, eg it expected "login -f usercode" but was given "login -f -- usercode" instead. I have hacked a solution (which should be checked by somebody who knows the code better than me), but probably broken anything that does it the old way.

- mgetty logins don't work, possibly because I pass login an extra parameter "TERM=vt100". Maybe I have broken something in the above change? If anyone can help me fix the command line processing problem, it would be appreciated.

- the Debian login program sets all expected environment variables, eg TERM and SHELL. These are not set in the current release of Heimdal (0.1g).

- the Debian login program checks for mail on login. Heimdal login doesn't (at least on my system with mail in $HOME/Mailbox and $HOME/Maildir).

- my changes fork a new child process and wait for that child to die (I think this is similar to MIT Kerberos). When the child dies, the ticket file is deleted. I am not absolutely sure how reliable it is - in one of my tests the ticket file wasn't deleted, but I haven't been able to reproduce this. I am not sure if I delete it the best way either - currently I just use 'unlink'. I have renamed the KRB5 ticket file to the nonstandard /tmp/krb5cc_<uid>_<pid> for this to work (otherwise, when you logged out from one session, it would kill the ticket used by other login sessions).

- I have left the *old* Kerberos code in libmisc/login_krb.c; it is unused, and probably could be deleted.

- configure.in code still needs to be modified to supply constants KRB4 (not tested) or KRB5, the appropriate include dirs and libraries.

- hopefully contains no security bugs. ;-)

- hopefully contains no bugs at all. ;-)

- no support for OTP, but I don't know of any Kerberos 5 implementation that supports it yet anyway (I could be wrong).

- I am not sure how specific my changes are to Debian - you would have to investigate the source diff file to see what changes the Debian maintainer has made.

If anyone wants a diff file with my changes to the Debian login.c and/or the complete login.c file, please contact me.

--
Brian May <bam@snoopy.apana.org.au>
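The fork, wait and unlink cleanup with the per-session /tmp/krb5cc_<uid>_<pid> name described in the post, as an added C example (not the poster's patch and not Debian or Heimdal code). `run_session` and `demo_session` are hypothetical names, and the exclusive create and the EINTR retry are assumptions of this example rather than details from the post.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-session cache name from the post: /tmp/krb5cc_<uid>_<pid>. */
static int ccache_path(char *buf, size_t len, uid_t uid, pid_t pid) {
    int n = snprintf(buf, len, "/tmp/krb5cc_%lu_%ld", (unsigned long)uid, (long)pid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Hypothetical helper: returns the child's exit code, or -1 on any error. */
static int run_session(int (*session)(const char *), char *path, size_t len) {
    if (ccache_path(path, len, getuid(), getpid()) != 0) return -1;
    /* Predictable name: O_EXCL refuses any existing entry, symlinks included. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    pid_t child = fork();
    if (child < 0) { unlink(path); return -1; }
    if (child == 0) {
        char env[300];
        snprintf(env, sizeof env, "FILE:%s", path);
        setenv("KRB5CCNAME", env, 1);   /* Kerberos libraries read this */
        _exit(session(path));
    }
    int status = 0; pid_t r;
    /* waitpid() may return early with EINTR; retry until the child has exited. */
    do { r = waitpid(child, &status, 0); } while (r < 0 && errno == EINTR);
    int rc = unlink(path);              /* removes this session's cache only */
    if (r < 0 || rc != 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Constructed stand-in for the login shell: checks the cache is private. */
static int demo_session(const char *ccache) {
    struct stat st;
    if (stat(ccache, &st) != 0) return 2;
    return (st.st_mode & 0777) == 0600 ? 0 : 3;
}
int main(void) {
    char path[256];
    int rc = run_session(demo_session, path, sizeof path);
    printf("exit=%d cache %s\n", rc, access(path, F_OK) ? "removed" : "left behind");
    return rc;
}
```

Because the cache name includes the parent's pid, a second login by the same uid gets its own file, so one logout cannot remove another session's tickets.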