
Bug#462741: lprng: No longer supports kerberos5 authtype



* Tim Abbott <tabbott@MIT.EDU> [080127 07:42]:
> In versions of lprng before the kerberos4 authtype was deprecated, 
> authtypes of the form "kerberos*" for * different from 4 were handled as 
> the standard "kerberos" authtype; below is part of the diff between the 
> current Lenny and Sid versions in common/user_auth.c:
> 
>  # if defined(MIT_KERBEROS4)
>         { "kerberos4", "kerberos", IP_SOCKET_ONLY, Send_krb4_auth, 0,0,0 },
>  # endif
> -       { "kerberos*", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send, 
> 0, Krb5_receive },
> +       { "kerberos", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send, 
> 0, Krb5_receive },
> +       { "k5conn", "kerberos", IP_SOCKET_ONLY, 0,           
> Krb5_send_nocrypt, 0, Krb5_receive_nocrypt },
>  #endif

This was a change by Patrick Powell (or perhaps from the people that
patched lprng to be called as transport from MacOS's cups, but included
in 2.8.32) to introduce the k5conn, the kerberos authenticated but not
encrypted connection method. I think it was added because Fix_send_auth now sends
the name instead of the config_tag, so the server can distinguish them.
Other side effect should be that kerberos4 is also sent over the line,
so the kerberos4 tag is sent, which should be rejected because of
missing server_receive method.
I guess the best method is to revert this change and make k5conn send
k5conn instead of kerberos then. (And if anyone has kerberos4, I'd be
interested to know if that works, as the server would in the old code
call krb5_receive for send_krb4_auth, so I am confused).

I think the following patch (which I applied to cvs already) should restore
the functionaly. Given I lack kerberos infrastructure to test it I'd be
eager to hear if it works, too.

Thanks in advance,
	Bernhard R. Link
Index: common/sendauth.c
===================================================================
RCS file: /cvsroot/lprng/lprng/src/common/sendauth.c,v
retrieving revision 1.36
diff -u -p -r1.36 sendauth.c
--- common/sendauth.c	25 Jan 2008 14:15:35 -0000	1.36
+++ common/sendauth.c	27 Jan 2008 09:38:45 -0000
@@ -258,7 +258,7 @@ struct security *Fix_send_auth( char *na
 {
 	struct security *security = 0;
 	char buffer[SMALLBUFFER], *from, *client, *destination;
-	const char *tag, *key;
+	const char *tag, *server_tag, *key;
 
 	if( name == 0 ){
 		if( Is_server ){
@@ -299,6 +299,7 @@ struct security *Fix_send_auth( char *na
 	if(DEBUGL1)Dump_line_list("Fix_send_auth: found info", info );
 
 	if( !(tag = security->config_tag) ) tag = security->name;
+	if( !(server_tag = security->server_tag) ) server_tag = tag;
 	if( Is_server ){
 		/* forwarding */
 		key = "F";
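Review bot: When a row leaves `server_tag` unset, the added fallback puts `tag` (the config_tag, or the name) on the wire, whereas before this patch the request always carried `security->name`. Every row in the patched SecuritySupported[] sets server_tag, so this only affects entries added later. For a row like k5conn, whose config_tag is "kerberos", an unset server_tag would announce the encrypting method while the client runs the nocrypt sender. A comment on the added line would make the contract explicit: `/* server_tag is the tag sent to the server; the config tag is only a fallback for rows that leave it 0 */`. Fix_send_auth begins and ends outside this hunk.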
@@ -352,10 +353,10 @@ struct security *Fix_send_auth( char *na
 	Set_str_value(info,DESTINATION,destination);
 
 	DEBUG1("Fix_send_auth: pr '%s', key '%s', from '%s', name '%s', tag '%s'",
-		RemotePrinter_DYN,key, from, security->name, tag);
+		RemotePrinter_DYN,key, from, server_tag, tag);
 	SNPRINTF( buffer, sizeof(buffer))
 		"%c%s %s %s %s",
-		REQ_SECURE,RemotePrinter_DYN,key, from, security->name );
+		REQ_SECURE,RemotePrinter_DYN,key, from, server_tag );
 	Set_str_value(info,CMD,buffer);
 	DEBUG1("Fix_send_auth: sending '%s'", buffer );
 
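Review bot: The DEBUG1 format string still labels its fourth value `name`, but after this change it prints `server_tag`, so the trace no longer shows which table row (`security->name`) was selected. Printing both keeps the log accurate: `"... from '%s', name '%s', server_tag '%s', tag '%s'"` with the arguments `security->name, server_tag, tag`. Separately, `server_tag` is the last field written into the fixed `buffer[SMALLBUFFER]`. Whether SNPRINTF reports truncation is not visible here, but a clipped tag could leave the server seeing a different authentication type, so a length check before `Set_str_value(info,CMD,buffer)` is worth considering. Fix_send_auth begins and ends outside this hunk.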
Index: common/user_auth.c
===================================================================
RCS file: /cvsroot/lprng/lprng/src/common/user_auth.c,v
retrieving revision 1.22
diff -u -p -r1.22 user_auth.c
--- common/user_auth.c	25 Jan 2008 14:15:35 -0000	1.22
+++ common/user_auth.c	27 Jan 2008 09:38:45 -0000
@@ -1778,26 +1778,26 @@ static int Pgp_receive( int *sock, int t
 
 
  struct security SecuritySupported[] = {
-	/* name, config_name, flags,
+	/* name, server_name, config_name, flags,
         client  connect, send, send_done
 		server  accept, receive, receive_done
 	*/
 #if defined(KERBEROS)
 # if defined(MIT_KERBEROS4)
-	{ "kerberos4", "kerberos", IP_SOCKET_ONLY, Send_krb4_auth, 0,0,0 },
+	{ "kerberos4", "kerberos", "kerberos", IP_SOCKET_ONLY, Send_krb4_auth, 0,0,0 },
 # endif
-	{ "kerberos", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send, 0, Krb5_receive },
-	{ "k5conn", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send_nocrypt, 0, Krb5_receive_nocrypt },
+	{ "kerberos*", "kerberos", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send, 0, Krb5_receive },
+	{ "k5conn", "k5conn", "kerberos", IP_SOCKET_ONLY, 0,           Krb5_send_nocrypt, 0, Krb5_receive_nocrypt },
 #endif
 
-	{ "test",      "test",     0,              0,           Test_send, 0, Test_receive },
-	{ "md5",       "md5",      0,              0,           md5_send, 0, md5_receive },
-	{ "pgp",       "pgp",      0,              0,           Pgp_send, 0, Pgp_receive },
+	{ "test",      "test",	"test",     0,              0,           Test_send, 0, Test_receive },
+	{ "md5",       "md5",	"md5",      0,              0,           md5_send, 0, md5_receive },
+	{ "pgp",       "pgp",	"pgp",      0,              0,           Pgp_send, 0, Pgp_receive },
 #ifdef SSL_ENABLE
-	{ "ssl",      "ssl",       0,              0,           Ssl_send, 0, Ssl_receive },
+	{ "ssl",      "ssl",	"ssl",       0,              0,           Ssl_send, 0, Ssl_receive },
 #endif
 
-	{0,0,0,
+	{0,0,0,0,
 		0,0,
 		0,0}
 };
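Review bot: The table's header comment now lists the columns as `name, server_name, config_name`, while the members declared in include/user_auth.h are `server_tag` and `config_tag`; use the member names, `/* name, server_tag, config_tag, flags,`. The rows are positional initialisers, so this comment is the only guide to which string is which. The `k5conn` row also deserves a one-line comment, because it shares config_tag "kerberos" with the encrypting row but uses the `_nocrypt` handlers: `/* k5conn: Kerberos-authenticated, traffic not encrypted */`.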
Index: include/user_auth.h
===================================================================
RCS file: /cvsroot/lprng/lprng/src/include/user_auth.h,v
retrieving revision 1.18
diff -u -p -r1.18 user_auth.h
--- include/user_auth.h	25 Jan 2008 14:15:35 -0000	1.18
+++ include/user_auth.h	27 Jan 2008 09:38:45 -0000
@@ -69,6 +69,7 @@ typedef int (*RCV_DONE_PROC)( int *sock,
 
 struct security {
 	const char *name;				/* authentication name */
+	const char *server_tag;		/* send this tag to server */
 	const char *config_tag;		/* use this tag for configuration information */
 	int auth_flags;				/* flags */
 #define IP_SOCKET_ONLY	1 /* use TCP/IP socket only */
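Review bot: `server_tag` is inserted as the second member rather than appended, which shifts every later member of `struct security`. SecuritySupported[] uses positional initialisers, so a row that is not updated (for example in an out-of-tree patch) would put its old config string into `server_tag` and its flags value into `config_tag`, probably with no more than a compiler warning. Designated initialisers in the table, or appending the member, would avoid that. The member comment could also state the unset case: `/* tag sent to the server; Fix_send_auth falls back to config_tag/name when 0 */`. The struct definition continues past the end of this hunk.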
